Abnormal Abuse Mailbox: Save time with AI-driven auto-remediation of employee-reported phishing emails - Abnormal Security

For SOC analysts, managing an employee-reported phishing mailbox can be a double-edged sword. On one hand, legacy tools have made it easy for employees to report would-be BEC and phishing emails. On the other, analysts spend a significant amount of time manually monitoring the mailbox and determining whether messages are safe or need remediating, which creates a resource bottleneck. It can take anywhere from minutes to over an hour just to get to the bottom of a phishing report.

A common phishing mailbox workflow goes like this:

  • Phishing mailbox receives employee-reported emails
  • SOC analyst investigates and decides if the email is safe or malicious
    • For safe emails, inform the employee of the judgement
    • For malicious emails, find the entire email campaign using tools such as PowerShell
      • Remove the email campaign
      • Alert employee of the malicious judgement

All of these steps require manual intervention, ticketing or third-party tools to manage the mailbox workflow. However, most SOC analysts would prefer minimal involvement when it comes to monitoring their abuse mailbox. Getting to a “set it and forget it” workflow requires automation and next-gen detection capabilities.

Next-Gen Inbound Protection + mSOAR Capabilities to Automate Your Abuse Mailbox

With Abnormal’s Abuse Mailbox, we apply our AI-powered inbound protection technology to pass judgement on employee-reported phishing emails. In doing so, we automatically determine whether an email is safe or malicious, whether it is a standalone message or part of a coordinated campaign sent to multiple employees. Additionally, all malicious emails, including unreported ones that are part of a campaign and still sitting in inboxes, are auto-remediated from employees’ inboxes, giving analysts built-in mSOAR (email Security Orchestration, Automation and Response) capabilities.

Due to the effectiveness of Abnormal’s detection system, the result is significant time savings for analysts. They no longer need to spend time investigating reported emails that are safe and can focus on real threats.

Abnormal’s Abuse Mailbox:

  • Pulls all employee-reported emails into one place
  • Automatically provides email judgement via Abnormal’s signal detection capabilities
  • Collects the entire email attack campaign
  • Automatically remediates email campaigns that are deemed malicious
  • Supports automated employee notification for safe and malicious reports
  • Integrates with existing ticketing systems such as ServiceNow, and SIEM/SOAR tools such as Splunk, LogRhythm, QRadar, Demisto and others
  • Integrates with Proofpoint TAP to show reports that have been ingested and processed by Abnormal
  • Is platform independent and integrates with both Microsoft O365 and GSuite

Improved Mailbox Experience

With our improved mailbox UI, analysts can quickly view quantitative highlights of the submission breakdown between malicious, safe and spam messages, as well as remediated campaigns and messages. The high-level summary above the campaign log allows analysts to get a quick snapshot of Abuse Mailbox’s effectiveness. Additionally, if you’re a Proofpoint TAP customer, we have integrated into TAP to show reports that have been ingested and processed by Abnormal, giving analysts another look at how Abnormal would handle such events.

Multiple Remediation Options

Abuse Mailbox now supports a ‘Malicious (Permanently Delete)’ remediation option for analysts who want to remove entire campaigns from users’ inboxes for both O365 and GSuite.

Powerful Dashboard and Reporting Capabilities

We’ve added numerous dashboards and reporting options to improve visibility into key metrics and activity across the organization. Analysts can get a roll-up of reported phishing emails with a breakdown by judgement – Malicious, Safe and Spam. Additionally, Abnormal provides downloadable PDF and CSV reports with custom date ranges, especially useful for an executive audience.

View remediation trends by attack type, as well as the total number of emails, campaigns and Proofpoint TAP-reported emails remediated by Abnormal over the selected time period.

We’ve made it easier to see which employees in your organization reported the most messages to Abuse Mailbox over the selected time period. Analysts can view the types of messages they’re reporting as well as toggle between ‘All Reports’ and ‘Malicious Reports Only’.

Integrated Phishing Reporting Buttons

For organizations that have an existing end-user phishing report workflow, Abuse Mailbox integrates with Cofense/PhishMe and KnowBe4 buttons, as well as the native Microsoft O365 ‘Report Message’ button, giving employees the ability to report suspicious emails and notify security teams with just one click.

Monitor your employee-reported mailbox with Abnormal’s Abuse Mailbox

Interested in seeing what Abnormal Security can do to improve your employee-reported mailbox? Request a demo to learn more.
