What is the Security Inbox?

Learn more about the Security Inbox and its features.

The Security Inbox feature allows you to access and manage emails from a mail account to clone emails (creating templates in Portal), find metadata about an email, create email blocklists/safelists, and find information about how often your targets have used KillPhish to report/scan an email. All changes you make in Inbox (marking, moving, deleting, etc.) will also effect the mailbox it is connected to. Additionally, Inbox will create four folders (see Reviewed Folders below) in the mailbox so that emails can be reviewed and archived.

Every hour, Security Inbox will automatically index any new messages in the mailbox. Any Phishing Test emails found will be logged as Reported and then archived to the Reviewed Test Emails folder.

You can access your inbox by clicking on the Inbox tab and choosing an inbox account from the Inbox dropdown (6 in the image below). If you only have one inbox connection, the dropdown will be hidden.

inbox.png

  1. Inbox
  2. Lookup
  3. Blocklist
  4. Safelist
  5. Endpoints
  6. Inbox Dropdown
  7. Inbox Table
  8. Reviewed Folders

Inbox

The Inbox page is where you can view messages in the inbox of an email account connected. (To connect an email account to your Inbox, see Mail Settings.) When you first load the email account, the Inbox folder will be opened. The different folders inside the email account will appear on the left of the list of emails.


Lookup

The Lookup tab lets you enter an email address, IP address, domain, or URL and will display blocklist, site info, domain SPF and MX records, WHOIS results, and third-party RBL entries.

 

lookup_tab.png

 


Blocklist

The Blocklist tab will display email addresses, domains, and URLs that are blocked by Inbox. To add a new entry, click the Add button. You'll then be able to add a comma- or semicolon-separated list of email addresses, domains, or URLs. You can also import a CSV file. The Export Blocklist button lets you export the entire table so you can add the blocked domains, URLs, and email addresses to your email client's blocklist. The dropdown on the far right of the Blocklist table lets you lookup the entry or delete the entry. 

The Blocklist table consists of the name (email address, domain, or URL for the entry), type (email address, domain, or URL), status (monitoring is shown if the domain, URL, or email is reported by a target, blocked if the item was manually added by an admin), the number of emails reported confirmed as phishing by an admin that contained that URL/domain or were from that email address (R/T), the date the entry was created, and the last time the entry changed (such as getting moved from monitoring to blocked).  

The Reported/Threshold (R/T) column provides the counts for how many reported emails have been confirmed as phishing by an admin and the current threshold of how many reported emails can exist without being blocked. In order to unblock an entry, you simple need to use the Set to Monitoring option in the Actions dropdown. This will change both the status and increase the threshold by one. Once another email is confirmed containing that entry, it will once again become blocked. If an item needs to be permanently unblocked regardless of how many reported emails contain the item, you can add that item to the Safelist.

If an email comes from an email address in the blocklist, and an instance of KillPhish is tied to that inbox account, then the email will automatically show as "High Risk" when scored by that instance of KillPhish. Links that are found in the blocklist will automatically receive a penalty of 50 when scored by KillPhish.

blocklist.png

 


Safelist

The Safelist tab will display email addresses, domains, and URLs that are safelisted by the inbox. To add a new entry, click the Add button. You'll then be able to add a comma- or semicolon-separated list of email addresses, domains, or URLs. You can also import a CSV file. The Export Safelist button lets you export the entire table so you can add the safelisted domains, URLs, and email addresses to your email client's safelist. The dropdown on the far right of the Safelist table lets you lookup the entry or remove it from the Safelist.

If an email comes from an email address in the safelist, and an instance of KillPhish is tied to that inbox account, then the email will automatically show as "Low Risk" when scored by that instance of KillPhish (though the score will still be noted). Links that are found in the safelist will automatically receive a penalty of 0 when scored by KillPhish.

safelist.png

 


Endpoints

The Endpoints tab shows the results from reporting and scanning emails using the plugins for targets in your account. It displays a table of the targets' email addresses, first name, last name, app (which app sent the email - Outlook 365 or Outlook), IP address of the target, number of times the target has scanned emails using the Microsoft KillPhish add-in, and the date of the last scan. There is also a "Last Report" column that shows the date of the last time the target/user reported an email. In addition to these columns, there are five columns that are marked with icons, each described below.

