Overview
The Security Inbox feature allows you to access and manage emails from a mail account to clone emails (creating templates in PhishingBox), find metadata about an email, create email blocklists/safelists, and find information about how often your targets have used KillPhish to report/scan an email. All changes you make in Inbox (marking, moving, deleting, etc.) will also affect the mailbox it is connected to. Additionally, Inbox will create four folders (see Reviewed Folders below) in the mailbox so that emails can be reviewed and archived.
Every hour, Security Inbox will automatically index any new messages in the mailbox's root folders. Any Phishing Test emails found in these folders will be logged as Reported and then archived to the Reviewed Test Emails folder.
NOTE: Subfolders will not be indexed.
You can access your inbox by clicking on the Inbox tab and choosing an inbox account from the Inbox dropdown (6 in the image below). If you only have one inbox connection, the drop-down will be hidden.
Inbox
The Inbox tab is where you can view messages in the inbox of a connected email account. (To connect an email account to your Security Inbox, see Mail Settings.) When you first load the email account, the Inbox folder will be opened. The different folders inside the email account will appear on the left of the list of emails. The Inbox scan works just like the KillPhish scan: it scans links, looks for suspicious words, looks for dangerous attachments, and checks the message headers.
Inbox Drop-down
This drop-down lets you choose between inbox accounts available to you. Depending on your Portal account, you may be allowed to have multiple inbox connections. You can add a connection from the Inboxes tab on the Mail Settings page.
Inbox Table
When you initially load an inbox, it will open the Inbox folder, displaying all messages in that folder. It shows the email address of the reporter and the originator email address (the email address from which the email originally came). You can archive/delete messages, mark emails as read/unread, flag emails, look up email addresses, and open messages. Unread messages are distinguished by a blue indicator and a light background, while opened messages appear with a darker background for clear visual differentiation.
Selecting emails in the table will reveal several buttons at the top of the page, described below.
- Refresh the inbox table.
- Move the selected message(s) to a specific folder.
- Archive the selected message(s) to one of the Reviewed Folders. There are several different archive options, described below.
  - Archive as Phishing Email - will place the selected message(s) in the Reviewed Phishing Emails folder.
  - Archive as Spam Email - will place the selected message(s) in the Reviewed Spam Emails folder.
  - Archive as Safe Email - will place the selected message(s) in the Reviewed Safe Emails folder.
  - Archive as Test Email - will place the selected message(s) in the Reviewed Test Emails folder.
NOTE: The first time the inbox connection is loaded, these "Archive as ..." folders will be created inside the inbox account.
Clicking any of the "Archive as ..." buttons will reveal an Archive & Respond popup. This popup lets you mark the message according to a specific threat type. You can also choose to send out an email to the endpoint that reported the message by toggling on the Respond to Reporter checkbox. This will send an email to the individual that reported the email.
The URLs and domains listed in the URLs and Domains tabs at the bottom of the Archive & Respond popup can be added to the Blocklist by moving them to the box on the right. They will appear in your blocklist after you click the Archive & Respond button. When the domains have been added to your blocklist, any email containing them will receive a red warning, as in the example below.
- Delete the selected message(s).
- Mark the selected message(s) as read/unread.
- Flag the selected message(s).
To the right of each email address in the Inbox table is a lookup button which, when clicked, will take you to the Lookup tab and run a lookup on that email address.
To the far right of the Inbox table are three buttons for each email: Review & Archive (which displays the Archive & Respond popup, described above), Mark as Read/Unread, and delete.
Reviewed Folders
The Reviewed Phishing Emails, Reviewed Safe Emails, Reviewed Spam Emails, and Reviewed Test Emails folders will be automatically created when the inbox is loaded for the first time.
- Reviewed Phishing Emails - this folder contains messages that the admin has identified as phishing.
- Reviewed Safe Emails - this folder contains messages the admin has identified as safe.
- Reviewed Spam Emails - this folder contains messages the admin has identified as spam.
- Reviewed Test Emails - this folder contains simulated phishing emails that were reported. Such messages are automatically moved to this folder when they arrive in the inbox.
Message View
Clicking the subject of an email will open the Message View. Here, you can preview the message and inspect the raw message, header, domains, links, and images.
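The same items Message View exposes (header fields, links, domains, attachments) can be pulled from a raw reported message and checked against a blocklist and safelist. This is an added example, not PhishingBox code: the sample message, the `triage` and `on_list` functions, the risky-extension list and the subdomain matching rule are all assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from os.path import splitext
from urllib.parse import urlsplit

# Constructed sample of a reported message (not real traffic).
RAW = """\
From: "IT Support" <helpdesk@example-corp.test>
Reply-To: attacker@mailbox.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<a href="http://login.bad-domain.test/reset?id=1">portal</a> https://intranet.example.test/policy
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.js"

Y29uc3RydWN0ZWQ=
--b1--
"""
RISKY_EXT = {".js", ".exe", ".scr", ".vbs", ".iso"}  # assumed list

def on_list(host, listed):  # exact match or subdomain of a listed domain
    return any(host == d or host.endswith("." + d) for d in listed)

def triage(raw, blocklist, safelist):
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg["From"])[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    links, files = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            files.append(name)  # attachment: record the name, do not parse the body
        elif part.get_content_maintype() == "text":
            links += re.findall(r"https?://[^\s\"'<>]+", part.get_content())
    hosts = sorted({urlsplit(u).hostname for u in links} - {None})
    return {
        "sender": sender,
        "reply_to_differs": bool(reply_to) and reply_to != sender,
        "links": links,
        "domains": hosts,
        # A safelisted domain is never reported as blocked (safelist wins).
        "blocked": [h for h in hosts if on_list(h, blocklist) and not on_list(h, safelist)],
        "risky_attachments": [f for f in files if splitext(f)[1].lower() in RISKY_EXT],
    }
```

Calling `triage(RAW, {"bad-domain.test", "example.test"}, {"example.test"})` shows the safelist taking precedence: only `login.bad-domain.test` is returned as blocked.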
The Message View has five action buttons:
- Archive & Respond
- Mark as Flagged or Unflagged
- Mark as Read or Unread
- Delete
- Clone: The clone button will create a template based on the email in view. When clicking this button, you will need to configure the From Name, From Email, Domain, Subject, and the Training/Landing Page.
Lookup
The Lookup tab lets you enter an email address, IP address, domain, or URL and will display blocklist, site info, domain SPF and MX records, WHOIS results, and third-party RBL entries.
Blocklist
The Blocklist tab will display email addresses, domains, and URLs that are blocked by Inbox. To add a new entry, click the Add button. You'll then be able to add a comma- or semicolon-separated list of email addresses, domains, or URLs. You can also import a CSV file. The Export Blocklist button lets you export the entire table so you can add the blocked domains, URLs, and email addresses to your email client's blocklist. The dropdown on the far right of the Blocklist table lets you look up the entry or delete the entry.
The Blocklist table consists of the name (email address, domain, or URL for the entry), type (email address, domain, or URL), status (monitoring is shown if the domain, URL, or email is reported by a target; blocked is shown if the item was manually added by an admin), the number of reported emails confirmed as phishing by an admin that contained that URL/domain or were from that email address (R/T), the date the entry was created, and the last time the entry changed (such as getting moved from monitoring to blocked).
The Reported/Threshold (R/T) column provides the counts for how many reported emails have been confirmed as phishing by an admin and the current threshold of how many reported emails can exist without being blocked. To unblock an entry, you simply need to use the Set to Monitoring option in the Actions dropdown. This will both change the status and increase the threshold by one. Once another email is confirmed containing that entry, it will once again become blocked. If an item needs to be permanently unblocked regardless of how many reported emails contain the item, you can add that item to the Safelist.
Safelist
The Safelist tab will display email addresses, domains, and URLs that are safelisted by the inbox. To add a new entry, click the Add button. You'll then be able to add a comma- or semicolon-separated list of email addresses, domains, or URLs. You can also import a CSV file. The Export Safelist button lets you export the entire table so you can add the safelisted domains, URLs, and email addresses to your email client's safelist. The dropdown on the far right of the Safelist table lets you look up the entry or remove it from the Safelist.
If an email comes from an email address in the safelist, and an instance of KillPhish is tied to that inbox account, then the email will automatically show as "Low Risk" when scored by that instance of KillPhish (though the score will still be noted). Links that are found in the safelist will automatically receive a penalty of 0 when scored by KillPhish.
Endpoints
The Endpoints tab shows the results from reporting and scanning emails using the plugins for targets in your account. It displays a table of the targets' email addresses, first name, last name, app (which app sent the email - Outlook 365 or Outlook), IP address of the target, number of times the target has scanned emails using the Microsoft KillPhish add-in, and the date of the last scan. There is also a "Last Report" column that shows the date of the last time the target/user reported an email. In addition to these columns, there are five columns that are marked with icons, each described below.
- the total number of emails reported by the endpoint.
- the number of emails reported by the endpoint that the admin monitoring the inbox has confirmed are phishing emails.
- the number of emails reported by the endpoint that the admin monitoring the inbox has confirmed are spam emails.
- the number of emails reported by the endpoint that the admin monitoring the inbox has confirmed are safe or marketing type emails.
- the number of emails reported by the endpoint that are confirmed simulated testing emails from PhishingBox.
In the far right column is a dropdown that has several options, described below.
- Target Details - takes you to the Target Details page for the endpoint.
- Lookup Target - takes you to the Lookup tab and looks up the endpoint.
- Check Counts - refreshes the counts displayed on the reported, confirmed spam, confirmed phishing, etc. columns.
- Update Name - displays a popup that lets you change the endpoint's name.
- Delete Item - deletes the endpoint.
FAQs
What data does PhishingBox store?
To provide the Security Inbox feature, we store certain metadata from the connected mailbox. This includes:
- Email Metadata: Information about your emails such as identifiers and sender information.
- Folder Structure: Details regarding the organization of your emails into folders and subfolders.