Viewing Reported Emails

PhishER Inbox Guide

The PhishER Inbox displays emails that your users report manually or by using the Phish Alert Button (PAB). Once your users start reporting emails, you can view and manage them from your Inbox.

See the sections below to learn how to use your Inbox.

Navigating the Inbox

If you would like to show or hide specific Inbox columns, select the gear icon at the top-right corner of the Inbox page. When you click this icon, the Inbox Table Settings pop-up window will open. You can show or hide columns by selecting or deselecting the check box to the left side of the column name.

For more information about the Inbox page, see the screenshot and list below:

  1. Category: This column displays the grouping of messages based on disposition. A message can be categorized or dispositioned in one of three ways: Clean, Spam, or Threat. Each message will be dispositioned as Unknown until a different disposition is determined.
  2. From: This column displays the sender name associated with the original message.
  3. From Email: This column displays the email address associated with the original message.
  4. Subject: This column displays the text found in the subject line of the original message.
  5. First Disposition Date: This column displays the timestamp of when the message was first dispositioned.
  6. Current Disposition Date: This column displays the timestamp of when the message's current disposition was applied.
  7. Reported At: This column displays the date and time of when the message was received by the Inbox.
  8. Reported By: This column displays the name of the user who reported the message.
  9. Reported By (Email): This column displays the email address of the user who reported the message.
  10. Status: This column displays a message's analysis status. A message can have a status of Received, In Review, or Resolved.
  11. Tags: This column displays a label attached to a message based on the message's attributes. There is no limit to the number of tags a message can have. All tags are clickable. By clicking a tag, you can create a filtered view of the PhishER Inbox based on that tag. Tags can be automatically or manually assigned to a message. To learn about the ways tags can be assigned, see the list below:
  12. Users can suggest a tag for a message with the Phish Alert Button (PAB) disposition feature. For more information, see our Adding User Comments and Email Disposition to the Phish Alert Button article.
  13. An admin can manually add a tag to a message from the Inbox or Message Details page of the PhishER Inbox. Admins can also add tags to multiple messages by selecting multiple messages in the Inbox.
  14. Tags are automatically assigned to a message when the message matches a rule containing that specific tag.
  15. Priority: This column indicates if a message needs urgent review due to potential malicious content. A message can have a Low, Medium, High, Critical, or Unknown priority. The priority of a message is determined initially by your organization's rules and actions. However, admins can change the priority at any time.
  16. PhishRIP: This column will be available if PhishRIP is enabled in your PhishER platform. You can click on the plus icon to initiate PhishRIP. If PhishRIP was already initiated on the message, a fishbone icon will display instead.

Downloading the Inbox CSV

You can download a CSV file of your PhishER Inbox by clicking the Download CSV button in the top-right corner of the Inbox page. This CSV file will include all visible and hidden columns in the Inbox.

For more information about these columns, see the table below:

Column Name Description
id This column displays a unique string sequence used to identify the message.
md5 This column displays the hash value of the message using the MD5 algorithm.
sha1 This column displays the hash value of the message using the SHA1 algorithm.
sha256 This column displays the hash value of the message using the SHA256 algorithm.
status This column displays the status of the message. A message can have a status of Received, In Review, or Resolved.
attachments_count This column displays the number of attachments included in the message.
category This column displays the category of a message. A message can be categorized or dispositioned in one of four ways: Clean, Spam, Threat, or Unknown. For more information, see the Navigating the Inbox section above.
from This column displays the email address associated with the original message.
from_name This column displays the sender name associated with the original message.
reply_to This column displays the email address that will populate the to field of an email if a user replies to the message.
reply_to_name This column displays the name or email address that will populate the to field of an email if a user replies to the message.
reported_at This column displays the date and time of when the message was received by the PhishER Inbox. The date and time are in the Coordinated Universal Time (UTC) format.
reported_by This column displays the email address of the user who reported the message.
reported_by_name This column displays the name of the user who reported the message.
priority This column displays the priority of a message. A message can have a Low, Medium, High, Critical, or Unknown priority. For more information, see the Navigating the Inbox section above.
subject This column displays the text found in the subject line of the original message.
tags This column displays all tags that are attached to the message.
IngestionAddress This column displays the reporting email address used to forward the message to PhishER.
Current disposition date This column displays the date and time of when the message was last dispositioned. The date and time are in the UTC format.
First disposition date This column displays the date and time of when the message was first dispositioned. The date and time are in the UTC format.

Filtering the Inbox

You have the ability to filter your Inbox messages. To learn about the filters you can select, see the screenshot and list below:

  • Filter by Category: This section allows you to filter messages based on disposition. For more information, see the options listed below:
    • Clean: Select this option to display all messages dispositioned as clean.
    • Spam: Select this option to display all messages dispositioned as spam.
    • Threat: Select this option to display all messages dispositioned as threat.
    • Unknown: Select this option to display all messages that are not dispositioned as one of the three main dispositions.
  • Filter by Status: This section allows you to filter messages based on their analysis status in PhishER. For more information, see the options listed below:
    • Received: Select this option to display all messages that have not been reviewed in PhishER.
    • In Review: Select this option to display all messages that are in review.
    • Resolved: Select this option to display all messages that have been reviewed and resolved.
  • Filter by Priority: This section allows you to filter messages based on their assigned priority. For more information, see the options listed below:
    • Unknown: Select this option to display all messages that have not been prioritized.
    • Low: Select this option to display all messages marked as low priority.
    • Medium: Select this option to display all messages marked as medium priority.
    • High: Select this option to display all messages marked as high priority.
    • Critical: Select this option to display all messages marked as critical priority.

