Skip to content

Vade for M365

Overview

Vade for M365 offers AI-based protection against dynamic, email-borne cyberattacks targeting Microsoft 365. It improves user experience and catches 10x more advanced threats than Microsoft.

In this documenation we will explain how to collect and send Vade for M365 logs to Sekoia.io.

The following Sekoia.io built-in rules match the intake Vade for M365. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x Vade for M365 on ATT&CK Navigator

Malware Detected By Vade For M365

Vade Secure product Vade for M365 has detected a malware contained in the message.

  • Effort: master
Malware Detected By Vade For M365 And Not Blocked

Vade Secure product Vade for M365 has detected a malware contained in the message and didn't delete it.

  • Effort: advanced
Phishing Detected By Vade For M365

Vade Secure product Vade for M365 has detected a phishing attempt.

  • Effort: master
Phishing Detected By Vade For M365 And Not Blocked

Vade Secure product Vade for M365 has detected a phishing attempt and didn't move it to junk folder.

  • Effort: advanced
SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

  • Effort: elementary
Scam Detected By Vade For M365

Vade Secure product Vade for M365, has detected a scam e-mail.

  • Effort: master
Scam Detected By Vade For M365 And Not Blocked

Vade Secure product Vade for M365, has detected a scam e-mail and didn't block it.

  • Effort: advanced
Spam Detected By Vade For M365

Vade Secure product Vade for M365, has detected a spam e-mail.

  • Effort: master
Spam Detected By Vade For M365 And Not Blocked

Vade Secure product Vade for M365, has detected a spam e-mail and didn't block it.

  • Effort: advanced
Spearphishing (CEO Fraud) Detected By Vade For M365

Vade Secure product Vade for M365 has detected a spearphishing attempt with CEO fraud thematic. Impersonation of CEO or senior management members requesting urgent money transfer, usually on an unknown RIB.

  • Effort: master
Spearphishing (Gift Cards Fraud) Detected By Vade For M365

Vade Secure product Vade for M365 has detected a spear-phishing attempt with gift-cards fraud thematic. Executive impersonation requesting a money transfer to set up gift-cards for employees. Confidentiality and discretion are usually implied.

  • Effort: master
Spearphishing (Initial Contact Fraud) Detected By Vade For M365

Vade Secure product Vade for M365 has detected a spearphishing attempt with initial contact fraud thematic. Do not contains any malicious content or specific actions other than a request to reply to the email. “Are you available?”. The main goal is to incite a reply that could register the sending address as a known and legitimate address.

  • Effort: master
Spearphishing (Lawyer Fraud) Detected By Vade For M365

Vade Secure product Vade for M365 has detected a spearphishing attempt with lawyer fraud thematic. Impersonation of lawyers and lawyers' firms. The main goal is to make sure the victims will not raise awareness around them. Confidentiality restrictions are implied.

  • Effort: master
Spearphishing (W2 Fraud) Detected By Vade For M365

Vade Secure product Vade for M365 has detected a spearphishing attempt with W2 fraud thematic. Executive or HR impersonation phishing for social security numbers or tax identification numbers. Collected data are generally used for identity theft schemes.

  • Effort: master

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
Anti-virus Vade performs behavioral-Based Anti-Malware
Email gateway Vade for M365 blocks attacks from the first email thanks to machine learning models that perform real-time behavioral analysis of the entire email, including any URLs and attachments.

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind event
Category email
Type change, deletion, denied, info

