Wednesday, December 12, 2018

Joe Sandbox Mail Monitor 2.0


As a security professional working in a SOC, CERT or CIRT, you are constantly bombarded with requests from end users asking whether an e-mail attachment they received is safe to open. Such requests have recently increased with the latest Emotet trojan malspam campaign, which uses Word or PDF attachments as a lure.



In most cases, you would take the e-mail and submit it to Joe Sandbox in order to check whether it is malicious. If the document analysis shows signs of maliciousness, you would then inform the end user.

Wouldn't it be nice if this whole process could be automated so that you can focus on more important tasks?

In this regard, we have good news for you! Joe Sandbox Mail Monitor may be exactly what you are looking for. Joe Sandbox Mail Monitor is integrated into Joe Sandbox Cloud Pro as well as into our on-premise products. We recently added a couple of interesting new features to Joe Sandbox Mail Monitor 2.0 and present some of them in this blog post.

What exactly is Mail Monitor? Please have a look at the diagram below:




To enable Mail Monitor you first create a new e-mail account, for example sandbox@yourhost.com. Your end users then forward suspicious e-mails to that account. Mail Monitor periodically fetches new e-mails from the account and submits them to Joe Sandbox, which fully dissects each e-mail and analyzes all the attachments and URLs it finds in the body (a configurable whitelist prevents analysis of the links in your e-mail signatures). Once the analysis is finished, a notification e-mail is sent to the end user:



With Mail Monitor 2.0, end users can now also be notified as soon as the forwarded e-mail has been received by Joe Sandbox:



Further, we added summary notifications. Assume the forwarded e-mail contains multiple links and/or attachments. With Mail Monitor 2.0 you can choose whether the end user receives a notification for each analyzed link and attachment, or just one summary notification:



The verdict of a summary notification is based on the analysis with the highest score, i.e. the most malicious sample or URL.
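To make the dissection step and the summary rule concrete, here is an added example (written for this post, not Joe Sandbox's or Mail Monitor's own code) that takes a message as it would arrive in the sandbox mailbox, recurses into a mail the user forwarded as an attachment, pulls out the body URLs and attachments, drops links whose host is on a signature whitelist, and picks the summary verdict as the highest-scoring result. The whitelist domain, the sample message and the per-item scores are constructed for the demo; the real whitelist format and scoring scale are not described here.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed whitelist standing in for the product's configurable signature-link list.
SIGNATURE_WHITELIST = {"yourhost.com"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def is_whitelisted(url):
    """True if the URL's host is a whitelisted domain or one of its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SIGNATURE_WHITELIST)


def _collect(msg, urls, attachments):
    """Recursively gather body URLs and attachments from a parsed message."""
    if msg.get_content_type() == "message/rfc822":
        # Users often forward the suspicious mail as an attachment: recurse into it.
        for inner in msg.get_payload():
            _collect(inner, urls, attachments)
    elif msg.is_multipart():
        for part in msg.iter_parts():
            _collect(part, urls, attachments)
    elif msg.get_content_maintype() == "text" and not msg.is_attachment():
        for url in URL_RE.findall(msg.get_content()):
            urls.append(url.rstrip(".,;:"))  # sentence punctuation is not part of the URL
    else:
        attachments.append((msg.get_filename() or "unnamed", msg.get_content()))


def dissect(raw):
    """Return the URLs (deduplicated, whitelist applied) and attachments to analyse."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls, attachments = [], []
    _collect(msg, urls, attachments)
    seen, to_analyse = set(), []
    for url in urls:
        if url not in seen and not is_whitelisted(url):
            seen.add(url)
            to_analyse.append(url)
    return {"urls": to_analyse, "attachments": attachments}


def summary_verdict(results):
    """The summary notification inherits the highest-scoring analysis, i.e. the most
    malicious item. Each result is a dict with 'item' and 'score' (scale assumed)."""
    return max(results, key=lambda r: r["score"])


def build_sample():
    """Constructed sample (not a real campaign mail): a user forwards an 'invoice'
    mail, as an attachment, to the sandbox mailbox."""
    original = EmailMessage()
    original["From"] = "invoice@sender.example.net"
    original["To"] = "alice@yourhost.com"
    original["Subject"] = "Invoice 4711"
    original.set_content(
        "Please find your invoice attached, or view it at\n"
        "https://files.sender.example.net/invoice.php?id=4711.\n\n"
        "Regards\nhttps://www.sender.example.net/about\n"
    )
    original.add_attachment(b"%PDF-1.4 constructed placeholder",
                            maintype="application", subtype="pdf",
                            filename="invoice.pdf")
    forwarded = EmailMessage()
    forwarded["From"] = "alice@yourhost.com"
    forwarded["To"] = "sandbox@yourhost.com"
    forwarded["Subject"] = "Fwd: Invoice 4711"
    forwarded.set_content("Is this safe to open?\n\n--\nAlice\n"
                          "https://www.yourhost.com/signature\n")
    forwarded.add_attachment(original)
    return forwarded.as_bytes()


if __name__ == "__main__":
    found = dissect(build_sample())
    for url in found["urls"]:
        print("submit URL:", url)
    for name, data in found["attachments"]:
        print("submit attachment:", name, len(data), "bytes")
    # Per-item scores as the sandbox might report them (made up for the demo).
    results = [{"item": u, "score": s} for u, s in zip(found["urls"], (75, 5))]
    results.append({"item": "invoice.pdf", "score": 30})
    print("summary verdict:", summary_verdict(results))
```

The signature link in Alice's own mail is dropped by the whitelist, while the two links and the PDF inside the forwarded message are queued for analysis; note that the whitelist matches on the parsed hostname, so a lookalike such as yourhost.com.evil.example is not excused.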

On top of this enhancement, we extended the customization of notifications:


For each notification, you can change the subject and body. For better visibility, choose the Joe Security design.

Finally, we also improved:
  • URL extraction from e-Mail bodies
  • Notifications for cached analysis
  • More intuitive design 
  • Use of {{subject}}, {{to}} and {{from}} in the templates
Does this sound good to you? Would you like to try out Joe Sandbox Mail Monitor 2.0? Contact us today!