Phish Focus: Block List

This feature allows a Phriendly Phishing Admin to connect Phish Focus to your MS tenant and easily update the Block List from within Phish Focus. As an Admin, you can review reported emails in Phish Focus and create a block list entry. That block list entry is pushed to your MS 365 mail server block list, and future emails matching the entry are automatically moved to your users' Junk folder or quarantined.

Requirements

  1. The Block List feature is only for organisations using an MS 365 mail server.
  2. An Azure account that has an Active Subscription.
  3. The Phriendly Phishing Administrator needs to connect to their organisation's Microsoft 365 tenant, accept consent on behalf of the organisation, and have the permissions below:
    • Compliance Administrator (Log in to Azure Portal > under Assigned Roles)
    • Organisation Management (Log in to MS Defender Portal > Permissions > Email and Collaboration > Roles > Organisation Management > edit and add members that need permission)

Things to Note

  1. For each zone, you can use only one MS tenant. If you are already connected to an MS 365 tenant, other admins within your zone need to log in to the same tenant.
  2. You are required to re-authorise after a 24-hour period.
  3. If a Phriendly Phishing Admin has not connected to the MS 365 tenant under Settings, you will be asked to log in when you perform Add to Block List from Message Details > Actions.

Enable Block List

Block List is an option that Admins can configure, and it is disabled by default. Follow the steps below to enable the feature:

  1. From the Phriendly Phishing platform, click Phish Focus.
  2. Click Settings > Enable Block List.
  3. Connect to MS 365 Tenant. You are required to log in to your MS 365 tenancy and consent to Phish Focus connecting and using the granted permissions.
  4. Once you have logged in successfully, a notification appears. Click OK.
  5. After clicking OK, you will see your Tenant ID and User ID.

Log out or disconnect from MS 365 Tenant

As an Admin, if you want to remove the connection to your MS account, you can click Log-out or disconnect from the tenant.

Notes on Disconnecting from MS 365 Tenant:

  • All the MS 365 accounts logged in for this tenant are also logged out.

  • The data of the tenant/mail server is stored and kept temporarily.

Log-out

Disconnect from Tenant

Create Block List Entries from an Email

Once Block List is enabled and the connection to the MS 365 tenant is successful, Admins can create block list entries, which are synchronised with the MS 365 block list.

Block list entries are created from the body of the email, which includes:

  1. Sender Email Address
  2. URL in the Email content
  3. File Hash of the email's attachment

Follow the steps below to create a block list entry:

  1. Click the reported email > Actions > Add to Block List.
  2. A pop-up dialogue box appears for you to choose which information to block. Click Save.
  3. Once saved, the status appears as Pending while the information syncs to the MS 365 server. Once the sync has completed, the status appears as Active under Block List.

Manage Block List Entries

As an Admin, you have visibility of the block list entries for your zone and can manage them. The list shows the following:

  • Value
  • Attribute Type: one of three types (Sender, URL, or File Hash)
  • Created Date (date the value was created)
  • Expiration Date (date the value is set to expire; could be Never expire, 7 days, or 30 days)
  • Synced status: Pending, Active, Failed or Expired
  • Action: Edit, Delete

Synced Status
The statuses below indicate whether the entered value has been successfully synced with the MS service. The list can be filtered by synced status.

  • Pending = value is in the process of being added to or deleted from the MS 365 block list.
  • Active = value is successfully added to the block list and synced with the connected MS 365 mail server.
  • Failed = value was not successfully added and synced. This could be because the entry already exists in MS 365 and cannot be duplicated.
  • Expired = value has expired. When it reaches the expiration date, it is removed from the MS 365 block list and its status in Phish Focus is “Expired”.

Action
As a Phriendly Phishing Admin, the actions you can take on a value depend on its synced status. Edit allows an Admin to change the expiration date, and Delete allows an Admin to remove the whole value from the block list.

  • Pending: Delete
  • Active: Edit, Delete
  • Failed: Delete
  • Expired: Edit, Delete

Block List Activity Logs

All Block List activities are logged in Activity Logs. This section shows the following information:

  • Modified Date and Time
  • Value: name of the entry which has been modified
  • Action type:
    • Created
    • Deleted
    • Edited
    • Expired
  • Done by, which could be any of the below:
    • An Admin who performed the action
    • System
    • Synced from MS 365 - action caused by syncing data from MS 365 block list.

As an Admin, you can download the logs as a CSV file.
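One way to review the downloaded CSV, given as an added example that is not part of Phish Focus or this article's own material: it lists Deleted or Edited rows whose "Done by" is "Synced from MS 365" (changes made directly in MS 365) and the values whose latest action leaves them unblocked. The column header names, the timestamp format and every sample row are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample export. The header names and the sortable timestamp
# format are assumptions; match them to the header row of the real CSV.
SAMPLE_CSV = """Modified Date and Time,Value,Action type,Done by
2024-05-01 09:12,bad.sender@example.test,Created,admin.one@example.test
2024-05-01 09:12,http://login.example.test/reset,Created,admin.one@example.test
2024-05-03 14:40,bad.sender@example.test,Deleted,Synced from MS 365
2024-05-04 08:05,http://login.example.test/reset,Edited,Synced from MS 365
2024-05-08 00:00,http://login.example.test/reset,Expired,System
2024-05-09 10:30,old.sender@example.test,Deleted,admin.two@example.test
"""

EXTERNAL_ACTOR = "Synced from MS 365"   # "Done by" value listed in the article
UNBLOCKING_ACTIONS = ("Deleted", "Expired")


def review_activity_log(csv_text):
    """Return (out_of_band, no_longer_blocked).

    out_of_band: (time, value, action) for Deleted/Edited rows performed by
    the MS 365 sync, i.e. the entry was changed outside Phish Focus.
    no_longer_blocked: sorted values whose most recent action is Deleted or
    Expired, so matching mail is no longer moved to Junk or quarantined.
    """
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["Modified Date and Time"])
    out_of_band = []
    last_action = {}
    for row in rows:
        when = row["Modified Date and Time"].strip()
        value = row["Value"].strip()
        action = row["Action type"].strip()
        if row["Done by"].strip() == EXTERNAL_ACTOR and action in ("Deleted", "Edited"):
            out_of_band.append((when, value, action))
        last_action[value] = action   # rows are time-ordered, so the last one wins
    no_longer_blocked = sorted(
        v for v, a in last_action.items() if a in UNBLOCKING_ACTIONS)
    return out_of_band, no_longer_blocked


if __name__ == "__main__":
    changed, unblocked = review_activity_log(SAMPLE_CSV)
    for when, value, action in changed:
        print(f"{when}  {action} in MS 365: {value}")
    print("No longer blocked:", ", ".join(unblocked))
```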

Synchronisation between Phish Focus and MS 365 Tenant

This section gives Admins insight into the sync process that happens after an entry is added to the block list.

From Phish Focus:

  • If a value is created from Phish Focus → it is added to the MS 365 block list
  • If a value is updated from Phish Focus (expiration date) → it is updated in the MS 365 block list
  • If a value is deleted from Phish Focus → it is removed from the MS 365 block list

From MS 365 Block List:

  • If a value is created from MS 365 block list → NO CHANGE or UPDATE in Phish Focus.
  • If a value is updated from MS 365 block list (expiration date) → it is updated in Phish Focus and a log is recorded under activity logs
  • If a value is deleted from MS 365 block list → it is removed in Phish Focus and a log is recorded under activity logs
  • If a value is auto-removed from MS 365 block list when it reaches the expiration date → it shows as Expired in Phish Focus