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "{ \"id\": \"abcdefgh\", \"date\": \"2024-01-31T10:11:13.974Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"user@test.fr\", \"from_header\": \"user user@test.fr\", \"to\": \"destuser@test.fr\", \"to_header\": \"header stuff\", \"subject\": \"subject\", \"message_id\": \"ABCDEF\", \"urls\": [ { \"url\": \"https://www.test.com/\" }, { \"url\": \"http://www.test.fr\" }, { \"url\": \"https://www.test.io\" } ], \"attachments\": [ { \"id\": \"abcdef\", \"filename\": \"image006.png\", \"extension\": \"png\", \"size\": 477, \"hashes\": { \"md5\": \"abcdef\", \"sha1\": \"abcdef\", \"sha256\": \"abcdef\", \"sha512\": \"abcdef\" } }, { \"id\": \"abcdef\", \"filename\": \"sample.pdf\", \"extension\": \"pdf\", \"size\": 237284, \"hashes\": { \"md5\": \"abcdef\", \"sha1\": \"abcdef\", \"sha256\": \"abcdef\", \"sha512\": \"abcdef\" } } ], \"status\": \"LOW_SPAM\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 460793, \"current_events\": [], \"whitelisted\": true, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": { \"country_name\": \"Ireland\", \"country_iso_code\": \"IE\", \"city_name\": \"Dublin\" }, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": \"\" }",
    "event": {
        "action": "nothing",
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "email": {
        "attachments": [
            {
                "file": {
                    "extension": "png",
                    "hash": {
                        "md5": "abcdef",
                        "sha1": "abcdef",
                        "sha256": "abcdef",
                        "sha512": "abcdef"
                    },
                    "name": "image006.png",
                    "size": 477
                }
            },
            {
                "file": {
                    "extension": "pdf",
                    "hash": {
                        "md5": "abcdef",
                        "sha1": "abcdef",
                        "sha256": "abcdef",
                        "sha512": "abcdef"
                    },
                    "name": "sample.pdf",
                    "size": 237284
                }
            }
        ],
        "from": {
            "address": "user@test.fr"
        },
        "local_id": "abcdefgh",
        "message_id": "ABCDEF",
        "subject": "subject",
        "to": {
            "address": "destuser@test.fr"
        }
    },
    "related": {
        "ip": [
            "1.2.3.4"
        ]
    },
    "source": {
        "address": "1.2.3.4",
        "ip": "1.2.3.4"
    },
    "vadesecure": {
        "attachments": [
            {
                "filename": "image006.png",
                "id": "abcdef"
            },
            {
                "filename": "sample.pdf",
                "id": "abcdef"
            }
        ],
        "from_header": "user user@test.fr",
        "overdict": "clean",
        "status": "LOW_SPAM",
        "to_header": "header stuff",
        "whitelist": "true"
    }
}
{
    "message": "{\"id\": \"zekfnzejnf576rge8768\", \"date\": \"2022-02-10T13:00:05.454Z\", \"sender_ip\": \"192.168.1.1\", \"from\": \"test@sekoia.io\", \"from_header\": \"<test@sekoia.io>\", \"to\": \"test@vadesecure.com\", \"to_header\": \"\\\"test@vadesecure.com\\\" <test@vadesecure.com>\", \"subject\": \"Lorem ipsum dolor\", \"message_id\": \"<01de2305-f75b-49db-8c61-f661bd498e63.protection.outlook.com>\", \"urls\": [{\"url\": \"https://sekoia.io\"}], \"attachments\": [{\"id\": \"ca9ph2ostndl7735uht0\", \"filename\": \"image001.png\", \"extension\": \"png\", \"size\": 12894},{\"id\": \"ca9okt0kn1e8usdf633g\", \"filename\": \"archive.zip\", \"extension\": \"zip\", \"size\": 10558}], \"status\": \"LEGIT\", \"substatus\": \"\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 113475, \"current_events\": [], \"whitelisted\": false}",
    "event": {
        "action": "nothing",
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "email": {
        "attachments": [
            {
                "file": {
                    "extension": "png",
                    "name": "image001.png",
                    "size": 12894
                }
            },
            {
                "file": {
                    "extension": "zip",
                    "name": "archive.zip",
                    "size": 10558
                }
            }
        ],
        "from": {
            "address": "test@sekoia.io"
        },
        "local_id": "zekfnzejnf576rge8768",
        "message_id": "<01de2305-f75b-49db-8c61-f661bd498e63.protection.outlook.com>",
        "subject": "Lorem ipsum dolor",
        "to": {
            "address": "test@vadesecure.com"
        }
    },
    "related": {
        "ip": [
            "192.168.1.1"
        ]
    },
    "source": {
        "address": "192.168.1.1",
        "ip": "192.168.1.1"
    },
    "vadesecure": {
        "attachments": [
            {
                "filename": "image001.png",
                "id": "ca9ph2ostndl7735uht0"
            },
            {
                "filename": "archive.zip",
