Phish911 Feature Guide - Connect IT Community | Kaseya
<main> <article class="userContent"> <h3 data-id="1-overview">1. Overview</h3> <p>Phish911 is a powerful feature in Graphus that allows recipients to report phishing or suspicious emails to their IT department (or SOC), and instantly quarantine them, for review and follow-up action. It helps organizations act swiftly on these emails, which is otherwise a time-consuming and error-prone process.</p> <h3 data-id="2-prerequisite">2. Prerequisite</h3> <p>A dedicated inbox is required for this feature. Depending on how the feature is configured, recipients will either forward suspicious emails to this inbox or use Outlook buttons to report them to it. This inbox should not be used for regular email communication. We suggest creating a new inbox for this purpose (e.g. reportphish@&lt;your-org-domain.com&gt; or phishingreport@&lt;your-org-domain.com&gt;). Also, do not use an alias or group email address for this inbox.</p> <h3 data-id="3-types">3. Types</h3> <p>The admin can set up this feature in one of three ways. The admin should tell recipients which remedial action to take, depending on the option chosen.</p> <h4 data-id="3-1-option-1-graphus">3.1 Option 1: Graphus</h4> <p>This is the first option in the dropdown menu. Once the admin selects and sets this option, the recipient can simply forward the suspicious email to the dedicated configured mailbox.</p> <h4 data-id="3-2-option-2-phishing-awareness-training">3.2 Option 2: Phishing Awareness Training</h4> <p>This is the second option in the dropdown menu. Once the admin selects and sets this option, the recipient can click the special-purpose reporting button in the individual email (for example, the button may be labeled Phish Alert Report). The email is then sent automatically to the dedicated email inbox. The special-purpose button for reporting suspicious emails is configurable by the admin. 
As such, any label can be given to it.</p> <h4 data-id="3-3-option-3-microsoft-365-report-phishing">3.3 Option 3: Microsoft 365 Report Phishing</h4> <p>This is the third option in the dropdown menu. Once the admin selects and sets this option, the recipient can click the special-purpose reporting button in the individual email (the Report Message button in this case). The email is then sent automatically to the dedicated email inbox. Microsoft 365 Report Phishing is a feature in Graphus that lets customers submit Phish911 reports through the Microsoft add-in. Recipients can then report suspicious emails directly from Microsoft Outlook or its web equivalent, Outlook on the Web.</p> <h3 data-id="4-setup">4. Setup</h3> <p>The simple setup for this feature can be performed by an admin on the Graphus portal.</p> <ol><li>Log in to the <strong>Graphus</strong> portal and navigate to the <strong>Settings</strong> page (<a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fcloud.graph.us%2Fsettings">https://cloud.graph.us/settings</a>).</li> <li> Scroll down to the <strong>Phish911 Configuration</strong> section and set the following: <ol><li>Set the feature to <strong>On</strong>.</li> <li>Select the type of User Report. 
Select <strong>Graphus, Phishing Awareness Training, or Microsoft Office 365 Report Phishing.</strong></li> <li>Enter the dedicated inbox email address.<br><p><em>Note: If the type is <strong>“Phishing Awareness Training”</strong> or <strong>“Microsoft Office 365 Report Phishing”</strong>, then the email address will be the same as the one used for these services.</em></p> </li> </ol></li> <li>Scroll down to the end of the page and click the <strong>Save Changes</strong> button.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/J3YDL2UHODEP/phish911-graphus-option-png.png" alt="phish911_graphus_option.PNG" class="embedImage-img importedEmbed-img"></img></li> </ol><h3 data-id="5-microsoft-365-report-phishing">5. Microsoft 365 Report Phishing</h3> <p>Graphus’ Phish911 feature gives you an edge in remediating phishing emails reported with the Microsoft Outlook <strong>Report Message/Phishing</strong> button. Once a recipient reports a phishing email by clicking the Report Message button, a Phish911 alert is generated in Graphus for further analysis and remedial action by the admin.</p> <p>The following paragraphs describe the setup required for the Microsoft 365 Report Phishing option, the third type of configuration available in the Phish911 Configuration section of the Settings page of Graphus.</p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/T2SMMXW31H2R/microsoft365-page-png.png" alt="microsoft365_page.PNG" class="embedImage-img importedEmbed-img"></img></p> <h4 data-id="5-1-prerequisite">5.1 Prerequisite</h4> <p>The Microsoft Report Phishing add-in should be enabled so that the Report Message or Report Phishing add-in buttons are visible in Outlook and Outlook on the Web.</p> <h4 data-id="5-2-setup">5.2 Setup</h4> <ol><li> <strong>Stage 1:</strong> Enabling the Report Message or Report Phishing add-in. Follow the steps given by Microsoft to enable the Report Message or Report Phishing add-in. 
