At Material, we know there's no such thing as a universal workflow when it comes to reviewing user-reported emails. Some organizations take a "hands-off" approach and let Material's Phishing Herd Immunity protect users in near-real time with link and attachment speed bumps or blocks. Other organizations with dedicated security staff complement this with a more in-depth approach—manually reviewing reported messages to unravel ongoing adversarial campaigns or identify attacker trends. No matter what your phishing triage workflow is, we believe having the ability to automate repetitive tasks should be possible and straightforward.

Introducing a Material Action Template

We’re excited to share that we've worked with Tines to create an Action Template for Material. This template allows users to interact with Material's API without having to write a single line of code. To get started, just log into your Material admin console to create an API token and configure an event subscription to point to a Tines webhook.

Example Playbook: Analyzing Attachments in Reported Messages

Let's dig into a reasonably sophisticated triage flow for analyzing email attachments. The goal of this playbook is to gather information about the attachments and automatically present a summary of the findings to your security team. 

When someone flags an email as suspicious in Material, a case gets created in the Phishing Herd Immunity console. A case is essentially a container of messages that share similar qualities (sender, subject, etc) that can be remediated together. When a case gets created, the event subscription will send a notification to the Tines webhook with information about the case. Tines then makes additional calls against the Material API to gather information about the messages in the case, including information about their attachments. At the end of this automated workflow, you'll be able to present your security team with the SPF/DKIM/DMARC pass/fail results, VirusTotal hash lookup results, and Joe Sandbox dynamic analysis report.

Get Started with Tines + Material

Automating elements of a phishing triage workflow is one small example of what can be accomplished using Tines + Material. Material's API not only allows you to search for and retrieve email metadata, but allows you to take actions against messages as well. Whether you're looking to integrate Material with other tools, apply an additional level of scrutiny to certain messages, or simply receive a notification when certain events happen, the team at Material is here to help you tailor a workflow to fit your organization's needs.

Resources:

• Playbook file: Material Security Email Attachment Triage

For more questions, contact our team.