The case of the malevolent malware!

Standard reporting has been developed over the past couple of years by Microsoft. In the Wave 15 version of the tenant this has been extended further with a Reports page in the Office 365 Admin Center. This covers some of the most requested reports for Exchange, Lync and SharePoint Online. One area that administrators are used to reporting and analysing in more detail is mail traffic for spam, malware or rules.

Using the standard reports in the Office 365 Admin Center you can get an overview of this information. For example, I have been asked to produce a report listing any malware that has been sent or received within our organisation. Thankfully Microsoft has got two ingeniously named reports in the Admin Center that cover this.

When I checked the reports I found that there were no malware detections received but some were being sent! By default the report showed the last 14 days, but you can change this to anything from 7 to 60 days.

Unfortunately, I can’t see from this report who the culprit sending the malware was. The Admin Center provides standard reports and an overview of the mail data. If you want to dig into the detail and see which senders or recipients are breaching these rules, Microsoft have developed an Excel-based tool. You can download it from the Reports overview page in the portal. The tool requires Excel 2013 and there are other system requirements, so please review them before installing.

Once installed, it provides you with an overview of each of the key areas of mail flow: Traffic, Malware, Rules and Data Loss Prevention. The first worksheet is Traffic and gives an overview of the data. The Malware worksheet has a dashboard with totals for sent malware (28) and received malware (0 in this instance, so no graph), and a pivot table to filter by day. It also lists the top offending malware.

In addition, the daily breakdown table allows you to click into the last week’s data and generate a detailed report listing the individual e-mails that have been detected. Clicking one of the hyperlinks launches another query to the Exchange Control Panel Reporting service.

Once this query is complete, you have a detailed report on the individual e-mail that was infected with malware.

So the Office 365 Admin Center can be used to provide management-level reporting and an overview of the service. If you want to get into the technical detail and pinpoint individual mail items, then the Mail Protection Reports for Office 365 is the tool to use. Looks like user@domain.com has been tracked and caught!