Abnormal Security Abuse Mailbox Cases
Overview
Abnormal Security's Abuse Mailbox automatically processes user-reported suspicious emails. When users forward or report emails to a designated abuse mailbox address, Abnormal analyzes the reported message and creates a case with an AI-generated judgment. This skill covers case lifecycle, triage workflows, remediation actions, and bulk operations.
Case Lifecycle
```text
User Reports Email
        |
        v
Case Created (status: Open)
        |
        v
AI Analysis (judgment generated)
        |
        +---> Malicious  ---> Auto-Remediate (if configured)
        |
        +---> Suspicious ---> Analyst Review Required
        |
        +---> Spam       ---> Auto-Dismiss (if configured)
        |
        +---> Safe       ---> Auto-Dismiss (if configured)
        |
        v
Analyst Action
        |
        +---> Remediate (quarantine/delete across org)
        |
        +---> Mark Not Spam (release to inbox)
        |
        +---> Dismiss (close case, no action)
        |
        v
Case Closed (status: Done)
```
Case Field Reference
Core Fields
| Field | Type | Description |
|---|---|---|
| caseId | string | Unique case identifier |
| severity | string | Severity level of the case |
| affectedEmployee | string | Email address of the user who reported |
| firstReported | datetime | When the case was first reported |
Judgment Fields
| Field | Type | Description |
|---|---|---|
| overallStatus | string | Case status: Open, Acknowledged, Done |
| judgmentStatus | string | AI judgment: Malicious, Spam, Safe, No Action Needed |
| customerVisibleTime | datetime | When the case became visible in the portal |
Reported Message Fields
| Field | Type | Description |
|---|---|---|
| reportedMessage.subject | string | Subject of the reported email |
| reportedMessage.senderAddress | string | Sender of the reported email |
| reportedMessage.senderName | string | Display name of the sender |
| reportedMessage.recipientAddress | string | Recipient of the reported email |
| reportedMessage.receivedTime | datetime | When the reported email was received |
| reportedMessage.attackType | string | Detected attack type (if malicious) |
reportedMessage.attackType | string | Detected attack type (if malicious) |
Case Judgments
| Judgment | Description | Recommended Action |
|---|---|---|
| Malicious | Confirmed threat (BEC, phishing, malware) | Remediate across organization |
| Spam | Unsolicited bulk email, marketing | Dismiss or move to junk |
| Safe | Legitimate email, no threat detected | Dismiss, notify user it is safe |
| No Action Needed | Phishing simulation or already remediated | Dismiss |
MCP Tools
| Tool | Description | Key Parameters |
|---|---|---|
| abnormal_cases_list | List abuse mailbox cases | pageSize, pageNumber, filter, fromDate, toDate |
| abnormal_cases_get | Get detailed case by ID | caseId |
| abnormal_cases_actions | Get available actions for a case | caseId |
| abnormal_cases_action | Take action on a case | caseId, action |
Tool Usage Examples
List open cases:

```json
{
  "tool": "abnormal_cases_list",
  "parameters": {
    "filter": "overallStatus eq 'Open'",
    "pageSize": 25
  }
}
```

Get case details:

```json
{
  "tool": "abnormal_cases_get",
  "parameters": {
    "caseId": "12345"
  }
}
```

Remediate a case:

```json
{
  "tool": "abnormal_cases_action",
  "parameters": {
    "caseId": "12345",
    "action": "REMEDIATE"
  }
}
```
Triage Workflows
Standard Triage Workflow
1. List open cases - Get all cases with `overallStatus eq 'Open'`
2. Sort by severity - Address critical and high severity first
3. Review AI judgment:
   - If Malicious: verify and remediate across the organization
   - If Spam: dismiss or move to junk
   - If Safe: dismiss and respond to the reporter
   - If No Action Needed: dismiss (likely a phishing simulation)
4. Take action - Remediate, dismiss, or mark not spam
5. Close case - The case moves to Done status after the action
Bulk Triage Workflow
1. Filter cases by judgment - Start with cases judged as Malicious
2. Batch remediate - Remediate all confirmed Malicious cases
3. Review Suspicious - Manually review cases without a clear judgment
4. Auto-dismiss Safe/Spam - Close the remaining low-risk cases
Escalation Criteria
Escalate a case when:
- Multiple users report the same email
- The reported email impersonates an executive
- The email contains active malware or ransomware
- Credentials may have been entered on a phishing page
- The sender is a known vendor or partner (supply chain risk)
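The following is an added example, not code from this skill or from Abnormal Security. It turns the standard and bulk triage workflows and the escalation criteria above into a triage planner: it keeps only Open cases, sorts them by severity, maps each AI judgment to the recommended action from the judgment table, and flags the escalation conditions that can be evaluated from the case fields (multiple reporters of the same message, executive impersonation, malware/ransomware attack type, known vendor sender). The "credentials may have been entered" criterion depends on user follow-up and is not inferred here. The sample cases, the executive list, the vendor domain set, and the `REVIEW` pseudo-action for cases without a clear judgment are all constructed assumptions.

```python
# Constructed sample cases shaped like the case field reference above
# (made-up records, not real Abnormal data).
SAMPLE_CASES = [
    {"caseId": "1001", "severity": "high", "affectedEmployee": "alice@example.com",
     "overallStatus": "Open", "judgmentStatus": "Malicious",
     "reportedMessage": {"subject": "Urgent wire request", "senderAddress": "ceo@example-corp.co",
                         "senderName": "Jane Doe", "attackType": "BEC"}},
    {"caseId": "1002", "severity": "high", "affectedEmployee": "bob@example.com",
     "overallStatus": "Open", "judgmentStatus": "Malicious",
     "reportedMessage": {"subject": "Urgent wire request", "senderAddress": "ceo@example-corp.co",
                         "senderName": "Jane Doe", "attackType": "BEC"}},
    {"caseId": "1003", "severity": "low", "affectedEmployee": "carol@example.com",
     "overallStatus": "Open", "judgmentStatus": "Spam",
     "reportedMessage": {"subject": "50% off", "senderAddress": "deals@shop.example",
                         "senderName": "Shop", "attackType": None}},
    {"caseId": "1004", "severity": "critical", "affectedEmployee": "dave@example.com",
     "overallStatus": "Open", "judgmentStatus": None,
     "reportedMessage": {"subject": "Invoice attached", "senderAddress": "billing@vendor.example",
                         "senderName": "Vendor Billing", "attackType": "Malware"}},
    {"caseId": "1005", "severity": "medium", "affectedEmployee": "erin@example.com",
     "overallStatus": "Done", "judgmentStatus": "Safe",
     "reportedMessage": {"subject": "Team lunch", "senderAddress": "hr@example.com",
                         "senderName": "HR", "attackType": None}},
]

# Assumed severity ordering: lower rank is handled first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Assumed organisational context: display name -> legitimate executive address,
# and the domains of known vendors/partners.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}
VENDOR_DOMAINS = {"vendor.example"}


def open_cases_filter():
    """OData filter used with abnormal_cases_list to fetch open cases."""
    return "overallStatus eq 'Open'"


def recommended_action(case):
    """Map the AI judgment to the case action from the judgment table."""
    judgment = case.get("judgmentStatus")
    if judgment == "Malicious":
        return "REMEDIATE"
    if judgment in ("Spam", "Safe", "No Action Needed"):
        return "DISMISS"
    return "REVIEW"  # assumed marker: no clear judgment, analyst must look


def _message_key(case):
    msg = case["reportedMessage"]
    return (msg["senderAddress"].lower(), msg["subject"].strip().lower())


def escalation_reasons(case, all_cases, executives, vendor_domains):
    """Return the escalation criteria (from the list above) that this case meets."""
    msg = case["reportedMessage"]
    reasons = []
    # Multiple users reported the same message (same sender + subject).
    reporters = {c["affectedEmployee"] for c in all_cases if _message_key(c) == _message_key(case)}
    if len(reporters) > 1:
        reasons.append(f"reported by {len(reporters)} users")
    # Display name matches an executive but the address is not theirs.
    exec_addr = executives.get(msg.get("senderName"))
    if exec_addr and msg["senderAddress"].lower() != exec_addr.lower():
        reasons.append("executive impersonation")
    if (msg.get("attackType") or "").lower() in ("malware", "ransomware"):
        reasons.append("active malware")
    domain = msg["senderAddress"].rsplit("@", 1)[-1].lower()
    if domain in vendor_domains:
        reasons.append("known vendor sender (supply chain risk)")
    return reasons


def plan_triage(cases, executives=EXECUTIVES, vendor_domains=VENDOR_DOMAINS):
    """Open cases ordered by severity, each with its action and escalation flags."""
    open_cases = [c for c in cases if c["overallStatus"] == "Open"]
    ordered = sorted(open_cases, key=lambda c: SEVERITY_RANK.get(c["severity"].lower(), 99))
    plan = []
    for c in ordered:
        reasons = escalation_reasons(c, open_cases, executives, vendor_domains)
        plan.append({"caseId": c["caseId"], "severity": c["severity"],
                     "action": recommended_action(c), "escalate": bool(reasons),
                     "reasons": reasons})
    return plan


if __name__ == "__main__":
    for entry in plan_triage(SAMPLE_CASES):
        print(entry)
```

Cases whose action is `REMEDIATE` can be batched straight into `abnormal_cases_action`; entries marked `escalate` are the ones to hold for a human even when the judgment is Malicious, because the remediation scope (all reporters, the impersonated executive's contacts, the vendor relationship) is wider than the single reported message.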
Case Actions
| Action | Description | When to Use |
|---|---|---|
| REMEDIATE | Remove the email from all recipients' inboxes | Confirmed malicious email |
| MARK_NOT_SPAM | Release email back to inbox | False positive, legitimate email |
| DISMISS | Close case without action | Safe email, phishing simulation, spam |
Error Handling
Common API Errors
| Code | Message | Resolution |
|---|---|---|
| 400 | Invalid filter | Check OData filter syntax |
| 401 | Unauthorized | Check API token |
| 403 | Insufficient permissions | Token needs abuse mailbox scope |
| 404 | Case not found | Verify case ID |
| 409 | Case already actioned | Case was already remediated/dismissed |
| 429 | Rate limited | Wait and retry |
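An added example (not part of this skill or of Abnormal's tooling) of applying the error table above when driving the tools from a script: 429 is retried with exponential backoff, 409 is treated as "already actioned" so a re-run of a bulk remediation is idempotent, and 400/401/403/404 fail fast with the table's resolution text. The `invoke(tool, parameters) -> (status, body)` transport, the `FakeAbnormal` stand-in, and the `cases` key in the list response body are assumptions for the demonstration; paging uses the `pageSize`/`pageNumber` parameters from the tool table.

```python
import time


class AbnormalApiError(Exception):
    """Raised for a non-retryable error status, carrying the resolution hint."""

    def __init__(self, status, message):
        super().__init__(f"{status}: {message}")
        self.status = status


# Resolutions copied from the Common API Errors table above.
NON_RETRYABLE = {
    400: "Invalid filter - check OData filter syntax",
    401: "Unauthorized - check API token",
    403: "Insufficient permissions - token needs abuse mailbox scope",
    404: "Case not found - verify case ID",
}


def call_tool(invoke, tool, parameters, max_attempts=5, sleep=time.sleep):
    """Invoke one tool. `invoke` is an assumed transport returning (status, body)."""
    delay = 1.0
    for attempt in range(1, max_attempts + 1):
        status, body = invoke(tool, parameters)
        if status == 200:
            return body
        if status == 409:
            # Already remediated/dismissed: safe to report as done on a re-run.
            return {"alreadyActioned": True, "caseId": parameters.get("caseId")}
        if status == 429:
            if attempt == max_attempts:
                raise AbnormalApiError(429, "Rate limited - retries exhausted")
            sleep(delay)              # wait, then retry with backoff
            delay = min(delay * 2, 30.0)
            continue
        raise AbnormalApiError(status, NON_RETRYABLE.get(status, str(body)))
    raise AbnormalApiError(429, "Rate limited - retries exhausted")


def fetch_all_open_cases(invoke, page_size=25, **call_kwargs):
    """Page through abnormal_cases_list until a short page signals the end."""
    page, cases = 1, []
    while True:
        body = call_tool(invoke, "abnormal_cases_list",
                         {"filter": "overallStatus eq 'Open'",
                          "pageSize": page_size, "pageNumber": page}, **call_kwargs)
        batch = body.get("cases", [])     # response key is an assumption
        cases.extend(batch)
        if len(batch) < page_size:
            return cases
        page += 1


class FakeAbnormal:
    """Constructed stand-in for the tool transport: throttles the first list call once,
    serves two pages of cases, and reports case 12345 as already actioned."""

    def __init__(self):
        self.calls = []
        self.throttled_once = False

    def __call__(self, tool, parameters):
        self.calls.append((tool, dict(parameters)))
        if tool == "abnormal_cases_list":
            page = parameters["pageNumber"]
            if page == 1 and not self.throttled_once:
                self.throttled_once = True
                return 429, {"error": "Rate limited"}
            if page == 1:
                return 200, {"cases": [{"caseId": "1"}, {"caseId": "2"}]}
            return 200, {"cases": [{"caseId": "3"}]}
        if tool == "abnormal_cases_action":
            if parameters["caseId"] == "12345":
                return 409, {"error": "Case already actioned"}
            return 200, {"ok": True}
        return 404, {"error": "Case not found"}


if __name__ == "__main__":
    fake = FakeAbnormal()
    print(fetch_all_open_cases(fake, page_size=2, sleep=lambda s: None))
    print(call_tool(fake, "abnormal_cases_action", {"caseId": "12345", "action": "REMEDIATE"}))
```

Injecting `sleep` keeps the backoff testable and lets a scheduler substitute its own wait; the 409 branch is what makes "batch remediate" safe to re-run after a partial failure, since cases actioned on the first pass are reported as done rather than raising.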
Best Practices
- Triage daily - Review abuse mailbox cases at least once per day
- Trust the AI judgment - Abnormal's accuracy is high; use it to prioritize
- Remediate org-wide - When a threat is confirmed, remediate for all recipients
- Respond to reporters - Let users know their report was reviewed
- Track phishing simulation reports - Monitor security awareness training effectiveness
- Correlate with threats - Check if reported emails match known threat campaigns
- Monitor false positive rate - High FP rates may indicate policy tuning needed
Related Skills