Malicious Actors Sending Phish Using Microsoft Secure Messaging Platform

I found one article talking about this type of attack that was written two years ago. I can’t believe more people aren’t talking about this. I’m seeing emails being sent from a compromised M365 account using Microsoft Purview. Sending this way ends up with only a notification of a secure message being sent to the intended target. If the email is examined before delivery or even after delivery, nothing can be seen of the malicious message. The only way to see the payload is to be authenticated to M365 using the target’s credentials. This makes phishing email analysis virtually impossible. I’m left with determining whether or not a message sent through Purview is malicious by looking at the list of recipients it was sent to, and even then having no way to definitively state with 100% accuracy that an email is malicious without somehow logging onto M365 using the target’s credentials.

If you’ve seen these malicious Microsoft Purview messages and you have a way to examine the payload, please let me know!

–Matt
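The recipient-list triage described in the post can be sketched in code. This is an added example, not the author's tooling. It assumes the encrypted wrapper can be recognised by a `Content-Class: rpmsg.message` header or an `.rpmsg` attachment of type `application/x-microsoft-rpmsg-message`; the threshold of 3, the function names and the sample messages are constructed for illustration.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

RPMSG_TYPE = "application/x-microsoft-rpmsg-message"

def is_encrypted_wrapper(msg):
    """True if the message looks like a rights-protected (rpmsg) wrapper."""
    if (msg.get("Content-Class") or "").strip().lower() == "rpmsg.message":
        return True
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == RPMSG_TYPE or name.endswith(".rpmsg"):
            return True
    return False

def recipients(msg):
    """Lower-cased To/Cc addresses; Bcc is not visible in a delivered copy."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def fan_out(raw_messages, threshold=3):
    """Map each sender of encrypted wrappers to its recipients, summed over
    all messages, keeping senders that reached `threshold` or more."""
    seen = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        if not is_encrypted_wrapper(msg):
            continue  # payload is readable, so normal analysis applies
        senders = getaddresses(msg.get_all("From", []))
        sender = senders[0][1].lower() if senders else "(no From header)"
        seen[sender] |= recipients(msg)
    return {s: sorted(r) for s, r in seen.items() if len(r) >= threshold}

def sample(sender, to, encrypted):
    """Build a constructed test message (not real traffic)."""
    headers = [f"From: {sender}", f"To: {to}", "Subject: constructed sample"]
    if encrypted:
        headers += ["Content-Class: rpmsg.message",
                    f'Content-Type: {RPMSG_TYPE}; name="message.rpmsg"']
    else:
        headers.append("Content-Type: text/plain")
    return "\n".join(headers) + "\n\nplaceholder body\n"

SAMPLES = [  # constructed input
    sample("hr@vendor.example", "a@corp.example", True),
    sample("hr@vendor.example", "b@corp.example, c@corp.example", True),
    sample("hr@vendor.example", "d@corp.example", False),
    sample("legal@partner.example", "a@corp.example", True),
]

if __name__ == "__main__":
    print(fan_out(SAMPLES))
```

Counting recipients per sender across messages matters because each delivered copy may list only one address. A hit is a lead for review, not proof that the message is malicious.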
