Team: Huntress Managed Identity Threat Detection and Response (ITDR, formerly MDR for Microsoft 365)
Environment: Microsoft 365, Google Workspace
Summary: This guide will cover how to obtain a suspicious email reported by one of your users, which will allow Huntress SOC Support to perform further analysis.
Handle every suspicious email as untrusted content: do not open its attachments or follow its links while collecting it, so that collection itself does not lead to a compromise. Keep the original message intact (forward it as an attachment, never inline), because an inline forward rewrites the headers that analysis depends on. Additionally, ensure that you have the necessary permissions and authorization and are adhering to all legal requirements and organizational policies regarding user data and privacy.
Microsoft 365
- Method 1 - Using eDiscovery Content Search
- Method 2 - Using Administrative Granted Access to Access the Mailbox
- Method 3 - Asking the User to Forward the Email to you as an Attachment
Google Workspace
- Method 1 - Using Google Vault
- Method 2 - Asking the User to Forward the Email to you as an Attachment
Microsoft 365
Method 1 - Using eDiscovery Content Search
Note: this requires a plan with access to eDiscovery. If you do not have a Microsoft 365 plan that includes eDiscovery, please use Method 2 or Method 3 instead.
- Follow the instructions here to create and run a content search. You must ensure that you have proper role group access (noted in the “Before you run a search” section of the linked document).
- Once the content search is complete, follow the instructions here to export the content search results.
- Under “Export Exchange content as,” choose the “Individual messages” option
- Send/upload the .msg to your SOC Support Agent
Method 2 - Using Administrative Granted Access to Access the Mailbox
- Log into admin.microsoft.com
- Navigate to Users > Active users
- Click on the affected user’s name
- Click on the “Mail” tab
- Click “Read and manage permissions”
- Click “Add permissions,” then select your account and click “Add”
- Navigate to outlook.office.com
- Click on your profile photo/avatar in the top right corner and click “Open another mailbox.” Start typing the name or email address of the affected user, then click on the user and click “Open”
- Find the email, right-click it in the message list and choose “Save as” to save it as a .eml (or, if the email is already open, click the 3 dots and choose “Save as”)
- Send/upload the .eml to your SOC Support Agent.
- Once you have the file, return to the affected user’s “Mail” tab and remove the permission you granted to your account. Full access to another user’s mailbox should not outlive the investigation.
Method 3 - Asking the User to Forward the Email to you as an Attachment
- If the user is on a mobile device, instruct them to “Forward as Attachment” the phish to you by tapping the 3 dot menu while viewing the email.
[Screenshots in the original: iOS, Android]
- If the user is on a desktop, instruct them to “Forward as attachment” the phish to you by clicking the dropdown arrow next to the forward button while viewing the email.
- Once you receive the forwarded message, right-click the attached email, choose “Save as” to save it as a .eml, and send/upload the .eml to your SOC Support agent. If the user forwarded the phish inline instead (the body shows a quoted copy rather than an attached .eml), the original headers have been lost; ask them to resend it as an attachment.
Google Workspace
Method 1 - Using Google Vault
Note: this requires a plan with access to Google Vault. If you do not have a Google Workspace plan that includes access to Google Vault, please use Method 2 instead.
- Log into your Google Admin account
- Navigate to vault.google.com
- Click on “Matters”
- Create and name a new “Matter”
- Choose the “Gmail” service
- Enter your user’s email address in the “Account email addresses” field
- Query for the email by subject (in the “Terms (optional)” field) and, if necessary, by Date sent
- Hit the “Search” button
- Click on the email in the results list
- Click on the “Original” button and save the file as a .eml
- Send/upload the .eml to your SOC Support Agent.
You may also follow the more detailed instructions here, although they export a .mbox, which contains more than Huntress requires. Huntress needs only the .eml of the phish, so extract that single message from the .mbox and provide only the phish in question.
Method 2 - Asking the User to Forward the Email to you as an Attachment
Instruct the user to do the following:
- Log into the Gmail web app
- Locate the original phishing email in their inbox, but don’t click on it
- Right-click on the email and select “Forward as attachment”
- Send the email to you
- Once you receive the email, save the attached .eml and send/upload it to your SOC Support Agent.
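As an added example (not code from the Huntress article), the following Python script checks a sample collected with the forward-as-attachment methods above (Microsoft 365 Method 3 and Google Workspace Method 2): it confirms the received message really embeds the original as a message/rfc822 part, reports whether the transport headers (Received, Authentication-Results, Return-Path, Message-ID) survived, and gives you the inner message to save as the .eml. For the Google Vault route it also shows how to pull one message out of a .mbox export by Message-ID instead of sending the whole export. Every message, address and the relay 203.0.113.7 is constructed for the example; the header names are standard, nothing else is taken from the article.

```python
import email
import mailbox
import re
import tempfile
from email import policy
from email.message import EmailMessage
from typing import Optional

# Constructed phish as delivered to the user (attacker.example, example.com and
# 203.0.113.7 are placeholders); the transport headers are what the SOC needs to see.
PHISH_SAMPLE = b"""Received: from mail.attacker.example (mail.attacker.example [203.0.113.7])
        by mx.example.com with ESMTP id abc123; Mon, 3 Jun 2024 09:12:01 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail
Return-Path: <bounce@attacker.example>
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Urgent: password expiry
Message-ID: <20240603091158.1@mail.attacker.example>
Content-Type: text/plain; charset="us-ascii"

Your password expires today. Sign in at http://example.net/login to keep it.
"""

# Constructed: what the admin receives after the user chose "Forward as attachment".
FORWARDED_SAMPLE = (
    b"""From: Alice User <alice@example.com>
Subject: Fwd: Urgent: password expiry
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: message/rfc822
Content-Disposition: attachment; filename="phish.eml"

"""
    + PHISH_SAMPLE
    + b"\n--outer--\n"
)

# Constructed: an inline forward. The client rewrote the headers; only quoted text remains.
INLINE_SAMPLE = b"""From: Alice User <alice@example.com>
Subject: Fwd: Urgent: password expiry
Message-ID: <fwd-1@example.com>

---------- Forwarded message ---------
From: IT Helpdesk <helpdesk@example.com>
Subject: Urgent: password expiry

Your password expires today. Sign in at http://example.net/login to keep it.
"""


def extract_original(raw: bytes) -> Optional[EmailMessage]:
    """Return the embedded original message, or None if this is not a forward-as-attachment."""
    outer = email.message_from_bytes(raw, policy=policy.default)
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)  # the attached message itself, headers intact
    return None


def assess_sample(raw: bytes) -> dict:
    """Report whether the sample still carries the headers an analyst needs, and summarise them."""
    original = extract_original(raw)
    if original is None:
        return {"usable": False, "reason": "no message/rfc822 part: forwarded inline, headers lost"}
    auth = str(original.get("Authentication-Results", ""))
    report = {
        "received_hops": len(original.get_all("Received") or []),
        "auth_results": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)),
        "return_path": str(original.get("Return-Path", "")),
        "from": str(original.get("From", "")),
        "message_id": str(original.get("Message-ID", "")),
    }
    # Without Received hops and a Message-ID the delivery path cannot be traced.
    report["usable"] = report["received_hops"] > 0 and bool(report["message_id"])
    return report


def pick_from_mbox(mbox_path: str, message_id: str) -> Optional[bytes]:
    """From a Vault .mbox export, return only the message with this Message-ID as .eml bytes."""
    box = mailbox.mbox(mbox_path)
    try:
        for msg in box:
            if msg.get("Message-ID") == message_id:
                return msg.as_bytes()
    finally:
        box.close()
    return None


def mbox_filter_demo() -> Optional[bytes]:
    """Write the two constructed messages to a temporary .mbox, then pull out just the phish."""
    with tempfile.TemporaryDirectory() as tmp:
        path = f"{tmp}/vault-export.mbox"
        box = mailbox.mbox(path)
        box.add(email.message_from_bytes(INLINE_SAMPLE))
        box.add(email.message_from_bytes(PHISH_SAMPLE))
        box.close()
        return pick_from_mbox(path, "<20240603091158.1@mail.attacker.example>")
```

Run `assess_sample()` on the bytes of the message you received; if it comes back with `usable: False` the user forwarded inline and must resend. The bytes returned by `extract_original(...).as_bytes()` or by `pick_from_mbox()` are exactly what to write to the .eml file for SOC Support.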