Set up phishing and feed mailboxes for automated ingestion of indicators and phishing emails
ThreatConnect allows users to setup phishing and feed mailboxes for automated ingestion of both indicators and phishing emails. These mailboxes can be setup to receive emails directly from network devices or receive the headers in the form of attachments. Upon ingestion or import of the email, the indicators will be parsed, enriched and associated to the email in the platform. Optionally, these indicators can be associated with one or more victims. Once the email group is created, the original email, email headers, and all associated indicators can be viewed. If the indicators reach a threshold defined by the user, they can be automatically sent to your SIEM (ex. Splunk), blocked in the firewall, sent to a sandbox or automated malware analysis (AMA) solutions for analysis, sent to endpoints or tickets can be created. When an email is ingested, scores are derived based on the indicators’ confidence and criticality ratings.
In the below Playbook, upon receipt of a suspected phishing email in the ThreatConnect mailbox, an automated email will be sent to the sender with instructions, and a thank you for their action. The email and attachments will then be parsed; where the indicators will be associated to the original email. Files will then be stripped and sent to a sandbox or AMA for analysis. The Playbook will then associate the analysis and telemetry from the AMA to the original email. If indicators are critical enough, they can be blocked in the firewall and/or a ticket can be created in a ticketing system.
This Playbook can be expanded to query endpoints or asset management systems. All Playbooks are repeatable templates and can be changed to facilitate the uniqueness of each enterprise. These types of Playbooks can ingest multiple files and file types for adding to the malware vault for use in any AMA.