PhishNet - Getting Started FAST

Support Desk
  • Updated
Follow

This getting started FAST guide will help you get up and running with PhishNet in the quickest manner possible.

PhishNet provides an efficient platform for evaluating the threat level posed by suspicious emails. This is known as a Security Orchestration, Automation, and Response (SOAR) platform and allows a one-stop-shop to review your suspicious emails.

We'll dive straight into getting your system up and running so you can experience PhishNet for yourself. Each stage of configuration has been outlined below. If you are familiar with PhishNet you can use the links below to skip to the relevant section.

Please Note:

If you are unable to see the PhishNet settings in your account this means your account is not yet enabled for this feature. Please contact your Customer Success Manager or support@phishingtackle.com to enable this feature.

How to get to PhishNet™ (SOAR) settings
How_to_get_to_PhishNet__SOAR__settings.png

  1. Click "Organisation".
  2. Click "Settings".
  3. Click "PhishNet™ (SOAR)".

 

How to configure your PhishNet mailbox 

Add your PhishNet mailbox to your Phish Hook button settings

For reported emails to land in your PhishNet inbox, you must first add the Reporting Email Address from your PhishNet settings to the list of Forwarding Email Addresses in the Phish Hook button settings.

  1. Click "Add Reporting Address".
  2. Next click the long email address under Reporting Email Address. You'll see this copies the address to your clipboard.
    PhishNET_Getting_Started_Fast_-_Copy_Email_Address.png
  3. Click the "Phish Hook™ Button" settings and paste the address into the Forwarding Email Addresses... section.

    PhishNET_Getting_Started_Fast_-_Paste_Email_Address.png

Now, any time one of your users reports a suspicious email using the Phish Hook button, it will automatically forward to the PhishNet inbox!

 

How to obtain and enter your VirusTotal API key

PhishNet utilises VirusTotal to scan for malware and other suspicious files. To enable scanning, you must obtain and enter a VirusTotal API key, this is free and easy to do. The guide below will take you through the steps of obtaining an API key and how to enter it. 

  1. Sign up for a free VirusTotal account by clicking here.
  2. Click your "name" in the right-hand corner.
    How_to_obtain_a_VirusTotal_API_key_Step_2.png
  3. Next click "API key".
    How_to_obtain_a_VirusTotal_API_key_Step_3.png
  4. Copy your "API key".
    How_to_obtain_a_VirusTotal_API_key_Step_4.png
  5. Revisit Phishing Tackle. Under "SETUP" in the left-hand column click "Organisation".
    PhishNet_-_Organisation_Settings.png
  6. Click "Settings".
  7. Click "PhishNet™ (SOAR)".
    PhishNet_-_Organisation_Settings_-_PhishNet__SOAR_.png
  8. On the PhishNet™ (SOAR) settings page scroll down and enter your API key in the field "VirusTotal API Key".
    PhishNet_-_Paste_VirusTotal_API_Key.png
  9. Enable VirusTotal scanning.
    PhishNet_-_Enable_VirusTotal_scanning.png
  10. Enter a VirusTotal Timeout time. We recommend 180 seconds.
    PhishNet_-_VirusTotal_Timeout.png
  11. You can automatically scan attachment hashes and URLs. Simply select the settings you would like to use.
  12. Once you have reviewed your settings click the "Save VirusTotal Details" button.

How to access PhishNet Metrics, Mailboxes, Automation, and Templates

  1. Under "PHISHNET" in the left-hand column select the category you would like to access.

How_to_access_PhishNet_Metrics__Mailboxes__Automation__and_Templates.png

PhishNet Mailboxes 

While using PhishNet suspicious and manually reported messages will be sent to the PhishNet mailbox. You are provided with an inbox and a deleted mailbox to help keep messages organised. Actions and rules can be configured to automatically move messages into their appropriate mailbox.

How to add additional mailboxes

Additional mailboxes can be created for you to use. To add an additional mailbox, go to Setup > Click "Organisation" > Click "Settings" > Click "PhishNet™ (SOAR)" > Click "Add New Mailbox".