                "id": "ca9okt0kn1e8usdf633g"
            }
        ],
        "from_header": "<test@sekoia.io>",
        "status": "LEGIT",
        "to_header": "\"test@vadesecure.com\" <test@vadesecure.com>",
        "whitelist": "false"
    }
}
{
    "message": "{\"id\": \"ch34aoqub3glupige13g\", \"date\": \"2023-04-24T09:01:23.666Z\", \"sender_ip\": \"163.172.240.104\", \"from\": \"test@sekoia.io\", \"from_header\": \"Test SEKOIA.IO <test@sekoia.io>\", \"to\": \"test@vadesecure.com\", \"to_header\": \"\\\"test@vadesecure.com\\\" <test@vadesecure.com>\", \"subject\": \"OneDrive- Document No.: 1928578 - VadeSecure\", \"message_id\": \"<5b13d2f4-6078-4ae6-afa9-0d023b89e85a@MR2FRA01FT001.eop-fra01.prod.protection.outlook.com>\", \"urls\": [{\"url\": \"https://www.facebo\\u1ecdk.com/login.php\"}, {\"url\": \"https://www.facelbo?k.com/login.php\"}, {\"url\": \"https://www.vadesecure.com/\"}, {\"url\": \"https://sites.google.com/view/gine-office/home\"}], \"attachments\": [{\"id\": \"ch34aoqub3glupige170\", \"filename\": \"\", \"extension\": \"\", \"size\": 10558, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}, {\"id\": \"ch34aoqub3glupige17g\", \"filename\": \"\", \"extension\": \"\", \"size\": 12894, \"hashes\": {\"md5\": \"0eb4a83f99c2cd38d9d4decf809d1701\", \"sha1\": \"4665fcc8f1433dda8cd62d1234ead5ee32d4dd5f\", \"sha256\": \"f1e1783333718e2c937d7c694dacd518ccca9f219b31fbfda40e72ee16235dae\", \"sha512\": \"c6c817094c207e2d7bd12803a875bda79274fbac1c745a81dbd886d25c4147f179209073425a2e8b2f800ec3415376ef38eab64680ecb16ba9820ecde4ea8156\"}}], \"status\": \"PHISHING\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"MOVE\", \"folder\": \"JunkEmail\", \"size\": 186849, \"current_events\": [], \"whitelisted\": false, \"geo\": {\"country_name\": \"France\", \"country_iso_code\": \"FR\", \"city_name\": \"\"}, \"malware_bypass\": false}",
    "event": {
        "action": "move",
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "change"
        ]
    },
    "email": {
        "attachments": [
            {
                "file": {
                    "extension": "",
                    "hash": {
                        "md5": "7bc2b146a309acbff2da55e6b4124a82",
                        "sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b",
                        "sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368",
                        "sha512": "7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423"
                    },
                    "name": "",
                    "size": 10558
                }
            },
            {
                "file": {
                    "extension": "",
                    "hash": {
                        "md5": "0eb4a83f99c2cd38d9d4decf809d1701",
                        "sha1": "4665fcc8f1433dda8cd62d1234ead5ee32d4dd5f",
                        "sha256": "f1e1783333718e2c937d7c694dacd518ccca9f219b31fbfda40e72ee16235dae",
                        "sha512": "c6c817094c207e2d7bd12803a875bda79274fbac1c745a81dbd886d25c4147f179209073425a2e8b2f800ec3415376ef38eab64680ecb16ba9820ecde4ea8156"
                    },
                    "name": "",
                    "size": 12894
                }
            }
        ],
        "from": {
            "address": "test@sekoia.io"
        },
        "local_id": "ch34aoqub3glupige13g",
        "message_id": "<5b13d2f4-6078-4ae6-afa9-0d023b89e85a@MR2FRA01FT001.eop-fra01.prod.protection.outlook.com>",
        "subject": "OneDrive- Document No.: 1928578 - VadeSecure",
        "to": {
            "address": "test@vadesecure.com"
        }
    },
    "related": {
        "ip": [
            "163.172.240.104"
        ]
    },
    "source": {
        "address": "163.172.240.104",
        "ip": "163.172.240.104"
    },
    "vadesecure": {
        "attachments": [
            {
                "filename": "",
                "id": "ch34aoqub3glupige170"
            },
            {
                "filename": "",
                "id": "ch34aoqub3glupige17g"
            }
        ],
        "folder": "JunkEmail",
        "from_header": "Test SEKOIA.IO <test@sekoia.io>",
        "status": "PHISHING",
        "to_header": "\"test@vadesecure.com\" <test@vadesecure.com>",
        "whitelist": "false"
    }
}
{
    "message": "{\"id\": \"cgrqlp83v5prkopmecf0\", \"date\": \"2023-04-13T07:10:29.191Z\", \"sender_ip\": \"163.172.240.104\", \"from\": \"test@sekoia.io\", \"from_header\": \"Test SEKOIA.IO <test@sekoia.io>\", \"to\": \"test@vadesecure.com\", \"to_header\": \"\\\"test@vadesecure.com\\\" <test@vadesecure.com>\", \"subject\": \"Lorem ipsum dolor\", \"message_id\": \"<d0a5da95-4028-439b-b9d5-a4f220c59022@protection.outlook.com>\", \"urls\": [], \"attachments\": [{\"id\": \"cgrqlp83v5prkopmecfg\", \"filename\": \"commande.docm\", \"extension\": \"docm\", \"size\": 96009, \"hashes\": {\"md5\": \"c1ea14accbb4f5ac66beac2d3f8de531\", \"sha1\": \"bfd1de0e780a3d7f047f6de00f44eaa1868e05e2\", \"sha256\": \"6ea92f15f697ef4c78ca02fd3d72b2531f047be00a588901b3d14578ccbd9424\", \"sha512\": \"77eec978ebbc455892fbce3dafe78140962c6c25a8050a9c9f0155b27ff1a08588cbf74bb41df49c1413431d307f099547354eabb7e5f23a798192a3c673749d\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 179355, \"current_events\": [], \"whitelisted\": true, \"geo\": {\"country_name\": \"France\", \"country_iso_code\": \"FR\", \"city_name\": \"\"}, \"malware_bypass\": true}",
