PhishRIP

Below is a diagram of the PhishER workflow. The PhishER platform can help you identify potential email threats in your organization through the automated process of rules, tags, and actions. If an email threat is identified, PhishRIP provides you with the option to remove that threat from the inbox of your users.

Jump to:
How to Initiate a PhishRIP Query

• Find Similar Messages

PhishRIP Queries
PhishRIP Messages

• PhishRIP Actions

How to Initiate a PhishRIP Query

In your PhishER platform, there are three ways to initiate a PhishRIP query: PhishER Inbox Column, Run Drop-down Menu, and Message Details. Click on the drop-down to view the steps for each method. Keep in mind, in order to initiate a PhishRIP query, you must have PhishRIP enabled in your PhishER platform.

Back to top

Find Similar Messages

Each method used to initiate a PhishRIP query will open the Find Similar Messages window.

1. Match Criteria Select at least two match criteria options for your PhishRIP query. PhishRIP will use this information to find all of the matching messages across all of the mailboxes tied to your Microsoft 365 instance.
2. Find messages received in the By default, PhishRIP will find similar messages that were received over the last 24 hours. Click on the drop-down menu to adjust the search window to one of the following options: Last 72 hours, Last Week, or Last Month.
3. Automatically quarantine all found messages Check this option if you would like PhishRIP to quarantine all found messages. If you allow PhishRIP to quarantine all found messages, PhishRIP will move those messages into the quarantine folder of the Microsoft 365 mailbox in which the message was discovered. If a quarantine folder does not already exist, PhishRIP will automatically create a quarantine folder in the Microsoft 365 mailbox in which the message was discovered.
4. Customized Criteria Create a new PhishRIP query by selecting one of the following criteria: Subject, Sender, Recipient, and Attachment and modifying the text field. The Subject field requires a minimum of four characters that were found in the original subject line for the Customized Criteria search to work. The Sender and Recipient fields require that the search is a substring or subdomain of the original email address(es). The Attachment field requires that the search is a substring of the original attachment name and contains a minimum of 3 characters found in the attachment line. The Body field requires that the search is a substring of the original message and contains a minimum of 30 words or 50% of the content found in the original message.
   
   

   The following special characters will not appear in the Body of the Find Similar Messages modal: ", #, $, (), /, <>

Back to top

PhishRIP Queries

The PhishRIP Queries page will display all of the PhishRIP queries initiated inside of your PhishER platform. Each line is an individual query. When a query is selected, you can mark it as Resolved or Unresolved. Click on an individual query ID to open the PhishRIP Messages page.

1. ID A unique string of characters used to identify an individual PhishRIP query.
2. Started The date and time of when a PhishRIP query was initiated.
3. Completed The date and time of when a PhishRIP query completed its mailbox search.
4. SourceID A unique string of characters assigned to the PhishER message used to create a PhishRIP query. If you would like to go to the Source Message Details, you can click on the SourceID link for that query.
5. Found The number of messages that matched the PhishRIP query criteria.
6. Opened The number of found messages that were opened.
7. Originator The first and last name of the user that initiated the PhishRIP query.
8. Status The current state of a PhishRIP query. A query can have a status of Processing, Completed, or Failed.
9. Resolution Indicates if a query was marked as Resolved or Unresolved.
10. Query The match criteria that was selected for the PhishRIP query. If you click on the database icon, the Find Similar Messages window will open and display the originally selected criteria - this allows you to review the exact items that were searched for by the query.

You can filter PhishRIP queries by Processing, Completed, Failed, Resolved, or Unresolved. Use the search bar to filter your PhishRIP queries by using Lucene Query syntax. When a message is selected, you have the option to apply one of the following resolutions: Resolved or Unresolved.

Back to top

PhishRIP Messages

The PhishRIP Messages page will display the matching messages found across all of the mailboxes tied to your Microsoft Microsoft 365 instance.

1. Mailbox Email The email address of the mailbox containing a message that matched the PhishRIP query.
2. Mailbox Name The name of the mailbox containing a message that matched the PhishRIP query.
3. Read Indicates if the message was Read (opened) or Unread (not opened) by the recipient.
4. Discovery Folder The mailbox folder in which the message was found.
5. Subject The text found in the Subject line of the source message.
6. Date Found The date the PhishRIP query discovered the message in the Microsoft Microsoft 365 mailbox.
7. Status The last known status of a PhishRIP message. If the message is available, the message will show as Discovered, Quarantined, Restored, or Deleted. If the message is unavailable, due to actions performed outside of PhishRIP or if the message has been deleted in another query, the status will be shown as Unavailable.
8. Status Updated The date of when the message last had changes applied to it.

You can filter PhishRIP messages by Discovered, Quarantined, Deleted, Pending, or Failed. When a message is selected, the Run drop-down menu will appear and display a list of PhishRIP actions.

Back to top

PhishRIP Actions

When a PhishRIP message is selected, the Run drop-down menu will appear. Depending on the delete option you selected under your PhishRIP settings, the Run drop-down menu will display different options.

Back to top