For more filter options, you can use the Search... box to filter your Inbox using Lucene queries. You can also save a customized filter by clicking the Save query as room button. For more information, see our How to Use Lucene Query Syntax and How to Create and Manage PhishER Rooms articles.

Running Actions on Selected Messages

To select a message, select the check box to the left of the message. When a message is selected, the Run drop-down menu will display in the top-left corner of the Inbox page. From this drop-down menu, you can select an action listed under Replay, PhishRIP, Email, or Actions.

For more information about these options, see the screenshot and list below:

  1. Replay: This subsection allows you to rerun your rules and actions against selected messages. For more information about the available actions, see the list below:
  2. All Rules and All Actions: This action allows you to run all of your custom rules and actions against any selected messages. If your organization has enabled VirusTotal or PhishML, they will run against any selected messages as well.
  3. All Rules: This action allows you to run all of your custom rules against any selected messages. If manually selected, this will also run for emails that do not match the criteria of your tags.
  4. PhishRIP: If your organization has enabled PhishRIP, this subsection allows you to run PhishRIP actions against any selected messages. For more information about the available actions, see the list below:
  5. Create KSAT Template: This action will send the selected email to your KSAT console to create a new phishing template using a clean version of the email.
  6. Find Similar Messages: This action will open the Find Similar Messages pop-up window, which allows you to select the match criteria of your PhishRIP query.
  7. Email: This subsection allows you to send an email. You can click Send Custom Email to open the template editor in a pop-up window. When your email is ready to be sent, click the Send button.
  8. Actions: This subsection allows you to run custom actions against any selected messages.
    Tip:Alternatively, you can select a custom quick action from the QuickActions bar on the top-right side of the Inbox page to run against your selected messages. Both options may be helpful if a message was received before an action was created.

From the top of the Inbox page, you can also set a Category, Status, and Priority for the selected messages and add multiple tags.

If you would like to clear the selected messages, you can click the Clear Selection button.

Viewing Message Details

If you click an individual message in your PhishER Inbox, the Message Details page will open. For more information about the top of the Message Details page, see the screenshot and list below:

  1. From: This field displays the name or email address of the person who sent the original message.
  2. Reply-to: This field displays the name or email address that will populate the to field of an email if a user replies to the message.
  3. To: This field displays the name or email address of the original message recipient.
  4. CC: This field displays any of the email addresses copied on the original message.
  5. Reported: This field displays the date and time of when the message was reported by a user.
  6. Reported by: This field displays the name or email address of the user who reported the message.

All email addresses in this section of the Message Details page are clickable. Clicking an email address will take you to a filtered view of your Inbox and display all of the messages tied to the specific email address.

Note: The timestamp in the top-right corner will display when the message was received by the reporter. A phish hook icon will display next to the date and time if the message was reported using the Phish Alert Button (PAB). A forwarding arrow icon will display next to the date and time if the message was not reported using the PAB.

The Message Details page contains subtabs with information about the message. For more information, click the tabs below:

The Preview tab contains an overview of the message. The overview will include the content found in the body of the message. From this overview, you will also be able to see the number of attachments and URLs in the message.

The Raw Message tab contains the raw version of the message. The raw version is the entire message, including header and body.

The Headers tab provides a view of the message headers. You can use the drop-down menu in the top-right corner to view All Headers, Standard Headers, or Non-Standard Headers. You can also search through the message headers for specific information using the search bar.

By default, the following information will already be highlighted for a quick header scan:

  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting and Conformance (DMARC)
  • Sender Policy Framework (SPF)
  • IP address

The Attachments tab contains more information about the attachments sent with the message.

If available, the following information will be displayed:

  • File Size
  • File Type
  • MD5
  • SHA1
  • SHA256

You have the option to download the attachment by clicking the download icon to the right of the attachment name. If you would like to see all of the messages in your PhishER Inbox that have this attachment, click on the title of the attachment to be taken to a filtered view of your Inbox.

You can filter your Attachments tab by clicking the All Attachments drop-down button. You can narrow your list to only viewing attachments that were labeled as Bad Attachments.

You may also run a scan through VirusTotal by clicking the VirusTotal Scan button. If a scan was completed, the Click to View Report option will display.

Note: To scan with VirusTotal, your PhishER platform must be integrated with VirusTotal. For more information about integrating PhishER with VirusTotal, visit our How to Integrate VirusTotal with Your PhishER Platform article.

You may also detonate and analyze a file through CrowdStrike by clicking the CrowdStrike Detonate button. If a detonation was completed, the View Report option will display.