    "event": {
        "action": "nothing",
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "email": {
        "attachments": [
            {
                "file": {
                    "extension": "docm",
                    "hash": {
                        "md5": "c1ea14accbb4f5ac66beac2d3f8de531",
                        "sha1": "bfd1de0e780a3d7f047f6de00f44eaa1868e05e2",
                        "sha256": "6ea92f15f697ef4c78ca02fd3d72b2531f047be00a588901b3d14578ccbd9424",
                        "sha512": "77eec978ebbc455892fbce3dafe78140962c6c25a8050a9c9f0155b27ff1a08588cbf74bb41df49c1413431d307f099547354eabb7e5f23a798192a3c673749d"
                    },
                    "name": "commande.docm",
                    "size": 96009
                }
            }
        ],
        "from": {
            "address": "test@sekoia.io"
        },
        "local_id": "cgrqlp83v5prkopmecf0",
        "message_id": "<d0a5da95-4028-439b-b9d5-a4f220c59022@protection.outlook.com>",
        "subject": "Lorem ipsum dolor",
        "to": {
            "address": "test@vadesecure.com"
        }
    },
    "related": {
        "ip": [
            "163.172.240.104"
        ]
    },
    "source": {
        "address": "163.172.240.104",
        "ip": "163.172.240.104"
    },
    "vadesecure": {
        "attachments": [
            {
                "filename": "commande.docm",
                "id": "cgrqlp83v5prkopmecfg"
            }
        ],
        "from_header": "Test SEKOIA.IO <test@sekoia.io>",
        "status": "LEGIT",
        "to_header": "\"test@vadesecure.com\" <test@vadesecure.com>",
        "whitelist": "true"
    }
}
{
    "message": "{\"id\": \"zekfnzejnf576rge8768\", \"date\": \"2022-02-01T23:30:33.982Z\", \"reason\": \"The email contains a URL that is flagged as Phishing by Vade Secure Global Threat Intelligence\", \"status\": {\"status\": \"PHISHING\"}, \"actions\": [{\"action\": \"MOVE\"}], \"nb_messages_remediated\": 1, \"nb_messages_remediated_read\": 0, \"nb_messages_remediated_unread\": 1}",
    "event": {
        "action": "move",
        "category": [
            "email"
        ],
        "kind": "event",
        "reason": "The email contains a URL that is flagged as Phishing by Vade Secure Global Threat Intelligence",
        "type": [
            "info"
        ]
    },
    "vadesecure": {
        "campaign": {
            "actions": [
                {
                    "action": "MOVE"
                }
            ],
            "id": "zekfnzejnf576rge8768",
            "nb_messages_remediated": 1,
            "nb_messages_remediated_read": 0,
            "nb_messages_remediated_unread": 1
        },
        "status": "PHISHING"
    }
}
{
    "message": "{\"id\": \"zekfnzejnf576rge8768\", \"date\": \"2021-11-18T15:59:39.368Z\", \"reason\": \"\", \"actions\": [{\"action\": \"DELETE\"}, {\"action\": \"FAILED\"}], \"nb_messages_remediated\": 76, \"nb_messages_remediated_read\": 0, \"nb_messages_remediated_unread\": 76}",
    "event": {
        "action": "delete",
        "category": [
            "email"
        ],
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "vadesecure": {
        "campaign": {
            "actions": [
                {
                    "action": "DELETE"
                },
                {
                    "action": "FAILED"
                }
            ],
            "id": "zekfnzejnf576rge8768",
            "nb_messages_remediated": 76,
            "nb_messages_remediated_read": 0,
            "nb_messages_remediated_unread": 76
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
email.attachments array email.attachments
email.from.address keyword email.from.address
email.local_id keyword email.local_id
email.message_id keyword email.message_id
email.subject keyword email.subject
email.to.address keyword email.to.address
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
source.ip ip IP address of the source.
vadesecure.attachments array vadesecure.to_header
vadesecure.campaign.actions array The actions carried out for the remediation campaign.
vadesecure.campaign.id keyword The ID of the campaign
vadesecure.campaign.nb_messages_remediated long The total number of messages involved in the remediation.
vadesecure.campaign.nb_messages_remediated_read long The number of total read messages involved in the remediation.
vadesecure.campaign.nb_messages_remediated_unread long The number of total unread messages involved in the remediation.
vadesecure.folder keyword vadesecure.folder
vadesecure.from_header keyword vadesecure.from_header
vadesecure.overdict keyword vadesecure.overdict
vadesecure.status keyword vadesecure.status
vadesecure.substatus keyword vadesecure.substatus
vadesecure.to_header keyword vadesecure.to_header
vadesecure.whitelist keyword vadesecure.whitelist

