Phish911™ Feature Guide

1. Overview

Phish911™ is a powerful feature in Graphus that allows recipients to report and instantly quarantine phishing/suspicious emails to their IT department (or SOC) for review and follow-up action. It helps organizations act swiftly on these emails instead of engaging in a time-consuming, error-prone process.

2. Prerequisite

A dedicated inbox is required for this feature. Depending on how the feature is configured, recipients will forward suspicious emails or use Outlook buttons to report suspicious emails to this inbox. This inbox should not be used for regular email communication. We suggest that a new inbox be created for this purpose (e.g., reportphish@<your-org-domain.com> or phishingreport@<your-org-domain.com>). Also, do not use aliases or group email addresses for this inbox. 

3. Types

The admin should communicate the type of remedial action to the recipient depending on the option chosen. There are three ways the admin can set up this feature:

  • Graphus
  • Phishing Awareness Training
  • Microsoft 365 Report Phishing
    • When the Graphus option is selected from the dropdown menu, recipients simply forward the suspicious phishing email to the dedicated configured mailbox.
    • The Phishing Awareness Training and Microsoft 365 Report Phishing options work similarly. With either option, recipients can forward a suspicious email to the dedicated Phish911 inbox or use a third-party plugin to report it. Use the Phishing Awareness Training option if your organization uses a phishing awareness training solution that provides a report-phishing plugin. Use the Microsoft 365 Report Phishing option for Outlook users who will report phishing emails to Graphus Phish911 through Outlook.

4. Setup

An admin on the Graphus portal can perform the simple setup for this feature:

  1. Log in to the Graphus portal and navigate to the Settings page (https://cloud.graph.us/settings).
  2. Scroll down to the Phish911™ Configuration section and set the following:
    • Set the feature as On.
    • Select the type of User Report. Select Graphus, Phishing Awareness Training, or Microsoft Office 365 Report Phishing.
    • Enter the dedicated inbox email address.

      Note: If the type is Phishing Awareness Training or Microsoft Office 365 Report Phishing, the email address will be the same as the one used for these services.

  3. Scroll down to the end of the page and click Save Changes.


5. Microsoft 365 Report Phishing

Phish911™ gives you an edge in remediating phishing emails reported from the Microsoft Outlook Report Message/Phishing button. Once a recipient reports a phishing email by clicking the Report Message button, a Phish911™ alert is generated in Graphus for further analysis and remedial action by the admin.

The following paragraphs describe the type of setup for the Microsoft 365 Report Phishing option, the third type of configuration available in the Phish911™ Configuration section of the Settings page of Graphus.


5.1 Prerequisite

The Microsoft Report Phishing add-in should be enabled to view the Report Message or Report Phishing add-in buttons for Outlook and Outlook on the Web.

5.2 Setup

  • Stage 1: Enabling the Report Message or the Report Phishing add-ins. Follow the steps given by Microsoft to enable the Report Message or the Report Phishing add-ins at the following link: Enable the Report Message or the Report Phishing add-ins. Go to the Get the Report Message or Report Phishing add-in for your organization section and follow the steps. When you reach step 7, make sure the options shown in the screenshot below are selected.

    [Screenshot: config_add_in.PNG]

  • Stage 2: Configuring the custom mailbox for Phish911™ emails in the Microsoft Security & Compliance module. This step is mandatory; otherwise, the Phish911™ report in Graphus will not be generated.
    1. Log into the Microsoft admin center with admin credentials.
    2. Go to User submissions - Security & Compliance (office.com).
    3. Select a custom mailbox and enter the dedicated mailbox account. This must be the same email address configured in the Phish911™ Configuration section of the organization's Settings page in Graphus. Select the My organization's mailbox and Ask me before reporting the message options as shown in the screenshot below.
    4. Recipients can now click the Report Message/Report Phish add-in to report Phish911™ emails. After configuration, Report Message can take up to twelve hours to appear in Microsoft Outlook or Outlook on the Web. After twelve hours, restart Outlook (client) or Outlook on the Web. This is what the Report Message option looks like in Microsoft Outlook (client).

      [Screenshot: phish911_outlook.png]

      This is how the Report Message option looks in Outlook on the Web.

      [Screenshot: OWA_Phish911.png]

      In Outlook on the Web, the Junk > Phishing dropdown menu shown in the following image is another way to flag Phish911™ emails.

      [Screenshot: OWA_Phish911_Junk_Button.png]

    5. Once the recipient clicks the Report Message button to report an email as phishing, the recipient will see the following message.
      [Screenshot: phish911_message.png]
    6. The recipient can click Report. This will generate a Phish911 report in Graphus.
    7. The admin can now view the generated Phish911™ email in the Graphus > Phish911™ page in organizational view (https://cloud.graph.us/phishingReport).
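The following Exchange Online PowerShell check is an added example, not part of the Graphus guide or the Microsoft documentation it links to. It verifies that the user-submissions custom mailbox configured in Stage 2 matches the address entered in the Phish911™ Configuration section, and sets it if it does not. It assumes the Exchange Online Management module is installed, the account has Exchange admin rights, and that the cmdlet and parameter names (Get-/Set-ReportSubmissionPolicy, Get-/Set-ReportSubmissionRule, PreSubmitMessageEnabled) match the module version in your tenant.

```powershell
# Added example (not from the Graphus guide): confirm that the Microsoft 365 user
# submissions custom mailbox points at the Phish911 inbox configured in Graphus.
# Assumption: $Phish911Mailbox is the address saved in the Phish911 Configuration section.
$Phish911Mailbox = 'reportphish@<your-org-domain.com>'   # placeholder from the guide

Connect-ExchangeOnline

# Stage 2 check: every custom-address setting, plus the submission rule recipient,
# should be the Phish911 inbox; otherwise Graphus never receives the report.
$policy = Get-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy
$rule   = Get-ReportSubmissionRule   -Identity DefaultReportSubmissionRule

$configured = @(
    $policy.ReportJunkAddresses,
    $policy.ReportPhishAddresses,
    $policy.ReportNotJunkAddresses,
    $rule.SentTo
) | ForEach-Object { $_ }                         # flatten nested address lists
$mismatch = $configured | Where-Object { $_ -ne $Phish911Mailbox }

if ($mismatch) {
    Write-Warning "Custom mailbox does not match the Graphus Phish911 inbox: $($mismatch -join ', ')"
    # Route reports to the organization's own mailbox ("My organization's mailbox")
    # and keep the prompt shown to the user ("Ask me before reporting the message").
    Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy `
        -ReportJunkToCustomizedAddress    $true -ReportJunkAddresses    $Phish911Mailbox `
        -ReportPhishToCustomizedAddress   $true -ReportPhishAddresses   $Phish911Mailbox `
        -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $Phish911Mailbox `
        -PreSubmitMessageEnabled $true
    Set-ReportSubmissionRule -Identity DefaultReportSubmissionRule -SentTo $Phish911Mailbox
} else {
    Write-Output "User submissions custom mailbox matches $Phish911Mailbox"
}
```

Run the check again after the twelve-hour propagation window mentioned in step 4 if a test report does not show up on the Graphus Phish911™ page.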

5.3 End User Email Notification Template

After you activate the End User Email Notification Template in Outlook (client) or Outlook on the Web, Graphus recommends emailing end users about the release and explaining how to use the feature. Review the End User Notification Template attached at the end of this guide to learn how to use the feature.

6. What Happens After an Email is Reported?

After an email is reported (regardless of the Phish911 configuration types described above), Graphus immediately quarantines it (moves it to Trash/Deleted Items) for all recipients. Graphus will also send an email notification to the reporter and all admins informing them about the report. This is what the acknowledgment looks like:

[Screenshot: phish911_report1.PNG]

The reported email will appear in the Graphus portal under the User Reported Emails section (https://cloud.graph.us/phishingReport).


An admin can investigate this email by analyzing its metadata, header, and content.

7. What Happens After Analysis of the Email?

The admin clicks the Close button to close this alert.

The Phish911™ Action popup window will open. It will show some basic information about the reported email and ask for two inputs from the admin (both of which are required) based on the analysis performed:


Is EmployeeShield® Applied?

The admin should respond to the question, Is EmployeeShield® Applied? The answer is either Yes or No.

Is Reported Email Malicious, Non Malicious, or Phishing Awareness Training?

The admin should choose the answer to the above question. Based on the analysis, the reported email can be classified as Malicious, Non Malicious, or Phishing Awareness Training. Once the admin provides these two inputs, Graphus takes actions as described in the below matrix:

Is EmployeeShield® Applied: Yes | Reported Email: Malicious | Graphus Actions:
  1. Close the report.
  2. Send notification to reporter and admins that this email was a phishing attack.
  3. Keep the email quarantined for all recipients.

Is EmployeeShield® Applied: No | Reported Email: Malicious | Graphus Actions:
  1. Close the report.
  2. Send notification to reporter and admins that this email was a phishing attack.
  3. Keep the email quarantined for all recipients. Apply EmployeeShield®.

Is EmployeeShield® Applied: Yes | Reported Email: Non-malicious | Graphus Actions:
  1. Close the report.
  2. Send notification to reporter and admins that this email was not a phishing attack.
  3. Unquarantine the email (move it back to the inbox) for all recipients.

Is EmployeeShield® Applied: No | Reported Email: Non-malicious | Graphus Actions:
  1. Close the report.
  2. Send notification to reporter and admins that this email was not a phishing attack.
  3. Unquarantine the email (move it back to the inbox) for all recipients.

Is EmployeeShield® Applied: Yes/No | Reported Email: Phishing Awareness Training | Graphus Actions:
  1. Close the report.
  2. Send notification to reporter and admins that this was a Phishing Awareness Training email.
  3. Keep the email quarantined for all recipients.


The email notification for reported emails confirmed to be malicious looks as shown below:

[Screenshot: phish911_report.PNG]

Attachments