Refer to <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Foffice-365-security%2Fenable-the-report-message-add-in%3Fview%3Do365-worldwide">Enable the Report Message or the Report Phishing add-ins</a>. Go to the section <strong>Get the Report Message add-in for your organization</strong> and follow the steps. When you reach step 7, make sure the options shown in the screenshot below are selected.<br><br><p><img src="https://us.v-cdn.net/6032361/uploads/migrated/KT1LNE014HXL/config-add-in-png.png" alt="config_add_in.PNG" width="481" height="417" class="embedImage-img importedEmbed-img"></img></p> </li> <li> <strong>Stage 2:</strong> Configuring a custom mailbox for Phish911 emails in the <strong>Microsoft Security &amp; Compliance</strong> module. This step is mandatory. Otherwise, the Phish911 report in Graphus will not be generated. <ol><li>Log in to the Microsoft admin center with admin credentials.</li> <li>Go to <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fprotection.office.com%2FuserSubmissionsReportMessage">User submissions - Security &amp; Compliance (office.com).</a></li> <li>Select custom mailbox and enter a dedicated mailbox account. This should be the same email address configured in the Phish911 Configuration section of the organization’s Settings page in Graphus. Select the <strong>My organization's mailbox</strong> and <strong>Ask me before reporting the message</strong> options as shown in the screenshot below.<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/PBR7JDKFOKE7/user-submission3.png" alt="user_submission3.png" class="embedImage-img importedEmbed-img"></img><br><br></li> <li> Recipients can now click the <strong>Report Message/Report Phish</strong> add-in to report Phish911 emails. After configuration, it will take up to twelve hours for <strong>Report Message</strong> to appear in Microsoft Outlook or Outlook on the web. 
Make sure you restart Outlook (client) or Outlook on the web after twelve hours. This is what the <strong>Report Message</strong> option looks like in Microsoft Outlook (client).<br><br><img src="https://us.v-cdn.net/6032361/uploads/migrated/15KASJO7C2X9/phish911-outlook.png" alt="phish911_outlook.png" class="embedImage-img importedEmbed-img"></img><br><br><p>This is what the <strong>Report Message</strong> option looks like in Outlook on the Web.</p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/XAFAW9HZSOTA/owa-phish911.png" alt="OWA_Phish911.png" class="embedImage-img importedEmbed-img"></img><br><br>The <strong>Junk &gt; Phishing</strong> dropdown in Outlook on the Web, shown in the following image, is another option to flag Phish911 emails.</p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/B2LQLQHZYZ6I/owa-phish911-junk-button.png" alt="OWA_Phish911_Junk_Button.png" class="embedImage-img importedEmbed-img"></img></p> </li> <li>Once the recipient clicks the <strong>Report Message</strong> button to report an email as phishing, the recipient will see the following message.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/GRUYRYRJC0CW/phish911-message.png" alt="phish911_message.png" class="embedImage-img importedEmbed-img"></img></li> <li>The recipient can click <strong>Report</strong>. 
This will generate a Phish911 report in Graphus.</li> <li>The admin can now view the generated Phish911 email on the <strong>Graphus</strong> &gt; <strong>Phish911</strong> page in organizational view (<a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fcloud.graph.us%2FphishingReport">https://cloud.graph.us/phishingReport</a>).</li> </ol></li> </ol><h4 data-id="5-3-end-user-email-notification-template">5.3 End User Email Notification Template</h4> <p>After you activate the End User Email Notification Template in Outlook (client) or Outlook on the web, Graphus recommends that you send an email to notify the End User about the release and explain how to use the feature. Refer to the End User Notification Template attached at the end of this guide to learn how to use the feature.</p> <h3 data-id="6-what-happens-after-an-email-is-reported">6. What Happens After an Email is Reported?</h3> <p>After an email is reported (regardless of the Phish911 configuration types described above), Graphus will immediately quarantine the email (move it to Trash/Deleted Items) for all recipients. Graphus will also send an email notification to the reporter and all admins informing them about the report. 
