Email Import

Last Updated: Nov 19, 2019 06:02PM EST
An .eml or .msg file


A malicious or suspicious email can be imported into ThreatConnect® as an Email Group. ThreatConnect will search for Indicators, allow the user to select which Indicators to import, and then associate these Indicators to the Email Group. Optionally, these same Indicators can be associated to one or more Victims. Once the Email Group is created, the original email, email headers, and all associated Indicators can be viewed.

Importing an Email

  1. From the top navigation bar (Figure 1), place the cursor over Import, and select the E-mail option (Figure 2).
  2. The Import E-mail screen will be displayed (Figure 3).
  3. Click the + IMPORT MSG OR EML FILE button to navigate to a local directory and select a file. After the file is selected, the email information form will be populated with the details from the email (Figure 4).
    • Click on the Owner dropdown menu to select the Organization, Community, or Source to which the Email Group should be imported.
    • Select the Include Shared Data In Analysis checkbox to include crowd analytics, if available. When this feature is enabled, the email will be rated based on Indicators from the user’s connections and Communities, as well as Indicators from within the email. When Indicators are evaluated within the email, the user’s own Indicator ratings will be analyzed first to determine the score of the email. If there are no Indicators, the average ratings of those Indicators across the user’s connections and Communities will be evaluated.
      NOTE: When importing an email into an Organization, the data will be pulled from the Organization and the Communities and Sources to which the Organization has access. When importing an email into a Community or Source, this checkbox will not be present, as only data from that Community or Source are used to evaluate and score the email.
    • Click the Next button.
  4. The Score screen will be displayed (Figure 5).
    • The Score Total card displays the Threat Score of the email. If the email is being imported into an Organization and the Include Shared Data in Analysis option was selected in the previous screen, then this score is based on the findings in other Organizations, Communities, and Sources. If the email is being imported into a Community or Source or if it is being imported into an Organization and the Include Shared Data In Analysis option was not selected in the previous screen, then this score is based only on the findings within the owner into which the email is being imported.
    • The Score card explains the rules that were used to determine the Score Total.
      NOTE: Private Instance users should contact their System Administrator for details on the email scoring rules configured for their instance of ThreatConnect.
    • Click the Next button.
  5. The Indicators screen will be displayed (Figure 6). This screen highlights all Indicators found in the header and body of the email.
    • Switch between the Header and Body sections by using the dropdown menu at the top left.
    • In the Indicators card on the left, select desired Indicators by hovering the cursor over the Indicator and clicking the ADD INDICATOR button that appears.
    • In the Indicator List card on the right, Indicators that already exist in the target Organization, Community, or Source will be listed in the Existing section as a hyperlink. Clicking on the Indicator will open up the Indicator’s Details screen.
    • Any Indicator that is added from the Indicators card on the left will be listed in the New section of the Indicator List card.
    • Indicators that are part of an Indicator Exclusion List will be listed in the Excluded section of the Indicator List card, along with a brief explanation of which exclusion rule they fall under. See Creating Indicator Exclusion Lists for more information.
    • Click the Next button.
  6. The Victims screen will be displayed (Figure 7).
    • To associate the email with a Victim, select or add Victims from the Victims card on the left and click the ADD button. Next, drag the Victim’s email address from the Unassigned Email Addresses card on the right to the Victims card.
    • Click the Next button.
  7. The Confirm screen will be displayed (Figure 8). The Confirm screen provides an overview of the data being imported before any action is taken. Once the data are verified, click the SAVE button and the new Email will be imported.
  8. The Details screen for the new Email will now be displayed (Figure 9), showing all the properties of the email, including the Body, Header, and Score Breakdown.
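
The Header/Body split and the Existing, New, and Excluded lists described in step 5 can be reproduced offline to pre-check an .eml file before importing it. The following Python is an added example, not ThreatConnect code: the regular expressions, the `triage` and `find_indicators` functions, and the sample message are assumptions constructed for illustration and do not reflect how ThreatConnect parses email.

```python
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Constructed sample message; hosts and addresses use reserved documentation ranges.
SAMPLE_EML = """\
Received: from mail.example.net (mail.example.net [203.0.113.45])
 by mx.victim.example with ESMTP; Tue, 19 Nov 2019 10:00:00 -0500
From: "Billing" <billing@example.net>
To: alice@victim.example

Please review your invoice at http://pay.example.org/invoice?id=1 today.
Questions: reply to support@example.org or connect to 198.51.100.7.
"""

# Simplified patterns chosen for this example, not ThreatConnect's parsing rules.
PATTERNS = {
    "url": re.compile(r"https?://[^\s<>\"']+"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def is_valid(kind, value):
    """Reject dotted quads that are not IPv4 addresses (e.g. 999.1.1.1)."""
    try:
        return kind != "ip" or bool(ipaddress.IPv4Address(value))
    except ValueError:
        return False

def find_indicators(text):
    """Return the set of (kind, value) candidates found in text."""
    hits = ((k, m.rstrip(".,;)")) for k, rx in PATTERNS.items() for m in rx.findall(text))
    return {(k, v) for k, v in hits if is_valid(k, v)}

def triage(eml_text, existing=frozenset(), excluded=frozenset()):
    """Group candidates by section (Header/Body) and list (Existing/New/Excluded)."""
    msg = message_from_string(eml_text, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    sections = {"Header": "\n".join(f"{k}: {v}" for k, v in msg.items()),
                "Body": body.get_content() if body else ""}
    report = {}
    for section, text in sections.items():
        lists = {"Existing": [], "New": [], "Excluded": []}
        for kind, value in sorted(find_indicators(text)):
            name = "Excluded" if value in excluded else "Existing" if value in existing else "New"
            lists[name].append((kind, value))
        report[section] = lists
    return report
```

Pass the values already present in the target owner as `existing` and the contents of the exclusion list as `excluded`; exclusion takes precedence when a value appears in both.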

20007-07 EN Rev. B
