Handling Phishing Campaigns
‎01-30-2017 09:46 AM
Hello,
I am new to this forum and have only been in ServiceNow for about a half year. Where I could use help with is in the "phishing" area. We get buried in phishing e-mails almost on a daily basis. We have an e-mail address where these can be sent that automatically opens an incident in ServiceNow and assigns it to our Security group. These incidents are also created through e-mails that come through our Help Desk e-mail account and are reassigned to the security group manually. We spend a great deal of time sifting through these for bad websites, bad attachments and compromised accounts.
I am curious to know how others are handling phishing?
Thanks,
Doug
‎01-30-2017 09:50 AM
Hello Doug,
You can try the Email filters plugin and put in the rule. There are OOTB rules as well which can be modified. The email filter rules also support condition scripts and the condition builder.
https://docs.servicenow.com/bundle/istanbul-servicenow-platform/page/administer/notification/concept/c_EmailFilters.html
The above link is for Istanbul but should work in previous versions as well.
Regards
Ravi Tandon
‎01-30-2017 12:38 PM
Thanks Ravi.
The problem we are having is not that we want to ignore them but find an easier way to figure out if a website listed or an attachment is malicious. We know what the logic would be if we were to write a script but we are not sure if that is feasible. It would also be quite a large effort. There may be other ways that people are handling this also.
Doug
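The script logic Doug describes above (checking whether a website listed in a reported message or an attachment looks malicious), written out as an added example that is not part of this thread and not ServiceNow's own code. It is plain JavaScript that pulls the sender domain, URLs and attachment names out of a reported message and matches them against indicator lists. The report object shape (from/subject/body/attachments), the domain block list, the risky-extension list and the sample report are all constructed assumptions for the example; in a real deployment the lists would come from your threat-intelligence feeds and the object would be built from the inbound e-mail record.

```javascript
// Added example: first-pass triage of a user-reported phishing e-mail.
// Nothing here is a ServiceNow API; the report object and lists are constructed.

// Constructed indicator lists (placeholder domains, not real IoCs).
const KNOWN_BAD_DOMAINS = new Set(["login-verify.example", "secure-update.example"]);
const RISKY_EXTENSIONS = new Set(["exe", "js", "vbs", "scr", "hta", "docm", "xlsm", "iso", "lnk"]);

const URL_RE = /https?:\/\/[^\s<>"')]+/gi;
const IPV4_HOST_RE = /^\d{1,3}(\.\d{1,3}){3}$/;

// Return the distinct URLs found in free text, with trailing sentence punctuation removed.
function extractUrls(text) {
  const hits = (text.match(URL_RE) || []).map((u) => u.replace(/[.,;:!?]+$/, ""));
  return Array.from(new Set(hits));
}

// Hostname of a URL, or null if the URL does not parse.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// True when the host equals a listed domain or is a subdomain of one.
function domainIsListed(host, list) {
  if (!host) return false;
  for (const bad of list) {
    if (host === bad || host.endsWith("." + bad)) return true;
  }
  return false;
}

// Address part of a From header such as '"IT Help Desk" <x@y.example>'.
function senderAddress(fromHeader) {
  const m = /<([^>]+)>/.exec(fromHeader);
  return (m ? m[1] : fromHeader).trim().toLowerCase();
}

// Final extension of a file name (so "form.pdf.exe" yields "exe").
function extensionOf(filename) {
  const m = /\.([a-z0-9]+)$/i.exec(filename);
  return m ? m[1].toLowerCase() : "";
}

// Produce a list of findings and a coarse verdict for the analyst queue.
function triageReport(report) {
  const findings = [];

  const senderDomain = senderAddress(report.from).split("@")[1] || "";
  if (domainIsListed(senderDomain, KNOWN_BAD_DOMAINS)) {
    findings.push({ type: "sender", value: senderDomain, reason: "sender domain on block list" });
  }

  for (const url of extractUrls([report.subject, report.body].join("\n"))) {
    const host = hostOf(url);
    if (domainIsListed(host, KNOWN_BAD_DOMAINS)) {
      findings.push({ type: "url", value: url, reason: "domain on block list" });
    } else if (host && IPV4_HOST_RE.test(host)) {
      findings.push({ type: "url", value: url, reason: "link points at a bare IP address" });
    }
  }

  for (const name of report.attachments || []) {
    const ext = extensionOf(name);
    if (RISKY_EXTENSIONS.has(ext)) {
      findings.push({ type: "attachment", value: name, reason: "risky extension ." + ext });
    }
  }

  // "suspicious" goes to the security queue first; "review" still gets a human look.
  return { verdict: findings.length > 0 ? "suspicious" : "review", findings };
}

// Constructed sample report (203.0.113.5 is a documentation-range address).
const SAMPLE_REPORT = {
  from: '"IT Help Desk" <helpdesk@secure-update.example>',
  subject: "Action required: password expires today",
  body:
    "Your mailbox password expires today. Reset it at http://login-verify.example/reset?id=42 " +
    "or download the form from http://203.0.113.5/form.html. Questions: see https://intranet.example.com/help.",
  attachments: ["password_form.pdf.exe", "notice.pdf"],
};

console.log(JSON.stringify(triageReport(SAMPLE_REPORT), null, 2));
```

The intranet link and the plain PDF produce no finding, so the output shows which parts of the message actually matched an indicator; that is the list an analyst wants attached to the incident rather than the whole e-mail. Running it against a message with no matches returns `verdict: "review"`, which keeps the manual check Doug describes while front-loading the obvious cases.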
‎11-06-2017 04:57 PM
Hi Doug,
I know this is an old question... We have a similar issue where we don't want to ignore these reports, but already get a lot of the information from other sources before the end users report it anyway. Our approach has been similar in terms of the reporting via Service Desk as well as via an email to our security team (who have tickets raised within ServiceNow). There is also a record producer within our Service Portal for contacting Security - we have now added an option in for 'do you wish to have a response' which is helping us reduce the number of issues we need to respond to (reducing time - it logs them so we can report on them but auto resolves them as an FYI effectively), and we can then focus on reviewing the reports for anything we are not aware of already. Where they do require a response, we have trained our Service Desk in the initial triage of these issues to help reduce the noise and ensure security are focussing on reducing the instances of this getting through.
Other than the tools that are available to automatically block certain types of traffic or locations, or scan attachments/websites (thinking things like Mimecast here) we haven't found any other way to reduce this other than the manual review.
Not sure if that is helpful at all, but you aren't alone with the issue!
- Chloe