The subject of this case study is a communications provider focused on delivering communication and collaboration solutions to SMBs and partners. The organization is trusted by more than 100,000 businesses to provide a reliable and secure suite of cloud office applications.
A Rolling Stone That Gathers Moss
In Greek mythology, Sisyphus was the king of Corinth who got his comeuppance from Zeus by being dealt an ultimate, everlasting punishment: to keep rolling an immense boulder up a hill, only for it to roll back down as soon as it neared the top. This hellish rinse-and-repeat has made its way into the English lexicon, with tasks that are both laborious and never-ending being described as Sisyphean.
The security team at the center of this story is as kind as Sisyphus was cocky, but they were still subjected to what seemed like an equivalent punishment. They were spending an untold amount of time triaging, investigating, and responding to user-reported emails. For every reported email, the triage and response process was largely manual and involved pulling data from disparate sources: reading the headers, checking for discrepancies between the From and Reply-To addresses, looking for forged header entries, and analyzing the email content.
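The manual checks just listed, written out as a script so that each step (From vs Reply-To comparison, envelope-sender comparison, a From display name that hides a different address, and the SPF/DKIM/DMARC verdicts recorded by the receiving mail server) is explicit. This is an added example, not Armorblox code or the customer's own tooling; the two sample messages and the domain names in them are constructed, and the "relaxed alignment" rule used to compare domains is borrowed from DMARC rather than from anything the case study describes.

```python
"""Added example (not Armorblox code): the manual triage steps from the
case study, applied to a raw RFC 5322 message.

Checks performed:
  * Reply-To domain not aligned with the From domain
  * Return-Path (envelope sender) domain not aligned with the From domain
  * a From display name that embeds a different address than the real sender
  * SPF / DKIM / DMARC verdicts recorded in Authentication-Results
Alignment uses the DMARC 'relaxed' rule: same domain, or one is a
subdomain of the other.  Both sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
EMBEDDED_ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

# Constructed sample: display name impersonates an internal address,
# Reply-To points elsewhere, DKIM and DMARC failed at the gateway.
SUSPICIOUS_EMAIL = """\
Return-Path: <bounce@mailer.example-marketing.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.example-marketing.net; dkim=fail header.d=example.com; dmarc=fail header.from=example.com
From: "Accounts Payable <ap@example.com>" <billing@example-marketing.net>
Reply-To: invoices@example-collect.biz
To: finance@example.com
Subject: Urgent: overdue invoice
Content-Type: text/plain

Please wire payment today.
"""

# Constructed sample of a legitimate bulk sender: everything aligned and passing.
CLEAN_EMAIL = """\
Return-Path: <newsletter@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Example Newsletter <newsletter@example.com>
To: finance@example.com
Subject: Monthly update
Content-Type: text/plain

Hello.
"""


def domain_of(address):
    """Lower-cased domain part of a header address, '' if there is none."""
    _name, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def aligned(domain_a, domain_b):
    """DMARC-style relaxed alignment: equal, or one is a subdomain of the other."""
    return (domain_a == domain_b
            or domain_a.endswith("." + domain_b)
            or domain_b.endswith("." + domain_a))


def auth_results(msg):
    """spf/dkim/dmarc verdicts collected from every Authentication-Results header."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_RESULT_RE.findall(header):
            verdicts[method.lower()] = result.lower()
    return verdicts


def triage(raw_message):
    """Return the real sender, the auth verdicts and a list of readable findings."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Reply-To that steers replies to a different organisation
    reply_to_domain = domain_of(msg.get("Reply-To", ""))
    if reply_to_domain and not aligned(reply_to_domain, from_domain):
        findings.append(f"reply-to domain {reply_to_domain} differs from From domain {from_domain}")

    # 2. Envelope sender (Return-Path) that does not align with the visible From
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    if return_path_domain and not aligned(return_path_domain, from_domain):
        findings.append(f"envelope sender domain {return_path_domain} differs from From domain {from_domain}")

    # 3. Display name carrying an address other than the real sender
    for embedded in EMBEDDED_ADDR_RE.findall(display_name):
        if embedded.lower() != from_addr.lower():
            findings.append(f"display name shows {embedded} but real sender is {from_addr}")

    # 4. Authentication verdicts: anything other than 'pass' is worth a look
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        result = verdicts.get(method, "missing")
        if result != "pass":
            findings.append(f"{method}={result}")

    return {"from": from_addr, "auth": verdicts, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        report = triage(raw)
        print(f"[{label}] from={report['from']}")
        for finding in report["findings"] or ["no findings"]:
            print("  -", finding)
```

Run as-is and the constructed suspicious message yields four findings (the foreign Reply-To domain, the address hidden in the display name, and the DKIM and DMARC failures), while the clean message yields none. The Authentication-Results header is trusted here only because it is the one the receiving gateway wrote; when a script like this is run against forwarded copies of a reported email, the copy carries the forwarding hop's headers too, which is one reason a manual triage of this kind stays slow.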
The lead security engineer on the project said:
“It took a lot of time to investigate email threats for a variety of reasons. We usually do a lot of digging to look at the headers, check the original message source, verify bulk senders versus reply-to addresses, analyze forged entries in the headers, and inspect the content for anything unusual. Doing this manually for every reported email threat took up far more of our time than it should have.”
To take response actions on offending emails (delete, quarantine) through Microsoft Exchange, the security team had to reach out to the IT team and build custom KQL queries. This made the entire process too time-consuming and prevented the security team from focusing on other pressing needs. The security team attempted to automate the abuse mailbox process with a Security Orchestration, Automation, and Response (SOAR) solution, but discontinued the project because SOAR implementation depended too heavily on Python expertise and playbook-building knowledge without necessarily simplifying the process.
For managing user-reported emails, the security team was looking for a solution that simplified operations, automated large parts of the process, and surfaced email threat indicators for further investigation whenever required.
The security engineer said, “We were looking to make this entire process easier. Automation was the aim, but our SOAR experiment didn’t work out as expected because of Python knowledge requirements and version control challenges. We wanted the process to be easier for end users, who could report something to a mailbox. After reporting, we wanted some steps to be taken automatically, so that the security team’s time could be spent on investigating threats that actually needed our attention.”
Greasing The Wheels
Armorblox abuse mailbox remediation
Because the customer already had an existing process in place for abuse mailbox remediation, the security team started off by triaging user-reported emails themselves before forwarding suspicious emails to Armorblox. After witnessing the value Armorblox provided and the time it saved throughout the remediation process, the security team is now transitioning to having Armorblox directly ingest user-reported threats without a human triage step in between.
Armorblox automatically investigates and remediates user-reported emails forwarded to the platform. Remediation actions can be automatically applied across affected user mailboxes, even if only one user reported the email. Automating away the repetitive parts of phishing response has saved valuable time for the security team.
For every suspicious reported email, Armorblox provides rich indicators of compromise (IOCs) that draw from thousands of signals across identity, behavior, and language. The security team now spends more time investigating rather than collecting data for investigation.
So Long, Sisyphus
Armorblox has helped automate and simplify the customer’s phishing response process, enabling the security team to devote more of their time to investigating advanced threats.
Simplified and automated operations
Forwarded emails are analyzed by Armorblox and automatically remediated across user mailboxes if they match existing detection categories. This eliminates the need to reach out to the IT team and write custom scripts to remediate suspicious emails. Where the previous SOAR deployment added complexity, Armorblox is easy to use and provides value to the security team without interrupting their daily work.
Triage and remediation times for user-reported phishing emails have been reduced by 92% since deploying Armorblox.
The security engineer said:
“It saves us a lot of time when we can directly access the suspicious email from Armorblox instead of having to reach out to other teams or build custom queries to retrieve emails. It can be disheartening to spend hours triaging and investigating email threats that end up not being malicious. Now I can just forward a suspicious email to Armorblox, have it categorized, searched across affected mailboxes, and remediated in minutes.”
Centralized insights for threat investigation
Rich threat insights are provided for every email, helping the security team make informed decisions whenever an email threat requires manual review. These insights include analysis from global fraud models, communication history, email authentication checks, anomalies in sender identity or behavior, and in-email highlights for potential social engineering cues.
Instead of manually collecting the above information (or not having access to it at all), the security team now has all salient email threat intelligence in one place, making it easier to take remediation actions or use the intelligence as a base for further analysis.