Phishing Mailboxes receive malicious or suspicious emails that have been flagged by the Email Security Gateway, or emails in .msg or .eml format that have been flagged by a security analyst. When creating a Phishing Mailbox, the Administrator must specify whether the mailbox is meant to receive emails directly from network devices or to receive email headers in the form of attachments. ThreatConnect® will parse these emails. When parsing is complete and the email meets the minimum email scoring threshold, ThreatConnect will create an Email object and a Task object, and will link previously existing Indicators to the Email object if they are found in the header or body.
- On the top navigation bar (Figure 1), hover the cursor over the Settings icon and select ORG SETTINGS from the dropdown menu (Figure 2).
- The Organization Settings screen will appear (Figure 3).
- Click the Email tab, and the Email screen will appear (Figure 4).
NOTE: For Communities and Sources, access the Email screen by going to the Community Config or Source Config screen (see ThreatConnect Community and Source Administration Guide for more information) and clicking on the Email tab. The Community Config or Source Config screen may be accessed by clicking on POSTS in the top navigation bar, selecting a Community or Source from the My ThreatConnect card on the left-hand side, clicking on the Community/Source Settings icon at the top left, and then clicking on the Email tab.
- Click the Create Phishing Mailbox button, and the Phishing Mailbox Administration wizard will appear (Figure 5).
NOTE: A System Administrator can modify the Target Mailbox name at this step.
- Click in the Minimum Score Threshold box, or on the Plus (+) or Minus (-) signs, to select the minimum score that an email must meet in order to be processed.
- Click one of the Parse Type radio buttons to select whether the body of the email or the attachment should be parsed.
NOTE: If the phishing mailbox is to parse out Victims, the Use Attachment option must be selected.
- Click the Include recipients as victims radio button to create an association between the email and the Victim asset.
NOTE: The association is created only if the Victim asset already exists in ThreatConnect.
- Click the Exclude recipients from header radio button to remove the 'To' email field from the header during import, thus making the Victim's email address anonymous.
- Click the Save Sender as Victim checkbox to create an association between the sender and the Victim asset.
- Click inside the Description text box to enter a description for this mailbox.
- Click inside the Tags text box to specify tags for this mailbox.
- Click the Next button and proceed through the steps required for ThreatConnect to assign a task to an analyst when new emails arrive.
- Click the SAVE button to confirm.