Easy Analysis of Reported Emails by Integrating VirusTotal with PhishArm
Written by Karthek S
Updated over a week ago

Closing the loop on reported emails can be a time-consuming affair. An analyst triaging a reported email has to look for indicators of compromise in the message headers, authentication checks (DKIM, SPF, DMARC), sender profile, links, domains, and attachments, to name a few.

As far as the headers, authentication checks, and sender profile are concerned, the email gateway or server can take care of these elements via rules. However, there is always a chance that links, domains, and attachments have passed through the email filters or phishing detection, and the analyst cannot decide without being sure of the verdict on these vectors.

The primary reason for this is that there are 0-day vulnerabilities, and webpages/domains/attachments mutating to become malicious after passing the check on the threat intelligence platforms.

Hence, to make things easier for our customers we are bringing the capability to use VirusTotal within the PhishArm interface. Below are the steps you can use to configure and use VirusTotal.

Creating a free VirusTotal account

  1. Go to virustotal.com and click on sign-up.


  2. You can either choose to fill in your details or use the authentication methods provided by VirusTotal out of the box.

  3. After completing the simple sign-in process you will land on this screen. Click on the avatar/profile picture icon → Click on API Key.

  4. When you are redirected to this page, click on the copy icon adjacent to the API Key section.

  5. Save the API key in a safe place you can refer to later.

Cyberready PhishArm currently only supports the public API of VirusTotal. The lookup limits for a free public account are shown below.

Request rate: 4 lookups / min

Daily quota: 500 lookups / day

Monthly quota: 15.5 K lookups / month

Configuring VirusTotal in your PhishArm account

  1. Navigate to PhishArm → Reported Emails → Click on investigate.

  2. In the second drawer, click on the links, domains, or attachments section.

  3. In the expanded section (here: links) you will notice that the verdicts on links are blurred. If you want verdicts on these, click on the “View Verdicts with VirusTotal” link.

  4. Paste the API key that you had saved from VirusTotal, select the options links, domains, and attachments, and click on Save → Your integration is ready to use.

  5. The successful integration will be reflected in the links, domains, and attachments section as shown below:

  6. Initially, all the links/domains/attachments will show as uncategorized because they have not been scanned yet; you can request a verdict on any of them. To get the verdict, click on the scan button:

  7. After you click scan, the link will go into processing mode, which means that PhishArm has sent the link for scanning and the verdict is awaited. It will take about 3-5 minutes to get the verdict:

  8. The verdict will be shown as follows:

  9. You can filter the verdicts using this filter:

What do the verdicts mean:

Uncategorized - Scanning is available from VirusTotal, but the item has not been analyzed yet.

Safe - The link/domain/attachment is safe.

Malicious - The link/domain/attachment is malicious.

Simulation - The link/domain/attachment is part of a simulated email from RH.

Inactive - Link/Domain is inactive.

Suspicious - The link/domain/attachment is suspicious.

Processing - PhishArm is waiting for the verdict.
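The public-API limits quoted above and the verdict labels in this list are easy to get wrong in a home-grown triage script: exceeding 4 lookups a minute simply yields errors, and a raw VirusTotal response has to be reduced to one of these labels before an analyst can act on it. The following added example (not PhishArm's or VirusTotal's own code) shows a small client helper that computes the VirusTotal v3 URL identifier (the unpadded base64url form of the URL), throttles calls to the per-minute and per-day quotas, and maps the `last_analysis_stats` block of a response onto the verdict labels above. The `fetch` callable is injected so the lookup can be exercised offline against a constructed response; the classification thresholds (for example, two or more malicious engine hits meaning "Malicious") are this example's own assumption and not how PhishArm decides a verdict.

```python
import base64
import time
from collections import deque
from typing import Callable, Optional

# Free public-API limits as stated in the article.
PER_MINUTE = 4
PER_DAY = 500


def vt_url_id(url: str) -> str:
    """VirusTotal v3 identifies a URL by its base64url encoding with padding stripped."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


class QuotaGuard:
    """Sliding-window limiter so a triage script stays inside the public quota."""

    def __init__(self, per_minute: int = PER_MINUTE, per_day: int = PER_DAY,
                 clock: Callable[[], float] = time.monotonic):
        self.per_minute = per_minute
        self.per_day = per_day
        self.clock = clock          # injectable for offline testing
        self.minute_window: deque = deque()
        self.day_window: deque = deque()

    def _prune(self, now: float) -> None:
        while self.minute_window and now - self.minute_window[0] >= 60:
            self.minute_window.popleft()
        while self.day_window and now - self.day_window[0] >= 86400:
            self.day_window.popleft()

    def wait_seconds(self) -> float:
        """Seconds to wait before the next lookup is allowed (0 if allowed now)."""
        now = self.clock()
        self._prune(now)
        if len(self.day_window) >= self.per_day:
            return 86400 - (now - self.day_window[0])
        if len(self.minute_window) >= self.per_minute:
            return 60 - (now - self.minute_window[0])
        return 0.0

    def record(self) -> None:
        """Record that a lookup was just spent against both windows."""
        now = self.clock()
        self.minute_window.append(now)
        self.day_window.append(now)


def classify(stats: Optional[dict]) -> str:
    """Map a VT last_analysis_stats block to the article's verdict labels.
    The thresholds are this example's assumption, not PhishArm's logic."""
    if stats is None:
        return "Processing"          # no analysis attached yet, verdict awaited
    total = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    if total == 0:
        return "Uncategorized"       # known to VT but no engine has looked at it
    if stats.get("malicious", 0) >= 2:
        return "Malicious"
    if stats.get("malicious", 0) == 1 or stats.get("suspicious", 0) >= 1:
        return "Suspicious"
    return "Safe"


def lookup_url(url: str, api_key: str, guard: QuotaGuard,
               fetch: Callable[[str, dict], dict],
               sleep: Callable[[float], None] = time.sleep) -> str:
    """Throttled lookup: waits for quota, calls fetch(endpoint, headers), returns a verdict."""
    delay = guard.wait_seconds()
    if delay > 0:
        sleep(delay)
    guard.record()
    endpoint = f"https://www.virustotal.com/api/v3/urls/{vt_url_id(url)}"
    body = fetch(endpoint, {"x-apikey": api_key})
    stats = body.get("data", {}).get("attributes", {}).get("last_analysis_stats")
    return classify(stats)


# Constructed stand-in for a VT response so the example runs offline.
SAMPLE_RESPONSE = {"data": {"attributes": {"last_analysis_stats": {
    "harmless": 70, "malicious": 3, "suspicious": 0, "undetected": 5}}}}


def demo() -> str:
    """Run one lookup against the constructed response using a placeholder key."""
    guard = QuotaGuard()
    return lookup_url("http://example.com/", "YOUR_API_KEY_PLACEHOLDER", guard,
                      fetch=lambda endpoint, headers: SAMPLE_RESPONSE)


if __name__ == "__main__":
    print(demo())
```

In a real script, `fetch` would issue the HTTPS GET with the `x-apikey` header and return the decoded JSON; keeping it injectable is what lets the quota and verdict logic be tested without spending lookups.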

Removing or Editing your VT integration

  1. Go to company management → Employees → Connectors → Click on VirusTotal integration delete icon.

