Reviewing User Reported Phishing Emails

Email users are key in fighting against phishing. Users can help detect missed attacks, let the security administrators remediate the detected attacks, and adjust the policies to prevent similar attacks in the future.

Harmony Email & Collaboration automatically ingests these reports, alerts administrators about them, and presents them in a dedicated dashboard. This allows administrators to investigate and take necessary actions.

Benefits

  • Present potentially missed attacks in the Infinity Portal.

  • Integrated solution for the security admins to investigate and take actions.

  • A simple, powerful way to increase end users' involvement and interact with them.

Phishing Reports Dashboard

The Phishing Reports dashboard shows the suspected phishing emails from the end users. Whenever a user marks an email as suspected phishing, a new entry is created in the dashboard. This allows the administrator to review and take the relevant actions.

To see the user reported phishing emails, navigate to User Interaction > Phishing Reports.

Acting on Phishing Reports

Administrators can perform one of these actions on phishing reports:

  • Decline - The report will be declined as the reported email does not seem to be malicious. The email remains in the user's mailbox.

  • Quarantine - The report will be approved and the email will be sent to quarantine.

  • Block-list/Allow-list rule - The administrator will choose to create an exception. See Anti-Phishing Exceptions.

Notifying End Users about Approving/Declining their Reports

Administrators can choose to notify end users whenever their phishing reports are approved or declined. To enable these notifications:

  1. Go to Security Settings > User Interaction > Phishing Reports.

  2. Do these in the User-Reported Phishing Emails section:

    1. In the Reviewing phishing reports section, select the Notify users when their reports are approved/declined checkbox.

    2. To configure the sender email address for notifications, do these in the Email notifications sender section:

      • Friendly-From name

        • To use a customized name, select Custom and enter the sender name.

        • If no friendly-from name is required, select None.

      • From address

        • To use the default email address, select Default. The default email address is no-reply@[recipient domain]. For example, user@company.com receives the email notifications from no-reply@company.com.

        • To use a custom email address, select Custom and enter the email address.

          Note - If you use the default sender or any email address under your domain, you must add include:spfa.cpmails.com to your SPF record to prevent SPF and DMARC failures.

      • Reply-to address

        • To use From address as the Reply-to address, select Same as From address.

        • To use a custom email address, select Custom and enter the email address.

          Note - If you use the default sender or any email address under your domain, you must add include:spfa.cpmails.com to your SPF record to prevent SPF and DMARC failures.

  3. Click Save And Apply.

Note - This will also enable end user notifications for rejected quarantine restore requests. See Managing Restore Requests.
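
One way to verify the SPF requirement from the notes above before enabling notifications, as an added example that is not Check Point code: the function takes the TXT strings already fetched for your domain (for instance with dig +short TXT, unquoted and joined) and reports why include:spfa.cpmails.com would not take effect. The name check_spf and all sample records are constructed for illustration.

```python
import re

REQUIRED = "include:spfa.cpmails.com"  # value from the note in the procedure above
# Terms that each cost one DNS lookup; SPF allows at most 10 (RFC 7208, 4.6.4).
# Only the top-level record is counted here; nested includes add more lookups.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(txt_records):
    """Return a list of problems; an empty list means the include is effective."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records published (receivers return permerror)"]
    problems, lookups, seen_all, found = [], 0, False, False
    for term in spf[0].lower().split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = re.split(r"[:/=]", body, maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if body == REQUIRED:
            found = True
            if qualifier != "+":
                problems.append(f"{term}: qualifier '{qualifier}' does not authorize the sender")
            if seen_all:
                problems.append(f"{REQUIRED} follows 'all' and is never evaluated")
        seen_all = seen_all or name == "all"
    if not found:
        problems.append(f"{REQUIRED} is missing")
    if lookups > 10:
        problems.append(f"{lookups} lookup terms at top level; the limit is 10")
    return problems

# Constructed sample records (example.net names are placeholders).
SAMPLES = {
    "ok": ["v=spf1 include:_spf.example.net include:spfa.cpmails.com -all"],
    "missing": ["site-verification=abc", "v=spf1 include:_spf.example.net -all"],
    "after_all": ["v=spf1 include:_spf.example.net -all include:spfa.cpmails.com"],
    "duplicate": ["v=spf1 include:spfa.cpmails.com -all", "v=spf1 mx -all"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, check_spf(records) or "include is effective")
```
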

To configure the notification subject and body:

  1. Go to Security Settings > SaaS Applications.

  2. To configure the templates for Office 365 Mail, click Configure for Office 365 Mail.

  3. To configure the templates for Gmail, click Configure for Gmail.

  4. Scroll down to Advanced and edit these templates:

    • Phishing report decline:

      • Report Phishing decline subject

      • Report Phishing decline body

    • Phishing report approve:

      • Report Phishing approve subject

      • Report Phishing approve body

Automatic Ingestion of End User Reports

Dedicated Phishing Reporting Mailboxes

Some organizations provide one or more dedicated mailboxes to end-users to forward phishing emails to (for example, phishing_reports@mycompany.com). You can configure Harmony Email & Collaboration to scan such mailboxes, add every email forwarded to them to the Phishing Reports dashboard and create a user-reported phishing event.

To add dedicated mailboxes to the Phishing Reports dashboard:

  1. Go to Security Settings > User Interaction > Phishing Reports.

  2. Select the Dedicated phishing reporting mailboxes checkbox.

  3. Enter the required mailbox email address.

    Note - To add multiple mailboxes, enter the mailbox addresses separated by a comma.

  4. Click Save and Apply.

Note - All emails sent by protected users to these mailboxes generate events for administrators to review in the Phishing Reports dashboard. Make sure these are dedicated mailboxes to report phishing.

Generating Events for User Reported Phishing

When a user reports a phishing email, administrators can determine the event type that Harmony Email & Collaboration generates.

The available options are:

  • Create an "Alert" event

  • Create a "Phishing" event

  • Do nothing

To configure event type for the Phishing Reports emails:

  1. Go to Security Settings > User Interaction > Phishing Reports.

  2. In the User-Reported Phishing Emails section, in Workflow, select the event type to be generated.

  3. Click Save and Apply.

Microsoft Report Message Add-in

Microsoft offers a built-in Mark as Phishing option in Outlook. When a user clicks this option, Microsoft gets notified of the missed suspected phishing email and sends a report to phish@office365.microsoft.com.

Harmony Email & Collaboration integrates with the native Report Message add-in for Microsoft 365. When a user reports an email as phishing, Harmony Email & Collaboration immediately shows the email in the Phishing Reports dashboard and creates a user-reported phishing event.

Enabling Report Message Add-in in Outlook

By default, in Outlook, the ability to report an email as phishing is enabled.

Office 365 administrators can add the Report Message add-in to their users’ desktop clients if it is not already enabled. To enable the Report Message add-in, refer to Microsoft documentation.

Reporting Phishing Email from Outlook - End-User Experience

Web Client

In the web client, open the email and select Mark as phishing.

Desktop Client

In the desktop client, go to the Home tab, click Junk and select Report as Phishing.