In addition to supporting manual import of .eml and .msg files, ThreatConnect® allows users to set up Phishing and Feed mailboxes for automated ingestion of both Indicators and phishing emails. ThreatConnect will search each received email for Indicators, automatically import them, and then associate these Indicators with the Email Group.
NOTE: An Organization Administrator (Org Admin) needs to create the Phishing and Feed mailboxes before they can be used.
- Copy the email address of the mailbox to be used.
NOTE: This email address will need to be created and supplied beforehand by an Org Admin. If you do not know what the mailbox address is, contact an Org Admin. A System Administrator can rename the mailbox’s email address if desired (e.g., to make it more user friendly).
- After the email address has been copied, open an email provider and paste the address into the To: field of a new email. In the body of the email, add the Indicators to be ingested into ThreatConnect (Figure 1).
- Once the information has been entered, send the email.
NOTE: Remove any email signatures before sending so that the email addresses or hostnames they contain are not accidentally added as Indicators in ThreatConnect.
- From the top navigation bar in ThreatConnect (Figure 2), place the cursor over Browse, and then click on the Indicators option. A results table will display the newly added Indicators (Figure 3).
- For phishing emails, follow the same steps as for feed emails, but instead of pasting the contents of the phishing email directly into the email body, include the email as an .eml attachment (Figure 4). The subject line of the email will be its name (Summary) in ThreatConnect.
- After the email has been sent, from the top navigation bar in ThreatConnect (Figure 2), place the cursor over Browse and then over the Groups option. Click on the E-mail option, and the phishing email will be displayed in the results table (Figure 5).
- Click on the entry for the E-mail, and its Details drawer will be displayed (Figure 6).
- Click the Details icon at the top right corner of the drawer, and the Overview tab of the Details screen will be displayed (Figure 7). Alternatively, hover over the object's entry in the table in Figure 5 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
- Click the UPDATE ANALYSIS button, and the Import screen of the Import E-mail window will be displayed (Figure 8).
- Click the Next button, and the Score screen will be displayed (Figure 9).
- Click the Next button, and the Indicators screen will be displayed (Figure 10).
- Find the Indicators highlighted in the email header and body, and add them into ThreatConnect by hovering over them and then clicking the ADD INDICATOR button, as demonstrated for the Indicator at the bottom of the screen in Figure 10. They will appear under the NEW heading on the right (Figure 11). The Indicators under the EXISTING heading are hyperlinked. Clicking on one will display that Indicator’s Details screen.
NOTE: The Indicators found in the email will be associated with the Email Group only if they already exist within the Organization, Community, or Source to which the phishing mailbox belongs.
- Click the Next button, and the Confirm screen will be displayed (Figure 12).
- Verify the data. Then click the SAVE button.
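The two submission types described in the steps above can also be prepared by script. The following is an added example, not ThreatConnect code: the mailbox and sender addresses, the sample phishing message, and the function names are constructed placeholders, and it assumes signatures follow the conventional "-- " delimiter line. It only builds the messages; sending is left to your mail client or relay.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Placeholder addresses (assumptions): use the mailbox address supplied by your Org Admin.
FEED_MAILBOX = "feed-mailbox@threatconnect.example"
PHISH_MAILBOX = "phishing-mailbox@threatconnect.example"
SENDER = "analyst@corp.example"
# Constructed sample of a reported phishing message (.eml contents).
SAMPLE_EML = (b"From: it-support@phish.example\r\nTo: user@corp.example\r\n"
              b"Subject: Password expires today\r\n\r\n"
              b"Log in at http://login.phish.example/reset\r\n")


def strip_signature(body: str) -> str:
    """Drop everything from the "-- " signature delimiter onward, so the
    sender's own address or hostname is not ingested as an Indicator."""
    kept = []
    for line in body.splitlines():
        if line in ("-- ", "--"):
            break
        kept.append(line)
    return "\n".join(kept).strip() + "\n"


def build_feed_email(indicators, signature=""):
    """Feed mailbox: Indicators go directly in the body, with no signature."""
    msg = EmailMessage()
    msg["From"], msg["To"] = SENDER, FEED_MAILBOX
    msg["Subject"] = "Indicators for ingestion"
    msg.set_content(strip_signature("\n".join(indicators) + "\n" + signature))
    return msg


def build_phishing_email(eml_bytes: bytes, summary: str):
    """Phishing mailbox: attach the original message as an .eml file.
    The subject line becomes the Email's name (Summary) in ThreatConnect."""
    msg = EmailMessage()
    msg["From"], msg["To"] = SENDER, PHISH_MAILBOX
    msg["Subject"] = summary
    msg.set_content("Reported phishing email attached.\n")
    original = message_from_bytes(eml_bytes, policy=policy.default)
    msg.add_attachment(original, filename="reported.eml")  # message/rfc822 part
    return msg


if __name__ == "__main__":
    sig = "-- \nJane Analyst\njane@corp.example\n"  # constructed signature
    print(build_feed_email(["198.51.100.7", "bad-domain.example"], sig).get_content())
    print(build_phishing_email(SAMPLE_EML, "Phish: password reset lure")["Subject"])
```

Attaching the original message as `message/rfc822` keeps its headers intact, which is what the Import E-mail analysis highlights Indicators from.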