
Why Your Organization Should Have a Phishing Mailbox

Numerous polls and studies have concluded that phishing remains the most significant cybersecurity threat that organizations face today[1][2][3]. Phishing targets the weakest link in most security stacks: the user. Now, more than ever, organizations must implement innovative solutions to help mitigate the threats posed by phishing, spear-phishing, and whaling emails. One solution many organizations turn to is a dedicated “phishing mailbox”.

A phishing mailbox is a mailbox specifically for users to forward known or suspected phishing emails. The organization’s SOC (Security Operations Center) or information security team monitors the inbox and investigates the emails received. They then respond to the user, determining the validity of the email and giving directions on how to proceed.

Benefits of phishing mailboxes

Encouraging your users to submit emails they are suspicious of to a designated phishing mailbox is an excellent way of teaching them to think about information security in their day-to-day workflow and empowering them to take meaningful action that supports the organization’s information security policy. Users who report phishing emails to the phishing mailbox should be thanked for a job well done. This creates a sense of accomplishment and shared ownership of the organization’s security. It also makes them more likely to report suspicious emails in the future, turning your users into sensors for malicious email.

Another substantial benefit of phishing mailboxes is that users’ submissions provide a goldmine of free threat intelligence. Free! The emails they submit will contain malicious links with URLs, domains, or IP addresses that should be blocked. Some emails might also contain malicious attachments; if executed, these attempt to run code or download second-stage malware that could harm your organization. Attachments also contain indicators that can be extracted via sandboxing or manual analysis and then blocked, protecting your organization from attack. The free threat intelligence gained from users’ submissions can give an organization the data it needs to take proactive measures before a potential compromise occurs.

The importance of automation

In an organization of fewer than a hundred people, a SOC team could perhaps keep up with all phishing emails. However, as most CISOs know, an organization’s SOC team doesn’t always scale linearly with the organization’s number of users and hosts. The modern SOC analyst is asked to do more and more each day. This is why introducing automation into existing workflows is key in keeping up with the increasing number of threats in today’s cybersecurity landscape.

How SOAR can help

Using a SOAR (Security Orchestration, Automation and Response) platform, such as CyberSponse’s CyOPs (TM), is an effective way of bringing modern technology and automation to the fight. With automated data enrichment and decision making, SOAR tools can vastly cut down the number of phishing emails an analyst needs to review. Analysts make faster, easier decisions when contextual enrichment data is already populated before they receive an alert. SOAR platforms can also reduce the number of false positives that analysts review, because they automatically perform much of the investigative work necessary to determine whether a suspected phishing email is indeed malicious.
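As an added illustration of the indicator extraction and automated enrichment described above (example code written for this article, not part of the original post or of CyOPs), the helper below does the first step a SOAR playbook would run on every submission: it parses a constructed forwarded message, pulls out the URLs and hosts to block, defangs them for the analyst's ticket, and hashes attachments for a sandbox or reputation lookup. The sample message, its domains and the attachment bytes are all constructed.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample: a forwarded message as it might land in the phishing mailbox.
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example-payroll.test>
To: alice@corp.example
Subject: Action required: payroll update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your payroll profile expires today. Confirm at
http://payroll-update.example-payroll.test/login?id=4471
or via https://203.0.113.10/verify
--b1
Content-Type: application/octet-stream; name="payroll.xlsm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="payroll.xlsm"

UEsDBBQAAAAIAA==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def defang(url):
    """Render an indicator so it cannot be clicked when pasted into a ticket."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def triage(raw):
    """Parse one submission and return the indicators worth blocking or sandboxing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            # SHA-256 lets the analyst query a sandbox or reputation service by hash.
            attachments.append({"name": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest(),
                                "size": len(data)})
        elif part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
    # Host portion of each URL: a domain or bare IP for the block list.
    domains = {u.split("/")[2].split(":")[0] for u in urls}
    return {"sender": str(msg.get("From", "")), "urls": sorted(defang(u) for u in urls),
            "domains": sorted(domains), "attachments": attachments}
```

The returned record is what a playbook would feed to enrichment lookups before the analyst ever sees the alert.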

By Senior Automation Engineer, Jared Betts
By Senior Incident Responder, David Ferguson
