Flow Name: Email Security Investigation
Trigger: Email Incident Alert From Sublime (or any other vendor)
Input: Email Security Alert Data (containing details such as alert severity, affected mailboxes, attack type (BEC, phishing, malware, etc.), attached files, users involved, and sender/authentication information)
Steps:
Email Security Alert Response Flow
Alert Severity Check
High: Known malware, confirmed phishing attempt, business email compromise (BEC), credential harvesting attempt, or a user-reported fraudulent email.
Medium: Suspicious email with potential phishing/malware indicators, an unknown sender whose message fails or lacks SPF/DKIM/DMARC authentication, or minor anomalies in email behavior.
Low: Spam, marketing emails, or newsletters sent repeatedly.
Actions Based on Severity:
High:
Recommend blocking the sender domain and IP, investigating the email headers, and identifying impacted users. Notify the affected users and recommend a password reset where there is evidence of account compromise (for example, the account's credentials appear in a past data breach).
Medium:
Notify the security team and monitor user interactions for signs of account compromise.
Low:
No action
User Involvement & Attack Frequency
Single User Targeted: Notify the user and suggest security awareness training.
Multiple Users Affected: Suggest blocking the sender and alerting IT.
High Attack Frequency on One User: Launch a phishing simulation campaign and online phishing awareness training for the user.
Repeated Organization-Wide Phishing Attacks: Review email filtering rules, enable DMARC enforcement (a policy of p=quarantine or p=reject), and conduct company-wide security training.
Recommended Actions for Continuous Security Improvement
If high severity: Block domain/IP.
If a VIP is involved: Block domain/IP.
If the attack is persistent on a user: Enforce phishing training and awareness.
If multiple users are targeted: Investigate and improve email filtering rules.
If spam is excessive: Update blocklists and educate users on email hygiene.
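The severity classification, the per-severity and VIP actions, and the user/frequency rules above, as an added, runnable Python example (not Sublime's or any vendor's code, and not the page's own). The Alert dataclass, the attack-type vocabulary, the action strings and the thresholds (3 phishing-class alerts on one user, 10 org-wide, within 7 days) are assumptions chosen for illustration; the Authentication-Results parsing follows the RFC 8601 syntax (`spf=pass`, `dkim=fail`, `dmarc=none`). The sample alerts are constructed, not real data.

```python
"""Triage logic for the email-alert flow.  Added example, not vendor code:
the Alert fields, action strings and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Attack types the flow treats as High / Low; everything else is Medium (assumed vocabulary).
HIGH_TYPES = {"malware", "phishing_confirmed", "bec", "credential_harvesting", "user_reported_fraud"}
LOW_TYPES = {"spam", "marketing", "newsletter"}


@dataclass
class Alert:                       # assumed schema, not the vendor's
    alert_id: str
    received: datetime
    attack_type: str               # e.g. "bec", "phishing_suspected", "unknown_sender", "spam"
    sender_domain: str
    sender_ip: str
    recipients: list               # mailboxes that received the message
    auth_results: str = ""         # raw Authentication-Results header value
    vip_involved: bool = False
    breach_exposed: bool = False   # recipient credentials seen in a known breach


_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def parse_auth_results(header: str) -> dict:
    """Map an Authentication-Results header to {'spf': .., 'dkim': .., 'dmarc': ..};
    a mechanism absent from the header is reported as 'none'."""
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for mech, verdict in _AUTH_RE.findall(header.lower()):
        verdicts[mech] = verdict
    return verdicts


def weak_auth(header: str) -> bool:
    """True unless SPF, DKIM and DMARC all passed."""
    return any(v != "pass" for v in parse_auth_results(header).values())


def severity(alert: Alert) -> str:
    if alert.attack_type in HIGH_TYPES:
        return "high"
    if alert.attack_type in LOW_TYPES:
        return "low"
    if alert.attack_type == "unknown_sender" and not weak_auth(alert.auth_results):
        return "low"               # unknown but fully authenticated sender: treat as noise
    return "medium"                # suspected phishing/malware, weak auth, anomalies


def actions(alert: Alert) -> list:
    """Per-alert actions from the severity table, plus the VIP rule."""
    sev = severity(alert)
    block = f"block {alert.sender_domain} and {alert.sender_ip}"
    out = []
    if sev == "high":
        out += [block, "investigate headers", "identify impacted users", "notify users"]
        if alert.breach_exposed:
            out.append("password reset")
    elif sev == "medium":
        out += ["notify security team", "monitor user interactions"]
    if alert.vip_involved and block not in out:
        out.append(block)          # VIP involved: block regardless of severity
    return out


def campaign_review(alerts: list, now: datetime, window: timedelta = timedelta(days=7),
                    per_user_threshold: int = 3, org_threshold: int = 10) -> dict:
    """Frequency rules over non-Low alerts inside the window (thresholds are assumptions)."""
    recent = [a for a in alerts
              if severity(a) != "low" and timedelta(0) <= now - a.received <= window]
    per_user = defaultdict(int)
    per_sender = defaultdict(set)
    for a in recent:
        per_sender[a.sender_domain].update(a.recipients)
        for r in a.recipients:
            per_user[r] += 1
    users = {u: ("phishing simulation + awareness training" if n >= per_user_threshold
                 else "notify user, suggest awareness training") for u, n in per_user.items()}
    senders = {d: "block sender, alert IT" for d, rcpts in per_sender.items() if len(rcpts) > 1}
    org = (["review filtering rules", "enforce DMARC", "company-wide training"]
           if len(recent) >= org_threshold else [])
    return {"users": users, "senders": senders, "org": org}


# Constructed sample alerts (not real data).
T0 = datetime(2024, 5, 1, 9, 0)
SAMPLE = [
    Alert("a1", T0, "bec", "evil.example", "203.0.113.5", ["cfo@corp.example"],
          "spf=fail smtp.mailfrom=evil.example; dkim=none; dmarc=fail",
          vip_involved=True, breach_exposed=True),
    Alert("a2", T0 + timedelta(hours=1), "phishing_suspected", "evil.example", "203.0.113.5",
          ["alice@corp.example", "bob@corp.example"], "spf=pass; dkim=fail; dmarc=fail"),
    Alert("a3", T0 + timedelta(days=1), "phishing_suspected", "other.example", "198.51.100.9",
          ["alice@corp.example"], "spf=softfail; dkim=none; dmarc=none"),
    Alert("a4", T0 + timedelta(days=2), "unknown_sender", "partner.example", "192.0.2.7",
          ["alice@corp.example"], "spf=pass; dkim=pass; dmarc=pass"),
    Alert("a5", T0 + timedelta(days=3), "newsletter", "news.example", "192.0.2.8",
          ["bob@corp.example"]),
    Alert("a6", T0 + timedelta(days=3, hours=2), "phishing_suspected", "third.example",
          "203.0.113.77", ["alice@corp.example"], "spf=none; dkim=none; dmarc=none"),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.alert_id, severity(a), actions(a))
    print(campaign_review(SAMPLE, now=T0 + timedelta(days=4)))
```

Running the file prints each sample alert's severity and action list, then the campaign review: alice, hit three times in the window, gets the simulation-and-training path, evil.example (which reached three mailboxes) is flagged for blocking, and the org-wide rules stay quiet because the volume is below the threshold. The thresholds and window should be tuned to the organization's normal alert volume before the flow is automated.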