Building an Automated Phish Monitoring Program for Gmail

This article was originally published on the community boards for the ticketing and asset program Incident IQ to share with others how I built a system for monitoring reports of phishing emails using various elements of our ticketing system and integrating them with our Google Workspace. The article was singled out as a Community Spotlight for showcasing how school districts are using their program in novel ways. Since those boards are for paying subscribers only, I’ve reposted that article here as I believe the basic system is something that could be reproducible with other similar programs. NB: Some of the links included in the article are to other posts in that private community and so are not publicly available, but that does not take away from the content of the article itself.


We’ve designed and implemented a system where users can report suspicious emails directly in Gmail and it automatically generates a ticket in iiQ as well as triggers a webhook to a dedicated Google Chat Space for a specialized team to quickly remediate. In the few months since we’ve implemented it we have been able to address multiple mass phishing attempts on our domain just minutes after they were launched.

Everyone in education knows how much of a problem phishing emails have become. More likely than not, your school district is also running a phishing simulation program to help train users on how to identify phishing emails and report them so the IT team can address the issue. In our case, we use a service called InfosecIQ to not only run our phishing simulations and training, but it also comes with a Google add-on for Gmail that gives users a convenient button to press either in the browser or Gmail app to report an email directly to us. 

(Image taken from InfosecIQ’s PhishNotify+ information page)

Setting this up in InfosecIQ, we can have our email notifications sent directly to our dedicated IncidentIQ email address to create a ticket from email.* To make sure that the ticket is properly generated, we created an iiQ user with the Role of Guest based upon our Infosec IQ alerts email to function as the ticket Requestor. (In our case the Guest role has no ability to log in, but be aware that you need to generate a password for this user when you create it and so could, in theory, find yourself with a loose end that gives access to your iiQ system.)

*Read below for suggestions on how you can set this up natively in Gmail without using InfosecIQ.

Additionally, we also created a custom Team aptly named “Phishing Buddies” that is composed of only those members of our organization who are responsible for responding to and investigating phishing emails. That way, when a phishing email is reported to our system and a ticket is created the appropriate individuals are notified.

Finally, we created a unique Issue type called “Phishing Alerts” under our already created custom Issue category “Internal IT Tickets” so when the email to ticket is created we can have the subject of the ticket, aka the Issue, clearly marked as “Phishing Alert.”

(If you are using the default ticket templates the New issue category and New issue type buttons will look a little different but both are found in the Admin > Issues left Nav. We organize our ticket submissions by custom “models” after being inspired by the Tips and Tricks submitted by @Dakota SDOW : https://community.incidentiq.com/discussions-tips-and-tricks-70/group-organize-software-online-system-ticket-choices-with-custom-categories-3365)

With the foundation laid, we then built two Rules using the “when ‘From email’” trigger – one to create the ticket and one to create the webhook that pushes a notification to Google Chat.

For the first ‘From email’ Rule, which is used to generate the ticket, we included both When conditions of “From email” being our InfosecIQ alerts email OR “Requestor” being our Guest user created with that same email in the steps above, but technically these are redundant as both would filter the exact same thing.

For the actions performed by this Rule, we made sure that the created ticket is assigned to the Custom “Phishing Buddies” team and the Issue is set to “Phishing Alert” that were created in the steps above. It’s then up to your discretion whether you assign the ticket to a specific agent (as we did), use round robin agent assignment for your Team, or simply don’t include that action so no agent is assigned. Same goes for whether you want “Send email alert to team” with a custom subject and body to be sent (which we did in our case). Importantly, for the webhook Rule to work be sure to have “Continue to next rule” as your final option selected before you hit Save Rule.

For the Webhook Rule to have a Google Chat Notification generated along with our ticket, we were inspired heavily by @jclark’s post https://community.incidentiq.com/discussions-tips-and-tricks-70/get-google-chat-notifications-for-new-tickets-using-webhooks-5044

The Google Developer pages were also helpful for finding the various ways we could edit and configure our Chat Card: https://developers.google.com/workspace/chat/design-components-card-dialog as well as https://fonts.google.com/icons

We had to experiment with the Google Card generator a bit to get things to look the way we wanted, but for now we kept it very simple by just including a link to the iiQ Ticket that was created and a link to our Infosec IQ Quarantine which shows us the relevant details for the email that was reported as suspicious.

If you want to see the JSON we used for this chat card (the placeholder values in capitals, such as DISTRICTIIQ.URL, have been edited for privacy), see below:

{
  "cardsV2": [
    {
      "card": {
        "header": {
          "title": "Email reported using PhishNotify+",
          "imageUrl": "CUTEPHISHY.IMAGE",
          "imageType": "CIRCLE",
          "imageAltText": "PhishNotify Icon"
        },
        "sections": [
          {
            "widgets": [
              {
                "decoratedText": {
                  "icon": {
                    "knownIcon": "TICKET"
                  },
                  "topLabel": "Ticket Number",
                  "text": "<a href=\"DISTRICTIIQ.URL/{Ticket.TicketId}\">{Ticket.TicketNumber}</a>"
                }
              },
              {
                "divider": {}
              },
              {
                "buttonList": {
                  "buttons": [
                    {
                      "text": "Visit Infosec IQ Quarantine",
                      "icon": {
                        "materialIcon": {
                          "name": "lock"
                        }
                      },
                      "color": {
                        "red": 0,
                        "green": 125,
                        "blue": 50,
                        "alpha": 1
                      },
                      "type": "FILLED",
                      "onClick": {
                        "openLink": {
                          "url": "INFOSEC.URL"
                        }
                      }
                    }
                  ]
                }
              }
            ]
          }
        ]
      }
    }
  ]
}
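As an added example (not code from the article or from Incident IQ), here is the same card built and posted from a Python script, which is what you would do if your ticketing tool had no webhook rule engine. The URLs are the article's placeholders, and the optional reported_subject field is a hypothetical extension that shows why any text copied from the reported mail must be HTML-escaped before it goes into the card.

```python
import html
import json
import urllib.request
from urllib.parse import urlparse

# Constructed placeholders (same names the article uses); substitute real values.
IIQ_BASE_URL = "https://DISTRICTIIQ.URL"
QUARANTINE_URL = "https://INFOSEC.URL"
ICON_URL = "https://CUTEPHISHY.IMAGE"


def build_phish_card(ticket_id, ticket_number, reported_subject=None):
    """Build the cardsV2 payload; ticket_id/ticket_number stand in for iiQ's
    {Ticket.TicketId}/{Ticket.TicketNumber}. reported_subject is a hypothetical
    extension: decoratedText.text is rendered as limited HTML, so text copied
    from the reported mail is escaped to keep a crafted subject from injecting
    markup or a link into the alert card."""
    link = (f'<a href="{IIQ_BASE_URL}/{int(ticket_id)}">'
            f'{html.escape(str(ticket_number))}</a>')
    widgets = [{"decoratedText": {"icon": {"knownIcon": "TICKET"},
                                  "topLabel": "Ticket Number", "text": link}}]
    if reported_subject is not None:
        widgets.append({"decoratedText": {"topLabel": "Reported subject",
                                          "text": html.escape(reported_subject)}})
    widgets += [{"divider": {}},
                {"buttonList": {"buttons": [{
                    "text": "Visit Infosec IQ Quarantine",
                    "icon": {"materialIcon": {"name": "lock"}},
                    "color": {"red": 0, "green": 125, "blue": 50, "alpha": 1},
                    "type": "FILLED",
                    "onClick": {"openLink": {"url": QUARANTINE_URL}}}]}}]
    return {"cardsV2": [{"card": {
        "header": {"title": "Email reported using PhishNotify+",
                   "imageUrl": ICON_URL, "imageType": "CIRCLE",
                   "imageAltText": "PhishNotify Icon"},
        "sections": [{"widgets": widgets}]}}]}


def post_card(webhook_url, card):
    """POST the card to a Google Chat incoming webhook and return the HTTP status.
    The webhook URL is a bearer secret (anyone holding it can post into the
    Space), so only an https chat.googleapis.com URL is accepted; keep it out
    of logs and source control."""
    parsed = urlparse(webhook_url)
    if parsed.scheme != "https" or parsed.hostname != "chat.googleapis.com":
        raise ValueError("refusing to post to a non-Google Chat webhook URL")
    req = urllib.request.Request(
        webhook_url, data=json.dumps(card).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json; charset=UTF-8"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

The payload is serialized with json.dumps, so it is always strict JSON; a hand-edited card with a stray trailing comma is rejected by the webhook endpoint.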

The advantages of this system are that we get nearly real-time alerts (usually all of this triggers less than 5 minutes after the user hits the report button) and it creates a notification that easily stands out for rapid response. Having everything in a Google Chat Space also helps with collaborating on the issue so everyone can see right in the chat if anyone has started working on the issue and what they’ve done (if you really wanted to get fancy you could even explore using Rules and Webhooks to update the Chat anytime an action is performed in iiQ). This has had real impacts for our district in the few months we have had it set up. On two occasions we have had mass phishing emails sent – one from a compromised email at another district, and one masquerading as our Superintendent – and in both cases we were able to remove and isolate any concerns well before 95% of the potentially affected users had even realized they had gotten a phishing email. Admittedly, this system is reliant on the diligence of our faculty and staff to initially report the email, but they are our frontline in this cybersecurity “war.” This reporting and notification system then goes a long way in helping us to support them and build a more collaborative environment that enhances our overall cybersecurity posture.

An addendum:

Even if you don’t have the InfosecIQ service that we do, you can still spin up a similar setup by creating a dedicated email on your Gmail domain that users can forward suspicious emails to in order to trigger the ticket creation and webhook notification. In that case, be mindful that if you use forwarding detection under the left Nav Admin > Site Options it will put the person who sent in the email as the Requestor for the ticket. You can then add two additional Actions to your ‘From email’ Rule: one is the action “Set requested by” to be your created Guest user from above and, two, you can use “Remove all followers” if for whatever reason you don’t want that original user to be updated on the ticket itself. This gets you the same basic process, but it is incredible how much having a simple one-click button in Gmail helps to get people to report potential phishing emails.

In a related fashion, you can also try to rely upon Gmail’s native reporting and alert system. Gmail presents users with a drop-down option to mark an email as Spam or Phishing in the expanded menu next to the Reply button, and Google Admins can set up alerts to get a notification when this happens. The biggest problem we have found with relying upon Google’s alert system is that most of the time the emails that are triggered are sent several hours later. You also need to set up additional email forwarding schemes on your Google domain because you cannot use an external email as a receiver of Google Admin alerts. In that case you would need to create a dedicated email that gets the alerts, and then have those forwarded into your iiQ address for email to ticket. That is complicated by the fact that Google’s systems seem to be somewhat intelligent in detecting when you try to have an Admin alert set up to email an outside email address, and I have only gotten this to work manually and not auto-magically.

In summary, there are five elements in iiQ that you need to configure to reproduce our system or similar:

  • An iiQ account with Role of Guest that acts as the “Requestor” for the reported email 
  • A custom iiQ Team that gets notifications when these tickets are created
  • Custom Issue to categorize the ticket and give it a subject
  • A Rule that creates the ticket
  • A Rule that creates the webhook

Happy Phish Hunting!
