Phish911™ Feature Guide

1. Overview

Phish911™ is a powerful feature in Graphus that lets recipients report phishing or suspicious emails to their IT department (or SOC) for review and follow-up action, and have those emails quarantined instantly. It helps organizations act swiftly on these emails instead of engaging in a time-consuming, error-prone process.

2. Prerequisite

A dedicated inbox is required for this feature. Depending on how the feature is configured, recipients will forward suspicious emails or use Outlook buttons to report suspicious emails to this inbox. This inbox should not be used for regular email communication. We suggest that a new inbox be created for this purpose (e.g., reportphish@<your-org-domain.com> or phishingreport@<your-org-domain.com>). Also, do not use aliases or group email addresses for this inbox.

If Phish911 is used together with group protection, the admin must add the email address of the dedicated Phish911 inbox to the protected group. Otherwise, Phish911 will not work.  

3. Types

The admin should communicate the type of remedial action to the recipient depending on the option chosen. There are three ways the admin can set up this feature:

  • Graphus: With this option, the recipient can simply forward the suspicious phishing email to the dedicated configured mailbox.
  • Phishing Awareness Training
  • Microsoft 365 Report Phishing

The Phishing Awareness Training and Microsoft 365 Report Phishing options perform similar actions. Each uses a third-party plugin to report suspicious emails. The Phishing Awareness Training option can be used if the phishing awareness training solution offers a report phishing plugin. The Microsoft 365 Report Phishing option can be employed only by organizations using Microsoft 365. The platform offers two plug-in options for reporting suspicious emails.

4. Setup

An admin on the Graphus portal can perform the simple setup for this feature:

  1. Log in to the Graphus portal and navigate to the Settings page (https://cloud.graph.us/settings).
  2. Scroll down to the Phish911™ Configuration section and set the following:
    • Set the feature as On.
    • Select the type of User Report. Select Graphus, Phishing Awareness Training, or Microsoft Office 365 Report Phishing.
    • Enter the dedicated inbox email address.

      Note: If the type is Phishing Awareness Training or Microsoft Office 365 Report Phishing, the email address will be the same as the one used for these services.

  3. Scroll down to the end of the page and click Save Changes.

    Note: If Phish911 is used together with group protection, the admin must add the email address of the dedicated Phish911 inbox to the protected group. Otherwise, Phish911 will not work.  

5. Microsoft 365 Report Phishing

Phish911™ gives you an edge in remediating phishing emails reported from the Microsoft Outlook Report Message/Phishing button. Once a recipient reports a phishing email by clicking the Report Message button, a Phish911™ alert is generated in Graphus for further analysis and remedial action by the admin.

The following paragraphs describe the type of setup for the Microsoft 365 Report Phishing option, the third type of configuration available in the Phish911™ Configuration section of the Settings page of Graphus.


5.1 Prerequisite

The Microsoft Report Phishing add-in should be enabled to view the Report Message or Report Phishing add-in buttons for Outlook and Outlook on the Web.

5.2 Setup

  • Stage 1: Enabling the Report Message or the Report Phishing add-ins. Follow the steps given by Microsoft to enable the Report Message or the Report Phishing add-ins in the following link: Enable the Report Message or the Report Phishing add-ins. Go to the Get the Report Message or Report Phishing add-in for your organization section and follow the steps. As you come to step 7, make sure the options depicted in the below screenshot are selected.

    config_add_in.PNG

  • Stage 2: Configuring a custom mailbox for Phish911™ emails in the Microsoft Security & Compliance module. This step is mandatory. Otherwise, the Phish911™ report in Graphus will not be generated.
    1. Log into the Microsoft admin center with admin credentials.
    2. Go to User submissions - Security & Compliance (office.com).
    3. Select a custom mailbox and enter a dedicated mailbox account. This should be the same email address configured in the Phish911™ Configuration section of the organization’s Settings page in Graphus. Select the My organization's mailbox and Ask me before reporting the message options as shown in the below screenshot.
      Screenshot__718_.png
      Screenshot__719_.png
    4. Recipients can now click the Report Message/Report Phish add-in to report Phish911™ mails. After configuration, Report Message will take up to twelve hours to appear in Microsoft Outlook or Outlook on the Web. After twelve hours, please restart Outlook (client) or Outlook on the Web. This is what the Report Message option looks like in Microsoft Outlook (client).

      phish911_outlook.png

      This is what the Report Message option looks like in Outlook on the Web.

