Search for and delete phishing emails

Deleting phishing emails can help reduce exposure to a specific attack across an organization. You can manage phishing emails on your email server by searching, granting approvals, and deleting them.

Before you begin

Roles required: sn_sec_cmn.cap_email_read

You can determine how many users were targeted by a phishing attack by querying an email record associated with a security incident.

Supported software:
  • Microsoft® Exchange Server 2010

About this task

This feature is used by the Security Operations Integration - Email Search and Delete workflow to run a query against your email server. Depending on the search criteria you select, the search identifies all emails within a phishing attack, and returns the total number of emails affected or details from the emails affected.

Procedure

  1. Navigate to Security Incident > Show Open Incidents.
  2. Choose a security incident.
  3. If the Email Search related list is not visible, click the Show All Related Links related link.
  4. Click the Email Search related list.
    [Figure: Email Search related list]
  5. Click New.
  6. Fill in the fields, as appropriate.
    Field | Description
    Name | Name of the search query.
    Query from criteria | A preview of the query run on the email server. Generated from all the associated active search criteria records.
    Description | Describe what the search query is looking for.
  7. Right-click in the form header and select Save.
  8. Click the Email Search Criteria tab and click New.
  9. Fill in or edit the fields, as appropriate.
    Field | Description
    Email search | Displays the name of the email search. You can change it if needed.
    Search field | Field to search in the email server. The search field has the following choices:
      • Subject: This criterion searches for emails that contain the Subject line text specified in the Search text field. For emails that meet this search criterion, the total number of phishing emails and the details of each email, including the email date received, email read status, recipient, and message ID, are returned.
      • From: This criterion searches for emails that contain the sender's full email address (for example, jane.doe@abc.com) specified in the Search text field. For emails that meet this search criterion, the total number of phishing emails and the details of each email, including the email date received, email read status, recipient, and message ID, are returned.
        Note: You cannot use the From and Recipient fields in the same query.
      • Recipient: This criterion searches for emails that contain the recipient's full email address (for example, john.doe@abc.com) specified in the Search text field. The address is matched against the To, Cc, and Bcc fields. For emails that meet this search criterion, the total number of phishing emails and the details of each email, including the email date received, email read status, recipient, and message ID, are returned.
        Note: You cannot use the From and Recipient fields in the same query.
      • Body: This criterion searches for emails that contain the body text specified in the Search text field. For emails that meet this search criterion, the total number of phishing emails is returned.
      • Cc: This criterion searches for emails that contain the Cc full email address (for example, jane.doe@abc.com) specified in the Search text field. For emails that meet this search criterion, the total number of phishing emails is returned.
      • Bcc: This criterion searches for emails that contain the Bcc full email address (for example, jane.doe@abc.com) specified in the Search text field. For emails that meet this search criterion, the total number of phishing emails is returned.
      • Attachment: This criterion searches for emails that contain either the attachment file name or attachment contents specified in the Search text field. For emails that meet this search criterion, the total number of phishing emails is returned.
        Note: Only plain text attachments are supported for searching the attachment contents.
      • Retention Policy: This criterion searches for emails that contain retention policy numbers specified in the Search text field. For emails that meet this search criterion, the total number of phishing emails is returned.
    Active | Select this check box to activate this email search query.
    Operator | Possible values are AND and OR. Defines how search criteria are combined to run in the email server.
    Order | The order in which the search query is built from the search criteria.
    Search Text | The text to search for. Single quotation marks, double quotation marks, and colons are not supported.
  10. Click Submit.
  11. Repeat as needed to define additional search criteria.
    [Figure: Email Search Criteria related list]
  12. Click New.
  13. Click Submit.
  14. You can view the results of the search by clicking the Email Search Results tab.
    [Figure: Email Search Results]
    Each line of the Email Search Result Entries form represents a separate email.
  15. After you have created a search criteria record, two buttons appear in the Email Search form: Delete from Email Server(s) and Search on Email Server(s).
    [Figure: Email search for phishing threats]
  16. To search for emails in the selected server that meet the search criteria you defined, click Search on Email Server(s).
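
The field rules in step 9 can be checked before a search is submitted. The following JavaScript is an added example, not ServiceNow code: the record shape, the function name checkCriteria, and the sample values are assumptions constructed for illustration, and the address test is only a simple shape check.

```javascript
// Added example: pre-checks search criteria against the field rules on this page.
// The record shape and names below are hypothetical, not ServiceNow APIs.
const DETAIL_FIELDS = ["Subject", "From", "Recipient"]; // count + per-email details
const COUNT_FIELDS = ["Body", "Cc", "Bcc", "Attachment", "Retention Policy"]; // count only
const ADDRESS_FIELDS = ["From", "Recipient", "Cc", "Bcc"]; // need a full address

function checkCriteria(criteria) {
  const errors = [];
  // Only active criteria are part of the query; Order decides how it is built.
  const active = criteria.filter((c) => c.active).sort((a, b) => a.order - b.order);
  if (active.length === 0) errors.push("no active search criteria");

  for (const c of active) {
    const where = `order ${c.order} (${c.field})`;
    if (!DETAIL_FIELDS.includes(c.field) && !COUNT_FIELDS.includes(c.field)) {
      errors.push(`${where}: unknown search field`);
    }
    if (c.operator !== "AND" && c.operator !== "OR") {
      errors.push(`${where}: operator must be AND or OR`);
    }
    const text = (c.text || "").trim();
    if (text === "") {
      errors.push(`${where}: search text is empty`);
    } else if (/['":]/.test(text)) {
      errors.push(`${where}: quotation marks and colons are not supported`);
    } else if (ADDRESS_FIELDS.includes(c.field) && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(text)) {
      errors.push(`${where}: a full email address is required`);
    }
  }
  const used = active.map((c) => c.field);
  if (used.includes("From") && used.includes("Recipient")) {
    errors.push("From and Recipient cannot be used in the same query");
  }
  // What each criterion returns, per the field descriptions.
  const returns = active.map((c) => ({
    field: c.field,
    result: DETAIL_FIELDS.includes(c.field) ? "count and details" : "count only",
  }));
  return { ok: errors.length === 0, errors, returns };
}

// Constructed sample records (not from a real instance).
const sample = [
  { field: "Subject", text: "Invoice overdue", operator: "AND", order: 200, active: true },
  { field: "From", text: "billing@example.test", operator: "AND", order: 100, active: true },
  { field: "Body", text: 'click "here"', operator: "OR", order: 300, active: true },
  { field: "Recipient", text: "john.doe@example.test", operator: "AND", order: 400, active: false },
];
console.log(checkCriteria(sample));
```

In the sample, the inactive Recipient record is ignored, so only the Body criterion is reported, for its double quotation marks.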