  • flag.png the total number of emails reported by the endpoint
  • red_fish.png the number of emails reported by the endpoint that the admin monitoring the inbox has confirmed are phishing emails
  • red_circel.png the number of emails reported by the endpoint that the admin monitoring the inbox has confirmed are spam emails
  • red_check.pngthe number of emails reported by the endpoint that the admin monitoring the inbox has confirmed are safe or marketing type emails
  • blue_fish.pngthe number of emails reported by the endpoint that are confirmed simulated testing emails from Portal

 

endpoints.png

In the far right column is a dropdown that has several options, described below.

  • Target Details - takes you to the Target Details page for the endpoint 
  • Lookup Target - takes you to the Lookup tab and looks up the endpoint
  • Check Counts - refreshes the counts displayed on the reported, confirmed spam, confirmed phishing, etc. columns
  • Update Name - displays a popup that lets you change the endpoint's name
  • Delete Item - deletes the endpoint 

 

dropdown.png

 


Inbox Dropdown

This dropdown lets you choose between inbox accounts available to you. Depending on your Portal account, you may be allowed to have multiple inbox connections. You can add a connection from the Inboxes tab on the Mail Settings page.


Inbox Table

When you initially load an inbox, it will open the INBOX folder, displaying all messages in that folder. It shows the email address of the reporter, the originator email address (the email address from which the email originally came), You can archive/delete messages, mark emails as read/unread, flag emails, lookup email addresses, and open messages.

Selecting emails in the table will reveal several buttons at the top of the page, described below.

mass_actions_-_inbox.png

 

refresh_inbox.png refresh the inbox table

move_email.png move the selected message(s) to a specific folder

archive_email.png archive the selected message(s) to one of the Reviewed Folders. There are several different archive options, described below.

  • Archive as Phishing Email - will place the selected message(s) in the Reviewed Phishing Emails folder
  • Archive as Spam Email - will place the selected message(s) in the Reviewed Spam Emails folder
  • Archive as Safe Email - will place the selected message(s) in the Reviewed Safe Emails folder
  • Archive as Test Email - will place the selected message(s) in the Reviewed Test Emails folder

Note: The first time the inbox connection is loaded, these "Archive as ..." folders will be created inside the inbox account.

archive_options.png

Clicking any of the "Archive as ... " buttons will reveal an Archive & Respond popup. This popup lets you mark the message according to a specific threat type. You can also choose to send out an email to the endpoint that reported the message by toggling on the Respond to Reporter checkbox. This will send an email to the individual that reported the email.

archive_popup.png

The URLs and Domains tabs at the bottom of the Archive & Respond popup can be added to the Blocklist by moving them to the box on the right. They will appear in your blocklist after you click the Archive & Respond button. When the domains have been added to your blocklist, any email containing them will receive a red warning_icon.png warning, as in the example below.

email_lookup_button.png

delete_message.png delete the selected message(s)

mark_message.png mark the selected message(s) as read/unread

flag_message.png flag the selected message(s)

 

To the right of each email address in the Inbox table is a lookup button - lookup_button.png - which, when clicked, will take you to the Lookup tab and run a lookup on that email address.

email_lookup_button.png

 

To the far right of the Inbox table are three buttons for each email: Review & Archive (which displays the Archive & Respond popup, described above), Mark as Read/Unread, and delete.

single_action_buttons.png

 


Reviewed Folders

The Reviewed Phishing Emails, Reviewed Safe Emails, Reviewed Spam Emails, and Reviewed Test Emails folders will be automatically created when the inbox is loaded for the first time. 

  • Reviewed Phishing Emails - this folder contains message that the admin has identified as phishing
  • Reviewed Safe Emails - this folder contains messages the admin has identified as safe
  • Reviewed Spam Emails - this folder contains messages the admin has identified as spam
  • Reviewed Test Emails - this folder contains simulated phishing emails that were reported. Such messages are automatically moved to this folder when they arrive in the inbox.