Mailbox-phishing Workflow

Overview

The Mailbox-phishing workflow automates the triage of reported phishing emails: it extracts URLs from suspicious messages retrieved from Outlook, submits them to ANY.RUN for sandbox analysis, and reads back the verdict. If a URL is judged malicious, the workflow creates a threat indicator (IOC) in CrowdStrike and notifies the security team in Slack.

How It Works (Step-by-Step)

  1. Email Retrieval: Fetches suspicious emails from a monitored Outlook mailbox.
  2. URL Extraction: Identifies and extracts URLs from the email content (body text and links).
  3. Analysis Submission: Submits each extracted URL to ANY.RUN for sandbox analysis.
  4. Report Retrieval: Retrieves the ANY.RUN analysis report and its verdict for review.
  5. Indicator Creation: If the verdict is malicious, creates an IOC in CrowdStrike.
  6. Notification: Posts a summary of the findings to a designated Slack channel.
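The six steps above, carried through offline as an added Python example (not the workflow's own code, nor any Outlook, ANY.RUN, CrowdStrike or Slack SDK): it parses a constructed sample message, extracts URLs from both the plain-text and HTML parts, applies a verdict gate to a constructed sandbox report, builds an indicator record for the malicious host, and formats a defanged Slack summary. The sample email, the report field names (`verdict`, `score`, `tags`) and the indicator fields are assumptions made for this example; the live connections to the four services are replaced by in-memory data.

```python
"""Offline model of the Mailbox-phishing pipeline (steps 2-6).
Network calls are deliberately absent; inputs are constructed inline."""
import re
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real capture). The HTML anchor shows
# friendly text while its href points at a different host, the usual trick.
SAMPLE_EMAIL = b"""From: "IT Helpdesk" <helpdesk@example.invalid>
To: alice@example.com
Subject: Password expires today
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your password expires today. Reset it at https://login.example.net/reset?u=alice
--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="http://portal-update.example.org/x">Reset your password</a></p>
<p><a href="mailto:helpdesk@example.invalid">Help</a></p>
</body></html>
--b1--
"""

# Constructed stand-in for the step 4 report. Field names are an assumption
# for this example, not ANY.RUN's actual report schema.
SAMPLE_REPORTS = {
    "https://login.example.net/reset?u=alice": {"verdict": "no threats", "score": 0},
    "http://portal-update.example.org/x": {"verdict": "malicious", "score": 100,
                                           "tags": ["phishing"]},
}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


class _HrefCollector(HTMLParser):
    """Collect href targets only; anchor text is ignored on purpose because
    phishing mail routinely shows a trusted-looking string as the link text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def extract_urls(raw):
    """Step 2: de-duplicated http(s) URLs from every text part, in order seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        if ctype == "text/html":
            collector = _HrefCollector()
            collector.feed(body)
            found.extend(collector.hrefs)
        found.extend(URL_RE.findall(body))
    seen, urls = set(), []
    for u in found:
        u = u.rstrip(".,;")  # trailing punctuation from prose, not part of the URL
        if urlsplit(u).scheme.lower() in ("http", "https") and u not in seen:
            seen.add(u)
            urls.append(u)
    return urls


def is_malicious(report, threshold=70):
    """Step 5 gate: an explicit malicious verdict or a high score counts."""
    return report.get("verdict") == "malicious" or report.get("score", 0) >= threshold


def defang(url):
    """Render a URL non-clickable before it lands in chat or a ticket."""
    return url.replace("http", "hxxp", 1).replace("://", "[:]//").replace(".", "[.]")


def build_ioc(url, report):
    """Indicator record for the URL's host. Fields are an assumption modelled
    on a custom domain indicator; the exact CrowdStrike payload is not shown."""
    return {"type": "domain", "value": urlsplit(url).hostname or "",
            "action": "detect", "severity": "high",
            "description": "Phishing URL from mailbox triage; sandbox verdict: "
                           + str(report.get("verdict"))}


def triage(raw, reports):
    """Steps 2-6 end to end: returns extracted URLs, IOCs to create, Slack text."""
    urls = extract_urls(raw)
    iocs, hosts, lines = [], set(), []
    for url in urls:
        report = reports.get(url, {})  # live version submits to the sandbox here
        if is_malicious(report):
            ioc = build_ioc(url, report)
            if ioc["value"] not in hosts:  # one indicator per host
                hosts.add(ioc["value"])
                iocs.append(ioc)
            lines.append(":rotating_light: MALICIOUS " + defang(url))
        elif report:
            lines.append(":white_check_mark: clean " + defang(url))
        else:  # no report is not the same as clean; surface it for an analyst
            lines.append(":grey_question: no report " + defang(url))
    return {"urls": urls, "iocs": iocs, "slack_text": "\n".join(lines)}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL, SAMPLE_REPORTS)["slack_text"])
```

Three details matter in practice. Links are taken from `href` attributes, never from anchor text, because the displayed text is what the attacker controls for the victim's benefit. Every URL is defanged before it is written into the Slack summary so nobody in the channel can click through to a live phishing page. A URL with no report is reported as unknown rather than folded into the clean set, since a sandbox timeout or rate limit would otherwise look like a pass.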

Who is this for?

  • Security analysts monitoring email threats.
  • IT teams responsible for phishing prevention.
  • Organizations that use Outlook for email and CrowdStrike as their security platform.

What problem does this workflow solve?

  • Automates the detection of, and response to, phishing URLs delivered by email.
  • Reduces the time analysts spend manually checking suspicious emails and links.
  • Gives the security team a single Slack summary of each finding, so potential threats are communicated promptly.