      OWA_Phish911.png

      The Junk > Phishing dropdown menu in the following image in Outlook on the Web is another option to flag Phish911™ emails.

      OWA_Phish911_Junk_Button.png

    5. Once the recipient clicks the Report Message button to report an email as phishing, the recipient will see the following message.
      phish911_message.png
    6. The recipient can click Report. This will generate a Phish911 report in Graphus.
    7. The admin can now view the generated Phish911™ email in the Graphus > Phish911™ page in organizational view (https://cloud.graph.us/phishingReport).

5.3  End User Email Notification Template

After you activate the End User Email Notification Template in Outlook (client) or Outlook on the Web, Graphus recommends emailing the end user about the release and explaining how to use the feature. Please review the End User Notification Template attached at the end of this guide to learn how to use the feature.

6. What Happens After an Email is Reported?

After an email is reported (regardless of the Phish911 configuration types described above), Graphus immediately quarantines it (moves it to Trash/Deleted Items) for all recipients. Graphus will also send an email notification to the reporter and all admins informing them about the report. This is what the acknowledgment looks like:

phish911_report1.PNG

The reported email appears on the organization's Phish911 page. If Graphus determines an email is a phishing training email, the email will be listed on the Phishing Training tab. Emails that are not phishing training emails will be listed on the Reported as Phishing tab. Separating the phishing training emails allows you to focus on the other reported emails that may need detailed analysis.

Phish911_1.png

An admin can investigate an email by clicking its Report Date link.

7. What Happens After Analysis of the Email?

The admin clicks the Close button to close this alert. 

The Phish911™ Action popup window will open. It will show some basic information about the reported email and ask for two inputs from the admin (both of which are required) based on the analysis performed:

1.PNG

Is EmployeeShield® Applied?

The admin should respond to the question, Is EmployeeShield® Applied? The answer is either Yes or No.

Is Reported Email Malicious, Non Malicious, or Phishing Awareness Training?

The admin should choose the answer to the above question. Based on the analysis, the reported email can be classified as Malicious, Non Malicious, or Phishing Awareness Training. Once the admin provides these two inputs and clicks the Close Report button, Graphus takes actions as described in the matrix below.

| Is EmployeeShield® Applied? | Is Reported Email? | Graphus Actions |
|---|---|---|
| Yes | Malicious | 1. Closes the report. 2. Sends notification to reporter and admins that this email was a phishing attack. 3. Keeps the email quarantined for all recipients. |
| No | Malicious | 1. Closes the report. 2. Sends notification to reporter and admins that this email was a phishing attack. 3. Keeps the email quarantined for all recipients. Apply EmployeeShield®. |
| Yes | Non-malicious | 1. Closes the report. 2. Sends notification to reporter and admins that this email was not a phishing attack. 3. Unquarantines the email (moves it back to the inbox) for all recipients. |
| No | Non-malicious | 1. Closes the report. 2. Sends notification to reporter and admins that this email was not a phishing attack. 3. Unquarantines the email (moves it back to the inbox) for all recipients. |
| Yes/No | Phishing Awareness Training | 1. Closes the report. 2. Sends notification to reporter and admins that this was a Phishing Awareness Training email. 3. Moves the report to the Phishing Training tab. 4. Keeps the email quarantined for all recipients. |


The email notification for reported emails confirmed to be malicious looks as shown below:

phish911_report.PNG

Attachments
