CanIPhish can integrate with Google Workspace through the use of a Service Account to quarantine emails reported through CanIPhish's Gmail Report Email Add-in. Implementing this functionality significantly improves the email report experience, as reporters don't need to manually move emails to the trash or spam folders after a report takes place.
Additionally, as the administrator you gain control over which types of emails are quarantined, with the ability to report actual spam/phishing emails to Google, or even recover emails accidentally reported as spam/phishing.
To get started, please follow the steps outlined below.
Note: For Email Quarantine functionality to work, you must be using CanIPhish's Gmail Report Email Add-in. Emails reported through CanIPhish's Report Email Forwarding Address cannot be quarantined.
Table of Contents
- Step 1. Assign Permissions To The CanIPhish Service Account
- Step 2. Validate Service Account Connectivity
- Frequently Asked Questions
Step 1. Assign Permissions To The CanIPhish Service Account
1.1. Log in to your CanIPhish account and navigate to the Reporting page and then to the Reported Emails tab. Finally, click the Report Email Settings button.
1.2. In the popup that appears, go to the Quarantine tab, and then click the Google Workspace radio button to begin the integration process for Google Workspace.
1.3. A new pop-up will appear, and you will see a Client ID for the Service Account that CanIPhish has created for your tenant. Permissions need to be assigned to this Service Account. Make note of the Client ID, as this will be needed in a later step.
1.4. Open a new browser tab and log in to the Google Admin Console.
1.5. Go to Security > Access and data control > API Controls.
1.6. Click on "MANAGE DOMAIN WIDE DELEGATION" at the bottom of the page.
1.7. Click the Add new button next to the API clients field.
1.8. In the Client ID field, enter the Client ID copied earlier (in Step 1.3).
1.9. In the OAuth scopes field, enter the following OAuth Scope and then click AUTHORIZE:
https://www.googleapis.com/auth/gmail.modify
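To confirm after Step 1.9 that the delegation grants only the scope listed above, the following added example (not CanIPhish's or Google's code) checks delegation rows copied by hand from the Admin Console. A domain-wide delegation applies to every mailbox in the domain, so any extra scope on the entry matters. The client IDs, the row layout and the function names are assumptions made for illustration.

```python
# Added example: audit Domain-Wide Delegation entries against the scope in Step 1.9.
EXPECTED_SCOPE = "https://www.googleapis.com/auth/gmail.modify"
# Broadest Gmail scope; unlike gmail.modify it also allows permanent deletion.
FULL_MAILBOX_SCOPE = "https://mail.google.com/"


def parse_scopes(field):
    """Split the comma-delimited OAuth scopes field into a set of scope URLs."""
    return {s.strip() for s in field.split(",") if s.strip()}


def audit_delegation(entries, client_id):
    """Return findings for client_id; an empty list means the grant matches Step 1.9."""
    granted = set()
    found = False
    for entry in entries:
        if entry["client_id"].strip() == client_id:
            found = True
            granted |= parse_scopes(entry["scopes"])
    if not found:
        return ["no delegation entry for this client ID"]
    findings = []
    if EXPECTED_SCOPE not in granted:
        findings.append("gmail.modify is missing")
    for scope in sorted(granted - {EXPECTED_SCOPE}):
        if scope == FULL_MAILBOX_SCOPE:
            findings.append("over-privileged: full mailbox scope granted")
        else:
            findings.append("unexpected extra scope: " + scope)
    return findings


# Constructed sample data: client IDs and rows are placeholders, typed by hand
# from the Domain-wide Delegation page of the Admin Console.
SAMPLE_ENTRIES = [
    {"client_id": "100000000000000000001", "scopes": EXPECTED_SCOPE},
    {"client_id": "100000000000000000002",
     "scopes": EXPECTED_SCOPE + ", " + FULL_MAILBOX_SCOPE},
    {"client_id": "100000000000000000003",
     "scopes": "https://www.googleapis.com/auth/gmail.readonly"},
]

if __name__ == "__main__":
    for row in SAMPLE_ENTRIES:
        print(row["client_id"], audit_delegation(SAMPLE_ENTRIES, row["client_id"]) or "OK")
```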
Step 2. Validate Service Account Connectivity
2.1. Go back to the CanIPhish Cloud Platform browser tab.
2.2. Validate that the integration is functioning by providing the email address of a user who has a valid Google Workspace email inbox, and then click Validate Connection. A simple test is run to see if the user's mailbox can be queried via Google's Gmail API (i.e. a simple test to check that the credentials can see that the mailbox exists). If successful, you will be notified via a small success popup, and you can then close the Setup Connectivity popup.
2.7. Configure the Quarantine Settings to suit your needs and then click Apply Updates to finalize the integration. For information on what each setting does, please see the Frequently Asked Questions below.
You're all done!
Frequently Asked Questions
I'm quarantining emails that require analysis, but I want those marked as Not Phish and Not Spam to be restored.
You're in luck! If you've configured CanIPhish to quarantine emails that have an attribution of "Analysis Required", and then later mark those emails as "Not Phish" and "Not Spam", CanIPhish has built-in functionality to restore these emails, so long as those attribution statuses aren't marked for quarantining. For an example of the recommended configuration, please refer to the screenshot below:
Why does CanIPhish require the requested Gmail modify permission?
The https://www.googleapis.com/auth/gmail.modify permission provides CanIPhish with the least amount of privileges needed to perform email quarantining. With the gmail.modify permission, CanIPhish can move reported emails to spam folders, delete reported emails and place them in the trash folder, and additionally restore reported emails if they are marked as Not Spam or Not Phish.
If emails that require analysis are set to be quarantined, does quarantining occur immediately after the report is received?
Near immediately! If your quarantine configuration dictates that emails that require analysis are to be quarantined, then they will be quarantined within 5-40 seconds of the user performing the initial report.