Email Import

Last Updated: Oct 29, 2018 03:16PM EDT
An .eml or .msg file


A malicious or suspicious email can be imported into ThreatConnect® as an Email Group. ThreatConnect will search for Indicators, allow the user to select which Indicators to import, and then associate these Indicators to the Email Group. Optionally, these same Indicators can be associated to one or more Victims. Once the Email Group is created, the original email, email headers, and all associated Indicators can be viewed.


  1. From the top navigation bar (Figure 1), place the cursor over IMPORT, and select the EMAIL option (Figure 2).
  2. The Import E-mail screen will appear. Click the + IMPORT MSG OR EML FILE button to navigate to a local directory and select a file. After the file is selected, the email information form will be populated with the details from the email (Figure 3).
    • Click on the Owner dropdown menu to select the Organization, Community, or Source to which the Group should be added.
    • Check the Include Shared Data In Analysis box to include crowd analytics. When this feature is enabled, the email will be rated based on Indicators from the user’s connections and Communities, as well as Indicators from within the email. When Indicators are evaluated within the email, the user’s own Indicator ratings will be analyzed first to determine the score of the email. If there are no Indicators, the average ratings of those Indicators across the user’s connections and Communities will be evaluated.
      NOTE: When importing an email into an Organization, the data will be pulled from the Organization and the Communities and Sources to which the Organization has access. When importing an email into a Community or Source, only data from that Community or Source are used to evaluate and score the email.
    • Click the Next button.
  3. The Score screen will appear (Figure 4).
    • Score Total displays the Threat Score of the email. This score is based on the findings in other Organizations, Communities, and Sources if the Include Shared Data In Analysis option was selected in the previous screen.
    • The Score panel explains the rules that were used to determine the Score Total.
    • Click the Next button.
  4. The Indicators screen will appear (Figure 5). This screen highlights all Indicators found in the header and body of the email.
    • Switch between the Header and Body sections using the dropdown menu.
    • On the left, select desired Indicators by hovering the cursor over the Indicator and selecting Add Indicator. Indicators that already exist will be listed on the right in the EXISTING section as a hyperlink. Clicking on the Indicator will open up the Indicator’s Details screen.
    • Any Indicator that is selected will be listed on the right in the NEW section.
    • Click the NEXT button.
  5. The Victims screen will appear (Figure 6).
    • To associate the email with a Victim, select or add Victims from the Victims section and click the ADD button. Next, drag the Victim’s email address from the Unassigned Email Addresses section on the right to the Victims section on the left.
    • Click the Next button.
  6. The Confirm screen will appear (Figure 7). The Confirm screen provides an overview of what is being imported before any action is taken. Once the data are verified, click the SAVE button and the new Email will be imported.
  7. The Details screen for the new Email will now be displayed (Figure 8), showing all the properties of the email, including the Body, Header, and Score Breakdown.
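To preview what the Indicators screen in step 4 is likely to surface before importing a file, the sketch below splits an .eml into header and body and lists candidate indicators in each. It is an added example, not ThreatConnect code or its parsing logic; the regular expressions, the function names, the `ip`/`email`/`url` labels, and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample message (documentation-range IP, reserved example domains).
SAMPLE_EML = """\
Received: from mail.example.net (mail.example.net [203.0.113.45])
 by mx.example.org; Mon, 29 Oct 2018 10:00:00 -0400
From: "Billing" <billing@example.net>
To: alice@example.org
Subject: Invoice overdue
Content-Type: text/plain; charset="utf-8"

Your invoice is overdue. Pay at http://pay.example.com/invoice?id=7
or write to support@example.net.
"""

# Assumed, deliberately simple patterns; a real parser also handles IPv6, defanging, etc.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://[^\s<>\"']+"),
}

def find_indicators(text):
    """Return {label: sorted unique matches} for one section of the email."""
    found = {}
    for label, rx in PATTERNS.items():
        hits = sorted(set(rx.findall(text)))
        if hits:
            found[label] = hits
    return found

def extract_candidates(raw_eml):
    """Split a raw .eml into Header and Body and list candidate indicators in each."""
    msg = message_from_string(raw_eml, policy=default)
    # The default policy unfolds continuation lines, so folded Received headers match.
    header_text = "\n".join(f"{name}: {value}" for name, value in msg.items())
    part = msg.get_body(preferencelist=("plain", "html"))
    body_text = part.get_content() if part else ""
    return {"Header": find_indicators(header_text), "Body": find_indicators(body_text)}

if __name__ == "__main__":
    for section, labels in extract_candidates(SAMPLE_EML).items():
        for label, values in labels.items():
            print(section, label, values)
```

Recipient addresses found in the header (here `alice@example.org`) are the ones that would typically be assigned to Victims in step 5 rather than imported as Indicators.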

20007-06 EN Rev. B
