This article provides an overview of the Expel Phishing service and how it interacts with suspicious emails.
Quick Links
- Overview
- Email Submissions
- Email Providers
- Phishing Buttons
- Notifications
- Automatic Email Removal
- Expel Collaboration FAQ
Overview
Our goal is to save time for your security team by helping them investigate suspicious emails that have bypassed their email security tools. We also search for any threats in your environment that could come from your email inbox. If we find a harmful email, we check who else received it and use the security tooling you’ve enabled in Workbench to see how the attacker gained access and what damage they caused. Then, we start the remediation process.
The following high-level flowchart illustrates how Expel Phishing works:
Email Submissions
An email submission is an instance of an email reported to Expel as a potential phishing attempt by an individual associated with your organization. This includes emails submitted to Expel by using the Expel phishing button, a third-party reporting button, or an email forwarded to a configured email alias.
Email submissions fall into two high-level categories in Workbench:
- Benign: Benign emails don’t pose a threat to your environment (for example, a simulation, marketing email, or otherwise non-threatening email).
- Malicious: Malicious emails are threats to your environment that are further categorized as the following types:
  - Potential threat (Investigation): Potential threats are emails that haven't compromised the safety of your environment yet, but could lead to it.
  - Active threat (Incident): Active threats are emails that have compromised the safety of your environment.
The Expel detection engine groups email submissions together as a single Expel Alert when all three of the following are true:
- Subject is an exact match.
- Sender is an exact match.
- The original email was received by our service within the previous seven days.
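As an added example (not Expel's code) of the three grouping rules above, the following Python groups constructed .eml submissions into alerts. It assumes the sender is the address in the From header and uses the Date header as the time the original email was received; both are assumptions, not statements from this page.

```python
"""Group phishing submissions into alerts using the page's three rules:
exact subject match, exact sender match, and the alert's original email
received within the previous seven days. Added example, not Expel's code."""
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

GROUPING_WINDOW = timedelta(days=7)  # "previous seven days" from the page


def parse_submission(raw_eml):
    """Extract the fields the grouping rule needs from a raw .eml string."""
    msg = message_from_string(raw_eml)
    return {
        "subject": msg.get("Subject", ""),
        # Assumption: "sender" means the address part of the From header.
        "sender": parseaddr(msg.get("From", ""))[1],
        # Assumption: the Date header stands in for the time of receipt.
        "received": parsedate_to_datetime(msg["Date"]),
    }


def group_submissions(raw_emls):
    """Return alerts in order of creation; each alert carries the original
    email's fields plus every submission grouped into it."""
    subs = sorted((parse_submission(r) for r in raw_emls), key=lambda s: s["received"])
    alerts = []
    for sub in subs:
        for alert in alerts:
            same_subject = alert["subject"] == sub["subject"]  # exact, case-sensitive
            same_sender = alert["sender"] == sub["sender"]
            in_window = sub["received"] - alert["received"] <= GROUPING_WINDOW
            if same_subject and same_sender and in_window:
                alert["submissions"].append(sub)
                break
        else:  # no existing alert matched all three rules: open a new one
            alerts.append({**sub, "submissions": [sub]})
    return alerts


def _eml(sender, subject, date):
    """Build a minimal constructed .eml string for the demo."""
    return (f"From: {sender}\r\nTo: user@example.com\r\nSubject: {subject}\r\n"
            f"Date: {date}\r\n\r\nPlease review the attached invoice.\r\n")


SAMPLE_SUBMISSIONS = [  # constructed demo data, not real mail
    _eml("billing@example.net", "Invoice 4471 overdue", "Mon, 01 Jan 2024 09:00:00 +0000"),
    _eml("billing@example.net", "Invoice 4471 overdue", "Tue, 02 Jan 2024 10:30:00 +0000"),
    _eml("Acme Billing <billing@example.net>", "Invoice 4471 overdue", "Wed, 03 Jan 2024 08:15:00 +0000"),
    _eml("billing@example.net", "invoice 4471 overdue", "Wed, 03 Jan 2024 11:00:00 +0000"),  # subject case differs
    _eml("billing@example.net", "Invoice 4471 overdue", "Wed, 10 Jan 2024 09:00:00 +0000"),  # past the 7-day window
]
```

Running `group_submissions(SAMPLE_SUBMISSIONS)` yields three alerts: the first three submissions group together (display name differences do not change the address), the lower-case subject opens a second alert, and the 10 January email opens a third because it falls outside the window.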
Unsupported Submissions
Sometimes, users make submissions that the Expel Phishing service does not support. This includes, for example, text messages or voicemail. When Expel receives these types of submissions, analysts do the following:
- Close the alert.
- Classify the alert as Other.
- Mark the alert as out of scope for the service.
You can trigger a notification for your security team when this happens. The notification informs the submitter and the security team that an out-of-scope submission was received but wasn’t investigated.
Email Providers
Expel Phishing fully supports email submissions from users whose organizations use Microsoft 365 or Google Workspace as their provider. Limited support is provided for emails submitted from Microsoft Exchange Server.
For submissions received from Microsoft Exchange Server, the following activities are limited:
- Identifying other recipients of the suspicious email
- Scoping for active Business Email Compromise for users on Microsoft Exchange
- Automatic email removal
By design, Gmail limits the amount of interaction users have with emails identified as malicious. One such limitation in Gmail is a lack of support for third-party add-ons to send emails for human analysis. As a workaround for this restriction, you can enable the Expel Fetch Initial Email feature and instruct users to forward emails to the shared inbox you set up in Workbench. As a result, we’re able to retrieve suspicious emails and assess whether they're malicious and whether they compromised your environment.
Both Microsoft and Google give you the option to learn who else received the suspicious email:
- For Microsoft 365 environments, Microsoft 365 Message Trace must be enabled to run the investigative action that identifies other recipients in Workbench. This investigative action runs at the time of submission and presents the results to an analyst to support their decision with additional context.
- For Google Workspace environments, you must grant the appropriate permissions in BigQuery to run the investigative action that identifies other recipients.
Phishing Buttons
With Expel Phishing, you have the following options to send emails for analysis:
- Using the official Expel phishing button
- Using a third-party phishing button. For this option, you must configure it such that the original email is sent with the submission in the form of an .eml file. Google's Report Phish button is not currently a supported third-party phishing button because it does not include the .eml file.
- Forwarding suspicious email to an email alias. For this option, you must enable the appropriate permissions in your email provider's tenant to allow Expel to access the necessary information in the original email.
The Expel phishing button is built to make sure that submissions come to our pipeline as attachments in the .eml format. This increases the efficiency of our automation, and helps us provide quick triage and accurate analysis. Some third-party buttons aren’t available across every medium (for example, mobile apps, desktop apps, or web browsers). The Expel phishing button is available on all native clients for Gmail and Microsoft Outlook. The button isn’t available on third-party email apps (for example, Apple Mail).
Notifications
You can configure notifications to be sent to the submitter of the suspicious email. Workbench delivers both receipt and investigation outcome emails to those who submitted an email for analysis. You can configure this email to be sent from an alias that belongs to your security team. Contact support to set up your environment to send these notifications.
In addition to submitter notifications, you can configure Workbench to send notifications to your security team in the channel of your choice for any of the items in our default list.
Automatic Email Removal
You can enable automatic removal of malicious emails for your email tenant through Workbench. This feature finds and removes any matching emails from the inboxes of the submitter and other users.
The auto-remove feature looks for the malicious email in the user’s entire email (inbox and other folders), and moves the email to the trash. As a result, you can undo the removal in the rare instance when the decision to remove the email was a mistake.
Whether an email is removed from the user's inbox when Expel receives a submission depends on the provider:
- Microsoft 365: Emails submitted to Expel through the Expel phishing button are moved to the user’s trash on submission.
- Google Workspace: It is currently not possible to trigger a refresh of the inbox view to show the user that the submitted email was deleted. To avoid a confusing experience for the submitter, emails are not deleted upon submission. If we determine that an email is malicious during our investigation, and if the Auto Remove Email function is enabled for your environment, the email is removed automatically for all users.
For details, see Microsoft 365 and Google Workspace.
Because of current technical limitations with Microsoft's API, we don't support the auto-remove feature for Microsoft Exchange.
All .eml files are included in the lead Expel alert for the investigation. You can view the files in the metadata in the Timeline section of a Workbench investigation. By clicking the linked Subject block, you download the .eml file for that submission. The Expel database keeps all submission files as file records, and you can fetch the records with the API.
Expel Collaboration FAQ
I'm in the onboarding stage for the Expel Phishing service. What does my team need to do for the SOC to start working on my emails?
Work with the customer success team to make sure everything is configured as required and confirm the date you want to start the live service delivery. To test if the configurations are working as expected, contact support so the SOC can process the test email submissions appropriately.
We're about to run a phishing simulation in our organization. How can I help make sure that the Expel SOC will be able to properly identify these emails?
Notify the customer success team about the sender address and subject line, and provide a sample .eml file for the simulation, so the Expel SOC can create the appropriate automations.