Skip to main content
Download the Buyer’s Guide for Cyber Risk Quantification Solutions
Download Guide
Request a Demo

Orchestrate Actions Based on Automating Phishing Email Analysis

Set up phishing and feed mailboxes for automated ingestion of indicators and phishing emails

ThreatConnect allows users to setup phishing and feed mailboxes for automated ingestion of both indicators and phishing emails. These mailboxes can be setup to receive emails directly from network devices or receive the headers in the form of attachments. Upon ingestion or import of the email, the indicators will be parsed, enriched and associated to the email in the platform. Optionally, these indicators can be associated with one or more victims. Once the email group is created, the original email, email headers, and all associated indicators can be viewed. If the indicators reach a threshold defined by the user, they can be automatically sent to your SIEM (ex. Splunk), blocked in the firewall, sent to a sandbox or automated malware analysis (AMA) solutions for analysis, sent to endpoints or tickets can be created. When an email is ingested, scores are derived based on the indicators’ confidence and criticality ratings.

In the below Playbook, upon receipt of a suspected phishing email in the ThreatConnect mailbox, an automated email will be sent to the sender with instructions, and a thank you for their action. The email and attachments will then be parsed; where the indicators will be associated to the original email. Files will then be stripped and sent to a sandbox or AMA for analysis. The Playbook will then associate the analysis and telemetry from the AMA to the original email. If indicators are critical enough, they can be blocked in the firewall and/or a ticket can be created in a ticketing system.

This Playbook can be expanded to query endpoints or asset management systems. All Playbooks are repeatable templates and can be changed to facilitate the uniqueness of each enterprise. These types of Playbooks can ingest multiple files and file types for adding to the malware vault for use in any AMA.

About the Author


By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at