PhishRIP

Below is a diagram of the PhishER workflow. The PhishER platform can help you identify potential email threats in your organization through the automated process of rules, tags, and actions. 

PhishRIP is a PhishER email quarantine feature that allows your organization to search for user-reported emails across all of the mailboxes tied to your Microsoft 365 or Google Workspace instance. Using PhishRIP, you can prevent active phishing attacks by removing potential email threats from your users' mailboxes.

Jump to:
How to Initiate a PhishRIP Query

• Find Similar Messages

PhishRIP Queries
PhishRIP Messages

• PhishRIP Actions

How to Initiate a PhishRIP Query

In your PhishER platform, there are three ways to initiate a PhishRIP query: PhishER Inbox Column, Run Drop-down Menu, and Message Details. Click on the drop-down to view the steps for each method. Keep in mind, in order to initiate a PhishRIP query, you must have PhishRIP enabled in your PhishER platform.

If a PhishRIP query fails, you can retry the query using the Retry button in the Status column. This option is only visible for Failed queries regardless of Resolved or Unresolved status. Retrying a query will not create a new query.

Back to top

Find Similar Messages

Each method used to initiate a PhishRIP query will open the Find Similar Messages window.

1. Match Criteria Select at least two match criteria options for your PhishRIP query. PhishRIP will use this information to find all of the matching messages across all of the mailboxes tied to your Microsoft 365 or Google Workspace instance.
2. Find messages received in the By default, PhishRIP will find similar messages that were received over the last 24 hours. Click on the drop-down menu to adjust the search window to one of the following options: Last 72 hours, Last Week, or Last Month.
3. Automatically quarantine all found messages Check this option if you would like PhishRIP to quarantine all found messages. The quarantine folders are created when the first query is run and for each query ran after for any new users that may have been added after the last ran query. This action will only happen if the last query was more than 10 minutes prior.
4. Customized Criteria Create a new PhishRIP query by selecting one of the following criteria: Subject, Sender, Recipient, and Attachment and modifying the text field.
   The Subject field requires a minimum of four characters that were found in the original subject line for the Customized Criteria search to work. If the subject contains any quotation marks or special character, you must keep those characters in the query you wish to run. 
   The Sender and Recipient fields require that the search is a substring or subdomain of the original email address(es).
   The Attachment field requires that the search is a substring of the original attachment name and contains a minimum of 3 characters found in the attachment line. You can also use the prefix substring of the attachment name to find similar attachments.
   The Body field requires that the search is a substring of the original message and contains a minimum of 30 words or 50% of the content found in the original message. The following special characters will not appear in the Body of the Find Similar Messages modal: ", #, $, (), /, <>
   
   

   Currently, Microsoft graph does not support searching for blank name attachments or searching for a single asterisk. The asterisk will always be converted to a wildcard when being used as a search. We have also removed the ability to search for blank attachments under both the Actions and Find Similar Messages sections.

Back to top

PhishRIP Queries

The PhishRIP Queries page will display all of the PhishRIP queries initiated inside of your PhishER platform. Each line is an individual query. When a query is selected, you can mark it as Resolved or Unresolved. Click on an individual query ID to open the PhishRIP Messages page.

1. ID A unique string of characters used to identify an individual PhishRIP query.
2. Started The date and time of when a PhishRIP query was initiated.
3. Completed The date and time of when a PhishRIP query completed its mailbox search.
4. SourceID A unique string of characters assigned to the PhishER message used to create a PhishRIP query. If you would like to go to the Source Message Details, you can click on the SourceID link for that query.
5. AttackID A unique string of characters assigned to the PhishRIP message that shares a similar subject or sender to messages that have been recently PhishRIPped.
6. Found The number of messages that matched the PhishRIP query criteria.
7. Opened The number of found messages that were opened.
8. Originator The first and last name of the user that initiated the PhishRIP query.
9. Status The current state of a PhishRIP query. A query can have a status of Processing, Completed, or Failed.
10. Resolution Indicates if a query was marked as Resolved or Unresolved.
11. Query The match criteria that was selected for the PhishRIP query. If you click on the database icon, the Find Similar Messages window will open and display the originally selected criteria - this allows you to review the exact items that were searched for by the query.

You can filter PhishRIP queries by Processing, Completed, Failed, Resolved, or Unresolved. Use the search bar to filter your PhishRIP queries by using Lucene Query syntax. When a message is selected, you have the option to apply one of the following resolutions: Resolved or Unresolved.

Back to top

PhishRIP Messages

The PhishRIP Messages page will display the matching messages found across all of the mailboxes tied to your Microsoft 365 or Google Workspace instances.

You can add more than one Microsoft 365 or Google Workspace instance from your PhishRIP settings. For more information, see our PhishER Settings article.

1. Mailbox Email The email address of the mailbox containing a message that matched the PhishRIP query.
2. Mailbox Name The name of the mailbox containing a message that matched the PhishRIP query.
3. Read Indicates if the message was Read (opened) or Unread (not opened) by the recipient.
4. Discovery Folder The mailbox folder in which the message was found.
5. Subject The text found in the Subject line of the source message.
6. Date Found The date the PhishRIP query discovered the message in the Microsoft 365 or Google Workspace mailbox.
7. PhishRIP Status The last known status of a PhishRIP message. If the message is available, the message will show as Discovered, Quarantined, Restored, or Deleted. If the message is unavailable, due to actions performed outside of PhishRIP or if the message has been deleted in another query, the status will be shown as Unavailable.
8. Status Updated The date of when the message last had changes applied to it.

You can filter PhishRIP messages by Discovered, Quarantined, Deleted, Pending, or Failed. When a message is selected, the Run drop-down menu will appear and display a list of PhishRIP actions.

The selectable actions shown in the Run drop-down menu will depend on the status of the PhishRIP message. If multiple messages are selected, you will only see the actions that can be run on all of the messages.

Back to top

PhishRIP Actions

When a PhishRIP message is selected, the Run drop-down menu will appear. Depending on the delete option you selected under your PhishRIP settings, the Run drop-down menu will display different options.

Back to top