The_PhishNet_Mailbox.png

  1. Refresh Mailbox
    • Click refresh to update your mailbox.
  2. Status
    • The message status icon is red for new messages, yellow for messages in review, and green for resolved messages. 
  3. Message Details
    • Message details provide information about the message and the user who reported the suspicious message.
  4. Email preview
    • A preview of the reported email is displayed.
  5. Attachments
    • Information about each attachment inside an email is displayed. 
  6. Hyperlinks
    • The host of each hyperlink and the result of the VirusTotal scan is displayed. 
  7. Email headers
    • The different sections of the email header will be separated into names and values.
  8. Raw message
    • Raw message displays the entire email header. 
  9. Automated rules matched
    • Automated rules that have been triggered by the message will be shown here.
  10. History
    • The history of any changes in message properties will be displayed.
  11. Message Status
    • Message status can be manually changed to new, in review, or resolved.
  12. Message category 
    • Message category can be manually changed to unknown, clean, spam, or threat.
  13. Message priority
    • Message priority can be manually changed to unknown, low, medium, high, or critical.
  14. Message authentication
    • The results of authentication checks are displayed for SPF, DKIM, and DMARC
  15. Message Tags
    • All assigned tags are displayed here.
    • You can also add/remove tags manually.
  16. Quick steps
    • Manually trigger any Quick Step automations (explained in the "automations" section below).
  17. Move this message to your deleted mailbox
    • The selected message will be deleted and will be moved to the "deleted" mailbox.

 

How to use PhishNet Automation (Rules and Actions)

Configuring actions and rules will let you automate how messages should be handled. This in turn will allow you to dedicate your time and resources into other important areas.

PhishNet Rule Editor

PhishNet uses YARA to create rules.

It is not mandatory to have any rules configured to use PhishNet.

YARA is a powerful tool that can be used to identify and classify malware samples, specific sender types or email content, pretty much anything!

The official YARA website provides documentation and examples to help you create your own rules. YARA's documentation can be found here.

To get to the PhishNet Rule editor Find "PhishNet" (in the left-hand column) > Click "Automation" > Click "Rules" > Click "Add new Rule button" (top right-hand corner). 

PhishNet_Rule_Editor.png

  1. Name of Rule
    • Enter a name for your rule.
  2. Description
    • Enter a description for your rule (descriptive rules are recommended to help aid clarity).
  3. Tags to apply if this rule is met
    • You can use Phishing Tackle's list of tags or your own custom tags which will be applied when a rule condition is met.
  4. Rule Target
    • Rules can be applied to any section of an email.
    • The options of where a rule can be applied are raw, body, header, or attachment.
  5. Rule Editor
    • The rule editor allows you to create custom rules.
    • The example above will look for the words "pay" and "immediately". If both words are mentioned within the body of email the tag "Scam" will be assigned.
  6. Save
    • Click save once you have completed your rule.

 

PhishNet Action Editor

The action editor allows you to decide what happens to messages that meet certain conditions. Messages can be scanned for malware, moved to a different mailbox, forwarded to another user and more. 

To get to the PhishNet action editor find "PhishNet" in the (left-hand column) > Click "Automation" > Click "Actions" > Click "Add new action button" (top right-hand corner).PhishNet_Action_Editor.png
PhishNet_Actions_Editor_6-11.png

  1. Active status
    • Each action can be toggled on or off.
  2. Name of Rule
    • Enter a name for this rule.
  3. Description
    • Enter a description for your rule (descriptive rules are recommended to help aid clarity).
  4. When will this rule be automatically triggered?
    • Action triggers can be set to manual, on every message received, messages without a tag or tag criteria.
  5. What action would you like to take with this message?
    • Message status can be set to new, in review, resolved or don't change.
    • Message category can be set to unknown, clean, spam, threat, or don't change.
    • Message priority can be set to unknown, low, medium, high, critical, or don't change.
  6. What automatic malware scanning would you like to perform?
    • Attachment files and hashes can be automatically scanned for malware.
    • A URL hash can be automatically scanned for malware. 
  7. Would you like to move this message to a different mailbox? 
    • Messages can be moved between different mailboxes.
    • The mailbox options are inbox, sent, deleted, or don't move.
  8. Automatically manage the following tags on this message
    • Tags can be automatically added or removed from messages.
  9. How would you like to report this message?
    • When an action is triggered a custom notification email can be sent to the message reporter and anyone else you would like. 
  10. Quick Steps can be manually triggered within each message.
    • When ticked quick steps will be manually triggered for each message.
  11. What would you like to do with further actions?
    • When checked any other actions that follow will not be executed.

