Announcing Email Intelligence for Microsoft 365

For most organizations, typosquats and abusive domains show up in email before they show up anywhere else: in the From: domain, in a link in the body, or buried in a redirect chain that only resolves after a few hops. Have I Been Squatted already draws on registrations, Certificate Transparency logs, and passive DNS for broad discovery. Microsoft 365 tenant mail is now an additional source, and for many organizations that data is already there, waiting.
Email Intelligence for Microsoft 365 is now available on Have I Been Squatted. Once a Microsoft 365 tenant is connected, Have I Been Squatted reads domain threat intelligence from mail and surfaces it alongside the lookup results, rules, and alerts already used for domain monitoring. Optionally, it can also push sender blocks back into Microsoft 365 automatically when a finding warrants it.
- Step 1: Microsoft 365 (tenant mail telemetry)
- Step 2: Email metadata ingestion (domains into lookups)
- Step 3: Have I Been Squatted (rules and alerts)
- Step 4: Watchdog (sender blocks)
- Step 5: Microsoft 365 (tenant block list)
Email ingestion and Watchdog can be enabled independently on your connected tenant.
Email ingestion and domain threat intelligence
Email ingestion uses Microsoft Defender Advanced Hunting to pull domain-only telemetry from the tenant, including URLs in messages, sender domains, and related fields. Message content is never accessed or stored. Have I Been Squatted matches the extracted domains to monitored domains, attributes them, and writes them into lookup results marked as discovered via Microsoft Defender Advanced Hunting.

From there, the same rules, tags, alerts, and enrichment apply as for any other finding. The only difference is provenance: the domain showed up in tenant mail, not in a registration feed that caught up weeks later. Ingestion does not block anything, so teams that only want earlier signal can run it without touching Watchdog.
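To see what domain-only mail telemetry looks like in your own tenant, the Advanced Hunting query below unions sender domains and link domains and reports when each watched domain first appeared. It is an added example, not Have I Been Squatted's own query; the 7-day window and the watchlist entries are constructed, and the table and column names are the standard Advanced Hunting email schema.

```kusto
// Added example: domain-only view of tenant mail in Defender Advanced Hunting.
// The lookback window and watchlist values are constructed for illustration.
let lookback = 7d;
let watch = dynamic(["examp1e.com", "example-login.com"]); // constructed lookalike domains
// Sender side: the From: domain of each message, no subject or body fields.
let senders = EmailEvents
    | where Timestamp > ago(lookback)
    | project Timestamp, NetworkMessageId, Domain = tolower(SenderFromDomain), Source = "sender";
// Link side: the domain of each URL found in a message.
let links = EmailUrlInfo
    | where Timestamp > ago(lookback)
    | project Timestamp, NetworkMessageId, Domain = tolower(UrlDomain), Source = "url";
union senders, links
| where isnotempty(Domain)
| where Domain in (watch)
// One row per domain: when it first and last appeared, in how many messages, and where.
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Messages = dcount(NetworkMessageId),
            Sources = make_set(Source)
    by Domain
| order by FirstSeen asc
```

Comparing `FirstSeen` with the date a domain showed up in a registration or Certificate Transparency feed shows how much earlier the mail signal arrived.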
Watchdog and sender blocks in Microsoft 365
When a lookup flags a malicious sender domain and it passes active rules and heuristics, Watchdog adds a sender block to the Tenant Allow/Block List in Exchange Online. Subsequent messages from that domain are quarantined in Microsoft 365 without any manual intervention.
Blocks expire after 30 days by default and include a note referencing the lookup that triggered them. Watchdog is independent of ingestion and can be enabled once a baseline of mail-sourced findings is established.

Turn it on
Email Intelligence is available to Enterprise customers as an add-on feature, starting today.
- In the Have I Been Squatted console, open "Integrations" and select "Microsoft 365 Email Intelligence".
- Enable "Email ingestion", "Watchdog", or both.
- Complete the Microsoft OAuth consent flow as an administrator and save your settings, adding protected domains if Watchdog is on.
Abusive domains targeting an organization tend to appear in mail long before any other detection surface sees them. Email Intelligence closes that gap, and Watchdog ensures that once a sender domain is scored as malicious, response follows quickly and automatically.