Phish911 Feature Guide

1. Overview

Phish911 is a powerful feature in Graphus that allows recipients to report and instantly quarantine phishing/suspicious emails to their IT department (or SOC) for review and follow-up action. It helps organizations act swiftly on these emails which otherwise is a time consuming and error prone process.

2. Prerequisite

A dedicated inbox is required for this feature. Depending on how the feature is configured, recipients will either forward suspicious emails or use Outlook buttons to report suspicious emails into this inbox. This inbox should not be used for regular email communication. We suggest that a new inbox be created for this purpose (e.g. reportphish@<your-org-domain.com> or phishingreport@<your-org-domain.com>). Also, do not use alias or group email addresses for this inbox.

3. Types

There are three ways this feature can be set up by the admin. The admin should communicate the type of remedial action to the recipient depending on the option chosen.

3.1 Option 1: Graphus

This is the first option in the dropdown menu. Once the admin selects and sets this option, the recipient can simply forward the suspicious phishing email to the dedicated configured mailbox.

3.2 Option 2: Phishing Awareness Training

This is the second option in the dropdown menu. Once the admin selects and sets this option, the recipient can click the special purpose button (for example, button may be labeled as Phish Alert Report) in the individual mail meant for reporting the suspicious phishing emails. The email is then sent automatically to the dedicated email inbox. The special purpose button meant for reporting suspicious phishing emails is configurable by the admin. As such, any label can be given to it.

3.3 Option 3: Microsoft 365 Report Phishing

This is the third option in the dropdown menu. Once the admin selects and sets this option, the recipient can click the special purpose button (Report Message button in this case) in the individual email meant for reporting suspicious phishing emails. The email is then sent automatically to the dedicated email inbox. Microsoft 365 Report Phishing is a feature in Graphus that will help customers to use Phish911 Report using Microsoft add-in. This will help recipients directly report suspicious emails from Microsoft Outlook or its Web equivalent Outlook on the Web.

4. Setup

The simple setup for this feature can be performed by an admin on the Graphus portal.

  1. Login to the Graphus portal and navigate to the Settings page (https://cloud.graph.us/settings).
  2. Scroll down to Phish911 Configuration section and set the following:
    1. Set the feature as On.
    2. Select the type of User Report. Select Graphus, Phishing Awareness Training, or Microsoft Office 365 Report Phishing.
    3. Enter the dedicated inbox email address.

      Note: If the type is “Phishing Awareness Training” or "Microsoft Office 365 Report Phishing" then the email address will be the same as the one used for these services.

  3. Scroll down to the end of the page and click the Save Changes button.

    phish911_graphus_option.PNG

5. Microsoft 365 Report Phishing

Graphus’ Phish911 feature gives you an edge on remediating phishing emails reported from Microsoft Outlook Report Message/Phishing button. Once a recipient reports a phishing email by clicking the Report Message button, a Phish911 alert is generated in Graphus for further analysis and remedial action by the admin.

The following paragraphs describe the type of setup to be done for Microsoft 365 Report Phishing option – the third type of configuration available in the Phish911 Configuration section of the Settings page of Graphus.

microsoft365_page.PNG

5.1 Prerequisite

Microsoft Report Phishing add-in should be enabled to view Report Message or Report Phishing add-in buttons for Outlook and Outlook on the Web.

5.2 Setup

  1. Stage 1: Enabling Report Message or Report Phishing add-in. Follow the steps given by Microsoft to enable Report Message or Report Phishing add-in. Refer to the following link Enable the Report Message or the Report Phishing add-ins. Go to section Get the Report Message add-in for your organization and follow the steps. While you come to step 7, make sure the options depicted in the below screenshot are selected.

    config_add_in.PNG

  2. Stage 2: Configuring custom mailbox for Phish911 emails in Microsoft Security & Compliance module. This step is mandatory. Otherwise, Phish911 report in Graphus will not be generated.
    1. Login to Microsoft admin center with admin credentials.
    2. Go to User submissions - Security & Compliance (office.com).
    3. Select custom mailbox and enter a dedicated mailbox account. This should be the same email address configured in Phish911 Configuration section of the organization’s Settings page in Graphus.

      user_submission3.png

    4. Recipients can now click Report Message/Report Phish add-in to report Phish911 mails. The buttons shown in the below screenshot will reflect in Microsoft Outlook or Outlook on the Web a few hours after configuration. This is how the Report Message option looks like in Microsoft Outlook (client).

      phish911_outlook.png

      This is how the Report Message option looks like in Outlook on the Web.

      OWA_Phish911.png

      The Junk > Phishing dropdown in the following image in Outlook on the Web is another option to flag Phish911 emails.

      OWA_Phish911_Junk_Button.png

    5. Once the recipient clicks the Report Message button to report a mail as phishing mail, the recipient will see the following message.
      phish911_message.png
    6. The recipient can click Report. This will generate a Phish911 report in Graphus.
    7. The admin can now view the generated Phish911 email in Graphus > Phish911 page in organizational view (https://cloud.graph.us/phishingReport).

6. What Happens After an Email is Reported?

After an email is reported (regardless of the Phish911 configuration types described above), Graphus will immediately quarantine (move it to Trash/Deleted Items) the email for all recipients. Graphus will also send an email notification to the reporter and all admins informing them about the report. This is how the acknowledgement looks like:

phish911_report1.PNG

The reported email will show up in the Graphus portal, under the User Reported Emails section (https://cloud.graph.us/phishingReport).

phish911_reports.PNG

An admin can investigate this email by analyzing its metadata, header, and content of the email.

7. What Happens After Analysis of the Email?

The admin clicks the Close button to close this alert. 
phish911_reports_2.PNG

The Phish911 Action popup window will open. It will show some basic information about the reported email and ask for two inputs from the admin (both of which are required) based on the analysis performed.

phish911_action.PNG

Is EmployeeShield® Applied?

The admin should respond to the question, “Is EmployeeShiled® Applied?” The answer is either Yes or No.

Is Reported Email Malicious, Non-malicious or Phishing Awareness Training?

The admin should choose the answer to the above question. Based on the analysis, the reported email can be classified as Malicious, Non-Malicious or Phishing Awareness Training. Once these two inputs are provided by the admin, Graphus takes actions as described in the below matrix:

Is EmployeeShield® Applied? Is Reported Email? Graphus Actions
Yes Malicious 1.     Close the report.
2.     Send notification to reporter and admins that this email was a phishing attack.
3.     Keep the email quarantined for all recipients.
No Malicious 1.     Close the report.
2.     Send notification to reporter and admins that this email was a phishing attack.
3.     Keep the email quarantined for all recipients. Apply EmployeeShield®.
Yes Non-malicious 1.     Close the report.
2.     Send notification to reporter and admins that this email was not a phishing attack.
3.     Unquarantine the email (move it back to inbox) for all recipients.
No Non-malicious 1.     Close the report.
2.     Send notification to reporter and admins that this email was not a phishing attack.
3.     Unquarantine the email (move it back to inbox) for all recipients.
Yes/No Phishing Awareness Training 1.     Close the report.
2.     Send notification to reporter and admins that this was a Phishing Awareness Training email.
3.     Keep the email quarantined for all recipients.


The email notification for reported emails that were confirmed to be malicious looks as shown below:

phish911_report.PNG

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us