01-07-2022 12:19 AM
Hello All,
When running the Phishing Investigation, I get the following error at the block "For each attachment":
Failed to resolve variable reference '[$trigger.Phishing Mailbox.output.Attachments$]'
Does anyone have this issue and know how to fix it?
Best Regards,
An
01-07-2022 12:47 PM
Hi An,
I was able to reproduce this error if I attempt to run the workflow manually rather than it being triggered by the 'Email Event'. When an email arrives in the mailbox and is pulled down with IMAP the workflow should pull off the attachments and parse them.
Ensure that your credentials and email event are set up and working first and it should process each submitted email automatically.
01-09-2022 05:54 PM
01-10-2022 12:25 AM
Hi Brian,
Would you please check whether the workflow can investigate the attachment and provide the verdict for the IOCs in the attachment? I put some IOCs (URLs and IPs) in the attachment, but it seems that the workflow cannot investigate the IOCs, since the two variables "Number of Clean observarable" and "Number of Malicious Observarable" are always 0.
Best Regards,
An
01-10-2022 08:28 AM
It's been working for me. I send the attached email to the monitored inbox and it will find the malicious domain that I added to trigger the alert. It sends two emails back to the submitter:
Hello! The email you submitted for review with the subject "Fwd: Is it phishing?" is being processed. While we investigate, please do not open or share the message. Once we determine whether or not the email is safe, we will get back to you. Reference ID: 01U2ROQWS3V7H1Hchx7AFaNzIIUavCuWlai
and when the observables come back as malicious:
Hello! The email you submitted for review with the subject "Get your free credit scores today with free trial" was found to be DANGEROUS! Please do not open the message and delete it immediately! Reference ID: 01U2ROQWS3V7H1Hchx7AFaNzIIUavCuWlai
Are you getting these messages returned to you via POP from the service? You shouldn't have to look at the workflow itself to track the number of observables that are malicious.
01-10-2022 05:43 PM
Hi Brian,
The attachment is also an email which has some IOCs in the body, is that right?
I got the following message:
The email you submitted for review with the subject "please find attachment" is being processed.
While we investigate, please do not open or share the message. Once we determine whether or not the email is safe, we will get back to you.
Reference ID: 01U52F8DWWMC45jiMZhQwFT281NxVeuy2Fz
Best Regards,
An
01-11-2022 09:41 AM
It is. The community platform wasn't accepting my sample as a txt or eml file, so I zipped it up. However, if you use it, you'll have to unzip it first before you attach it. This is the file I've been using for demonstration, but the malicious element is just a domain name included in a link.
01-11-2022 05:50 PM
Thank you so much!
An