Security incidents created from user-reported phishing emails

If you set up email matching rules and a user receives an email from an untrustworthy source, or one that is suspicious for any reason, the user can save the email in EML format, attach it to another email, and send it to your instance for analysis.

If the EML matches the criteria defined in any of your active email matching rules, an inbound action called User Reported Phishing creates a security incident and parses the EML file. It then adds any of the following observables found in the EML record to the security incident:
  • IP addresses from the header
  • URLs, domains, or IP addresses appearing in the body
  • Hashes found in the EML attachment
  • File names found in the EML attachment
The following information is added to the security incident:
  • The Source is set to Email.
  • The Category is set to Phishing.
  • The Short description shows User Reported Phishing - Subj: x, where x is the subject line of the original email.
  • The Affected user related list shows the user who sent the email.
Note: By default, the User Reported Phishing inbound action parses the EML file only for new emails. If you have a service that forwards emails to be parsed, the inbound action must be changed from New to Forward.

The inbound action also creates an Email Search to locate other email attachments that may be related to the user-reported phishing attack. The Email Search is associated with the security incident and searches for other EML records that have the same Subject AND are from the same Sender.
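As an added illustration (not the platform's own inbound action code), the following Python reproduces the behaviour described above: it parses a constructed EML, extracts the four observable types, sets the incident fields listed earlier, and records the Subject-and-Sender pair the Email Search matches on. The sample message, addresses and field names are assumptions for the example.

```python
import email, hashlib, re
from email import policy

# Constructed sample EML (assumption, not from the page): header IP, body URL and IP, one base64 attachment ("hello").
SAMPLE_EML = b"""\
From: Payroll <payroll@example.test>
Subject: Urgent: verify your account
Received: from mail.example.test (mail.example.test [203.0.113.7])
    by mx.example.test with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please log in at http://login.example.test/verify or 198.51.100.9 now.
--b1
Content-Type: application/octet-stream; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s<>\"']+")

def extract_observables(raw: bytes) -> dict:
    # Returns the observable types the inbound action adds to the incident.
    msg = email.message_from_bytes(raw, policy=policy.default)
    obs = {k: set() for k in ("header_ips", "urls", "domains", "body_ips", "hashes", "file_names")}
    for received in msg.get_all("Received", []):       # IP addresses from the header
        obs["header_ips"].update(IPV4.findall(received))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in URL.findall(text):                       # URLs and domains in the body
        obs["urls"].add(url)
        obs["domains"].add(url.split("://", 1)[1].split("/", 1)[0])
    obs["body_ips"].update(IPV4.findall(text))          # IP addresses in the body
    for part in msg.iter_attachments():                 # attachment hash and file name
        obs["file_names"].add(part.get_filename())
        obs["hashes"].add(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
    return obs

def build_incident(raw: bytes, reporter: str) -> dict:
    # Field values the page says are set, plus the Email Search criteria (same Subject AND Sender).
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject, sender = str(msg["Subject"]), str(msg["From"])
    return {"source": "Email", "category": "Phishing",
            "short_description": f"User Reported Phishing - Subj: {subject}",
            "affected_user": reporter,
            "email_search": {"subject": subject, "sender": sender},
            "observables": extract_observables(raw)}
```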