CanIPhish can integrate with Google Workspace through the use of a Service Account to quarantine emails reported through CanIPhish's Gmail Report Email Add-in. Implementing this functionality significantly improves the email report experience, as reporters don't need to manually move emails to the trash or spam folders after a report takes place.
Additionally, you as the administrator gain powerful capabilities over deciding what type of emails should be quarantined, with the ability to report actual spam/phishing emails to Google, or even recover emails accidentally reported as spam/phishing,
To get started, please follow the steps outlined below.
Note: For Email Quarantine functionality to work, you must be using CanIPhish's Gmail Report Email Add-in. Emails reported through CanIPhish's Report Email Forwarding Address cannot be quarantined.
Table of Contents
- Prerequisite
- Step 1. Create A Google Service Account
- Step 2. Associate The Service Account With Google Workspace
- Step 3. Configure Email Quarantining In CanIPhish
- Frequently Asked Questions
Prerequisite
You need a Google Cloud Project to create a Google Service Account. If you already have a Google Cloud Project that can be used, you can go straight to Step 1.
P.1. Open the Google Cloud Resource Manager
P.2. Click Create Project
P.3. Enter a Project Name and then click Create
Note: It may take a few minutes for the new project to create, once ready it should appear on the resource manager page.
P.4. You now need to enable the Gmail API on the newly created project.To do this, go to APIs and Services > Enable APIs and Services > Enable APIs and Services (at the top of the page). Then enter "Gmail API" into the search field and select Gmail API from the search results. Click Enable to activate the API.
Step 1. Create A Google Service Account
1.1. While logged into your Google Cloud Project, go to IAM and Admin > Service Accounts.
1.2. Click the Create Service Account button at the top of the page.
1.3. Enter a unique name that clearly distinguishes the service accounts purpose (e.g. CanIPhish-Email-Quarantine-Connector - this name can be anything you choose). Then click CREATE AND CONTINUE:
1.4. No role is required for the Service Account, once created, simply click DONE.
1.5. Click into the newly created Service Account and copy or make a note of the Unique ID. We'll need this later.
1.6. While still looking at the Service Account, click the 'KEYS' tab and click ADD KEY > Create new key:
1.7 Select JSON for the 'Key type' and then click CREATE. The newly created key should automatically download once created:
Step 2. Associate The Service Account With Google Workspace
2.1. Open the Google Admin Console.
2.2. Go to Security > Access and data control > API Controls:
2.3. Click on "MANAGE DOMAIN WIDE DELEGATION" at the bottom of the page:
2.4.Click the Add new button next to the API clients field:
2.5. In the Client ID field, enter the Service Accounts Unique ID copied earlier (In Step 1.5).
2.6. In the OAuth scopes field, enter the following oAuth Scope and then click AUTHORIZE:
https://www.googleapis.com/auth/gmail.modify
2.7. Confirm the Gmail API is enabled on the Google Cloud Project used by your Google Workspace Account. This can be confirmed by traversing to the following link and clicking the Enable button if visible: https://console.cloud.google.com/apis/library/gmail.googleapis.com
Step 3. Configure Email Quarantining In CanIPhish
3.1. Login to your CanIPhish account and navigate to the Reporting page and then to the Reported Emails tab. Finally, click the Advanced Settings button.
3.2. In the popup that appears, go to the Quarantine tab, and then click the Google Workspace radio button to begin the begin the integration process for Google Workspace.
2.3. A popup will appear prompting you to provide the Service Account Credential File downloaded earlier (Step 1.7). Please select this JSON file from your directory, and then click Save Credentials.
2.4. The credentials will be saved, and the Integration Status will be set to Active.
2.5. To test that the credentials are functional, click the Test Connectivity button that is now visible.
2.6. In the popup that appears, provide the email address of a user who has a valid Google Workspace email inbox, and then click Test Connectivity. A simple test is run to see if the users mailbox can be queried via Google's Gmail API (i.e. a simple test to check that the credentials can see the mailbox exists). If successful, you will be notified via a small success popup. If successful, close the Connectivity Test popup.
2.7. Configure the Quarantine Settings to suit your needs and then click Apply Updates to finalize the integration. For information on what each setting does, please see the Frequently Asked Questions below.
You're all done!
Frequently Asked Questions
I'm quarantining emails that require analysis, but I want those marked as Not Phish and Not Spam to be restored.
You're in luck! If you've configured CanIPhish to quarantine emails that have an attribution of "Analysis Required", and then later mark those emails as "Not Phish" and "Not Spam", CanIPhish has built-in functionality to restore these emails, so long as those attribution statuses aren't marked for quarantining. For an example of the recommended configuration, please refer to the screenshot below:
Why does CanIPhish require the requested Gmail modify permission?
The https://www.googleapis.com/auth/gmail.modify permission provides CanIPhish with the least amount of privileges to perform email quarantining. With the gmail.modify permission CanIPhish can move reported emails to spam folders, delete reported emails and place them in the trash folder, and additionally restore reported emails if they are marked as Not Spam or Not Phish.
If emails that require analysis are set to be quarantined, does quarantining occur immediately after the report is received?
Near immediately! If your quarantine configuration dictates that emails that require analysis are to be quarantined, then they will be quarantined within 5-40 seconds of the user performing the initial report.
Comments
0 comments
Please sign in to leave a comment.