Handling Phishing Scams

doughender · ‎01-30-2017

Hello,

I am new to this forum and have only been in ServiceNow for about a half year. Where I could use help with is in the "phishing" area. We get buried in phishing e-mails almost on a daily basis. We have an e-mail address where these can be sent that automatically opens an incident in ServiceNow and assigns it to our Security group. These incidents are also created through e-mails that come through our Help Desk e-mail account and are reassigned to the security group manually. We spend a great deal of time sifting through these for bad websites, bad attachments and compromised accounts. I am curious to know how others are handling phishing?

(Cross listed with the Higher Ed SIG)

Thanks, Doug

oharel · ‎01-30-2017

Hi Doug,

You can use email filters to discard unwanted emails.

Go to System Mailboxes -> Administration -> Filters

You can define what an unwanted email is and what to do with it.

Harel

oharel · ‎01-30-2017

Just noticed my screenshot did not paste...

Below is an example of a filter that ignores certain senders. You can do the same for body, subject, etc.

doughender · ‎01-30-2017

Thanks Harel. The problem we are having is not that we want to ignore them but find an easier way to figure out if a website listed or an attachment is malicious. We know what the logic would be if we were to write a script but we are not sure if that is feasible. It would also be quite a large effort. There may be other ways that people are handling this also.

Doug

jarodm · ‎02-04-2017

There are some new features in the Threat Intelligence application (Threat Intelligence) that you may be able to integrate with (see 'observables').

If you do not yet subscribe to that application, there may be some options for a light integration (REST API) to a paid or open source threat (IoC - Indicator of Compromise) feed.

I can give some more specific details if your security team has a specific lookup in mind.

JarodM