
Phishing Email Identification from Shared Mailbox – OOB or Custom Integration Options?

Saranyaj
Tera Contributor

Hi Experts,

I would like to understand if there is any OOB or recommended custom integration approach in ServiceNow Security Operations to identify phishing emails from a shared/group mailbox.

Scenario:

  • The security team maintains a single shared mailbox (e.g., security@company.com).

  • This mailbox receives:

    • Potential phishing emails reported by users

    • Regular user responses

    • Genuine operational/security communications

  • Not all emails received are phishing-related.

  • The potential phishing emails received in this mailbox need to have a specific format / text. These emails could be sent randomly.

Requirement:

We are looking for an integration or mechanism that can:

  1. Pull emails from the shared mailbox automatically.

  2. Evaluate all incoming emails (including random/unstructured emails).

  3. Validate whether the email qualifies as a phishing candidate based on defined conditions/rules.

  4. Automatically create a Security Incident (SIR) in ServiceNow only when criteria match.

  5. Ignore non-phishing or irrelevant emails without creating records.

Questions:

  • Is there any Out-of-Box (OOB) capability in ServiceNow SecOps to support this use case?

  • Are there recommended integrations (e.g., phishing platforms, SOAR tools, or mailbox parsers) typically used for this scenario?

  • What is the best practice when the mailbox contains both phishing and legitimate communications?

Any architecture suggestions or implementation experiences would be greatly appreciated.

Thanks in advance!

1 Reply

Martin Dewit
Kilo Sage

ServiceNow Security Operations has built-in functionality to support User Reported Phishing emails. You can utilize Email Parsers and Email matching rules so that specific emails are targeted.

Check out the docs: https://www.servicenow.com/docs/r/security-management/security-incident-response/urp-about.html?cont...
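To make the matching-rule idea from the reply concrete, here is an added example (not the poster's code and not ServiceNow's Email Parser or Email matching rule implementation) of the decision logic the question asks for: evaluate every message pulled from the shared mailbox, discard auto-replies and ordinary correspondence, and flag only messages with user-report indicators as Security Incident candidates. It is plain Node.js; the message field names (`from`, `subject`, `bodyText`, `attachments`, `headers`), the rule patterns, and the sample mailbox are all constructed assumptions, and wiring the `classify()` result into an Inbound Email Action or Email Parser on the instance is left out.

```javascript
// Added example: rule-based triage of messages from a shared security mailbox.
// Plain Node.js, not ServiceNow code. The fields on each message object and
// every rule value below are constructed assumptions; on an instance, an
// Inbound Email Action or Email Parser would create a Security Incident only
// when classify() returns candidate === true.

const RULES = {
  // Subject tags a report template or "report phishing" button typically adds (assumed values)
  subjectMarkers: [/\[phish(ing)?(\s+report)?\]/i, /suspicious (e-?mail|message)/i],
  // A forwarded original is usually attached as .eml or .msg
  attachmentExts: ['.eml', '.msg'],
  // Fields a structured report body would carry (assumed template)
  bodyMarkers: [/reported url\s*:/i, /original sender\s*:/i],
  // Traffic to ignore without creating any record
  ignoreSubject: [/^automatic reply:/i, /^out of office/i, /^undeliverable:/i],
  ignoreHeaders: { 'auto-submitted': /^auto-/i, 'x-auto-response-suppress': /./ },
};

function hasAttachmentExt(attachments, exts) {
  return (attachments || []).some(a =>
    exts.some(ext => a.name.toLowerCase().endsWith(ext)));
}

function matchesAny(text, patterns) {
  return patterns.some(p => p.test(text || ''));
}

// Classify one message. Returns { candidate, reasons } so every decision is auditable.
function classify(email) {
  const reasons = [];
  const headers = email.headers || {};

  // 1. Noise first: auto-replies and bounces never become incidents.
  if (matchesAny(email.subject, RULES.ignoreSubject)) {
    return { candidate: false, reasons: ['auto-reply or bounce subject'] };
  }
  for (const [h, re] of Object.entries(RULES.ignoreHeaders)) {
    const v = headers[h];
    if (v !== undefined && re.test(v)) {
      return { candidate: false, reasons: [`header ${h} marks automated mail`] };
    }
  }

  // 2. Positive evidence: any single indicator qualifies the message as a phishing candidate.
  if (matchesAny(email.subject, RULES.subjectMarkers)) reasons.push('subject marker');
  if (hasAttachmentExt(email.attachments, RULES.attachmentExts)) reasons.push('forwarded message attached');
  if (matchesAny(email.bodyText, RULES.bodyMarkers)) reasons.push('structured report body');

  return {
    candidate: reasons.length > 0,
    reasons: reasons.length ? reasons : ['no phishing indicators'],
  };
}

// Triage a whole mailbox pull: messages that should open a Security Incident vs. messages
// to ignore, each with its reasons, so analysts can tune the rules from the misses.
function triage(messages) {
  const open = [], ignore = [];
  for (const m of messages) {
    const r = classify(m);
    (r.candidate ? open : ignore).push({ id: m.id, reasons: r.reasons });
  }
  return { open, ignore };
}

// Constructed sample mailbox contents (not real mail).
const SAMPLE_MAILBOX = [
  { id: 1, from: 'alice@company.example', subject: 'FW: [Phishing Report] Invoice overdue',
    bodyText: 'Forwarding as instructed.', attachments: [{ name: 'original.eml' }], headers: {} },
  { id: 2, from: 'bob@company.example', subject: 'Re: VPN certificate renewal',
    bodyText: 'Thanks, that worked.', attachments: [], headers: {} },
  { id: 3, from: 'carol@company.example', subject: 'Automatic reply: Phishing awareness training',
    bodyText: 'I am out of office.', attachments: [], headers: { 'auto-submitted': 'auto-replied' } },
  { id: 4, from: 'dave@company.example', subject: 'Odd message from HR',
    bodyText: 'Reported URL: hxxp://example.invalid/login\nOriginal sender: hr@example.invalid',
    attachments: [], headers: {} },
];

const TRIAGE_RESULT = triage(SAMPLE_MAILBOX);
console.log(JSON.stringify(TRIAGE_RESULT, null, 2));
```

Run with `node triage.js`; messages 1 and 4 land in `open` (subject tag plus attached original, and a structured report body respectively) while 2 and 3 are ignored. Keeping the negative rules ahead of the positive ones is deliberate: an out-of-office reply whose subject happens to contain the word "phishing" should never open a record, which is the mixed-mailbox problem the question raises.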