Polarity for Phishing Email Analysis

Use Cases Jun 19, 2020

Today’s post continues an ongoing series on Polarity Use Cases. Data tells a story, Polarity helps you see it with Augmented Reality overlaying contextual information as you work, giving you the right data at the right time to make informed decisions and take action with speed.  No glasses or goggles required, Polarity is software that works in a wide range of use cases. This example showcases a Phishing Use Case.

View this post with Polarity for an added bonus!

  • If you already have Polarity, just add the latest version of the “Polarity Blog Challenge” Reference Channel to your instance.  You can download this Reference Channel from the GitHub repo.
  • If you don’t have Polarity, sign-up for the trial, then just add the latest version of the “Polarity Blog Challenge” Reference Channel to your instance. You can download this Reference Channel from the GitHub repo.

With the special Reference Channel enabled, you’ll see the power of Polarity’s software-based Augmented Reality right in this blog post!

Analyzing Phishing Emails with the Right Data at the Right Time

Despite hundreds of security products being available in the market and dozens deployed in most security teams, the time needed to detect and investigate events as well as respond to attacks continues to increase. This problem results from a number of factors, yet surprisingly one of the greatest causes is data.

All data is security data; the breadth and depth available is unprecedented. Indeed, we need this ever-increasing wave of data to keep our environments safe. While new technologies such as automation, artificial intelligence, and machine learning have emerged to help us manage the growing number of alerts and tickets, human analysts will continue to play a critical role in security teams.

While the answer to nearly any question faced in security teams relies on data, having the right data at the right time is a challenge that can affect teams trying to make informed decisions and act with speed.

Security teams especially struggle with spending a large amount of their valuable time querying intelligence (e.g. URLs, hashes), reviewing SIEM events, searching tickets for information, and looking-up assets and owners; in other words, working with data. The teams have data from these sources and others, but need to perform repetitive queries against multiple data sources in order to see the full story in it.  In fact, the approach most teams use to analyze something as routine as a suspected phishing email illustrates the point; it is tedious work that spans a number of tools and data sources.

It was security analysis challenges like investigating phishing emails or any other security events that led our founders to build Polarity - a unique platform that uses software-based Augmented Reality to overlay contextual information needed to make decisions, exactly when you need it. Polarity brings together what you know, your teammates know, and what’s known by all the tools you use in your security team, so you can see the full story in the data.  Armed with the right data at the right time, what we call Data Awareness and Recall, results in informed decisions and fast action.

With Polarity, teams can reclaim the time they spend querying and switching between products, greatly improve team-wide knowledge sharing, and avoid missing important information that is needed to do their jobs.

Analyzing Phishing Emails with Polarity

Investigating suspected phishing emails is a common task in the SOC. Analysts use a wide range of tools to complete the job with some teams investigating dozens or more emails per day. The process likely includes assessing important details such as the sender, IP, and domain, and taking steps to remediate if the email is actually malicious. From start to finish, it could take more than an hour for each investigation while the analyst works with various SIEM, ticketing, and intelligence tools.


Here’s how Polarity could help an analyst investigate a possible phishing email:

  • An employee receives an email that appears suspicious, and forwards it to the phishing investigation alias.
  • The analyst opens the email from the employee with Polarity running in Highlight mode.
  • The employee's email address is highlighted by Polarity with the Overview showing an annotation made by another analyst in the security team.  For example, the annotation might include context like the employee is an executive in Finance and frequently works on confidential M&A projects.  In other words, they are a good target for spear phishing.
  • The Polarity Overlay shows even further real time context thanks to integrations with the following products used in security teams:
  • ServiceNow indicates that phishing has been an issue and similar cases are under investigation; EmailRep shows that the sender is not trustworthy.
  • Since this is a new case, a ticket is created in ServiceNow.
  • Splunk ES shows similar emails in the logs that have targeted executives in the company.
  • RiskIQ PassiveTotal shows the domain and IP reputation, and VirusTotal shows the file reputation.  Had the device been compromised, the Polarity integration with Carbon Black could have helped quarantine the device.
  • Armed with this context, the analyst confirms the suspected attack and updates the ticket with the information collected in the investigation.

The animation above shows the phishing use case from the analyst’s perspective.  Notice how Polarity overlays contextual information including annotations made by the analyst and teammates as well as information from tools integrated with Polarity.  As the animation concludes, the analyst is even able to update the ticket through the integration with ServiceNow.

Armed with Polarity’s software-based Augmented Reality for data, the analyst was able to get the contextual information needed to make decisions about the suspected phishing email, exactly when it was needed. Polarity brings together what the analyst knew, what his teammates knew, and what’s known by all the tools they use in the security team, so the analyst could see the full story in the data. Armed with the right data at the right time, what Polarity calls data awareness and recall, resulted in an informed decision and fast action.

With Polarity’s 100+ powerful, open-source integrations, you can get immediate access to the data in your tools without pivoting into those tools and searching them for information.  Integrations also allow you to direct other tools to take action, for example updating a ticket in your ticketing system.  SOC teams especially benefit from our integrations with platforms like ServiceNow, Splunk, EmailRep, DomainTools Iris, RiskIQ, VirusTotal, Shodan, Carbon Black, and many others.

See Polarity in Action

Want to learn more? For a deeper understanding, watch our CEO demo Polarity.

What Next?

See for yourself with a Polarity demo or trial. To learn more, take the Tour or tune into our next Community Tech Tuesday.