MDR for Email provides 24/7 SOC coverage of the alerts generated by your email security tools. The service can be used with any email provider.
Scope and Limitations
- If you have an email provider other than Google Workspace or Microsoft 365, certain actions like message trace, search for other recipients, and auto remediation will not be available.
Quick Links
- MDR for Email vs Managed Phishing
- Investigation and Remediation Process
- Set Up MDR for Email
- Detection Strategy
MDR for Email vs Managed Phishing
Both of these services are intended to protect you against phishing emails; however, the method and scope of ingestion differ.
- MDR for Email monitors your existing email security tools and ingests their alerts (we do not ingest the email itself). This service is powered by automatic monitoring of alerts via a Workbench integration to one of the supported email security tools.
- Managed Phishing monitors user submissions of suspected phishing emails and ingests the entire email text, attachments, full metadata, .eml files, etc. This service is powered by human submissions of suspected phishing emails (via a submission button that we add to your email program, or by forwarding the email to us).
You may use both services simultaneously to create comprehensive MDR coverage within Workbench for your email monitoring.
Investigation and Remediation Process
MDR for Email focuses on the data included in the alerts coming from your email security tools. Therefore, we ingest only objects such as sender, file name, file hash, subject, message size, reply-to address, URLs, recipient actions, etc. We do not review the full email text, examine the .eml files, or retrieve any files that may have been included in the original email (this level of ingestion is part of Managed Phishing).
Ingestion and Triage
When an alert is generated by your email security tool, we ingest it and then process it according to our detection strategy. For suspected phishing attempts that may present a security issue, our Josie bot creates an Expel Alert so that our SOC Analysts can determine whether or not they need to open an Investigation.
Note
You can look for information about your ingested email security alerts on any of the following Workbench pages: Service Review dashboard, Alert Analysis dashboard, Security Devices page, or Situation Report dashboard.
Investigation
The MDR for Email Investigation seeks answers to the following questions:
- Is the URL valid?
- Has anyone or any system at the organization accessed the URL?
- What can we discern about the sender domain, including its age and any historical virus information?
- Is the file hash associated with any known malware?
- Do we have any existing information about the sender from prior incidents?
- Has anyone else at the organization received the same email?
- Is the file present on any other systems within the organization or any security devices?
- Have any suspicious logins occurred within the organization since the email was received?
- What can we discern about the source IP address?
- Are there any related Expel Alerts, either open or resolved?
If our SOC analysts do not believe the email associated with the alert is malicious after performing the Investigation, they will close it.
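As an added illustration that is not Expel's code, here is a hypothetical triage routine in Python that answers several of the questions above (other recipients, post-delivery logins, sender history, sender-domain age) by correlating one alert's fields against constructed mail, login and incident records. All data, field names and the MFA-based login rule are assumptions, not the Workbench schema or the SOC's actual logic.

```python
from datetime import datetime, timedelta

# Constructed sample alert, shaped like the alert-level fields the text lists
# (sender, reply-to, subject, file hash, URLs). Hypothetical, not an Expel alert schema.
ALERT = {
    "sender": "billing@example-invoices.test",
    "reply_to": "collect@other-domain.test",
    "subject": "Overdue invoice",
    "file_sha256": "constructed-hash-0001",
    "urls": ["https://example-invoices.test/pay"],
    "recipient": "alice@corp.test",
    "received": datetime(2024, 5, 1, 9, 0),
}

# Constructed organisation data a SOC would query: gateway mail log, identity logins,
# senders seen in prior incidents, and a WHOIS-style creation-date lookup stand-in.
MAIL_LOG = [
    {"sender": "billing@example-invoices.test", "subject": "Overdue invoice", "recipient": "alice@corp.test"},
    {"sender": "billing@example-invoices.test", "subject": "Overdue invoice", "recipient": "bob@corp.test"},
    {"sender": "hr@corp.test", "subject": "Holiday schedule", "recipient": "bob@corp.test"},
]
LOGINS = [
    {"user": "alice@corp.test", "time": datetime(2024, 5, 1, 9, 40), "country": "NL", "mfa": False},
    {"user": "bob@corp.test", "time": datetime(2024, 4, 30, 8, 0), "country": "US", "mfa": True},
]
PRIOR_INCIDENT_SENDERS = {"collect@other-domain.test"}
DOMAIN_FIRST_SEEN = {"example-invoices.test": datetime(2024, 4, 25)}


def triage(alert, mail_log, logins, prior_senders, domain_first_seen, window=timedelta(hours=24)):
    """Answer the recipient, login, sender-history and domain-age questions for one alert."""
    # Same sender and subject delivered to anyone other than the alerted recipient.
    other_recipients = sorted({m["recipient"] for m in mail_log
                               if m["sender"] == alert["sender"] and m["subject"] == alert["subject"]
                               and m["recipient"] != alert["recipient"]})
    affected = set(other_recipients) | {alert["recipient"]}
    # Constructed rule: a login by any affected user within the window after delivery,
    # without MFA, is flagged for analyst review.
    suspicious_logins = [l["user"] for l in logins
                         if l["user"] in affected and not l["mfa"]
                         and alert["received"] <= l["time"] <= alert["received"] + window]
    sender_domain = alert["sender"].split("@", 1)[1]
    first_seen = domain_first_seen.get(sender_domain)
    return {
        "other_recipients": other_recipients,
        "suspicious_logins": suspicious_logins,
        "domain_age_days": (alert["received"] - first_seen).days if first_seen else None,
        "prior_incident_senders": sorted({alert["sender"], alert["reply_to"]} & prior_senders),
        "reply_to_mismatch": alert["reply_to"].split("@", 1)[1] != sender_domain,
    }
```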
Remediation
If our SOC analysts confirm during the Investigation that malicious activity is present, the Investigation is flagged as an incident. We then work with you (via Remediation Actions) to remediate the phishing attempt and delete any malicious email(s), or you can automate part of this process by setting up the Remove Malicious Email auto remediation.
Set Up MDR for Email
If you are ready to set up your service, we currently support the following email security tools:
Detection Strategy
Learn more in the MDR for Email Detection Strategy guides.