Issue
Setting an object attribute in the To field in a Send Email playbook action shows the following warning.
For safety reasons, your domain is only configured to allow sending emails to emails that match <regex string>. If the email address interpolated in from this variable is not in the list of allowed email domains, the email will not be sent.
Contact us if you'd like to adjust the list of allowed email domains.
Environment
Red Canary Automation
Send Email playbook action
Resolution
Review the regex string and determine whether all possible recipients are using email domains named in the string, then consider the following.
- If the possible email addresses that will be substituted in the To field are already encompassed by domains in the regex string, no action is required.
- Otherwise, if emails could be sent to an address using a domain not specified in the regex string, open a ticket with Red Canary Support and provide a list of domains that need to be added to your subdomain's regex string.
In the example seen in the screenshot, if all users that may report a phishing email have a @mydomain.com email addresses, then no action is required. However, if phishing emails may also be reported by users with @myothercorp.com or @mydomain.net addresses, then a ticket must be opened with Red Canary Support so the other domains can be added to the regex string of allowed recipients.
The following object attributes can be used as recipients in the Send Email playbook action. All other unnamed variables will fail to pass a properly formatted email address.
• $Identity.email • $Detection.marked_acknowledged_by_user.email • $Detection.marked_resolved_by_user.email • $ReportedPhish.email_reply_to • $ReportedPhish.email_from • $ReportedPhish.email_to • $ReportedPhish.reporter_email • $Note.author_email
Cause
For your security, Red Canary is only able to send emails from your subdomain to known-good addresses. The banner is only a warning of this restriction when using variables as email recipients and not indicative of an explicit misconfiguration in the playbook.
Tags
update allowed email domains, phishing assessment trigger, automation playbook domains, edit regex for email domains, unwanted phishing notification domains, Red Canary regex configuration, Reported Phish Assessment Changes trigger setup
Comments
0 comments
Please sign in to leave a comment.