PhishNet - Getting Started FAST

Support Desk
  • Updated
Follow

This getting started FAST guide will help you get up and running with PhishNet in the quickest manner possible.

PhishNet provides an efficient platform for evaluating the threat level posed by suspicious emails. This is known as a Security Orchestration, Automation, and Response (SOAR) platform and allows a one-stop-shop to review your suspicious emails.

We'll dive straight into getting your system up and running so you can experience PhishNet for yourself. Each stage of configuration has been outlined below. If you are familiar with PhishNet you can use the links below to skip to the relevant section.

How to get to PhishNet™ (SOAR) settings
How_to_get_to_PhishNet__SOAR__settings.png

  1. Click "Organisation".
  2. Click "Settings".
  3. Click "PhishNet™ (SOAR)".

 

How to configure your PhishNet mailbox 

Add your PhishNet mailbox to your Phish Hook button settings

For reported emails to land in your PhishNet inbox, you must first add the Reporting Email Address from your PhishNet settings to the list of Forwarding Email Addresses in the Phish Hook button settings.

  1. Click "Add Reporting Address".
  2. Next click the long email address under Reporting Email Address. You'll see this copies the address to your clipboard.
    PhishNET_Getting_Started_Fast_-_Copy_Email_Address.png
  3. Click the "Phish Hook™ Button" settings and paste the address into the Forwarding Email Addresses... section.

    PhishNET_Getting_Started_Fast_-_Paste_Email_Address.png

Now, any time one of your users reports a suspicious email using the Phish Hook button, it will automatically forward to the PhishNet inbox!

 

How to obtain and enter your VirusTotal API key

PhishNet utilises VirusTotal to scan for malware and other suspicious files. To enable scanning you must obtain and enter a VirusTotal API key, this is free and easy to do. The guide below will take you through the steps of obtaining an API key and how to enter it. 

  1. Sign up for a free VirusTotal account by clicking here.
  2. Click your "name" in the right-hand corner.
    How_to_obtain_a_VirusTotal_API_key_Step_2.png
  3. Next click "API key".
    How_to_obtain_a_VirusTotal_API_key_Step_3.png
  4. Copy your "API key".
    How_to_obtain_a_VirusTotal_API_key_Step_4.png
  5. Within Phishing Tackle go to Setup > Organisation > Settings > PhishNet™ (SOAR) > VirusTotal and paste your API key.
  6. Click "Save VirusTotal Details".

 

PhishNet Mailboxes 

While using PhishNet suspicious and manually reported messages will be sent to the PhishNet mailbox. You are provided with an inbox and a deleted mailbox to help keep messages organised. Actions and rules can be configured to automatically move messages into their appropriate mailbox.

How to add additional mailboxes

Additional mailboxes can be created for you to use. To add an additional mailbox, go to Setup > Click "Organisation" > Click "Settings" > Click "PhishNet™ (SOAR)" > Click "Add New Mailbox".

The_PhishNet_Mailbox.png

  1. Refresh Mailbox
    • Click refresh to update your mailbox.
  2. Status
    • The message status icon is red for new messages, yellow for messages in review, and green for resolved messages. 
  3. Message Details
    • Message details provide information about the message and the user who reported the suspicious message.
  4. Email preview
    • A preview of the reported email is displayed.
  5. Attachments
    • Information about each attachment inside an email is displayed. 
  6. Hyperlinks
    • The host of each hyperlink and the result of the VirusTotal scan is displayed. 
  7. Email headers
    • The different sections of the email header will be separated into names and values.
  8. Raw message
    • Raw message displays the entire email header. 
  9. Automated rules matched
    • Automated rules that have been triggered by the message will be shown here.
  10. History
    • The history of any changes in message properties will be displayed.
  11. Message Status
    • Message status can be manually changed to new, in review, or resolved.
  12. Message category 
    • Message category can be manually changed to unknown, clean, spam, or threat.
  13. Message priority
    • Message priority can be manually changed to unknown, low, medium, high, or critical.
  14. Message authentication
    • The results of authentication checks are displayed for SPF, DKIM, and DMARC
  15. Message Tags
    • All assigned tags are displayed here.
    • You can also add/remove tags manually.
  16. Quick steps
    • Manually trigger any Quick Step automations (explained in the "automations" section below).
  17. Move this message to your deleted mailbox
    • The selected message will be deleted and will be moved to the "deleted" mailbox.

 

How to use PhishNet Automation (Rules and Actions)

Configuring actions and rules will let you automate how messages should be handled. This in turn will allow you to dedicate your time and resources into other important areas.

PhishNet Rule Editor

PhishNet uses YARA to create rules.

It is not mandatory to have any rules configured to use PhishNet.

YARA is a powerful tool that can be used to identify and classify malware samples, specific sender types or email content, pretty much anything!

The official YARA website provides documentation and examples to help you create your own rules. YARA's documentation can be found here.

To get to the PhishNet Rule editor Find "PhishNet" (in the left-hand column) > Click "Automation" > Click "Rules" > Click "Add new Rule button" (top right-hand corner). 

PhishNet_Rule_Editor.png

  1. Name of Rule
    • Enter a name for your rule.
  2. Description
    • Enter a description for your rule (descriptive rules are recommended to help aid clarity).
  3. Tags to apply if this rule is met
    • You can use Phishing Tackle's list of tags or your own custom tags which will be applied when a rule condition is met.
  4. Rule Target
    • Rules can be applied to any section of an email.
    • The options of where a rule can be applied are raw, body, header, or attachment.
  5. Rule Editor
    • The rule editor allows you to create custom rules.
    • The example above will look for the words "pay" and "immediately". If both words are mentioned within the body of email the tag "Scam" will be assigned.
  6. Save
    • Click save once you have completed your rule.

 

PhishNet Action Editor

The action editor allows you to decide what happens to messages that meet certain conditions. Messages can be scanned for malware, moved to a different mailbox, forwarded to another user and more. 

To get to the PhishNet action editor find "PhishNet" in the (left-hand column) > Click "Automation" > Click "Actions" > Click "Add new action button" (top right-hand corner).PhishNet_Action_Editor.png
PhishNet_Actions_Editor_6-11.png

  1. Active status
    • Each action can be toggled on or off.
  2. Name of Rule
    • Enter a name for this rule.
  3. Description
    • Enter a description for your rule (descriptive rules are recommended to help aid clarity).
  4. When will this rule be automatically triggered?
    • Action triggers can be set to manual, on every message received, messages without a tag or  tag criteria.
  5. What action would you like to take with this message?
    • Message status can be set to new, in review, resolved or don't change.
    • Message category can be set to unknown, clean, spam, threat, or don't change.
    • Message priority can be set to unknown, low, medium, high, critical, or don't change.
  6. What automatic malware scanning would you like to perform?
    • Attachment files and hashes can be automatically scanned for malware.
    • A URL hash can be automatically scanned for malware. 
  7. Would you like to move this message to a different mailbox? 
    • Messages can be moved between different mailboxes.
    • The mailbox options are inbox, sent, deleted, or don't move.
  8. Automatically manage the following tags on this message
    • Tags can be automatically added or removed from messages.
  9. How would you like to report this message?
    • When an action is triggered a custom notification email can be sent to the message reporter and anyone else you would like. 
  10. Quick Steps can be manually triggered within each message.
    • When ticked quick steps will be manually triggered for each message.
  11. What would you like to do with further actions?
    • When checked any other actions that follow will not be executed. 

If you need any help with getting PhishNet configured or have any questions, please contact the support team by clicking here.

Related articles