O365 Email Reported By User Found Malicious

name: O365 Email Reported By User Found Malicious
id: 7698b945-238e-4bb9-b172-81f5ca1685a1
version: 11
date: '2026-04-15'
author: Steven Dick
status: production
type: TTP
description: The following analytic detects when an email submitted to Microsoft using the built-in report button in Outlook is found to be malicious. This capability is an enhanced protection feature that can be used within o365 tenants by users to report potentially malicious emails. This correlation looks for any submission that returns a Phish or Malware verdict upon submission.
data_source:
    - Office 365 Universal Audit Log
search: |-
    `o365_management_activity` Workload=SecurityComplianceCenter Operation=AlertEntityGenerated Name="Email reported by user as*"
      | fromjson Data
      | rename _raw AS temp etps AS _raw
      | extract pairdelim=";" kvdelim=":"
      | rename _raw AS etps temp AS _raw
      | search RescanVerdict IN (Phish,Malware)
      | rex field=tsd "\<(?<src_user>.+)\>"
      | eval src_user = case(isnull(src_user),tsd,true(),src_user)
      | rename Name as signature, AlertId as signature_id, AlertEntityId as user, tsd as sender, ms as subject
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY dest user src
           vendor_account vendor_product signature
           signature_id src_user sender
           subject
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `o365_email_reported_by_user_found_malicious_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. You must deploy/allow the usage of the Microsoft Office Report A Message function.
known_false_positives: No false positives have been identified at this time.
references:
    - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/submissions-outlook-report-messages?view=o365-worldwide
drilldown_searches:
    - name: View the detection results for - "$src_user$" and "$user$"
      search: '%original_detection_search% | search  src_user = "$src_user$" user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src_user$" and "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_user$", "$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
rba:
    message: The user $user$ reported an email classified from $src_user$
    risk_objects:
        - field: src_user
          type: user
          score: 50
        - field: user
          type: user
          score: 50
    threat_objects:
        - field: subject
          type: email_subject
tags:
    analytic_story:
        - Spearphishing Attachments
        - Suspicious Emails
    asset_type: O365 Tenant
    mitre_attack_id:
        - T1566.001
        - T1566.002
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1566/o365_various_alerts/o365_various_alerts.log
          sourcetype: o365:management:activity
          source: o365