In addition to supporting manual importing of .eml and .msg files, ThreatConnect® allows users to set up Phishing and Feed mailboxes for automated ingestion of both Indicators and phishing emails. ThreatConnect will search for Indicators, automatically import them, and then associate these Indicators with the Email Group.
NOTE: An Organization Administrator (Org Admin) needs to create the Phishing and Feed Mailboxes before they can be used.
- Copy the email address of the mailbox to be used.
NOTE: This email address will need to be created and supplied beforehand by an Org Admin. If you do not know what the mailbox address is, contact an Org Admin. Also, a System Administrator can rename the mailbox’s email address if desired (e.g., to make it more user friendly).
- After the email address has been copied, open up an email provider and paste the email address into the To: field of a new email. In the body of the email, add the Indicators to be ingested into ThreatConnect (Figure 1).
- Once the necessary information has been entered, send the email.
NOTE: Remove any email signatures so that the email addresses or hostnames they contain are not accidentally added as Indicators in ThreatConnect.
- From the top navigation bar in ThreatConnect (Figure 2), place the cursor over BROWSE, and then click on the INDICATORS option. A results table will display the newly added Indicators (Figure 3).
- For phishing emails, follow the same steps as for feed emails, but instead of pasting the contents of the phishing email directly into the email body, include the email as an .eml attachment (Figure 4). The title of the email will be its name in ThreatConnect.
- After the email has been sent, from the top navigation bar in ThreatConnect (Figure 2), place the cursor over BROWSE and then over the GROUPS option. Click on the E-MAIL option, and the phishing email will appear in the results table (Figure 5).
- Click on the entry for the E-mail, and the Details flyout will appear (Figure 6).
- Click the Details icon at the top right corner of the flyout, and the Overview tab of the Details screen will appear (Figure 7). Alternatively, hover over the object's entry in the table in Figure 5 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
- Click the UPDATE ANALYSIS button, and the Import E-mail screen will appear (Figure 8).
- Click the Next button until the Indicators screen appears (Figure 9).
- Find the Indicators highlighted in the email header and body, and add them into ThreatConnect by hovering over them and then clicking the ADD INDICATOR button, as demonstrated for the Indicator at the bottom of the screen in Figure 9. They will appear under the NEW heading on the right (Figure 10). The Indicators under the EXISTING heading are hyperlinked. Clicking on one will make that Indicator’s Details screen appear.
NOTE: The Indicators found in the email will be associated with the Email Group only if they already exist within the Organization, Community, or Source to which the phishing mailbox belongs.
- Click the Next button to arrive at the Confirm screen. Once the data are verified, click the SAVE button.
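The phishing-mailbox submission described above can also be prepared in a script. This added example is not ThreatConnect code: it wraps a saved email as an .eml attachment without altering its headers and rejects a wrapper body that contains an address or hostname, as a signature would. The mailbox address, the sample email, the attachment MIME type, and reading "title" as the subject line are all assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample: raw bytes of a saved suspicious email (.eml export).
SAMPLE_EML = (
    b"Received: from mail.example.net (mail.example.net [203.0.113.7])\r\n"
    b"From: IT Support <helpdesk@example.net>\r\n"
    b"To: user@example.org\r\n"
    b"Subject: Password expires today\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Reset your password at http://login.example.net/reset\r\n"
)

# Email addresses or hostname-like strings that a signature would leak into the body.
STRAY = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def body_is_clean(text: str) -> bool:
    """True when the wrapper body holds nothing that looks like an Indicator."""
    return STRAY.search(text) is None

def build_submission(raw_eml: bytes, mailbox: str, sender: str, title: str,
                     body: str = "Suspected phishing email attached.") -> EmailMessage:
    """Wrap a saved email, byte for byte, as an .eml attachment for the mailbox."""
    if not body_is_clean(body):
        raise ValueError("wrapper body contains an address or hostname (signature?)")
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = sender
    msg["To"] = mailbox          # placeholder; the real address comes from an Org Admin
    msg["Subject"] = title       # assumption: the "title" is the subject line
    msg.set_content(body)
    # Assumption: application/octet-stream, so the bytes are base64-encoded untouched.
    msg.add_attachment(raw_eml, maintype="application",
                       subtype="octet-stream", filename="reported.eml")
    return msg

def attached_eml(wire: bytes) -> bytes:
    """Parse a serialized submission and return the .eml attachment's bytes."""
    parsed = message_from_bytes(wire, policy=policy.default)
    for part in parsed.iter_attachments():
        if (part.get_filename() or "").lower().endswith(".eml"):
            return part.get_content()
    raise LookupError("no .eml attachment found")

if __name__ == "__main__":
    m = build_submission(SAMPLE_EML, "phishing-mailbox@example.invalid",
                         "analyst@example.org", "Password expires today (reported)")
    print(m["Subject"], "| attachment intact:", attached_eml(m.as_bytes()) == SAMPLE_EML)
```

Sending the resulting message is left to the organization's own mail client or relay.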