Reviewing User Reported Phishing Emails

Email users are key in the fight against phishing. Users can help detect missed attacks, which lets security administrators remediate them and adjust policies to prevent similar attacks in the future.

Harmony Email & Collaboration automatically ingests these reports, alerts administrators about them, and presents them in a dedicated dashboard. This allows administrators to investigate and take necessary actions.

Benefits

  • Present potentially missed attacks in the Harmony Email & Collaboration Administrator Portal.

  • Integrated solution for the security admins to investigate and take actions.

  • Simple, powerful way to increase end-user involvement and interact with them.

Phishing Reports Dashboard

The Phishing Reports dashboard shows the suspected phishing emails from the end users. Whenever a user marks an email as suspected phishing, a new entry is created in the dashboard. This allows the administrator to review and take the relevant actions.

To see the user reported phishing emails, navigate to User Interaction > Phishing Reports.

Acting on Phishing Reports

Administrators can perform one of these actions on phishing reports:

  • Decline - The report will be declined as the reported email does not seem to be malicious. The email remains in the user's mailbox.

  • Quarantine - The report will be approved and the email will be sent to quarantine.

  • Block-list/Allow-list rule - The administrator will choose to create an exception. See Anti-Phishing Exceptions.

Notes:

  • If the user action occurs beyond the data retention period, the system will exclude the emails and will not trigger any workflows.

    For example, if a user reports an email as phishing after the data retention period, Harmony Email & Collaboration will not process the email or trigger the workflow.

  • If a user reports an email sent to multiple recipients as phishing, the Email Profile section will show the reported phishing status only for the specific copy of the email reported by the user.

Notifying End Users about Approving/Declining their Reports

Administrators can choose to notify end users whenever their phishing reports are approved or declined. To enable these notifications:

  1. Go to Security Settings > User Interaction > Phishing Reports.

  2. In the Reviewing phishing reports section, select the Notify users when their reports are approved/declined checkbox.

  3. To change the notification message, click the icon next to the checkbox and make the required changes.

  4. Click Save And Apply.

Note - This will also enable end user notifications for rejected quarantine restore requests. See Managing Restore Requests.

To configure the notification subject and body:

  1. Go to Security Settings > SaaS Applications.

  2. To configure the templates for Office 365 Mail, click Configure for Office 365 Mail.

  3. To configure the templates for Gmail, click Configure for Gmail.

  4. Scroll down to Advanced and edit these templates:

    • Phishing report decline:

      • Report Phishing decline subject

      • Report Phishing decline body

    • Phishing report approve:

      • Report Phishing approve subject

      • Report Phishing approve body

Automatic Ingestion of End User Reports

Note - For integration with a third party solution, contact Check Point Support.

Dedicated Phishing Reporting Mailboxes

Some organizations provide end users with one or more dedicated mailboxes to which they can forward phishing emails (for example, phishing_reports@mycompany.com). You can configure Harmony Email & Collaboration to scan such mailboxes, add every email forwarded to them to the Phishing Reports dashboard, and create a user-reported phishing event.

To add dedicated mailboxes to the Phishing Reports dashboard:

  1. Go to Security Settings > User Interaction > Phishing Reports.

  2. Select the Dedicated phishing reporting mailboxes checkbox.

  3. Enter the required mailbox email address.

    Note - To add multiple mailboxes, enter the mailbox addresses separated by a comma.

  4. Click Save and Apply.

Note - All emails sent by protected users to these mailboxes generate events for administrators to review in the Phishing Reports dashboard. Make sure these are dedicated mailboxes to report phishing.

Generating Events for User Reported Phishing

When a user reports a phishing email, administrators can determine the event type that Harmony Email & Collaboration generates.

The available options are:

  • Create an "Alert" event

  • Create a "Phishing" event

  • Do nothing

To configure the event type for Phishing Reports emails:

  1. Go to Security Settings > User Interaction > Phishing Reports.

  2. In the User-Reported Phishing Emails section, in Workflow, select the event type to be generated.

  3. Click Save and Apply.

Microsoft Report Message Add-in

Microsoft offers a built-in Mark as Phishing option in Outlook. When a user clicks this option, Microsoft gets notified of the missed suspected phishing email and sends a report to phish@office365.microsoft.com.

Harmony Email & Collaboration integrates with the native Report Message add-in for Microsoft 365. When a user reports an email as phishing, Harmony Email & Collaboration immediately shows the email in the Phishing Reports dashboard and creates a user-reported phishing event.

Enabling Report Message Add-in in Outlook

By default, in Outlook, the ability to report an email as phishing is enabled.

Office 365 administrators can add the Report Message add-in to their users’ desktop clients if it is not already enabled. To enable the Report Message add-in, refer to Microsoft documentation.

Reporting Phishing Email from Outlook - End-User Experience

Web Client

In the web client, open the email and select Mark as phishing.

Desktop Client

In the desktop client, go to the Home tab, click Junk, and select Report as Phishing.

Automatic Handling of User Reported Phishing Emails

With Harmony Email & Collaboration, you can automate the handling of user-reported phishing emails, significantly reducing the administrator's workload.

Every time a user submits a phishing report, Harmony Email & Collaboration re-evaluates the email and gives a re-evaluated verdict (clean, phishing, or inconclusive).

For each re-evaluated verdict, administrators can configure a workflow. To do that:

  1. Go to Security Settings > User Interaction > Phishing Reports.

  2. Expand Reviewing phishing reports and from the list, select one of these:

    1. Manual - Every report is manually reviewed by Administrator.

      • Clean: Send for admin review

      • Inconclusive: Send for admin review

      • Phishing: Send for admin review

    2. Semi-automatic - Automated actions for some updated verdicts and manual review for others.

      • Clean: Decline report. Email remains in mailbox

      • Inconclusive: Send for admin review

      • Phishing: Approve report. Quarantine the email

    3. Automatic - Automatic recommendation is performed.

      • Clean: Decline report. Email remains in mailbox

      • Inconclusive: Approve report. Quarantine the email

      • Phishing: Approve report. Quarantine the email

  3. Expand Workflows and notifications.

  4. Select one of these from the list:

    Re-evaluated Verdict and Available Workflows:

    • Re-evaluated as: Clean

      • Send for admin review

      • Decline report. Email remains in mailbox

    • Re-evaluated as: Inconclusive

      • Send for admin review

      • Decline report. Email remains in mailbox

      • Approve report. Quarantine the email

    • Re-evaluated as: Phishing

      • Send for admin review

      • Approve report. Quarantine the email

  5. Select whom to notify:

    • Notify Admin - The administrator gets a notification when a report is sent for their review.

    • Notify User

      • When report is sent for review - The end user gets a notification when the report is sent for review.

      • When report is approved - The end user gets a notification when the report is approved.

      • When report is declined - The end user gets a notification when the report is declined.

      Note - The availability of these options depends on the workflow selected.

  6. To customize an email notification (subject and body), click the icon next to the specific notification, make the necessary changes, and then click Save.

  7. Click Save and Apply.
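The verdict-to-workflow presets and the per-verdict workflow choices above, modeled as an added example (not Check Point code and not a Harmony Email & Collaboration API) to compare how many reports each mode leaves in the admin review queue. The sample reports, the 180-day retention value, and measuring retention from the email's receipt time are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

REVIEW = "Send for admin review"
DECLINE = "Decline report. Email remains in mailbox"
APPROVE = "Approve report. Quarantine the email"

# Presets as listed on this page (re-evaluated verdict -> workflow).
PRESETS = {
    "Manual": {"clean": REVIEW, "inconclusive": REVIEW, "phishing": REVIEW},
    "Semi-automatic": {"clean": DECLINE, "inconclusive": REVIEW, "phishing": APPROVE},
    "Automatic": {"clean": DECLINE, "inconclusive": APPROVE, "phishing": APPROVE},
}
# Workflows the page lists as selectable for each re-evaluated verdict.
ALLOWED = {
    "clean": {REVIEW, DECLINE},
    "inconclusive": {REVIEW, DECLINE, APPROVE},
    "phishing": {REVIEW, APPROVE},
}

def validate(policy):
    """Return the (verdict, workflow) pairs that the page does not offer."""
    return [(v, w) for v, w in policy.items() if w not in ALLOWED.get(v, set())]

def triage(reports, policy, retention_days):
    """Count outcomes; reports made beyond the retention period are excluded."""
    outcomes = Counter()
    for received, reported, verdict in reports:
        # Assumption: retention is measured from when the email was received.
        if reported - received > timedelta(days=retention_days):
            outcomes["Excluded (beyond data retention)"] += 1
        else:
            outcomes[policy[verdict]] += 1
    return outcomes

# Constructed sample: (email received, user reported, re-evaluated verdict).
T0 = datetime(2024, 1, 1)
SAMPLE = [
    (T0, T0 + timedelta(hours=2), "phishing"),
    (T0, T0 + timedelta(days=1), "clean"),
    (T0, T0 + timedelta(days=3), "inconclusive"),
    (T0, T0 + timedelta(days=5), "inconclusive"),
    (T0, T0 + timedelta(days=400), "phishing"),  # reported after retention
]

if __name__ == "__main__":
    for name, policy in PRESETS.items():
        # 180 days is an assumed retention period, not a product value.
        print(name, validate(policy), dict(triage(SAMPLE, policy, 180)))
```

On this sample, the inconclusive verdicts are what separate the Semi-automatic and Automatic modes: the former sends them to the admin, the latter quarantines them without review.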

Re-evaluated Verdict - Administrator Experience

Once Harmony Email & Collaboration re-evaluates the user-reported phishing email, you can find the re-evaluated verdict under Security Stack.