Assuming you encourage your users to report suspected phish, how do you handle it after they report?
Some of the things I do:
Determine whether it is truly a phish, or spam, or legit business use.
If phish, block email address at global perimeter and thank user for reporting.
If spam, let user know that although unsolicited (assuming this since they reported it in the first place), the email appears to be a legit service/offering. I then attach a doc which shows them how to block the address in their personal quarantine, if they wish. I prefer this method rather than encouraging them to use the unsubscribe option in the email itself, due to the potential of that being the point of the attack.
I always thank the user for submitting/reporting in any case, to build a healthy relationship between security/users. Sure, this leads to a select few users being 'report-happy', but so far it is manageable, and preferred.
Curious what others are doing.
Also, outside of the perimeter services/heuristics, is anyone using anything like PhishTank? https://www.phishtank.com