How to investigate a reported email?
Written by Soumalya Mitra
Updated over 4 months ago

Properties of the reported email section

1. Go to PhishArm > Reported Emails

2. On the Reported Emails page, you will see a list of all the reported emails. You can search for a specific email by entering its subject line in the search bar in the top right corner of the page, or click Investigate on any email in the list.

3. Once you click Investigate, a details page opens with all the important information about the reported email, organized into the following sections.

a. Email Attributes:

This provides basic information about the reported email such as the subject, the sender address, and the authentication results (SPF, DKIM, DMARC, etc.). From this information you can determine whether the email was sent by a source authorized for the sender's domain and whether it carries a verified signature.

b. HTML Tab:

This displays the reported email rendered in HTML.

Right-Hand also provides you with the option of converting a malicious reported email into a harmless phishing email simulation template, which can then be used to test the behavior of other users in the organization by running a phishing campaign.

To do this, you need to scroll down and click on the "Convert to email template" button.

c. Headers Tab:

This displays all the headers, and their values, that were present in the reported email. By examining the header information, you can trace the path the email took from the sender's server to your inbox. If the header fields do not agree with each other or with the claimed sender, the email is likely spoofed. Similarly, you can use the originating IP address to determine where the email was sent from.

Examine key fields:

  • From

  • Reply-To

  • Return-Path

  • Received

  • X-Originating-IP

  • Authentication-Results

Check for mismatches or inconsistencies between these fields to identify suspicious emails.
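As an added example (not part of this article and not PhishArm's own code), the following Python script reads the fields listed above from a raw message and reports the kind of inconsistencies the Email Attributes and Headers sections tell you to look for: Reply-To or Return-Path domains that differ from the From domain, SPF/DKIM/DMARC verdicts that did not pass, and the origin-hop IP from the Received chain compared with X-Originating-IP. The sample message is constructed and every name, address and IP in it is invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample (all names invented): Reply-To, Return-Path and the auth verdicts disagree with From.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
\tby inbox.corp.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example.net (unknown [198.51.100.25])
\tby mx.corp.example with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
X-Originating-IP: [198.51.100.25]
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: support@bank-example-login.com
"""
def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def first_ip(text):
    """First bracketed IPv4 literal in a header value, or None."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", text or "")
    return m.group(1) if m else None

def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results, e.g. {'spf': 'fail'}."""
    verdicts = {}
    for field in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", field, re.I):
            verdicts[method.lower()] = verdict.lower()
    return verdicts

def triage(raw):
    """Collect the header facts the Headers tab tells you to compare."""
    msg = message_from_string(raw)
    from_domain, mismatches = domain_of(msg["From"]), []
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_domain:
            mismatches.append(f"{hdr} domain {dom} != From domain {from_domain}")
    # Each hop prepends its own Received header, so the last one is the origin side.
    received = msg.get_all("Received", [])
    return {"from_domain": from_domain, "mismatches": mismatches, "auth": auth_results(msg),
            "origin_ip": first_ip(received[-1]) if received else None,
            "x_originating_ip": first_ip(msg.get("X-Originating-IP"))}

def is_suspicious(report):
    """True when an address domain disagrees or any authentication check did not pass."""
    return bool(report["mismatches"]) or any(v != "pass" for v in report["auth"].values())
```

Run `triage(SAMPLE_RAW)` to see the two domain mismatches, the failed verdicts and the matching origin IPs; a message that passes all checks yields an empty mismatch list and `is_suspicious` returns False.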

d. Links Tab:

This helps the admin identify the links present in the reported email and spot any that are malicious. You can also scan the links via the VirusTotal integration described in the link below.

e. Domains Tab:

This displays the domains that the links in the reported email point to. The domains can be scanned through VirusTotal, which returns a verdict. Please refer to the link below.

f. Attachments Tab:

This displays any attachments carried by the email; each can be scanned via VirusTotal, which returns a verdict. Please refer to the link below.

All of the links, domains, and attachments of a reported email can be scanned and analyzed via the VirusTotal integration. Please refer to the article titled "Easy Analysis of Reported Emails by Integrating VirusTotal with PhishArm" for complete information about creating a free VirusTotal account and configuring or deleting the integration.

Easy Analysis of a reported email.

Once you click Investigate on a reported email, you will see the following tabs for that email.

  • Email Attributes

  • HTML

  • Headers

  • Links

  • Domains

  • Attachments

Please refer to the video below, which shows how to analyze a reported email via the VirusTotal integration.

How to resolve a reported email.

All of the above helps you identify whether a reported email is safe. Once the analysis is complete, you can take the following actions.

If the email is classified as Malicious, click Run EQA Query to create a query that scans all users' inboxes and removes the malicious email from every inbox where it is found.

Please refer to this article titled "How to use Email Quarantine Automation (EQA)?" to learn more about using EQA to run a query.

Once the EQA query is created, you can resolve the email by following the below steps.

  1. Click "Mark as Resolved" to resolve the email as malicious or safe based on VirusTotal's verdict.

  2. Once you click "Mark as Resolved", you are redirected to the next page, where you categorize the email as either "Safe" or "Malicious" based on the VirusTotal verdict.

     a. Categorize the email into one of the following categories:

        1) Safe - Uncategorized, Simulation or Secure.

        2) Malicious - Threat, Phishing, Spam or BEC.

  3. Assign a severity from the following possible values:

        1) Low

        2) Medium

        3) High

        4) Critical

  4. Turn on the "PROVIDE FEEDBACK TO THE REPORTER" toggle to give the reporter feedback based on the email's category (malicious or safe). Type the message in the blank field that appears once the toggle is on.

  5. After that, click "Mark as Resolved".

  6. If the email was mistakenly reported as suspicious or quarantined, choose to move it back to the user's inbox; otherwise click "Mark secure only".

  7. Based on your action, the email either moves to the resolved section or back to the user's inbox.