This is what the acknowledgment looks like:</p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/5ZN339R30NMQ/phish911-report1-png.png" alt="phish911_report1.PNG" class="embedImage-img importedEmbed-img"></img></p> <p>The reported email will show up in the Graphus portal, under the User Reported Emails section (<a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fcloud.graph.us%2FphishingReport">https://cloud.graph.us/phishingReport</a>).</p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/I39OGCI422HM/phish911-reports-png.png" alt="phish911_reports.PNG" class="embedImage-img importedEmbed-img"></img></p> <p>An admin can investigate this email by analyzing its metadata, headers, and content.</p> <h3 data-id="7-what-happens-after-analysis-of-the-email">7. What Happens After Analysis of the Email?</h3> <p>The admin clicks the <strong>Close</strong> button to close this alert. <br><img src="https://us.v-cdn.net/6032361/uploads/migrated/3O77PAH8OQIO/phish911-reports-2-png.png" alt="phish911_reports_2.PNG" class="embedImage-img importedEmbed-img"></img><br></p> <p>The Phish911 Action popup window will open. It will show some basic information about the reported email and ask for two inputs from the admin (both of which are required) based on the analysis performed.</p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/U29WLG4AKD57/phish911-action-png.png" alt="phish911_action.PNG" class="embedImage-img importedEmbed-img"></img></p> <p><strong>Is EmployeeShield® Applied?</strong></p> <p>The admin should respond to the question, “Is EmployeeShield® Applied?” The answer is either Yes or No.</p> <p><strong>Is Reported Email Malicious, Non-malicious or Phishing Awareness Training?</strong></p> <p>The admin should choose the answer to the above question. 
Based on the analysis, the reported email can be classified as <strong>Malicious</strong>, <strong>Non-malicious</strong> or <strong>Phishing Awareness Training</strong>. Once these two inputs are provided by the admin, Graphus takes actions as described in the matrix below:</p> <table border="1"><tbody><tr><td><strong>Is EmployeeShield® Applied?</strong></td> <td><strong>Reported Email Classification</strong></td> <td><strong>Graphus Actions</strong></td> </tr><tr><td rowspan="3">Yes</td> <td rowspan="3">Malicious</td> <td>1. Close the report.</td> </tr><tr><td>2. Send notification to reporter and admins that this email was a phishing attack.</td> </tr><tr><td>3. Keep the email quarantined for all recipients.</td> </tr><tr><td rowspan="3">No</td> <td rowspan="3">Malicious</td> <td>1. Close the report.</td> </tr><tr><td>2. Send notification to reporter and admins that this email was a phishing attack.</td> </tr><tr><td>3. Keep the email quarantined for all recipients. Apply EmployeeShield®.</td> </tr><tr><td rowspan="3">Yes</td> <td rowspan="3">Non-malicious</td> <td>1. Close the report.</td> </tr><tr><td>2. Send notification to reporter and admins that this email was not a phishing attack.</td> </tr><tr><td>3. Unquarantine the email (move it back to inbox) for all recipients.</td> </tr><tr><td rowspan="3">No</td> <td rowspan="3">Non-malicious</td> <td>1. Close the report.</td> </tr><tr><td>2. Send notification to reporter and admins that this email was not a phishing attack.</td> </tr><tr><td>3. Unquarantine the email (move it back to inbox) for all recipients.</td> </tr><tr><td rowspan="3">Yes/No</td> <td rowspan="3">Phishing Awareness Training</td> <td>1. Close the report.</td> </tr><tr><td>2. Send notification to reporter and admins that this was a Phishing Awareness Training email.</td> </tr><tr><td>3. 
Keep the email quarantined for all recipients.</td> </tr></tbody></table><p><br>The email notification for reported emails that were confirmed to be malicious looks as shown below:</p> <p><img src="https://us.v-cdn.net/6032361/uploads/migrated/ME0SBOD0W7XA/phish911-report-png.png" alt="phish911_report.PNG" class="embedImage-img importedEmbed-img"></img></p> </article> </main>