Table of contents

1) Properties of the reported email section

2) Easy Analysis of a reported email.

3) How to resolve a reported email.

1. Go to PhishArm > Reported Emails

2. On the reported emails page, you will see a list of all the reported emails. You can search for a specific email by using the subject line in the search bar on the top right corner of this page, or you can click on Investigate on any particular email from the list shown on this page.

3. Once you click on Investigate, the details page with all the important information related to the reported email is opened. You will see the following information about a reported email.

a. Email Attributes:

This provides basic information about the reported email such as Email Subject, Sender email, email tags such as SPF, DKIM, DMARC, etc. From this information you can determine whether an email was generated from a legitimate source, with a verified signature.

b. HTML tab:

This displays the reported email rendered in HTML.

Right-Hand also provides you with the option of converting a malicious reported email into a harmless phishing email simulation template, which can then be used to test the behavior of other users in the organization by running a phishing campaign.

To do this, you need to scroll down and click on the "Convert to email template" button.

c. Headers Tab

This displays all the headers and their values that were present in the reported
email. By examining the email header information, you can track the path that the email took from the sender's server to your inbox. If the email header information doesn't match up with the intended sender, it's likely a spoofed email. Similarly, you can use the IP address to determine where the email originated.

Examine key fields:

Check for mismatches or inconsistencies to figure out suspicious emails.

d. Links Tab

This helps the admin to identify the malicious links that are present in the reported email. You can also scan the links via the VirusTotal Integration which is mentioned in the link below.

e. Domains Tab

This displays the domains to which all the links in the reported email belong. The domains can be scanned through Virus Total which provides a verdict. Please refer to the link below.

f. Attachments.

This displays any malicious attachments in a particular email and they can be scanned via VirusTotal which provides a verdict. Please refer to the link below.

Once you click on investigate on the reported email. You will be able to see all the tabs listed below in the reported email.

Please refer to the below video which shows how to analyze a reported email via the VT integration.

All the above helps you identify if a reported email is safe or not. Once the analysis is completed, you can choose to do the following.

If the email is classified as Malicious, please click on Run EQA Query to create a query and scan all the users' inboxes, and remove all malicious emails from all users’ inbox if identified.

Once the EQA query is created, you can resolve the email by following the below steps.

a. Categorize the email into one of the following categories

1) Safe - Uncategorized, Simulation or Secure.

2) Malicious - Threat, Phishing, Spam or BEC.

3. Assign a severity from the following possible values

1)Low

2)Medium

3)High

4)Critical

4. Please click on "PROVIDE FEEDBACK TO THE REPORTER" toggle to provide feedback based on the category of the email, if it's malicious or safe. Please type the message in the blank field that appears after the toggle is on.

5. After that, please click on "Mark as Resolved".

6. Choose to move the email back to the user's inbox if the email was mistakenly reported as suspicious or quarantined or click on "Mark secure only".

7. Based on your action, the email will either move to the resolved section or to the user's inbox.

​