Your PhishER console provides system actions to help you manage messages. If you have an older PhishER subscription that doesn't have the system actions included in the console, you can manually create the actions. This article provides information about how each system action is configured.
To use these actions, you must enable and configure PhishML and the VirusTotal integration for your PhishER platform.
Clean Email Notification for Admin
If PhishER determines that a message is clean, this action notifies the designated admin to review the email.
In the Name field, you can enter "Clean Email Notification for Admin".
In the Description field, you can enter "(System Default) Bypassed - No Hash - Ignored [Email Address Required] [PML Required] [VT Required]".
Use the options in the drop-down tabs to set up this action.
-
Specify Tags: Select this option to trigger this action for specific tags. From the Has options, select Any. Then, add the following tags to trigger this action: PML:CLEAN, VT_BYPASSED, VT_HASH_NOT_FOUND, and VT_IGNORED. From the Doesn't Have options, select Any and add the VT_BAD tag.
-
- Select Status. Then, select In Review from the drop-down menu.
- Select Set Priority. Then, select Medium from the drop-down menu.
- Select Set Category. Then, select Unknown from the drop-down menu.
-
Note: To avoid creating a new email template every time this action runs, we recommend that you create this template before setting up the action.
- Select Send Email, then create a new custom email template or select the template that you created for this action. For the Subject and Body fields, you can enter your own text or use the text below:
Subject: PhishER: Clean email received by PhishER that needs review
Body: Hello,
Please log in to PhishER and review this email:
[[subject]]
Reported by:
[[reporter_name]] - [[reporter_email]]
Sent by [[sender_name]] - [[sender_email]]
Please review this email and indicate if the email is clean. If so you can use the "Email Release" quick action to return it to the reporter.
**If the email is determined not to be clean, please use the appropriate action to disposition the email, up to and including PhishRIPing it**
- Select Specify Recipients. Add the email address of the admin you want to receive the email.
- Select Include PhishER links and tag information.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
Automatic Clean Email Notification for Reporter
If PhishER determines that a message is clean, this action notifies the user who reported the original email automatically.
In the Name field, you can enter "Automatic Clean Email Notification for Reporter".
In the Description field, you can enter "The email was found clean by PhishML and non-malicious by VirusTotal. Returning to the original reporter. Mentions the PAB in the template. [PML Required] [VT Required]".
Use the options in the drop-down tabs to set up this action.
-
Specify Tags: Select this option to trigger this action for specific tags. From the Has options, select All. Then, add the following tags, which will trigger this action: PML:CLEAN, VT_SCANNED. From the Doesn't Have options, select All. Then, add the following tag: VT_BAD.
-
- Select Status. Then, select Resolved from the drop-down menu.
- Select Set Priority. Then, select Low from the drop-down menu.
- Select Set Category. Then, select Clean from the drop-down menu.
-
Note: To avoid creating a new email template every time this action runs, we recommend that you create this template before setting up the action.
- Select Send Email, then create a new custom email template or select the template that you created for this action. For the Subject and Body fields, you can enter your own text or use the text below:
Subject: PhishER: Thank you for reporting - The email you reported was determined to be a clean/legitimate email
Body: Hello [[reporter_first_name]],
This is an automated email from your IT Department and PhishER. Please do not use the Phish Alert Button on this email [Orange Hook].
The email you reported [[subject]] was reviewed by your IT Department and determined to be a clean email, not a phishing email.
The email has been included in the bottom of the body, please action as necessary.
- Select Include Original Reporter.
- Select Include original email at the bottom of body.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
Unmet PML Threshold Notification for Admin
If an email doesn't meet the threshold for PhishML dispositioning, this action notifies the designated admin to review the email. To use this action, you must enter email addresses in the Send Email option’s From and Reply To fields.
In the Name field, you can enter "Unmet PML Threshold Notification for Admin".
In the Description field, you can enter "Notifies admin of an email that didn't reach the ML thresholds [Email Address Required] [PML Required] [VT Required]".
Use the options in the drop-down tabs to set up this action.
-
Specify Tags: Select this option to trigger this action for specific tags. From the Has options, select Any. Then, add the following tags to trigger this action: VT_SCANNED, VT_BYPASSED, VT_HASH_NOT_FOUND, and VT_IGNORED. From the Doesn't Have options, select Any and add the following tags: VT_BAD, PML:CLEAN, PML:SPAM, and PML:THREAT.
-
- Select Status. Then, select In Review from the drop-down menu.
- Select Set Priority. Then, select Medium from the drop-down menu.
- Select Set Category. Then, select Unknown from the drop-down menu.
-
Note: To avoid creating a new email template every time this action runs, we recommend that you create this template before setting up the action.
- Select Send Email, then create a new custom email template or select the template that you created for this action. For the Subject and Body fields, you can enter your own text or use the text below:
Subject: PhishER - Email needs review, did not meet ML threshold.
Body: Hello!
Email received by PhishER that did not meet ML thresholds but was scanned by VT.
Email reported by:
[[reporter_name]] - [[reporter_email]]
Email Subject:
[[subject]]
Email sent by:
[[sender_name]] - [[sender_email]]
Please log in and review the email, after the email review use appropriate quick action to disposition email.
** If the email is a threat, make sure to run appropriate PhishRIP(s) **
- Select Specify Recipients. Add the email address of the admin you want to receive the email.
- Select Include PhishER links and tag information.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
PhishRIP Query for Subject and Sender from a Threat Email
If PhishER determines that a message is a threat, this action initiates a PhishRIP query based on the subject line and the sender's email address from the original email.
In the Name field, you can enter "PhishRIP Query for Subject and Sender from a Threat Email".
In the Description field, you can enter "Runs a Quarantine PhishRIP for subject/sender if the email was found bad by PhishML OR VirusTotal [PML Required] [VT Required]".
Use the options in the drop-down tabs to set up this action.
-
Specify Tags: Select this option to trigger this action for specific tags. From the Has options, select Any. Then, add the following tags to trigger this action: PML:THREAT and VT:BAD. From the Doesn't Have options, select All and leave the tags field empty.
-
(Optional) If you use this action and don’t use the Threat Email Notification for Reporter action, you can select the following options:
- Select Status. Then, select Resolved from the drop-down menu.
- Select Set Priority. Then, select Medium from the drop-down menu.
- Select Set Category. Then, select Threat from the drop-down menu.
Important: If you use both actions, you don’t need to select any options for this step because the second action will overwrite the first action for this step.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
-
Select Include this action in the QuickActions bar.
-
You don't need to select an option for this step.
-
- For Match Criteria, select Subject and Sender.
- From the Find messages received in the: drop-down menu, select Last 72 Hours.
- Select Automatically quarantine all found messages.
Threat Email Notification for Reporter
If PhishER determines that a message is a threat, this action notifies the user who reported the original email.
In the Name field, you can enter "Threat Email Notification for Reporter".
In the Description field, you can enter "Sends an email to the original reporter letting them know the email was a threat. Mentions the PAB in the template. [PML Required] [VT Required]".
Use the options in the drop-down tabs to set up this action.
-
Specify Tags: Select this option to trigger this action for specific tags. From the Has options, select Any. Then, add the following tags to trigger this action: PML:THREAT and VT:BAD. From the Doesn't Have options, select All and leave the tags field empty.
-
- Select Status. Then, select Resolved from the drop-down menu.
- Select Set Priority. Then, select Medium from the drop-down menu.
- Select Set Category. Then, select Threat from the drop-down menu.
-
Note: To avoid creating a new email template every time this action runs, we recommend that you create this template before setting up the action.
- Select Send Email, then create a new custom email template or select the template that you created for this action. For the Subject and Body fields, you can enter your own text or use the text below:
Subject: Thank you for reporting - The email you reported was determined to be a phishing email. Great Job!
Body: Hello [[reporter_first_name]],
This is an automated email from your IT Department and PhishER. Please do not use the Phish Alert Button on this email [Orange Hook].
The email that you reported [[subject]] was reviewed by the IT Department and determined to be a phishing email.
Great Job keeping your organization safe. If you have any questions feel free to reach out to your IT Department/helpdesk.
- Select Include Original Reporter.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
Spam Email Notification for Reporter
If PhishER determines that a message is spam, this action notifies the user who reported the original email. To use this action, you must configure PhishML and VirusTotal.
In the Name field, you can enter "Spam Email Notification for Reporter".
In the Description field, you can enter "Sends an email to the original reporter letting them know the email was spam. Mentions the PAB in the description. [PML Required] [VT Required]".
Use the options in the drop-down tabs to set up this action.
-
Specify Tags: Select this option to trigger this action for specific tags. From the Has options, select Any. Then, add the following tag to trigger this action: PML:SPAM. From the Doesn't Have options, select All. Then, add the following tag: VT_BAD.
-
- Select Status. Then, select Resolved from the drop-down menu.
- Select Set Priority. Then, select Low from the drop-down menu.
- Select Set Category. Then, select Spam from the drop-down menu.
-
Note: To avoid creating a new email template every time this action runs, we recommend that you create this template before setting up the action.
- Select Send Email, then create a new custom email template or select the template that you created for this action. For the Subject and Body fields, you can enter your own text or use the text below:
Subject: Thank you for reporting - The email you reported was determined to be spam
Body: Hello [[reporter_first_name]],
This is an automated email from your IT Department and PhishER. Please do not use the Phish Alert Button on this email [Orange Hook].
The email that you reported [[subject]] was reviewed by the IT Department and determined to be a spam email.
If you have any questions feel free to reach out to your IT Department/helpdesk.
- Select Include Original Reporter.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
Threat Email Notification for Admin
If PhishER determines that a message is a threat, this action notifies the designated admin to review the email. To use this action, you must enter email addresses in the Send Email option’s From and Reply To fields.
In the Name field, you can enter "Threat Email Notification for Admin".
In the Description field, you can enter "Sends an email to the admin letting them know an email that was classified as a threat was received. [Email Required] [PML Required] [VT Required]".
Use the options in the drop-down tabs to set up this action.
-
Specify Tags: Select this option to trigger this action for specific tags. From the Has options, select Any. Then, add the following tags to trigger this action: PML:THREAT and VT_BAD. From the Doesn't Have options, select All and leave the tags field empty.
-
- Select Status. Then, select In Review from the drop-down menu.
- Select Set Priority. Then, select High from the drop-down menu.
- Select Set Category. Then, select Unknown from the drop-down menu.
-
Note: To avoid creating a new email template every time this action runs, we recommend that you create this template before setting up the action.
- Select Send Email, then create a new custom email template or select the template that you created for this action. For the Subject and Body fields, you can enter your own text or use the text below:
Subject: PhishER - An email that was classified as a threat has been received.
Body: Hello!
Please log in to PhishER and review this email:
[[subject]]
Email reported by:
[[reporter_name]] - [[reporter_email]]
Email sent by:
[[sender_name]] - [[sender_email]]
Please log in and review the email, after the email review use appropriate quick action to disposition email.
** If the email is a threat, make sure to run appropriate PhishRIP(s) **
- Select Specify Recipients. Add the email address of the admin you want to receive the email.
- Select Include PhishER links and tag information.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
-
You don't need to select an option for this step.
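The Specify Tags conditions described in this article can be dry-run against a message's tags before the actions are enabled, to see which actions would fire together. The following is an added example, not KnowBe4 code; it covers the five actions whose conditions are written with the VT_BAD tag, and the Any/All semantics and function names in it are assumptions to check against your console.

```python
# Added example: dry-run of the Specify Tags conditions listed in this article.
# Assumed semantics (not stated in the article): "any" = at least one listed tag,
# "all" = every listed tag, and an empty tag list places no constraint.
# name: (has_mode, has_tags, lacks_mode, lacks_tags, status the action sets)
ACTIONS = {
    "Clean Email Notification for Admin": (
        "any", {"PML:CLEAN", "VT_BYPASSED", "VT_HASH_NOT_FOUND", "VT_IGNORED"},
        "any", {"VT_BAD"}, "In Review"),
    "Automatic Clean Email Notification for Reporter": (
        "all", {"PML:CLEAN", "VT_SCANNED"},
        "all", {"VT_BAD"}, "Resolved"),
    "Unmet PML Threshold Notification for Admin": (
        "any", {"VT_SCANNED", "VT_BYPASSED", "VT_HASH_NOT_FOUND", "VT_IGNORED"},
        "any", {"VT_BAD", "PML:CLEAN", "PML:SPAM", "PML:THREAT"}, "In Review"),
    "Spam Email Notification for Reporter": (
        "any", {"PML:SPAM"},
        "all", {"VT_BAD"}, "Resolved"),
    "Threat Email Notification for Admin": (
        "any", {"PML:THREAT", "VT_BAD"},
        "all", set(), "In Review"),
}

def _present(mode, listed, tags):
    """True if the message carries any/all of the listed tags."""
    hits = listed & tags
    return bool(hits) if mode == "any" else hits == listed

def matching_actions(message_tags):
    """Names of the actions whose Has / Doesn't Have conditions the tags meet."""
    tags = set(message_tags)
    fired = []
    for name, (has_mode, has, lacks_mode, lacks, _status) in ACTIONS.items():
        has_ok = not has or _present(has_mode, has, tags)
        # Doesn't Have fails when the listed tags are present, per its mode.
        lacks_ok = not lacks or not _present(lacks_mode, lacks, tags)
        if has_ok and lacks_ok:
            fired.append(name)
    return fired

def status_conflict(message_tags):
    """Statuses the matching actions would set, when they disagree."""
    statuses = {ACTIONS[name][4] for name in matching_actions(message_tags)}
    return statuses if len(statuses) > 1 else set()

if __name__ == "__main__":
    # Constructed tag sets, not taken from a real PhishER inbox.
    for sample in (["PML:CLEAN", "VT_SCANNED"], ["PML:SPAM", "VT_BAD"], ["VT_SCANNED"]):
        print(sample, "->", matching_actions(sample), status_conflict(sample))
```

Under these assumptions, a message tagged PML:CLEAN and VT_SCANNED matches both clean-email actions, which set different statuses (In Review and Resolved).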