Getting Started with Managed Phishing Response
    • 20 Aug 2025

    This guide provides step-by-step instructions for integrating our Managed Phishing Response solution with your third-party phishing reporting button. The process includes:

    1. Providing your security team with role-based access to the specific features they need.

    2. Connecting your reporting button to Red Canary.

    3. Configuring automated alerts for your security team and personalized feedback for users who report phishing attempts.

    4. Managing reported phishes in Red Canary.

    Prerequisites

    Before you begin, make sure you have the following:

    • You’re an Admin-level user (needed for Step 1 and Step 2)

    • You’re using a Microsoft 365 and/or Google Workspace email environment

    • You’re using one of the following third-party reporting buttons:

      • KnowBe4 PhishAlert

      • Proofpoint PhishAlarm

    1 Red Canary | Grant User Permissions to Your Security Team

    First, you need to assign appropriate user permissions to members of your security team to access the Phishing features in Red Canary. Permissions are role-specific and determine access to features based on your team member’s responsibilities.

    Role: Analyst Viewer
    Description: Provides view-only access to the Reported Phishes feature.
    Permissions:

      • View detailed phishing assessment results.

      • View pre-configured automation triggers and playbooks related to reported phishing events.

    Role: Analyst
    Description: Builds upon Analyst Viewer permissions, enabling users to actively assess and collaborate on phishing reports.
    Permissions:

      • View detailed phishing assessment results.

      • View pre-configured automation triggers and playbooks.

      • Modify phishing assessments.

      • Add comments to reported phishing assessments for further investigation or collaboration.

    Role: Admin
    Description: Grants advanced permissions to manage configuration and integration tasks.
    Permissions:

      • Access the Settings page to create and manage Collectors for integrating Red Canary with third-party phishing report tools.

      • Create and manage automated triggers and playbooks for phishing response workflows.

      Note

      We recommend assigning Admin users the Analyst Viewer or Analyst role to be able to view and manage reported phishing incidents.

    Role: Responder
    Description: Allows users to configure and manage phishing automation (triggers and playbooks).
    Permissions:

      • Create and manage automated triggers and playbooks for phishing response workflows.

    Role: Technical Contact
    Description: Allows users to configure and manage phishing automation (triggers and playbooks).
    Permissions:

      • Create and manage automated triggers and playbooks for phishing response workflows.

    To assign user roles:

    1. Click the user icon at the top right of your Red Canary portal, then click Users & Roles.

    2. Search for a user. If you need to add a new user, enter their email address in the top bar and click Invite.

    3. Assign roles to the user by toggling a role name. Untoggle the role to remove it from the user.

    2 Red Canary | Integrate Your Phish Reporting Button

    To integrate your reporting button with Red Canary, start by creating a Collector to act as the dedicated email inbox for phishing reports. Then you’ll link the Collector's unique email address to your reporting button. This setup ensures that all reported phishes are automatically forwarded directly to Red Canary.

    Note

    Most organizations need only one Collector. However, you may want to create more than one Collector if you have more than one reporting tool or email platform.

    1. In your Red Canary portal, navigate to Phishing > Settings and click New Collector.

    2. Add a Collector name, description, and the name of your reporting button provider.

    3. Click Save.

    4. On the Settings page:

      1. Copy the unique email address generated in the Email Inbox column.

      2. Click Setup instructions and follow the steps defined for your provider.

        KnowBe4 Phish Alert Instructions

        1. Sign into KnowBe4’s console, then navigate to Account Settings.

        2. Under Account Integrations, click Phish Alert.

        3. Ensure "Enable Phish Alert" is checked and a Phish Alert Instance has already been created.

        4. Update the following configurations in the Phish Alert Button’s account settings:

          • For Send Non-Simulated Emails, add the Red Canary Collector email address copied in the previous step.

          • Uncheck “Exclude original body text from reported emails.”

          • If you allow users to leave comments and disposition, add the Red Canary Collector email address in the Send Dispositioned Emails to Email Forwarding field.

        5. Click Save Phish Alert Settings.

        Note

        If you have multiple Phish Alert Instances active, you must repeat the steps above for each button instance. We recommend that you create a separate Collector for each instance.

        Proofpoint PhishAlarm Instructions

        1. Sign into the Proofpoint Security Education Platform.

        2. Navigate to PhishAlarm > Settings > Admin Communications.

        3. In the Potentially Malicious Email Handling section:

          • Check “Send potential phish emails through Analyzer.”

          • Select Forward to the following email addresses.

          • Add the Email Inbox tied to your Red Canary Collector into the forwarding addresses field.

        4. In the File Delivery Settings section, check all items.

        5. Click Save Changes.

    3 Red Canary | Configure Automated Notifications and User Feedback

    Once your reporting tool is integrated with Red Canary, set up automated notifications to give end-user feedback and keep your team informed about phishing activity. Red Canary uses triggers and playbooks to configure alert notifications and give users feedback on their reported emails.

    Recommendations

    We recommend configuring two types of notifications:

    • Confirmed Phish Notifications: Email your security team and end users when a reported email is confirmed as a Phish.

    • Non-Phish Notifications: Email your security team and end users when an email is confirmed Not a Phish.

    While additional internal notifications such as Slack or Teams can be configured, we recommend email alerts as the minimum default setup.

    Supported Interpolation Variables

    The following variables are supported for reported phishing playbooks, which you’ll use when customizing the notifications.

    | Attribute | Example | Description |
    | --- | --- | --- |
    | Name | $Collector.name | The name of the collector that received the reported phish |
    | Assessment | $ReportedPhish.assessment | The assessment of the reported phish, either 'tbd', 'phish', or 'not a phish' |
    | Assessment Summary | $ReportedPhish.assessment_summary | The reasoning behind or additional notes around the assessment |
    | Collected At | $ReportedPhish.collected_at | The time when the reported phish was collected by Red Canary |
    | Email From | $ReportedPhish.email_from | The sender of the reported email |
    | Email Message ID | $ReportedPhish.email_message_id | The Message ID of the email (from the 'Message-ID' header) |
    | Email Origination Date | $ReportedPhish.email_origination_date | The Origination Date of the email (from the 'date' header, in UTC) |
    | Email Reply To | $ReportedPhish.email_reply_to | The reply to address of the reported email |
    | Email Subject | $ReportedPhish.email_subject | The subject of the reported email |
    | Email To | $ReportedPhish.email_to | The recipients of the reported email |
    | Reported Phish ID | $ReportedPhish.id | The unique Red Canary identifier of the reported phish |
    | Reporting User Email | $ReportedPhish.reporter_email | The email address of the user who reported the phish |

    Configure Notification Type 1: Phish

    1. In your Red Canary portal, navigate to Automation.

    2. Click Configure new trigger, then select When a Reported Phish assessment changes.

    3. Click Add condition and set it to Reported Phish Assessment is Phish.

    4. Next to the newly created trigger, click Connect playbook, then Create a new playbook.

    5. Name the playbook “Phishing Assessment (Phish).”

    6. Click Add Action, then scroll down and select Send Email.

    7. Add your email details for alerts to your security team using interpolation variables. For example:

    8. Click the Template dropdown and select Reported Phish Summary.

      Note

      This template supports notifications of all reports, including emails in a TBD or Not a Phish status. We recommend your security team only get notified of confirmed phishes.

    9. Click Save.

    10. Click Add Action, then scroll down and select Send Email.

    11. Add your email details for sending feedback to users, using interpolation variables. For example:

    12. Click the Template dropdown and select Custom Freeform Email with Markdown rendered into HTML.

    13. Add a custom message using interpolation variables. For example:

      Red Canary has assessed a user reported phishing email and 
      determined it to be a legitimate phishing attempt.
      ## Assessment Overview
      - **Assessment:** $ReportedPhish.assessment
      - **Assessment Summary:** $ReportedPhish.assessment_summary
      - **Reported Phish ID:** [#$ReportedPhish.id](https://demo.my.redcanary.co/phishing/reported_phishes/$ReportedPhish.id)
      ### Reported Email Details
      - **Reporting User Email:** $ReportedPhish.reporter_email
      - **Email Subject:** $ReportedPhish.email_subject
      - **Email From:** $ReportedPhish.email_from
      - **Email To:** $ReportedPhish.email_to
      - **Email Reply To:** $ReportedPhish.email_reply_to
      - **Origination:** $ReportedPhish.email_origination_date
      - **Message ID:** $ReportedPhish.email_message_id
    14. Check the Send via custom SMTP relay / server (advanced) option. This ensures the email comes from your own server and not Red Canary.

    15. Add your SMTP details in the applicable fields. For example:

    16. Check the Require Approval option if you want someone on your team to approve sending the email notification to the user.

    17. Click Save.

    Configure Notification Type 2: Not a Phish

    1. In your Red Canary portal, navigate to Automation.

    2. Click Configure new trigger, then select When a Reported Phish assessment changes.

    3. Click Add condition and set it to Reported Phish Assessment is Not a Phish.

    4. Next to the newly created trigger, click Connect playbook, then Create a new playbook.

    5. Name the playbook “Phishing Assessment (Not a Phish).”

    6. Click Add Action, then scroll down and select Send Email.

    7. Add your email details for sending feedback to users, using interpolation variables. For example:

    8. Click the Template dropdown and select Custom Freeform Email with Markdown rendered into HTML.

    9. Add a custom message using interpolation variables. For example:

      Thank you for your diligence in keeping DEMO safe from cyber threats! 
      The Information Security team has analyzed your potential phishing email submission
      and determined that it does not appear to contain malicious links or attachments.
      Nevertheless, the email may still pose a threat if you do not know the sender, feel
      the email content is suspicious or targeted, or doubt its authenticity.
      If you have additional concerns, or if you believe that you have received this message
      in error, please contact the Information Security team at security@demo.com.
      
      Assessment: $ReportedPhish.assessment
      
      Assessment Summary: $ReportedPhish.assessment_summary
    10. Check the Send via custom SMTP relay / server (advanced) option. This ensures the email comes from your own server and not Red Canary.

    11. Add your SMTP details in the applicable fields. For example:

    12. Check the Require Approval option if you want someone on your team to approve sending the email notification to the user.

    13. Click Save.
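
    A pre-save check for the custom messages in both playbooks, as an added example (not Red Canary's code): it flags variables that are not in the Supported Interpolation Variables list and lists the ones filled from the reported email's own headers, whose content the original sender chose. The `$Object.attribute` token pattern is inferred from the examples on this page; `lint_template`, the grouping of header-derived variables, and the sample text are assumptions of this example.

```python
import re

# Variables listed under "Supported Interpolation Variables" on this page.
SUPPORTED = {
    "Collector": {"name"},
    "ReportedPhish": {
        "assessment", "assessment_summary", "collected_at", "email_from",
        "email_message_id", "email_origination_date", "email_reply_to",
        "email_subject", "email_to", "id", "reporter_email",
    },
}
# Per the page's descriptions these are copied from the reported email itself,
# so the original sender chose their content (grouping is this example's own).
FROM_REPORTED_EMAIL = {
    "email_from", "email_message_id", "email_origination_date",
    "email_reply_to", "email_subject", "email_to",
}
# Assumed token shape, based on the page's examples: $Object.attribute
TOKEN = re.compile(r"\$([A-Za-z]+)\.([A-Za-z_]+)")


def lint_template(text):
    """Return (unknown, sender_controlled) lists of (line_number, variable)."""
    unknown, sender_controlled = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for obj, attr in TOKEN.findall(line):
            name = f"${obj}.{attr}"
            if attr not in SUPPORTED.get(obj, set()):
                unknown.append((lineno, name))        # typo or unsupported
            elif obj == "ReportedPhish" and attr in FROM_REPORTED_EMAIL:
                sender_controlled.append((lineno, name))
    return unknown, sender_controlled


# Constructed sample: three lines from the page's example plus two typos.
SAMPLE = """\
- **Assessment:** $ReportedPhish.assessment
- **Reported Phish ID:** [#$ReportedPhish.id](https://demo.my.redcanary.co/phishing/reported_phishes/$ReportedPhish.id)
- **Email Subject:** $ReportedPhish.email_subject
- **Reporter:** $ReportedPhish.reporter_mail
- **Collector:** $Collector.title
"""

if __name__ == "__main__":
    unknown, sender_controlled = lint_template(SAMPLE)
    for lineno, name in unknown:
        print(f"line {lineno}: {name} is not a supported variable")
    for lineno, name in sender_controlled:
        print(f"line {lineno}: {name} comes from the reported email")
```

    Variables reported as coming from the reported email are worth a second look in user-facing feedback, since their text originates with whoever sent the reported message.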

    This is how the trigger and playbook for each notification should look:

    4 Red Canary | Navigate Reported Phishes in Red Canary

    And you’re done! Once Red Canary collects a user-reported email, you can view all reports directly in your Red Canary portal. These reports provide full visibility into the email's contents and metadata, both before and after Red Canary completes its assessment, allowing you to monitor emails that are still pending an assessment decision.

    To learn more about report data and functionalities, see Navigating Phishing Reports in Red Canary.