Configure

Info

Consuming logs from Vade now requires the Vade Threat Intel & Investigation (TII) module. MSSP partners can benefit from this module from their Partner's Portal. Final customers are invited to contact their Vade commercial contact to setup this module.

First you need to reach the Playbooks page in order to initiate your playbook using the dedicated button.

You can directly choose the Get M365 Email Events trigger if you are creating a playbook from scratch otherwise you will have to find it within the Actions library panel under the Vade secure menu to drag and drop the trigger on the graph.

To start configuring the selected trigger, you'll need to bring Vade's documentation which can be found here. This documentation will allow you to get the following information: your client_id and your client_secret. You can also get the api_host and oauth2_authorization_url, if necessary. In most common cases, the api_host is https://m365.eu.vadesecure.com and the oauth2_authorization_url is https://api.vadesecure.com/oauth2/v2/token

Then you just have to configure the trigger itself by filling its name, by setting its frequency in seconds and by adding your Office 365 tenant identifier (tenant_id)

Lastly, you must add the Sekoia's action Push Events to intake to the graph and configure it using :

  • the Sekoia.io api_key generated within the user center
  • the base_url (https://intake.sekoia.io)
  • the events_path to push on Intake (your logs, you will probably fill it with {{ node.0['emails_path'] }})
  • the intake_key of the intake you have previously created (documentation can be found here)