
Integrating Abnormal Report Phish Mailbox with Dune Security

Share phish report data with Dune Security

Abnormal Security’s AI Security Mailbox (formerly known as Abuse Mailbox Automation) allows administrators to automate actions on user-reported emails. Using this feature, we can create a rule that forwards reported emails matching specified criteria to a designated SecOps mailbox as .eml attachments. Below is a step-by-step guide to set up this rule:

Steps to Create the Forwarding Rule

  1. Log in to the Abnormal Security admin portal: Use your administrator credentials to access the Abnormal Security dashboard.
  2. Verify the abuse/report mailbox configuration: Ensure that an Abnormal mailbox is configured as your organization’s Abuse Mailbox (AI Security Mailbox) for user-reported emails. If it isn’t already set up, add this address in the Abnormal portal settings so that all user-reported suspicious emails route to this mailbox.
  3. Navigate to the automation or rules section: In the Abnormal Security portal, go to the AI Security Mailbox or Abuse Mailbox section. Look for an option like Automation, Rules, or User-Reported Email Workflow. This is where you can create custom rules for handling reported emails.
  4. Create a new forwarding rule: Click on the option to Add New Rule (or similar). This will open a configuration page where you can define the trigger conditions and actions for the rule.
  5. Set the trigger condition: Define the rule trigger so it activates on emails sent to your abuse mailbox. For example, choose the condition “Recipient address equals [abuse mailbox address]”. This ensures the rule only evaluates emails that were reported (since all such reports go to that address).
  6. Add a sender domain condition: Configure an additional condition to filter emails by the sender’s domain. First, retrieve the list of domains from the JSON provided here. In the rule builder, add a condition like “Sender domain is in list” and enter the domains from that list. (If the interface doesn’t allow pasting a list directly, you may need to add each domain as an OR condition or upload them if a list import is supported.) This ensures only emails sent from one of those specified domains will trigger the forwarding action.
  7. Configure the forwarding action: Set the action that will occur when the conditions are met. Choose an action such as “Forward email” or “Send a copy”. In the action details:
    1. Forward to: Enter the address secops@dunewatchtower.com as the destination mailbox for the forwarded email.
    2. Include original email as attachment: Make sure the rule will forward the original reported email as an .eml file attachment. In many cases, Abnormal will forward the message as an attachment by default for user-reported emails, but if there is an option like “Forward as attachment” or “Include original message”, be sure to select it. This way, the SecOps team receives the exact original email (.eml file) for analysis.
  8. Disable any alert/notification options: While configuring the action, do not enable any extra alerts or notifications. Abnormal may have options to notify administrators or end-users when a rule triggers – leave those unchecked/disabled. We only want the email to be forwarded silently to the SecOps address, without generating additional alert emails or portal notifications.
  9. Review and save the rule: Give the rule a clear name (for example, “Forward Reported Phish Tests to Dune Security”) so it’s easily identifiable. Review the conditions and action to ensure they match the requirements. Then, save or publish the rule and ensure it’s toggled Enabled/Active. Abnormal Security will now begin evaluating incoming user-reported emails against this rule.
  10. (Optional) Test the configuration: To verify everything is working as intended, you can perform a quick test. Please reach out to your dedicated Customer Success Engineer or support@dune.security for assistance.
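
When testing, a forwarded message can also be checked locally: it should carry the original email as an .eml attachment whose sender domain is on the list from step 6. The following Python sketch is an added example, not Abnormal or Dune Security code; the domain `phish-sim.example`, the `corp.example` addresses and all function names are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed stand-in for the sender-domain list used in step 6.
ALLOWED_DOMAINS = {"phish-sim.example"}

def build_sample_forward(sender):
    """Build a constructed forward with the original attached as .eml."""
    original = EmailMessage()
    original["From"] = sender
    original["To"] = "user@corp.example"
    original["Subject"] = "Password expiry notice"
    original.set_content("Constructed body.")
    fwd = EmailMessage()
    fwd["From"] = "abuse@corp.example"
    fwd["To"] = "secops@dunewatchtower.com"
    fwd["Subject"] = "Fwd: user-reported email"
    fwd.set_content("Reported message attached.")
    fwd.add_attachment(original, filename="reported.eml")  # message/rfc822
    return fwd.as_bytes()

def extract_original(raw):
    """Return the attached original message, or raise ValueError."""
    outer = message_from_bytes(raw, policy=policy.default)
    for part in outer.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        # Some gateways attach the .eml as a generic binary file instead.
        if (part.get_filename() or "").lower().endswith(".eml"):
            return message_from_bytes(part.get_payload(decode=True),
                                      policy=policy.default)
    raise ValueError("no .eml attachment: original headers were not preserved")

def check_forward(raw, allowed=ALLOWED_DOMAINS):
    """Return (sender_domain, in_list) for the attached original."""
    original = extract_original(raw)
    address = parseaddr(str(original.get("From", "")))[1]
    domain = address.rpartition("@")[2].lower()
    return domain, domain in allowed

if __name__ == "__main__":
    print(check_forward(build_sample_forward("IT Desk <it@phish-sim.example>")))
```

A `ValueError` here means the message was forwarded inline rather than as an attachment, so the original headers are no longer available for analysis.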