Investigate malicious email that was delivered in Office 365

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

Microsoft Defender for Office 365 lets you investigate activities that put people in your organization at risk, and take action to protect your organization. For example, if you are part of your organization's security team, you can find and investigate suspicious email messages that were delivered. You do this with Threat Explorer (or real-time detections).

Note

Jump to the remediation article here.

Before you begin

Make sure that the following requirements are met:

Preview role permissions

To perform certain actions, such as viewing message headers or downloading email message content, you must have a role called Preview added to an appropriate role group. The following table shows the required roles and permissions.


| Activity | Role group | Preview role needed? |
| --- | --- | --- |
| Use Threat Explorer (and real-time detections) to analyze threats | Global Administrator, Security Administrator, Security Reader | No |
| Use Threat Explorer (and real-time detections) to view headers for email messages, and to preview and download quarantined email messages | Global Administrator, Security Administrator, Security Reader | No |
| Use Threat Explorer to view headers, preview email (only in the email entity page), and download email messages delivered to mailboxes | Global Administrator, Security Administrator, Security Reader, plus Preview | Yes |

Note

Preview is a role, not a role group; the Preview role must be added to an existing role group for Office 365 (at https://protection.office.com). Go to Permissions, and then either edit an existing role group or add a new role group with the Preview role assigned. The Global Administrator role is assigned in the Microsoft 365 admin center (https://admin.microsoft.com), and the Security Administrator and Security Reader roles are assigned in the Security & Compliance Center (https://protection.office.com). To learn more about roles and permissions, see Permissions in the Security & Compliance Center.

Previewing and downloading email are sensitive activities, so auditing is enabled for them. When an admin performs either action on a message, an audit record is generated and can be seen in the Office 365 Security & Compliance Center (https://protection.office.com). Go to Search > Audit log search and filter on the admin's name in the Search section. The filtered results show the activity AdminMailAccess. Select a row to view details about the previewed or downloaded email in the More information section.
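The role assignment and the audit check described above can be scripted instead of clicked through. This is an added example, not code from the original page or from Microsoft's documentation. It assumes the ExchangeOnlineManagement PowerShell module is installed, that Connect-IPPSSession reaches Security & Compliance PowerShell (where the Preview role and role groups live) and Connect-ExchangeOnline reaches Exchange Online PowerShell (where Search-UnifiedAuditLog lives), that the role-group cmdlets behave as they do in Exchange Online, and that the role group name 'Threat Explorer Preview', the analyst and admin addresses, and the contoso.com domain are placeholders to replace with your own.

```powershell
# Added example (not from the original page). Placeholders: the role group
# name, the two contoso.com addresses, and the 7-day audit window.

# 1. Role groups and the Preview role are managed in Security & Compliance
#    PowerShell, not in the Exchange Online endpoint.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.com'

$groupName = 'Threat Explorer Preview'      # placeholder role group name
$analyst   = 'secops.analyst@contoso.com'   # placeholder member

# 2. Preview is a role, not a role group: either create a dedicated role
#    group that carries only Preview, or attach Preview to an existing group.
if (-not (Get-RoleGroup -Identity $groupName -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $groupName -Roles 'Preview' -Members $analyst `
        -Description 'Can preview and download delivered mail in Threat Explorer'
} else {
    New-ManagementRoleAssignment -Role 'Preview' -SecurityGroup $groupName
    Add-RoleGroupMember -Identity $groupName -Member $analyst
}

# 3. Least privilege check: the group should carry Preview and nothing else
#    that was added by accident.
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Select-Object Role, RoleAssignee

# 4. Preview/download generate AdminMailAccess audit records. This is the
#    same query the page describes running in Audit log search, for one admin
#    over the last 7 days. Search-UnifiedAuditLog needs the Exchange Online
#    connection.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

$end   = Get-Date
$start = $end.AddDays(-7)

Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations 'AdminMailAccess' -UserIds $analyst -ResultSize 5000 |
    ForEach-Object {
        # AuditData is a JSON blob; UserId, Operation and ClientIP are part of
        # the common audit schema. The remaining fields are what the UI shows
        # under "More information".
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $_.CreationDate
            Admin     = $d.UserId
            Operation = $d.Operation
            ClientIP  = $d.ClientIP
            Raw       = $d
        }
    } |
    Sort-Object When -Descending |
    Format-Table When, Admin, Operation, ClientIP -AutoSize
```

Run this as a Global Administrator or Security Administrator. The output of step 3 is the thing to review before handing the group to anyone: if it lists more than the Preview role, the group grants more than the page's table requires. Step 4 returns nothing until someone in the group has actually previewed or downloaded a message, which is itself a useful check that auditing is flowing.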

Find suspicious email that was delivered

Threat Explorer is a powerful report that serves multiple purposes, such as finding and deleting messages, identifying the IP address of a malicious email sender, or starting an incident for further investigation. The following procedure focuses on using Explorer to find and delete malicious email from recipients' mailboxes.

Note

Default searches in Explorer don't currently include zapped items (messages that zero-hour auto purge removed after delivery). This applies to all views, for example the Malware and Phish views. To include zapped items, add a Delivery action filter that includes Removed by ZAP. If you include all options, you'll see all delivery action results, including zapped items.

  1. Navigate to Threat Explorer: Go to https://protection.office.com and sign in with your work or school account for Office 365. This takes you to the Security & Compliance Center.

  2. In the left navigation quick launch, choose Threat management > Explorer.

    (Screenshot: Explorer with the Delivery action and Delivery location fields.)

    You may notice the new Special actions column. This feature tells admins the outcome of processing an email. The Special actions column is in the same place as Delivery action and Delivery location. Special actions might be updated at the end of Threat Explorer's email timeline, a new feature aimed at making the hunting experience better for admins.

  3. Views in Threat Explorer: In the View menu, choose All email.

    (Screenshot: the View menu in Threat Explorer, with the Email options Malware, Phish, Submissions and All email, and the Content malware option.)

    The Malware view is currently the default, and shows emails in which a malware threat was detected. The Phish view works the same way for phish.

    The All email view, however, lists every message the organization received, whether or not a threat was detected. As you can imagine, this is a lot of data, which is why this view shows a placeholder asking for a filter to be applied. (This view is only available to Defender for Office 365 Plan 2 customers.)

    The Submissions view shows all messages that admins or users reported to Microsoft.

  4. Search and filter in Threat Explorer: Filters appear at the top of the page in the search bar to help admins in their investigations. Multiple filters can be applied at the same time, and multiple comma-separated values can be added to a filter to narrow down the search. Remember:

    • Filters do exact matching on most filter conditions.
    • The Subject filter uses a CONTAINS query.
    • URL filters work with or without a protocol (for example, https).
    • The URL domain, URL path, and URL domain and path filters don't require a protocol.
    • You must click the Refresh icon every time you change the filter values to get relevant results.
  5. Advanced filters: With these filters, you can build complex queries and filter your data set. Clicking Advanced Filters opens a flyout with options.

    Advanced filtering is a great addition to the search capabilities. A boolean NOT filter has been introduced on Recipient, Sender and Sender domain so that admins can investigate by excluding values. This option appears under the selection parameter Contains none of. NOT lets admins exclude alert mailboxes and default reply mailboxes from their investigations, and is useful when searching for a specific subject (subject="Attention") with Recipient set to Contains none of defaultMail@contoso.com. This is an exact value search.

    (Screenshot: the Recipient "Contains none of" advanced filter.)

    Filtering by hours helps your organization's security team drill down quickly. The shortest allowed time span is 30 minutes. If you can narrow the suspicious action to a time frame (for example, it happened 3 hours ago), this limits the context and helps pinpoint the problem.

    (Screenshot: the Filter by hours option, which narrows the amount of data the security team must process; the shortest span is 30 minutes.)

  6. Fields in Threat Explorer: Threat Explorer exposes a lot more security-related mail information, such as Delivery action, Delivery location, Special action, Directionality, Overrides, and URL threat. This lets your organization's security team investigate with higher certainty.

    Delivery action is the action taken on an email because of existing policies or detections. These are the possible actions:

    • Delivered – the email was delivered to a user's Inbox or a folder, and the user can access it directly.
    • Junked (Delivered to junk) – the email was sent to the user's Junk or Deleted Items folder, and the user can access messages in those folders.
    • Blocked – any email message that was quarantined, failed, or was dropped. (This is completely inaccessible to the user.)
    • Replaced – any email whose malicious attachments were replaced by .txt files stating that the attachment was malicious.

    Delivery location: The Delivery location filter is available to help admins understand where suspected malicious mail ended up and what actions were taken on it. The resulting data can be exported to a spreadsheet. Possible delivery locations are:

    • Inbox or folder – The email is in the Inbox or a specific folder, according to your email rules.
    • On-prem or external – The mailbox doesn't exist in the cloud; it is on-premises or external.
    • Junk folder – The email is in the user's Junk Email folder.
    • Deleted items folder – The email is in the user's Deleted Items folder.
    • Quarantine – The email is in quarantine, not in the user's mailbox.
    • Failed – The email failed to reach the mailbox.
    • Dropped – The email was lost somewhere in the mail flow.

    Directionality: This option lets your security operations team filter by the "direction" a message comes from or is going. Directionality values are Inbound, Outbound, and Intra-org (mail coming into your organization from outside, mail being sent out of your organization, and mail sent internally within your organization, respectively). This information helps security operations teams spot spoofing and impersonation, because a mismatch between the Directionality value (for example, Inbound) and the sender's domain (which appears to be an internal domain) stands out. The Directionality value is separate from, and can differ from, the Message Trace. Results can be exported to a spreadsheet.

    Overrides: This filter takes information that appears on the message's details tab and uses it to expose where organizational or user policies for allowing and blocking mail have been overridden. The most important thing about this filter is that it lets your organization's security team see how many suspicious emails were delivered because of configuration. That gives them an opportunity to modify allows and blocks as needed. The result set of this filter can be exported to a spreadsheet.


    | Threat Explorer override | What it means |
    | --- | --- |
    | Allowed by Org Policy | Mail was allowed into the mailbox as directed by the organization policy. |
    | Blocked by Org Policy | Mail was blocked from delivery to the mailbox as directed by the organization policy. |
    | File extension blocked by Org Policy | The file was blocked from delivery to the mailbox as directed by the organization policy. |
    | Allowed by User Policy | Mail was allowed into the mailbox as directed by the user policy. |
    | Blocked by User Policy | Mail was blocked from delivery to the mailbox as directed by the user policy. |

    URL threat: The URL threat field has been added to the details tab of an email to indicate the threat presented by a URL. Threats presented by a URL can be Malware, Phish, or Spam; a URL with no threat shows None in the threats section.

  7. Email timeline view: Your security operations team might need to deep-dive into email details to investigate further. The email timeline lets admins view the actions taken on an email from delivery through post-delivery. To view an email timeline, click the subject of an email message, and then click Email timeline. (It appears among the other headings on the panel, such as Summary and Details.) These results can be exported to a spreadsheet.

    The email timeline opens to a table that shows all delivery and post-delivery events for the email. If there are no further actions on the email, you should see a single event for the original delivery that states a result, such as Blocked, with a verdict such as Phish. Admins can export the entire email timeline, including all details on the tab and of the email (such as Subject, Sender, Recipient, Network, and Message ID). The email timeline cuts down on guesswork because less time is spent checking different locations to understand the events that happened since the email arrived. When multiple events happen at, or close to, the same time on an email, those events show up in the timeline view.

  8. Preview / download: Threat Explorer gives your security operations team the details they need to investigate suspicious email. Your security operations team can either:

Check the delivery action and location

In Threat Explorer (and real-time detections), you now have Delivery action and Delivery location columns instead of the former Delivery status column. This gives a more complete picture of where your email messages land. Part of the goal of this change is to make investigations easier for security operations teams, but the net result is knowing the location of problem email messages at a glance.

Delivery status is now broken out into two columns:

  • Delivery action - What is the status of this email?

  • Delivery location - Where was this email routed as a result?

Delivery action is the action taken on an email because of existing policies or detections. These are the possible actions:

  • Delivered – the email was delivered to a user's Inbox or a folder, and the user can access it directly.

  • Junked – the email was sent to the user's Junk or Deleted Items folder, and the user can access messages in those folders.

  • Blocked – any email message that was quarantined, failed, or was dropped. (This is completely inaccessible to the user.)

  • Replaced – any email whose malicious attachments were replaced by .txt files stating that the attachment was malicious.

Delivery location shows the results of policies and detections that run post-delivery. It's linked to a Delivery action. This field was added to give insight into the action taken when a problem message is found. These are the possible values of Delivery location:

  • Inbox or folder – The email is in the Inbox or a folder (according to your email rules).

  • On-prem or external – The mailbox doesn't exist in the cloud; it is on-premises or external.

  • Junk folder – The email is in the user's Junk Email folder.

  • Deleted items folder – The email is in the user's Deleted Items folder.

  • Quarantine – The email is in quarantine, not in the user's mailbox.

  • Failed – The email failed to reach the mailbox.

  • Dropped – The email was lost somewhere in the mail flow.
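The columns described in this section and in step 6 above (Delivery action, Delivery location, Directionality, Overrides, URL threat) are also what you get when you export Explorer results to a spreadsheet, and the triage questions the page raises can be answered over that export. The script below is an added example, not code from the original page or from Microsoft. The CSV rows are constructed sample data; the column headers are assumed to match the field names used on this page (a real export may name or order columns differently, so adjust the header line), and contoso.com stands in for your organization's accepted domains.

```powershell
# Added example (not from the original page). Sample rows are constructed;
# column names and the contoso.com domain are assumptions to adjust.

$csv = @'
Subject,Sender address,Sender domain,Recipient,Directionality,Delivery action,Delivery location,Overrides,URL threat
Invoice overdue,ceo@contoso.com,contoso.com,finance@contoso.com,Inbound,Delivered,Inbox or folder,Allowed by User Policy,Phish
Invoice overdue,ceo@contoso.com,contoso.com,ap@contoso.com,Inbound,Delivered,Inbox or folder,,Phish
Weekly report,hr@contoso.com,contoso.com,all@contoso.com,Intra-org,Delivered,Inbox or folder,,None
Reset your password,it-support@contoso-mail.net,contoso-mail.net,bob@contoso.com,Inbound,Blocked,Quarantine,,Phish
Your package,noreply@shipping.example,shipping.example,alice@contoso.com,Inbound,Junked,Junk folder,,Spam
Q3 numbers,cfo@contoso.com,contoso.com,board@partner.example,Outbound,Delivered,On-prem or external,,None
'@

$internalDomains = @('contoso.com')   # assumption: your accepted domains
$rows = $csv | ConvertFrom-Csv

# 1. The spoofing signal the page calls out: Directionality is Inbound but
#    the sender domain is one of ours. Genuine internal mail is Intra-org.
$spoofed = $rows | Where-Object {
    ($_.Directionality -eq 'Inbound') -and
    ($internalDomains -contains $_.'Sender domain')
}

# 2. Mail that reached a user only because an allow override let it through.
#    These are the allow entries the page suggests revisiting.
$overrideDelivered = $rows | Where-Object {
    ($_.'Delivery action' -eq 'Delivered') -and
    ($_.Overrides -like 'Allowed by *')
}

# 3. Where everything landed, for the summary line of an incident.
$landing = $rows |
    Group-Object -Property 'Delivery action', 'Delivery location' |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# 4. Recipients who can still open a Phish/Malware message (Delivered or
#    Junked, not Blocked). This is the list the remediation step has to cover.
$exposed = $rows | Where-Object {
    ($_.'Delivery action' -in @('Delivered', 'Junked')) -and
    ($_.'URL threat' -in @('Phish', 'Malware'))
} | Select-Object -ExpandProperty Recipient -Unique

"Inbound mail from internal domains (possible spoof):"
$spoofed | Format-Table Subject, 'Sender address', Recipient, 'URL threat' -AutoSize

"Delivered only because of an allow override:"
$overrideDelivered | Format-Table Subject, 'Sender address', Recipient, Overrides -AutoSize

"Delivery action / location breakdown:"
$landing | Format-Table -AutoSize

"Recipients still holding a Phish or Malware message:"
$exposed
```

On the sample rows, the two "Invoice overdue" messages are flagged twice: once because they are Inbound from contoso.com (the Directionality mismatch), and the first of them again because a user-level allow delivered it. The lookalike contoso-mail.net message is correctly not an internal-domain hit, and since it was Blocked to Quarantine it does not appear in the exposed-recipient list either. Replace the here-string with Import-Csv on the exported file to run this against real results.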

View the timeline of your email

Email timeline is a field in Threat Explorer that makes hunting easier for your security operations team. When multiple events happen at or close to the same time on an email, those events show up in a timeline view. Some events that happen post-delivery are captured in the Special actions column. Combining the information in an email's timeline with any special actions taken post-delivery gives admins insight into policies and threat handling (such as where the mail was routed and, in some cases, what the final assessment was).

Important

Jump to a remediation topic here.

Remediate malicious email delivered in Office 365

Microsoft Defender for Office 365

Protect against threats in Office 365

View reports for Defender for Office 365