New to automation

@Ken, sorry for the delay - hope you had a great weekend!

As far as enrichment, there are a few things I would do:

  1. Strip the Sender address and the From address from email headers (if they are different, then that is not typically normal). Search mailboxes for additional emails sent from those email addresses.
  2. Extract and hash any attachments and check against VirusTotal, Hybrid Analysis, sndbox.io, etc. etc.
  3. Send attachments to an internal sandbox if needed/wanted.
  4. Grab any URLs from the body of the message and do a reverse DNS lookup and identify who the hosting provider is. Also get their WHOIS info and you can keep track of this information and use IPs/URLs to block at a proxy or border firewall. You can also send automated “takedown” notifications to those hosting providers by pulling their abuse email addresses from WHOIS.
  5. If you want to gather more information, then track and plot (google maps) the send from headers to track the typical path of each email sent - this could or could not show you if an attacker is using a specific open mail relay or other information.

I think you’re heading in the right direction. The biggest thing is writing out your “hypothesis” or “problem statement” – understanding what you are trying to prevent/protect against will help you put in the right automation. Also, a good practice is to say “I expect a X percent drop in {infections, compromised accounts, man hours, etc.} by doing {whatever automation you are wanting to do}”.

I hope this helps!
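Steps 1, 2 and 4 of the enrichment list above, as an added Python example that is not code from this thread: the message is a constructed sample, and the VirusTotal, rDNS and WHOIS lookups that would consume the returned hashes and hosts are assumed to be done by whatever tooling you already have.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse
# Constructed sample message (not a real phish): Sender differs from From,
# one base64 attachment, two URLs in the body.
RAW_EMAIL = b"""\
From: "Payroll" <payroll@example.com>
Sender: bulk@mailer.example.net
Subject: Updated payslip
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Review your payslip at http://203.0.113.10/login or https://payroll.example.net/x
--b1
Content-Type: application/octet-stream; name="payslip.zip"
Content-Disposition: attachment; filename="payslip.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def enrich(raw: bytes) -> dict:
    """From/Sender mismatch, attachment hashes (for VT etc.), URLs/hosts (for rDNS/WHOIS/blocking)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else None
    sender = msg["Sender"].addresses[0].addr_spec if msg["Sender"] else None
    # get_content() base64-decodes the part, so the hash is of the real file bytes
    attachments = [{"name": p.get_filename(), "sha256": sha256_hex(p.get_content())}
                   for p in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain",))
    urls = URL_RE.findall(body.get_content()) if body else []
    return {
        "from": from_addr, "sender": sender,
        "sender_mismatch": sender is not None and sender != from_addr,
        "attachments": attachments, "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls}),  # feed to rDNS/WHOIS
    }

if __name__ == "__main__":
    print(enrich(RAW_EMAIL))
```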