PhishNet Catch & Release

Catch & Release allows you to sanitise real phishing emails that your organisation has received and convert the email into a template that can be used in a simulated phishing campaign.

Catch & Release will replace all links within a reported email with safe links and will replace common attachment types with safe attachments with the same name (where possible). This section of the knowledge base article will explain how to create a Catch & Release Quick Step.

How to configure a catch & Release Quick Step

  1. Under "PHISHNET" in the left-hand column click "Automation".
  2. Click "Actions".
    PhishNet_-_Catch___Release_Configuration.png
  3. Click "ADD NEW ACTION".
    PhishNet_-_Catch___Release_Configuration_-_Add_New_Action.png

  4. Enable "Active status".
  5. Enter a name for the rule. We recommend "Catch & Release".
  6. Enter a description for the rule. We recommend "Convert email in PhishNet mailbox to a phishing email template.".
  7. For the setting "When will this rule be automatically triggered" select "Manually triggered only".
  8. The setting "What action would you like to take with this message?" can be left as the default values.
  9. The first section of settings should look like the image below.
    PhishNet_-_Catch___Release_Configuration_-_Actions_Part_1.png
  10. The settings in "What automatic malware scanning would you like to perform?" can be left as the default values.
  11. The setting in "Would you like to move this message to a different mailbox?" can be left as the default value.
    PhishNet_-_Catch___Release_Configuration_-_Actions_Part_2.png

  12. Click the drop-down arrow next to "Email Template Library" and select "ADD TO LIBRARY".
    PhishNet_-_Catch___Release_Configuration_-_Actions_Part_3.png

  13. When the "Catch & Release" Quick Step is used the email template will use the values you have set in these fields.
    PhishNet_-_Catch___Release_Configuration_-_Actions_Part_4.png
  14. The settings in "Automatically manage the following tags on this message" can be left as the default values.
  15. The settings in "How would you like to report this message?" can be left as the default values.
  16. Under the setting "Quick Steps can be manually triggered within each message." click "Add to Quick Steps".
    PhishNet_-_Catch___Release_Configuration_-_Actions_Part_5.png

  17. Select a "for your Quick Step.
    PhishNet_-_Catch___Release_Configuration_-_Quick_Steps_Colour.png

  18. The setting "How would you like to report this message?" can be left as the default value.
  19. Click "SAVE THIS ACTION".
    PhishNet_-_Catch___Release_Configuration_-_Save_Action.png

How to use the catch & Release Quick Step

Now that you have configured a Catch & Release Quick Step you can simply select the Quick Step in your PhishNet Mailbox to create a new template.

  1. In your PhishNet Mailbox click the "Catch & Release" Quick Step.
    PhishNet_-_Catch___Release_Configuration_-_Select_Catch___Release_Quick_Step.png

  2. The emails that you have used the "Catch & Release" Quick Step on will be added to your phishing email templates. You can click the "Edit Template" button to make changes to the template.
    PhishNet_-_Catch___Release_Configuration_-_Phishing_Email_Templates.png

  3. An example of a "Catch & Release" template is displayed below. We recommend carefully reviewing the template and sending yourself a test email before sending the template to your users to ensure it meets with your requirements.
    PhishNet_-_Catch___Release_Configuration_-_Template_Review.png

If you need any help with getting PhishNet configured or have any questions, please contact the support team by clicking here.

Related articles