Note: To detonate a file through CrowdStrike, you must have a PhishER Plus subscription and your PhishER platform must be integrated with the CrowdStrike Falcon Sandbox. For more information about integrating PhishER with CrowdStrike, visit our How to Integrate CrowdStrike with Your PhishER Platform article.

The Domains and URLs tab contains details about each domain and URL detected in the message. For more information, see the screenshot and list below:

  • Sender Info: This section displays information about the sender's domain associated with the original source of the message. For example, "thisismyfull-link.com".
  • Links Info: This section displays information about links detected in the message, including the full URL, when the link was first detected, and when the link was most recently detected.

If you would like to view all of the messages in your PhishER Inbox that contain a specific link, click the link to be taken to a filtered view of your Inbox. To copy the link, click the copy icon to the right of the URL. To create a PhishER Blocklist entry using the link, click the Create Blocklist Entry button next to the copy icon.

You can filter all of the redirector links found in the message from the All URLs drop-down menu. If a message does not have redirector links, the target URL will be used to filter your results. You can filter your URL view based on the following drop-down menu options: All URLs, Ignored URLs, Observed URLs, Scanned URLs, and Unscanned URLs.

You may also run a scan through VirusTotal by clicking the VirusTotal Scan button. If a scan was completed, the Click to View Report option will display.

Note: To scan with VirusTotal, your PhishER platform must be integrated with VirusTotal. You must also have Full Message and Message Details access in order to use the Scan with VirusTotal button. For more information about integrating PhishER with VirusTotal, visit our How to Integrate VirusTotal with Your PhishER Platform article. For more information about Security Role access, see the Roles section of our PhishER Settings: Security Roles article.

You may also run a scan through CrowdStrike by clicking the CrowdStrike Detonate button. If a scan was completed, the Click to View Scan Results option will display.

Note: To scan with CrowdStrike, you must have a PhishER Plus subscription and your PhishER platform must be integrated with the CrowdStrike Falcon Sandbox. For more information about integrating PhishER with CrowdStrike, visit our How to Integrate CrowdStrike with Your PhishER Platform article.

The Matched Rules tab contains a table of all of the rules that the message matched after the system runs. This tab provides insight into why a certain tag was assigned to the message. Each row displays the name and description of the rule, when it was matched to messages, the number of matched messages, and the tags associated with the rule.

Note: The Matched Count column refers to the number of times the rule has matched a message in your Inbox.

The History tab contains all of the user, action, and rule events associated with the message. For more information, see the screenshot and list below:

  • User Event: A user event is a user-initiated action that was manually applied to a message and caused the message to change. For example, a user event could be "Field changed by User User_Name on Mon DD, YYYY at H:MM", or "VirusTotal scan initiated for Link URL or Attachment Name".
  • Action Event: An action event occurs when a triggered action causes a message to change. For example, an action event could be "Email sent by Action Action_Name on Mon DD, YYYY at H:MM".
  • Rule Event: A rule event occurs when a matched rule causes a message to change. For example, a rule event could be "Tag changed by Rule Rule_Name on Mon DD, YYYY at H:MM".

Viewing the Actions and Discussion

On the right side of the Message Details page, you can view the Actions and Discussion sidebar. From this sidebar, you can open the Actions and Discussion subtabs.

For information about these subtabs, see the subsections below:

Actions

From the Actions subtab, you can update the message's dispositioning and tags, download the original reported email, and run actions against the message. If PhishRIP is enabled, you can create and view PhishRIP queries, and you can view your PhishML confidence results. For more information, see the screenshot and list below:

  1. Category, Status, Priority: Use these options to change the message's dispositioning. For more information, see the Filtering the Inbox section above.
  2. QuickActions: Click one of your custom QuickActions to run an action against the message.
  3. PhishRIP: This section displays how many PhishRIP queries were initiated and the date of the last query. Click Create New Query to initiate a PhishRIP query. Click View Query to see the past PhishRIP queries that were created for this message.
  4. Download Original Email: Click this button to download a copy of the original email as an .eml file.
    Note: If an email was manually forwarded to your PhishER Inbox instead of being reported via the Phish Alert Button (PAB), the downloaded message will not include email headers.
  5. Run: You can click this button then select one of the following options from the drop-down menu. For more information, see the Running Actions on Selected Messages section above.
  6. Actions: Run a single action against the message.
  7. Email: Send a custom email.
  8. PhishRIP: Create a KSAT template.
  9. Replay Run all rules or all rules and actions against the message.
  10. Assigned Tags: Add or remove a message's Assigned Tags.
  11. PhishML Confidence: Review your PhishML confidence results.
  12. Delete Message: Click this button to delete the message.

Discussion

From the Discussion subtab, you can communicate with other admins about a message. Similar to a chat window, this method of communication may be useful for organizations with multiple admins managing the PhishER Inbox.

To post a comment in the Discussion tab, click in the Comment here text box and type your message. Then, click the Send button to make your comment visible to all admins with PhishER access.

Users can communicate with admins about specific messages when they use the Phish Alert Button (PAB). When users leave a comment while using the PAB, the comment will appear in the Discussion subtab. For more information, see our Adding User Comments and Email Disposition to the Phish Alert Button article.

Can't find what you're looking for?

Contact Support