Phishing Email Identification from Shared Mailbox – OOB or Custom Integration Options?
3 weeks ago
Hi Experts,
I would like to understand if there is any OOB or recommended custom integration approach in ServiceNow Security Operations to identify phishing emails from a shared/group mailbox.
Scenario:
The security team maintains a single shared mailbox (e.g., security@company.com).
This mailbox receives:
- Potential phishing emails reported by users
- Regular user responses
- Genuine operational/security communications
Not all emails received are phishing-related.
The potential phishing emails received in this mailbox need to have a specific format/text, and these emails could be sent randomly.
Requirement:
We are looking for an integration or mechanism that can:
- Pull emails from the shared mailbox automatically.
- Evaluate all incoming emails (including random/unstructured emails).
- Validate whether the email qualifies as a phishing candidate based on defined conditions/rules.
- Automatically create a Security Incident (SIR) in ServiceNow only when criteria match.
- Ignore non-phishing or irrelevant emails without creating records.
Questions:
- Is there any Out-of-Box (OOB) capability in ServiceNow SecOps to support this use case?
- Are there recommended integrations (e.g., phishing platforms, SOAR tools, or mailbox parsers) typically used for this scenario?
- What is the best practice when the mailbox contains both phishing and legitimate communications?
Any architecture suggestions or implementation experiences would be greatly appreciated.
Thanks in advance!
3 weeks ago
ServiceNow Security Operations has built-in functionality to support User Reported Phishing emails. You can utilize Email Parsers and Email matching rules so that specific emails are targeted.
Check out the docs: https://www.servicenow.com/docs/r/security-management/security-incident-response/urp-about.html?cont...
3 weeks ago
Thank you for the response and for sharing the docs on User Reported Phishing.
We have already implemented the User Reported Phishing email integration as described in the documentation. However, our current requirement is slightly different and relates to a shared mailbox use case.
In our scenario, phishing emails are received in a shared security mailbox that is also used for regular analyst communication and genuine user responses. There is no consistent subject, sender pattern, or predefined rule that uniquely identifies phishing emails.
Currently, security analysts manually review this mailbox and create Security Incident Response (SIR) tickets in ServiceNow for suspected phishing emails.
The customer’s objective is to automate this process, where ServiceNow should:
- Monitor the shared mailbox
- Identify potential phishing emails from mixed email traffic
- Automatically create Security Incident records for phishing candidates
- Ignore non-phishing or unrelated emails
Is there any OOB capability, recommended architecture, or custom integration approach within ServiceNow Security Operations that can support this type of intelligent email ingestion from a shared mailbox?
Any guidance or implementation suggestions would be greatly appreciated.
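The triage logic the thread is asking for, as an added example that is not ServiceNow's own code and not from either poster: since no single subject or sender pattern identifies a report in the mixed mailbox, several weak signals are scored and only messages at or above a threshold become Security Incident candidates. The message field names, the internal domain, the rule weights and the sample messages are constructed assumptions; in ServiceNow this decision would sit behind the inbound email handling that the email parser / matching rules feed.

```javascript
// Added example, not ServiceNow code: score-based triage of messages pulled from a
// mixed shared security mailbox. Each message is checked against weak signals;
// only a total at or above SIR_THRESHOLD becomes a Security Incident candidate,
// everything else is ignored. Field names, weights and domain are assumptions.
const SIR_THRESHOLD = 3;
const INTERNAL_DOMAIN = "company.com"; // assumed; take from instance configuration

const RULES = [
  // Reporter attached the suspicious mail as an .eml/.msg file (strong signal)
  { name: "attached_message", weight: 2,
    test: (m) => (m.attachments || []).some((a) => /\.(eml|msg)$/i.test(a)) },
  // Reporter flagged the message in the subject line (strong signal)
  { name: "report_keyword", weight: 2,
    test: (m) => /\b(phish(ing)?|suspicious|scam|spam)\b/i.test(m.subject || "") },
  // Forwarded headers quoted inline in the body (weak signal)
  { name: "quoted_headers", weight: 1,
    test: (m) => /^(From|Sent|Subject):/im.test(m.body || "") },
  // A link in the body: common in reports and in newsletters alike, so low weight
  { name: "has_url", weight: 1, test: (m) => /https?:\/\//i.test(m.body || "") },
  // Internal reply in an existing thread with nothing attached: analyst chatter
  { name: "internal_reply", weight: -2,
    test: (m) => /^re:/i.test(m.subject || "") &&
      (m.from || "").toLowerCase().endsWith("@" + INTERNAL_DOMAIN) &&
      (m.attachments || []).length === 0 },
];

// Score one message; returns the decision plus the rules that fired, so an
// analyst can see why a record was (or was not) created.
function triageEmail(m) {
  const matched = RULES.filter((r) => r.test(m));
  const score = matched.reduce((s, r) => s + r.weight, 0);
  return { decision: score >= SIR_THRESHOLD ? "create_sir" : "ignore",
           score, matched: matched.map((r) => r.name) };
}

// Apply triage to a batch pulled from the mailbox; return only SIR candidates.
function triageMailbox(messages) {
  return messages.filter((m) => triageEmail(m).decision === "create_sir");
}

// Constructed sample traffic: one user report, one analyst reply, one newsletter.
const SAMPLE_MAILBOX = [
  { from: "alice@company.com", subject: "FW: Suspicious email - please check",
    body: "Got this today.\n\nFrom: billing@invoice-pay.example\nSubject: Account suspended\nhttps://invoice-pay.example/login",
    attachments: ["suspicious.eml"] },
  { from: "bob@company.com", subject: "RE: SIR status update",
    body: "Thanks, closing this one out.", attachments: [] },
  { from: "news@vendor.example", subject: "Monthly security bulletin",
    body: "Read the latest at https://vendor.example/news", attachments: [] },
];
```

Only the first sample message clears the threshold; the analyst reply scores below zero and the newsletter's single link is not enough on its own, so neither creates a record.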
