Splunk Lantern

Managing known phishing email addresses

Applicability

  • Product: Splunk Enterprise or Splunk Cloud Platform
  • Feature: Search
  • Function: Exchange message trace

Problem

Your users report receiving a large number of phishing emails lately. You want to gather information about these messages (source IPs, sender addresses, sizes, subjects) so that you can build better mail filters, for example by blocking the sending addresses and source IPs involved.

Solution

To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search:
    sourcetype="ms:o365:reporting:messagetrace"
    |stats VALUES(FromIP) VALUES(SenderAddress) VALUES(Size) VALUES(Subject) BY RecipientAddress

Explanations

Splunk Search: sourcetype="ms:o365:reporting:messagetrace"
Explanation: Search only Office 365 message trace logs. This sourcetype is produced by the Splunk Add-on for Microsoft Office 365; add index= to restrict the search to the index that add-on writes to.

Splunk Search: |stats VALUES(FromIP) VALUES(SenderAddress) VALUES(Size) VALUES(Subject) BY RecipientAddress
Explanation: Group the events by recipient address and, for each recipient, return the distinct source IPs, sender addresses, message sizes and subjects seen. Because values() deduplicates, a subject that arrived hundreds of times appears once per recipient; the same sender address or source IP showing up under many recipients is the pattern that points to a campaign and to the values worth filtering.
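The following is an added example, not code from Splunk Lantern or from the Splunk Add-on for Microsoft Office 365. It reproduces the grouping the search above performs, offline in Python, over a handful of constructed message trace events (the sender domains, recipients and RFC 5737 IP addresses are invented), and then goes one step beyond the page: it inverts the grouping to list the sender addresses and source IPs that reached several distinct mailboxes, which are the values you would actually put in a mail filter. The field names FromIP, SenderAddress, RecipientAddress, Size and Subject are the ones the add-on extracts from message trace records; everything else is an assumption of this example.

```python
"""Offline stand-in for the Splunk search above, run over constructed
ms:o365:reporting:messagetrace-style events (added example, not Splunk Lantern code).

Field names (FromIP, SenderAddress, RecipientAddress, Size, Subject) are the ones
the Splunk Add-on for Microsoft Office 365 extracts from message trace records;
the events, addresses and IPs below are constructed for this example.
"""
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line, in the shape the add-on indexes.
SAMPLE_TRACE = """\
{"FromIP": "203.0.113.10", "SenderAddress": "billing@examp1e-invoices.test", "RecipientAddress": "alice@example.com", "Size": 18342, "Subject": "Invoice overdue - action required", "Status": "Delivered"}
{"FromIP": "203.0.113.10", "SenderAddress": "billing@examp1e-invoices.test", "RecipientAddress": "bob@example.com", "Size": 18350, "Subject": "Invoice overdue - action required", "Status": "Delivered"}
{"FromIP": "203.0.113.10", "SenderAddress": "billing@examp1e-invoices.test", "RecipientAddress": "carol@example.com", "Size": 18340, "Subject": "Invoice overdue - action required", "Status": "FilteredAsSpam"}
{"FromIP": "198.51.100.7", "SenderAddress": "hr@example.com", "RecipientAddress": "alice@example.com", "Size": 2201, "Subject": "Holiday schedule", "Status": "Delivered"}
{"FromIP": "203.0.113.44", "SenderAddress": "support@payroll-update.test", "RecipientAddress": "bob@example.com", "Size": 9120, "Subject": "Update your direct deposit", "Status": "Delivered"}
"""

STATS_FIELDS = ("FromIP", "SenderAddress", "Size", "Subject")


def load_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stats_values_by_recipient(events):
    """Equivalent of
    `stats values(FromIP) values(SenderAddress) values(Size) values(Subject) by RecipientAddress`.

    Like Splunk's values(), each field collapses to its distinct values, sorted
    lexicographically; events without the by-field are dropped, as stats does.
    """
    groups = defaultdict(lambda: defaultdict(set))
    for ev in events:
        rcpt = ev.get("RecipientAddress")
        if not rcpt:
            continue
        for field in STATS_FIELDS:
            if ev.get(field) is not None:
                groups[rcpt][field].add(ev[field])
    return {
        rcpt: {field: sorted(vals, key=str) for field, vals in fields.items()}
        for rcpt, fields in groups.items()
    }


def candidate_blocks(events, min_recipients=2):
    """Invert the grouping to find what is worth filtering: sender addresses and
    source IPs that reached at least `min_recipients` distinct mailboxes. A value
    seen by a single recipient is weak evidence of a campaign on its own.
    """
    recipients_by = {"SenderAddress": defaultdict(set), "FromIP": defaultdict(set)}
    for ev in events:
        rcpt = ev.get("RecipientAddress")
        if not rcpt:
            continue
        for field, table in recipients_by.items():
            if ev.get(field):
                table[ev[field]].add(rcpt)
    return {
        field: sorted(v for v, rcpts in table.items() if len(rcpts) >= min_recipients)
        for field, table in recipients_by.items()
    }


if __name__ == "__main__":
    events = load_events(SAMPLE_TRACE)
    print(json.dumps(stats_values_by_recipient(events), indent=2))
    print(json.dumps(candidate_blocks(events), indent=2))
```

On the constructed data, `candidate_blocks` returns only `billing@examp1e-invoices.test` and `203.0.113.10`, because they are the only sender and source IP seen by more than one recipient; the internal HR mail and the single payroll lure fall below the threshold. Raise `min_recipients` on a large tenant so that shared legitimate senders do not surface, and check the `Status` field before blocking, since messages already `FilteredAsSpam` are evidence the existing filter partly works.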
