
How to resolve reported emails?

Written by Soumalya Mitra
Updated over a month ago


Analyze a reported email

Please navigate to PhishArm > Reported emails and then click on the ‘Investigate’ button to view all the key details you need to thoroughly review and resolve the reported email.

Important Note: We currently offer an integration with VirusTotal, which automatically scans all reported emails and provides a verdict based on the results.

The VirusTotal integration scans for malicious links, domains, and attachments.

For more information, please refer to this article.

The following fields are available once you click on "Investigate":

1. Email attributes

This section provides basic information about the reported email such as the Sender's email address, the Receiver's email address, the Email subject, the Email authentication protocols, etc.

The admin can quickly understand the context and legitimacy of a reported email using these details.

2. HTML tab

This displays the reported email rendered in HTML format.

3. Headers Tab

This displays all the headers and their values that are present in the reported email.

4. Links Tab

This section lists all the links in the reported email and categorizes them into one of three groups.

  • Malicious - The URL is not safe.

  • Suspicious - Users are advised to exercise caution when accessing these URLs.

  • Safe - The URL shows no malicious characteristics and is considered safe to use.

5. Domains Tab

This section shows the domains associated with all links in the reported email and categorizes them into one of three groups.

  • Malicious - Domain is not safe.

  • Suspicious - Users are advised to exercise caution when accessing these domains.

  • Safe - The domain shows no malicious characteristics and is considered safe to use.

6. Attachments Tab

This section shows the attachments included in the reported email and categorizes them into one of three groups.

  • Malicious - The attachment is not safe.

  • Suspicious - Users are advised to exercise caution when opening this attachment.

  • Safe - The attachment shows no malicious characteristics and is considered safe to use.
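
To cross-check what the Email attributes, Headers, Links and Domains tabs show, the same fields can be pulled from a raw copy of the reported message. The following is an added example, not PhishArm's own code; it runs offline on a constructed sample message, performs no VirusTotal lookup, and the function names are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for illustration (not a real reported email).
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=example.com
From: "IT Support" <helpdesk@example.com>
To: user@example.org
Subject: Password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today.</p>
<a href="http://login.example.net/reset?id=1">Reset now</a>
<a href="https://example.com/help">Help</a></body></html>
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def summarize(raw):
    msg = message_from_string(raw)
    # Collect every Authentication-Results header and extract the three verdicts.
    auth_text = " ".join(msg.get_all("Authentication-Results", []))
    auth = {k.lower(): v.lower() for k, v in
            re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_text, re.I)}
    # Concatenate all text parts (covers single-part and multipart messages).
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    links = re.findall(r'href\s*=\s*["\']([^"\']+)["\']', body, re.I)
    hosts = {urlparse(u).hostname for u in links}
    return {
        "sender": parseaddr(msg.get("From", ""))[1],
        "receiver": parseaddr(msg.get("To", ""))[1],
        "subject": msg.get("Subject", ""),
        "auth": auth,
        # A From domain that differs from the Return-Path domain merits a closer look.
        "envelope_mismatch": domain_of(msg.get("From")) != domain_of(msg.get("Return-Path")),
        "links": links,
        "domains": sorted(h for h in hosts if h),
    }
```
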


Resolve a reported email

Based on VirusTotal’s final verdict, if the email is identified as malicious, follow these steps:

1. Run EQA Query

Please ensure EQA is set up; you can then run an EQA query to identify the malicious emails in any other users' inboxes and quarantine them.

To set up EQA, please follow the articles below.

You can run an EQA query using the steps below.

Click on the 'Run EQA Query' option at the bottom.

Once the query window opens, please follow the instructions below:

a) Set a Query name.

b) Leave the Subject field as it is; it will search the users' mailboxes for emails with this subject line.

c) Sender Email (Auto-filled): It contains the email address from which the malicious email was sent.

d) Choose any of the folders below to search for the emails:

1) Everywhere (Recommended)

2) Inbox

3) Quarantine

4) Spam

5) Trash

e) Platform (Auto-filled): Your default email platform will be selected.

f) Body (Auto-filled): This field contains the body of the malicious email.

g) Matching criteria: Choose either All conditions or Any condition, and then click on "Save and Execute Query".

Once the query has run, if it returns results stating that there are more emails in other users' inboxes, please click on the 'View List' icon.

Once you click on the list icon, it will show the list of query results, including the email address, email subject, and all the other details.

For security reasons, the entire email is not shown, and it is encrypted.

Please click the Action button at the top right corner of the screen to perform any of the following actions.

  • Quarantine selected

  • Quarantine All

  • Restore Selected From Quarantine

  • Restore All from Quarantine

  • Delete Selected

  • Delete All

Configuring the delete option

Please note that the delete option is disabled by default; if you would like to enable it, navigate to EQA's main menu and click on the spindle icon.

And then, click on the Configurations tab to enable it.

You can delete these malicious emails; however, exercise some caution while deleting them.

2. Move to Inbox

If the email is classified as Safe, you can click on the 'Move to Inbox' button to restore that email to the user's inbox.

3. Mark as resolved

The email can be marked as resolved if it is marked as safe or malicious.

You can follow the instructions below to resolve the reported email.

a) If the email is safe, please choose any of the following categories based on the VirusTotal verdict:

  • Uncategorized

  • Simulation

  • Secure

b) If the email is malicious, please choose any of the following categories based on the VirusTotal verdict:

  • Threat

  • Phishing

  • Spam

  • Business Email Compromise (BEC)

c) Please set a severity for this reported email; you can choose any of the following options:

  • Unknown

  • Low

  • Medium

  • High

  • Critical

d) You can optionally share feedback with the reporter by toggling the "PROVIDE FEEDBACK TO THE REPORTER" option.

e) Once all of the above options have been chosen, you can click on "Mark as Resolved" to resolve the email.
