Lumu’s spambox analysis ingests your spam and correlates it with other metadata sources to let you know how adversaries are trying to compromise your network infrastructure.

Spambox

Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools.

In this section of the Lumu Portal, you can manage spambox analysis. This unique threat intelligence source can help you understand who adversaries are attempting to compromise in your organization and how they are being targeted. This intelligence will help you make strategic and tactical decisions to disrupt the cycle.

The Lumu Spambox feature ingests spam data and runs advanced correlations between your spambox, known IoCs, and network traffic to support the Continuous Compromise Assessment of your organization.

Set up Spambox

Lumu unlocks the value of your spambox with 3 simple steps:


The spambox capability is part of Lumu Insights and Lumu Defender. If you are a Lumu Free customer, the ability to ingest and analyze spambox metadata can be enabled as an add-on, or you can upgrade to Lumu Insights or Lumu Defender, which offer additional correlation capability and overall better compromise detection.

Read more about the spambox add-on for Lumu Free in our FAQ.
Forward your spambox to Lumu

Lumu will assign a unique email address to your organization (1). Consult your spam filtering provider for guidance on how to set up your solution to forward all the spam messages to the unique email address provided by Lumu.

Spambox settings - Lumu Portal
Related documentation:
  1. Spambox and Office 365
  2. Spambox and G Suite
If you need help setting up your spambox, or your spam filtering solution requires a specific approach to forwarding spam messages to Lumu (e.g. G Suite / Gmail), contact our support team.

Summary

This section contains the configuration settings and a general overview of the spambox data analyzed. The Spambox Activity visualization shows the total number of spam messages analyzed by Lumu (1) in a period and the top target recipients (2) of the spam messages. You can filter the dashboard by label or date (3).

Figure 1 - Summary of spambox activity.

Campaigns

The Malicious Campaigns section allows you to drill down into detailed, factual data about the attack campaigns targeting your organization’s spambox. This information can help you adjust your cyberdefense and inform future investments.

In this area, you can see how many malicious campaigns target your company (1), the indicators of compromise (IoCs), and the total number of recipients. The heat map (2) displays malicious campaign attack patterns so you can see when the adversaries are sending malicious messages. In the trends area, Lumu shows the distribution of IoCs (3) by threat type (Malware, Spam, Phishing, etc.) and the top targeted recipients (4) of malicious campaigns in your organization.

Figure 2 - Summary of malicious campaigns.

In the Campaign Details area, you can see the malicious campaigns grouped by subject and sender address (1) and their details, such as the number of emails (2), the quantity of IoCs (3), and the number of target recipients (4) of each campaign.

Figure 3 - Malicious Campaigns details - general.

You can click on a campaign to see more details, such as all the email addresses targeted by the adversary with date and time (1), the domain of each IoC found in the campaign (2), and the attachment hash information (3).

Figure 4 - Malicious Campaigns details - specific.

If you want to explore an IoC and its correlation with other network metadata sources, click on the magnifying glass icon to navigate to the Compromise Context area.

Does Lumu Spambox do any spam filtering? Check out the frequently asked questions about Spambox.

Correlation

This is a comprehensive view of the distribution of the compromise activity (1) that Lumu detected in your spambox according to your assigned labels. You can click on the zoomable chart (3) to drill deeper into your labeled threat activity, which reveals how and where compromises are spreading inside an organization’s network infrastructure. You can filter (3) the threat information by label or date.

Figure 5 - Network correlation with Spambox.
Remember to assign labels to your traffic to help easily identify the compromise distribution across your infrastructure, in a way that makes sense for your organization.

If you are a Lumu Free customer and have the Spambox Add-on, this correlation area will show you a limited correlation with DNS queries collected using Gateways.

To take full advantage of the Spambox Network Correlation feature with netflows and firewall logs, upgrade to Lumu Insights or Lumu Defender, and set up unlimited Virtual Appliances and Collectors for detailed collection within your on-premise, cloud, and remote environments.

The Correlation Details show the list of IoCs grouped by domain, with information regarding threat types (1), IoC details (2), the last time (3) Lumu found this threat in your spambox data, and the total number of contacts (4) between the IoC and your infrastructure.
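The following is an added example, not Lumu's code, that shows the logic behind the two views described above: the Campaign Details grouping of spam by subject and sender (with email, IoC and recipient counts), and the Correlation Details counting of contacts between each IoC domain and the network. The spam records, the attachment hashes, the DNS log format (`<timestamp> <label> <client-ip> <qname>`) and all domain names are constructed sample data, and the function names are this example's own assumptions. It goes slightly beyond the page in one respect: a DNS query for a subdomain of an IoC domain is counted as a contact with that domain.

```python
"""Added example (not Lumu's code): group spam into campaigns and correlate the
IoC domains they carry with DNS query logs. All data below is constructed."""
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed spam metadata, as a spam filter would forward it to the spambox.
SPAM_MESSAGES = [
    {"ts": "2024-03-01T07:58:00", "sender": "billing@invoice-example.test",
     "subject": "Invoice overdue", "recipient": "alice@corp.example",
     "urls": ["http://pay-now.example/login"],
     "attachment_sha256": "constructed-hash-1"},
    {"ts": "2024-03-01T08:01:00", "sender": "billing@invoice-example.test",
     "subject": "Invoice overdue", "recipient": "bob@corp.example",
     "urls": ["http://pay-now.example/login", "https://drop-zone.example/x"],
     "attachment_sha256": "constructed-hash-1"},
    {"ts": "2024-03-02T10:30:00", "sender": "hr@benefits-example.test",
     "subject": "Open enrollment", "recipient": "alice@corp.example",
     "urls": ["http://benefits-portal.example/form"],
     "attachment_sha256": None},
]

# Constructed DNS query log: "<timestamp> <label> <client-ip> <qname>"
DNS_LOG = """\
2024-03-01T08:05:12 HQ-LAN 10.0.1.15 pay-now.example
2024-03-01T09:10:00 HQ-LAN 10.0.1.22 www.example.org
2024-03-02T11:42:30 Remote-VPN 10.8.0.5 cdn.pay-now.example
2024-03-02T12:00:00 HQ-LAN 10.0.1.15 drop-zone.example
"""


def ioc_domains(message):
    """Domains referenced by a message's URLs, treated as IoC candidates."""
    domains = set()
    for url in message["urls"]:
        host = urlparse(url).hostname
        if host:
            domains.add(host.lower())
    return domains


def group_campaigns(messages):
    """Group by (subject, sender) and tally emails, IoCs, recipients, hashes."""
    campaigns = defaultdict(lambda: {"emails": 0, "iocs": set(), "recipients": set(),
                                     "hashes": set(), "targets": []})
    for m in messages:
        c = campaigns[(m["subject"], m["sender"])]
        c["emails"] += 1
        c["iocs"] |= ioc_domains(m)
        c["recipients"].add(m["recipient"])
        c["targets"].append((m["ts"], m["recipient"]))  # who was hit, and when
        if m.get("attachment_sha256"):
            c["hashes"].add(m["attachment_sha256"])
    return dict(campaigns)


def parse_dns_log(text):
    """Parse the constructed log format into dicts; skips blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, label, client, qname = line.split()
        rows.append({"ts": ts, "label": label, "client": client,
                     "qname": qname.lower().rstrip(".")})
    return rows


def _matches(qname, domain):
    """A query for the domain itself or any of its subdomains counts as a contact."""
    return qname == domain or qname.endswith("." + domain)


def correlate(campaigns, dns_rows):
    """Per IoC domain: number of contacts, last contact time, per-label spread."""
    iocs = set()
    for c in campaigns.values():
        iocs |= c["iocs"]
    result = {d: {"contacts": 0, "last_seen": None, "labels": Counter()} for d in iocs}
    for r in dns_rows:
        for domain, entry in result.items():
            if _matches(r["qname"], domain):
                entry["contacts"] += 1
                entry["labels"][r["label"]] += 1
                # ISO-8601 timestamps sort lexically, so max() by string is correct
                if entry["last_seen"] is None or r["ts"] > entry["last_seen"]:
                    entry["last_seen"] = r["ts"]
    return result


def top_recipients(messages, n=3):
    """Most-targeted recipients, as in the Summary view."""
    return Counter(m["recipient"] for m in messages).most_common(n)


if __name__ == "__main__":
    camps = group_campaigns(SPAM_MESSAGES)
    for (subject, sender), c in camps.items():
        print(f"{subject!r} from {sender}: {c['emails']} emails, "
              f"{len(c['iocs'])} IoCs, {len(c['recipients'])} recipients")
    for domain, e in correlate(camps, parse_dns_log(DNS_LOG)).items():
        print(f"{domain}: {e['contacts']} contacts, last seen {e['last_seen']}, "
              f"labels {dict(e['labels'])}")
```

An IoC domain with zero contacts (here `benefits-portal.example`) still appears in the correlation output: the spam reached the mailbox, but nothing on the network resolved the domain, which is the distinction the Correlation view makes between a campaign that arrived and one that led to a contact.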

Figure 6 - Network Correlation with Spambox.

Click on an IoC domain to explore the Compromise Context area. This capability shows the IoC correlated with other metadata sources. This additional context will help you understand how a particular compromise is spreading and how long it has been in your network.

Figure 7 - Compromise Context.
The Compromise Context feature allows organizations to enrich confirmed compromise information and understand how the attack is moving, giving security teams the factual data to implement the right response to the most important compromise questions. Explore the Compromise Context feature in our documentation.

Incident Response

We recommend becoming familiar with the Lumu Incident Response Playbooks, which are based on the National Institute of Standards and Technology (NIST) framework and include best practices for how to use Lumu to respond to specific attacks.

To know more about Lumu Portal:
  1. Incidents
  2. Compromise Overview
  3. Collectors
  4. Labels
