Abuse Box Integration


Abuse box integrations are available at no extra cost to customers who have purchased External Threats. RiskIQ abuse box integrations automate the ingestion and analysis of suspected phish reported by an organization's customers and/or employees to detect and respond to threats impacting the organization.

Benefits include:

  • Detect and mitigate phishing URLs in abuse box data
  • Automatically process large volumes of reported abuse quickly and accurately, preventing the need to spend employee time investigating reported abuse manually
  • Extract and crawl links from message body, attached files, and images (via OCR) in a fully automated manner
  • Centralize management of phish attacks across a multitude of detection sources to streamline incident response/mitigation and eliminate reporting inaccuracies
  • Built-in integrations with popular email gateway tools and phish reporting / simulation solutions
  • Reveal new insights and report on key metrics related to your abuse data, for example:
    • Determine which brands are most often used to target your employees to improve training and awareness
    • Determine the ratio of phish targeting your brand that are reported by customers vs. other sources
    • Report on the accuracy of employees' and customers' phish submissions over time
    • Identify legitimate company emails that are being reported as phish

Contact RiskIQ Customer Success to let them know you are interested in setting up an abuse box integration. They will create one or more RiskIQ abuse data email addresses for you, to which you can enable auto-forwarding of all messages from your current abuse box(es).

You can have as many unique forwarding destinations as you have unique sources to track for reporting purposes. For example, if your company has multiple email aliases to which users can forward phishing they observe, you could forward data from all of those aliases to a single RiskIQ email address for user-reported phish and abstract away which alias each message came from, or you could have multiple RiskIQ email addresses corresponding to different aliases in order to track differences in the data received from each. Your Account Manager will work with you to determine the best set-up for your organization's goals.

Data Retention and Privacy

Email messages are securely and permanently deleted by RiskIQ after whatever retention time is required by your organization. Access to view message metadata and full content is restricted via user permissions. After messages are deleted, only the crawls of URLs extracted from the email are stored by RiskIQ, with the original message ID, timestamp, subject line, sender, recipient, and the abuse box address the message was sent to stored as metadata on the crawl. Crawls with phish or malware content detected are stored indefinitely. Otherwise, crawls are stored for 30 days.

How It Works

  • Emails forwarded to a RiskIQ abuse box email account are automatically parsed: URLs are extracted from the message body and/or attachments, including URLs parsed from images. Any attachment format is viable, but attachments cannot be password-locked
  • URLs are crawled and analyzed. Email message metadata and scores and classifications of page content are stored in crawl details
    • Standard classifications are malware or phish, but other classifications can be added as customizations 
  • Response and mitigation workflows are initiated based on crawl analysis and configured policies (e.g., if a page is detected impersonating the client brand to phish consumers, generate an event, submit the URL for browser blocking, and send a request to take down the site)
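
The parsing step above, sketched as an added example (this is not RiskIQ's code): it decodes every text part of a forwarded report, including a message attached as message/rfc822, and emits one crawl request per unique URL carrying the metadata fields listed under Data Retention and Privacy. The function names, record keys, addresses and sample message are all constructed for illustration.

```python
import html
import re
from email import message_from_string, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.I)

def crawl_requests(raw_eml, abuse_box):
    """Return one crawl-request dict per unique URL found in any text part."""
    msg = message_from_string(raw_eml, policy=policy.default)
    meta = {  # metadata the page says is kept on each crawl (key names assumed)
        "message_id": str(msg["Message-ID"]), "timestamp": str(msg["Date"]),
        "subject": str(msg["Subject"]), "sender": str(msg["From"]),
        "recipient": str(msg["To"]), "abuse_box": abuse_box,
    }
    urls = []
    for part in msg.walk():  # walk() also descends into attached message/rfc822
        if part.get_content_maintype() != "text":
            continue  # binary attachments and image OCR are out of scope here
        text = part.get_content()  # undoes base64 / quoted-printable and charset
        if part.get_content_subtype() == "html":
            text = html.unescape(text)  # e.g. &amp; inside href query strings
        urls += [u.rstrip(".,;") for u in URL_RE.findall(text)]
    return [dict(meta, url=u) for u in dict.fromkeys(urls)]  # de-dupe, keep order

def sample_eml():
    """Constructed report: a user forwards a suspicious mail as an attachment."""
    inner = EmailMessage()
    inner["Subject"] = "Verify your account"
    inner.set_content(
        '<a href="https://login.example.test/verify?u=1&amp;t=2">Verify</a>',
        subtype="html", cte="base64")  # body is base64 on the wire
    outer = EmailMessage()
    outer["Message-ID"] = "<constructed-1@corp.example>"
    outer["Date"] = "Mon, 03 Jun 2024 10:00:00 +0000"
    outer["Subject"] = "FW: Verify your account"
    outer["From"] = "employee@corp.example"
    outer["To"] = "phish@corp.example"
    outer.set_content("Reported: https://login.example.test/start. Original attached.")
    outer.add_attachment(inner)  # attached as message/rfc822
    return outer.as_string()

if __name__ == "__main__":
    for record in crawl_requests(sample_eml(), "abuse-intake@vendor.example"):
        print(record)
```

The link inside the attached message never appears in the raw EML text because its body is base64-encoded, so a plain pattern match over the raw file would miss it; decoding each MIME part first is what makes the extraction complete.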

Sample Employee Phishing Abuse Box Integration Workflow

Sample Brand Phishing Abuse Box Integration Workflow

Viewing Results

Viewing and reporting on abuse data is available at multiple levels of granularity. You can move between each level seamlessly via linked IDs in both directions.


Get the list of all the messages RiskIQ has received with their metadata and rolled-up classifications from all crawled URLs found in the message. This list can be viewed and searched in the UI portal, exported to Excel, or retrieved via API. Unless the message has been deleted, the original EML file for each message can also be downloaded.


View all the URLs from a particular message with their individual classifications, or view all crawls from an abuse box project across all messages with their associated scores.


Any crawls that trigger a policy will also generate an event alert with the source marked as the name of your abuse box crawl project, or if an event already exists for the same URL, the crawls are instead rolled up under that event as new point-in-time crawl samples. All events are automatically re-crawled over time to monitor their current status and have actions associated to them, such as sending takedown notices. Events can be accessed via the UI portal, exported to Excel, or consumed via email alert, web hook, or API. Events generated from abuse boxes also contribute to standard monthly event reporting across all sources.