Handling Phishing Scams
01-30-2017 11:09 AM
Hello,
I am new to this forum and have only been in ServiceNow for about half a year. Where I could use help is in the "phishing" area. We get buried in phishing e-mails almost on a daily basis. We have an e-mail address where these can be sent that automatically opens an incident in ServiceNow and assigns it to our Security group. These incidents are also created through e-mails that come through our Help Desk e-mail account and are reassigned to the security group manually. We spend a great deal of time sifting through these for bad websites, bad attachments and compromised accounts. I am curious to know how others are handling phishing?
(Cross listed with the Higher Ed SIG)
Thanks, Doug
01-30-2017 11:13 AM
Hi Doug,
You can use email filters to discard unwanted emails.
Go to System Mailboxes -> Administration -> Filters
You can define what an unwanted email is and what to do with it.
Harel
01-30-2017 11:15 AM
01-30-2017 12:37 PM
Thanks Harel. The problem we are having is not that we want to ignore them, but to find an easier way to figure out if a website listed or an attachment is malicious. We know what the logic would be if we were to write a script, but we are not sure if that is feasible. It would also be quite a large effort. There may be other ways that people are handling this also.
Doug

02-04-2017 10:34 AM
There are some new features in the Threat Intelligence application (Threat Intelligence) that you may be able to integrate with (see 'observables').
If you do not yet subscribe to that application, there may be some options for a light integration (REST API) to a paid or open source threat (IoC - Indicator of Compromise) feed.
I can give some more specific details if your security team has a specific lookup in mind.
JarodM