Jump to content
  • Recently Browsing   0 members

    No registered users viewing this page.

Sign in to follow this  
Danny tolnay


Recommended Posts

Assuming you encourage your users to report suspected phish, how do you handle it after they report?
Some of the things I do...

Determine whether it is truly a phish, or spam, or legit business use.

If phish, block email address at global perimeter and thank user for reporting.
If spam, let user know that although unsolicited (assuming this since they reported it in the first place), the email appears to be a legit service/offering. I then attach a doc which shows them how to block the address in their personal quarantine, if they wish. I prefer this method rather than encouraging them to use the unsubscribe option in the email itself, due to the potential of that being the point of the attack.
I always thank the user for submitting/reporting in any case, to build a healthy relationship between security/users. Sure, this leads to a select few users being 'report-happy', but so far it is manageable, and preferred.

Curious what others are doing.

Also, outside of the perimeter services/heuristics, is anyone using anything like PhishTank? https://www.phishtank.com

  • Like 2

Share this post

Link to post

We largely do the same. For confirmed phishing attempts, we'll look to see if others received email with the same subject lines.

Links and attachments get analyzed using various tools.

If there is a link, we look to see if the user has hit it in our proxy logs. We'll also see if anyone else hit it or has hit it in the last whatever months. We then add that link to our blocklist in the proxy.

if there is an attachment, we blocklist it in our EDR solution for client systems. Typically, though, we get this automatically by the time we've scanned it and added it. (Our vendor not only has EDR and email security tools, but automated malware/file/URL analysis that feeds those.)

If the email looks somewhat legit and comes from someone we as a business have worked with in the past, we'll do a little digging to see if they've maybe just suffered a breach/BEC and this email has been compromised. This comes in pretty regularly as we deal with law firms and small businesses and insurance agencies. We encourage the end user to contact them to verify the email legitimacy.

If things still look legit, we'll let the user know things look ok. This usually comes with some extra questions like whether they usually get emails like this, or they know the sender, etc. Sort of hunting for that, "Oh, yeah, this isn't totally unsolicited."


For spam, we largely just drop it when it comes in the same way that we get phishes reported. The email team drops lots of spam, has their own spam button (which just submits to Cisco), and even has an "Unsubscribe" button on things that look like marketing. Full disclosure: I don't think that Unsubscribe part is a good idea, but I can't say I've seen it be detrimental. Despite the Spam button, we still get people reporting spam as phishing due to convenience or being unaware of the differences. Our training isn't that great (yet).



One thing I wanted to make note of, and I was reminded about it from your point about being friendly. I want people to talk to the security team. In fact, one of my bigger metrics when we do quarterly phish testing is tracking those people who fail the test, but still report the email. Those people are my gold star people. I want them to not fail. But to also still involve security? Please, more.


Share this post

Link to post

Great points, thanks!

We largely do all of the same things that you mentioned as well. I don't currently add the hashes to our EDR, but I really like that idea and I'll start implementing it as well.

I try not to ask too many questions of the user unless the situation truly calls for it, mostly because I want them to see us as extremely approachable. I'm curious about your gold star people, do you do anything besides track them? Do you take any actions on the metrics? For instance, i'm considering implementing a '3 strikes' rule, where we'll then place them in a 'restricted internet' group, which would tie their internet usage to more business critical usage while restricting more leisurely types of sites.

Share this post

Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Members online now

    No members to show

  • Create New...

Important Information

We use cookies as we're cookie monsters. Privacy Policy