---
title: "Creating a Phishing Mailbox Knowledge Base Article | ThreatConnect"
slug: "creating-a-phishing-mailbox"
description: "This article describes how to create and configure a phishing mailbox in ThreatConnect."
tags: ["Administrator", "Importing Data"]
updated: 2024-05-23T15:30:44Z
published: 2024-05-23T15:30:44Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Creating a Phishing Mailbox

## Overview

Phishing mailboxes receive malicious or suspicious emails that are flagged by the Email Security Gateway, or emails in **.msg** or **.eml** format that have been flagged by a security analyst. When creating a phishing mailbox, the Organization Administrator specifies whether the mailbox is meant to receive emails directly from network devices or email headers in the form of attachments. ThreatConnect® will parse these emails and, if the email meets the minimum email scoring threshold after the parsing is complete, perform the following actions:

- create an [Email Group object](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#group-types) containing the email’s header and body
- create a [Task Group object](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#group-types) signaling that the email is ready for additional processing
- link previously existing [Indicators](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#indicator-types) to the Email Group, if they are found in the header or body
- link previously existing Victim email addresses to the Email Group, if they are found in the header or body

## Before You Start

| Minimum Role(s) | - Organization role of Organization Administrator (for creating a phishing mailbox in an Organization) - Community role of Editor or Director (for creating a phishing mailbox in a Community or Source) |
| --- | --- |
| Prerequisites | None |

## Creating a Phishing Mailbox

### Creating a Phishing Mailbox in an Organization

1. Log into ThreatConnect with an Organization Administrator account.
2. On the top navigation bar, hover the cursor over **Settings ![A picture containing text, light Description automatically generated](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-a-phishing-mailbox-image-lm5q7lqd.png)**and select **Org Settings**. The **Organization Settings**screen will be displayed with the **Membership**tab selected.
3. Click the **Email** tab. The **Email** screen will be displayed (Figure 1). ![Graphical user interface, table  Description automatically generated](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-a-phishing-mailbox-image-f0ttnq08.png)
4. Click the **Create Phishing Mailbox** button. The **Phishing Mailbox Administration** window will be displayed with the **Mailbox** tab selected (Figure 2). ![Graphical user interface, text, application, email  Description automatically generated](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-a-phishing-mailbox-image-och0fghu.png)

NoteA System role of Operations Administrator or Administrator is required to modify the **Target Mailbox** name at this step.
  - **Associate Recipients as Victims**: Select this checkbox to create an association between the E-mail Group and the Victim(s) (i.e., the recipient(s) of the email).
  - **Create Victims That Do Not Exist**: Select this checkbox to create Victims that do not already exist in the Organization. This option will be grayed out if the **Associate Recipients as Victims**checkbox is not selected.
  - **Save Sender as a Victim**: Select this checkbox to save the sender of the email as a Victim that is associated with the E-mail Group. This option will be grayed out if the **Associate Recipients as Victims**checkbox is not selected.
  - **Minimum Score Threshold**: Enter the [minimum score](/v1/docs/email-import) that an email must meet to be processed.
  - **Parse Type**: Select whether the **Body** of the email or the **Attachment**should be parsed for Indicators.ImportantIf the phishing mailbox is to parse out Victims, the **Attachment** option must be selected.
  - **Description**: Enter a description for the phishing mailbox.
  - **Tags**: Enter Tags, separated by commas, for the phishing mailbox.
  - Click the **Next** button.
5. The **Task Format**tab will be displayed (Figure 3). ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-a-phishing-mailbox-image-oft23dtf.png)
  - **Task Name**: Enter a name for the Task that will be created and associated to the Email Group. The format strings provided under the **Task Description**can be used as variables for the corresponding information.
  - **Task Description**: Enter a description for the Task. The format strings provided under the **Task Description**can be used as variables for the corresponding information.
  - Click the **Next**button.
6. The **Task Date**tab will be displayed (Figure 4). ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-a-phishing-mailbox-image-32iu7llx.png)
  - **Days Until Due Date**: Enter the number of days remaining until the Task is due.
  - **Ignore Due Date**: Select this checkbox to ignore the due date. Doing so will gray out the **Days Until Due Date** field.
  - **Days Until Reminder Date**: Enter the number of days until a reminder is issued about the due date.
  - **Ignore Reminder Date**: Select this checkbox to ignore the reminder date. Doing so will gray out the **Days Until Reminder Date** field.
  - **Days Until Escalation Date**: Enter the number of days remaining until the Task’s escalation date.
  - **Ignore Escalation Date**: Select this checkbox to ignore the escalation date. Doing so will gray out the **Days Until Escalation Date** field.
  - Click the **Next**button.
7. The **Task Assign**tab will be displayed (Figure 5). ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-a-phishing-mailbox-image-quutx1wb.png)
  - **Assign To**: Select one or more users to which to assign the Task.
  - **Escalate To**: Select one or more users to which to escalate the Task.
  - Click the **Next**button.
8. The **Confirm**tab will be displayed (Figure 6). ![Graphical user interface, text, application  Description automatically generated](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-a-phishing-mailbox-image-00cipho6.png)
  - Review the selections made for the phishing mailbox.
  - Click the **SAVE**button.
9. The phishing mailbox will be displayed on the **Email**tab of the **Organization Settings**screen (Figure 7). To edit or delete the phishing mailbox, click **Edit**![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-a-phishing-mailbox-image-ks5pb1uj.png) or **Delete** ![Icon  Description automatically generated](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-a-phishing-mailbox-image-k0cacncw.png), respectively, in the **Options**column. ![Table  Description automatically generated with low confidence](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-a-phishing-mailbox-image-33536fhz.png)

### Creating a Phishing Mailbox in a Community or Source

1. Log into ThreatConnect with an Editor or Director account for the desired Community or Source.
2. On the top navigation bar, click **Posts**. The **Posts**screen will be displayed.
3. Select the desired Community or Source (**Demo Community**in this example) from the **My ThreatConnect**card on the left side of the screen to display its **Community**or **Source**screen (Figure 8). ![Graphical user interface, application, Teams  Description automatically generated](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-a-phishing-mailbox-image-gwc1ji1c.png)
4. Click the gear ![Icon  Description automatically generated](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-a-phishing-mailbox-image-iz5zm8bw.png) icon at the upper-right corner of the **Community**(or **Source**)****card at the top left of the screen. The **Community**(or **Source**) **Config**screen will be displayed with the **Attribute Types**tab selected.
5. Click the **Email**tab. The **Email**screen will be displayed (Figure 9). ![Graphical user interface, table  Description automatically generated](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/creating-a-phishing-mailbox-image-o9ryb0y2.png)
6. Follow Steps 4–7 in [the “Creating a Phishing Mailbox in an Organization” section](/v1/docs/creating-a-phishing-mailbox#creating-a-phishing-mailbox-in-an-organization) to create a phishing mailbox in the selected Community or Source.

---

*ThreatConnect® is a registered trademark of ThreatConnect, Inc.*

20013-01 v.09.C

## Related

- [Email Import](/email-import.md)
- [Using Automated Email Ingest](/using-automated-email-ingest.md)