FireEye Stories

Detecting Malicious Email Attachments in Your Outlook Inbox

In this post, I’m going to demonstrate how I use Microsoft Flow and FireEye’s Detection on Demand API to automatically detect and delete emails with malicious attachments from my Outlook inbox. If you or your company subscribes to Office365, then you probably have access to Flow. The easiest way to check is to navigate to the Microsoft Flow website and login with personal or work account. The flow template that I created has been submitted for review to be published in the public Flow templates page, but until it’s published you can download the Malicious Email Detection Flow and import it into your flow account.

Initialization

The flow is set up to activate if you receive an email with attachments in your inbox. If an email with one or more attachments is received, then the flow will initialize the DoD (Detection on Demand) API. The flow will only execute successfully if the API key is provided, so you will need to obtain a free trial key following the instructions from our developer portal.

Scanning Loop

Next, the flow will submit each attachment to the DoD API and then check the status of each submission every 10 seconds until the report is finished. The flow will check each report result, setting the malicious email flag to true if any of the reports detected a malicious file.

Taking Action

The final step is to move the email to the trash folder if it contains a malicious attachment, as determined by the malicious email flag variable. You can specify the email be moved to a different folder if you prefer, such as a “Quarantine” folder, but make sure you create the folder in your Outlook account first.

Summary

Microsoft Flow is an easy way to automate tasks in your Office365 environment without the need to write code or host it, and this template is a working example of how you can use security products like FireEye’s Detection on Demand to add an additional layer of security to your workflow.

This flow isn't intended to replace more robust email security solutions, as it requires each user to configure the flow for their account and it only scans email attachments. For enterprise level protection, check out FireEye Cloud Email Security for Office365.