When a user forwards a suspicious email to an alias or shared inbox (for example, security@acme.com) instead of reporting it in their email client, some data necessary for proper analysis might be lost. You can configure the Expel Managed Phishing service to retrieve all the required information and ensure an accurate threat assessment.

You can enable this feature in Google Workspace and Microsoft 365.

Note

If you do not enable this feature, email submissions without an .eml file are not processed or analyzed. Email clients generate .eml files when a suspicious message is reported directly in the client, for example, by clicking a dedicated button.
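The following Python example is added here to show what the note means in practice; it is not Expel's code and not part of Workbench. It runs the standard-library `email` package over two constructed messages and assumes the original arrives either as a `message/rfc822` part or as an attached file named `*.eml`.

```python
from email import message_from_bytes, message_from_string, policy

# Headers of the ORIGINAL message that analysis depends on.
FORENSIC_HEADERS = ("Message-ID", "Return-Path", "Received", "Authentication-Results")

def find_original(submission):
    """Return the embedded original message, or None for an inline forward."""
    for part in submission.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()  # already parsed as a message object
        if (part.get_filename() or "").lower().endswith(".eml"):
            # .eml attached as a generic file: decode and parse its bytes
            return message_from_bytes(part.get_payload(decode=True), policy=policy.default)
    return None

def assess(raw):
    submission = message_from_string(raw, policy=policy.default)
    original = find_original(submission)
    source = original if original is not None else submission
    headers = {h: [str(v) for v in source.get_all(h, [])] for h in FORENSIC_HEADERS}
    return {"has_eml": original is not None, "headers": headers}

# Constructed sample: inline forward; only the forwarder's headers remain.
INLINE = """\
From: user@example.com
Subject: Fwd: Invoice overdue
Message-ID: <fwd-1@example.com>

---------- Forwarded message ---------
Please pay at once.
"""

# Constructed sample: original forwarded as an attachment (message/rfc822).
ATTACHED = """\
From: user@example.com
Message-ID: <fwd-2@example.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822

Return-Path: <bounce@mailer.example>
Received: from mailer.example by mx.example.com; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example
Message-ID: <orig-77@mailer.example>

Please pay at once.
--b1--
"""
```

For the inline forward, `assess` returns no `Received` or `Authentication-Results` values and only the forwarding user's `Message-ID`, which is the data loss described above.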

Google Workspace

Before you start, provision the Expel service account and configure Google Workspace in Workbench. For more information, see Google Workspace (formerly G Suite) onboarding guide.

Step 1: Onboard Your Google Workspace Instance

  1. In your Google Cloud project, search for and select Gmail API.

  2. Enable the Gmail API permissions for the project.

  3. In the Google Workspace admin console, access the Domain-wide delegation configuration.

  4. Locate the API client created for the Expel service account and click Edit.

  5. Add the following OAuth scope:

    https://www.googleapis.com/auth/gmail.readonly

  6. Click Authorize.

Step 2: Enable Gmail Logs in BigQuery

  1. In the Google Workspace admin console, access the Gmail setup page.

  2. Hover over Email Logs in BigQuery and click the pencil icon.

  3. In the section that appears, select the Enable checkbox and provide a description.

  4. Select the project to which the service account belongs.

  5. For the name of the new BigQuery dataset, type gmail_logs_dataset.

  6. Click Save.

  7. From the IAM console in the project where the service account was created, click the pencil icon.

  8. Add the BigQuery Job User role to the service account.

  9. Click Save.

  10. In the Google Cloud console, navigate to BigQuery.

  11. In the Explorer menu on the right, find and open gmail_logs_dataset.

  12. Click Edit details.

  13. Set the retention to 30 days.

  14. Click Save.

  15. Click Sharing > Permissions.

  16. In the New principals section, add the BigQuery Data Viewer role.

  17. Click Save.

Microsoft 365

Before you start, configure the Message Trace API. For more information, see Microsoft 365 Message Trace set up.

Step 1: Enable the Required Permissions

Option 1: Connection Through the Expel Enterprise Application

If you connected to Workbench through the native Expel enterprise application, do the following:

  1. Navigate to the Expel Admin Consent page.

  2. Review and accept the requested permissions.

Option 2: Connection Through a Custom Microsoft Entra ID Application

If you connected to Workbench by creating a custom Microsoft Entra ID application, do the following:

  1. In the Azure portal, navigate to the App registrations page.

  2. Select the custom Microsoft Entra ID application and navigate to API permissions.

  3. Click Add a permission.

  4. Select Microsoft Graph, and click Application permissions.

  5. Search for and select Mail.Read.

  6. Click Add permissions.

  7. In the Configured permissions section, click Grant admin consent for Expel.

  8. Confirm the action by clicking Yes.

What Happens Next

That's it for the configuration! Your Expel Managed Phishing service is now set up to accept and analyze forwarded emails. As we receive these emails, Workbench searches your email client for the original suspicious email. Then, we send all the relevant information and metadata from that initial email to Workbench for assessment by a member of the Expel Security Operations team.