3 hours ago
I want to know how ServiceNow protects its inbox from phishing emails, preventing them from being converted to Incidents via inbound email action.
We have a few phishing emails that generated incidents in the platform. We thought ServiceNow would identify phishing emails automatically and wouldn't create incidents for them.
I tried to find KB articles that explain it, but I couldn't find them.
Should we run the phishing detection on our own, or does the Platform offer something OOTB?
3 hours ago
Hey @Bock
ServiceNow does not provide an out-of-the-box phishing detection engine that automatically identifies and blocks phishing emails before they are processed by Inbound Email Actions.
Inbound Email Actions process emails that have already been delivered to the ServiceNow mailbox. If an incoming email meets the conditions of an active Inbound Email Action, the platform will process it (for example, by creating an Incident), regardless of whether the email is legitimate or malicious.
In most environments, phishing and spam protection is handled upstream by the organization's email security solution (such as Microsoft Defender for Office 365, Proofpoint, Mimecast, or Cisco Secure Email) before messages reach ServiceNow.
If phishing emails are generating Incidents, consider implementing one or more of the following controls:
- Review your email security gateway configuration to ensure phishing and spam emails are filtered before reaching ServiceNow.
- Restrict inbound record creation to trusted domains, known users, or authenticated senders.
- Add validation logic to your Inbound Email Actions to verify sender addresses, email headers, or other message attributes before creating records.
- Route suspicious emails to a review or quarantine process instead of automatically creating Incidents.
- Use Business Rules or Flow Designer to identify and flag potentially suspicious emails for manual review.
Regards
Vaishali Singh
Servicenow Developer
Linkedin - https://www.linkedin.com/in/vaishali-singh-2273361bb
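One way to implement the sender and header validation suggested in the answer above, as an added example that is not part of the original thread or ServiceNow's own code. The gateway hostname, allow-listed domains and sample headers are constructed; it assumes the upstream gateway stamps an `Authentication-Results` header, strips any inbound header that carries its own authserv-id, and that the Inbound Email Action passes in `email.origemail` and `email.headers`.

```javascript
// Constructed policy values (assumptions): replace with your own.
var TRUSTED_AUTHSERV_ID = 'mx.example.com'; // authserv-id your mail gateway stamps
var ALLOWED_DOMAINS = ['example.com', 'partner.example'];

// Unfold continuation lines, then return every value of the named header.
function getHeaderValues(rawHeaders, name) {
    var prefix = name.toLowerCase() + ':';
    return String(rawHeaders).replace(/\r?\n[ \t]+/g, ' ').split(/\r?\n/)
        .filter(function (line) { return line.toLowerCase().indexOf(prefix) === 0; })
        .map(function (line) { return line.slice(prefix.length).trim(); });
}

// Read spf/dkim/dmarc only from the header our own gateway added (RFC 8601).
// Authentication-Results headers with any other authserv-id are sender-controlled.
function trustedAuthResults(rawHeaders) {
    var results = {};
    getHeaderValues(rawHeaders, 'Authentication-Results').forEach(function (value) {
        var parts = value.split(';');
        var authservId = parts[0].trim().split(/\s+/)[0].toLowerCase();
        if (authservId !== TRUSTED_AUTHSERV_ID) { return; }
        parts.slice(1).forEach(function (p) {
            var m = /^\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)/i.exec(p);
            if (m && !results[m[1].toLowerCase()]) { results[m[1].toLowerCase()] = m[2].toLowerCase(); }
        });
    });
    return results;
}

// Decide whether the inbound action should create a record or route to review.
function classifyInbound(sender, rawHeaders) {
    var addr = String(sender);
    var domain = addr.slice(addr.lastIndexOf('@') + 1).replace(/>.*$/, '').trim().toLowerCase();
    if (ALLOWED_DOMAINS.indexOf(domain) === -1) {
        return { action: 'quarantine', reason: 'sender domain not allow-listed' };
    }
    var auth = trustedAuthResults(rawHeaders);
    if (auth.dmarc !== 'pass') {
        return { action: 'quarantine', reason: 'dmarc=' + (auth.dmarc || 'missing') };
    }
    return { action: 'create', reason: 'allow-listed sender, dmarc=pass' };
}

// Constructed sample: a look-alike header precedes the gateway's real (folded) verdict.
var SAMPLE_SPOOFED = [
    'Authentication-Results: relay.invalid; spf=pass; dkim=pass; dmarc=pass',
    'Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;',
    ' dmarc=fail header.from=example.com'
].join('\r\n');
// In the Inbound Email Action: classifyInbound(email.origemail, email.headers)
```

Only a `create` verdict should lead to the Incident insert; anything else goes to the review or quarantine path the answer describes.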