Getting Started with Managed Phishing Response
- Updated on 06 Feb 2026
This guide provides step-by-step instructions for integrating our Managed Phishing Response solution with your reporting button. The process includes:
- Assigning roles to give your team access to features
- Connecting your reporting button to Red Canary
- Configuring automations for your reported phishes
- Viewing reported phishes in the Red Canary portal
Prerequisites
Before you begin, make sure you have the following:
- You’re an Admin-level user (needed for Steps 1-2)
- You have a Microsoft Exchange or Google Workspace email environment
- You’re using a supported inbox reporting button:
  - KnowBe4 Phish Alert (PAB)
  - Proofpoint PhishAlarm
  - Outlook Report (Built-In)
1 Red Canary | Assign Roles to Your Security Team
Assign appropriate user permissions to members of your security team to access Managed Phishing Response. Permissions are role-specific and determine access to capabilities based on your team member’s responsibilities.
User Roles and Permissions
| Role | Description | Permissions |
|---|---|---|
| Analyst Viewer | Allows users view-only access to reported phishes | |
| Analyst | Builds upon Analyst Viewer, allowing users to change assessments and add comments to reported phishes | |
| Admin | Grants users advanced permissions to configure Reported Phish Collectors | |
| Responder | Allows users to configure automations for reported phishes | |
| Technical Contact | Allows users to configure automations for reported phishes | |
To assign user roles:
1. Click the user icon at the top right of your Red Canary portal, then click Users & Roles.
2. Search for a user. If you need to add a new user, enter their email address in the top bar and click Invite.
3. Assign roles to the user by toggling a role name. Untoggle the role to remove it from the user.

2 Red Canary | Create a Collector
A Collector is a dedicated email address that receives user-reported emails from your reporting button. Once connected, all future reported emails will automatically be forwarded to Red Canary for assessment.
Note
Most organizations only need one Collector, but you should create additional Collectors if you use more than one reporting button or have multiple email environments.
1. In the Red Canary portal, go to Phishing > Settings and click New Collector.
2. On the New Collector page, select one Email Environment and one Reporting Product, then use the Description field to add any context relevant to your user-reported phishing workflows.
3. Click Save.
4. On the Settings page, locate the new Collector in the list:
   - Copy the Collector Address.
   - Click Setup Instructions and follow the button-specific steps shown in the slide-out panel.

3 Red Canary | Configure Automations for Reported Phishes
Set up automated triggers and playbooks to quickly close the loop with reporting users and inform your team of reported phish activities. Triggers define when an automation should begin and can be limited by conditions. They connect to playbooks, which group the actions you want to take to achieve a goal. These actions can be customized with variables that are interpolated at runtime.
Reported Phish Triggers and Conditions
The following triggers are available for reported phishes:
- When a Reported Phish is collected
- When a Reported Phish assessment changes
- When a Reported Phish hasn’t been assessed for 2 hours

The following conditions are available for all reported phish triggers:
- Reported Phish Assessment
- Reported Phish Previous Assessment
- Reported Phish Assessment Summary
- Reported Phish Reporting User Email
- Reported Phish Email Subject
- Reported Phish Email From
- Reported Phish Email Reply To
- Reported Phish Email To
- Reported Phish Collector ID
- Reported Phish Collector Email Environment
- Reported Phish Collector Reporting Product
- Reported Phish Collector Description
- Time Day of Week
- Hour of Day
Supported Playbook Actions and Variables
The following playbook actions are available for reported phishes:
- Send Slack Message
- Send Microsoft Teams Message
- Invoke Webhook or API
- Send Syslog Message
- Send Email
- Call Phone Numbers
- Send SMS Message
The following interpolation variables are available for reported phishes:
| Attribute | Example | Description |
|---|---|---|
| Assessment | | The Assessment of the reported phish, either |
| Assessment Summary | | The reasoning behind or additional notes around the Assessment |
| Collected At | | The time when the reported phish was collected by Red Canary |
| Collector Description | | Details about the reporting environment associated with the Collector that collected the reported phish |
| Collector Email Environment | | The email environment where the reported phish collected by the Collector originated |
| Collector ID | | The unique Red Canary identifier for the Collector that collected the reported phish |
| Collector Reporting Product | | The reporting product used to report the reported phish collected by the Collector |
| Email From | | The sender of the reported email |
| Email Message ID | | The Message ID of the email (from the |
| Email Origination Date | | The Origination Date of the email (from the |
| Email Reply To | | The reply to address of the reported email |
| Email Subject | | The subject of the reported email |
| Email To | | The recipients of the reported email |
| Previous Assessment | | The previous Assessment of the reported phish before it was changed |
| Reported Phish ID | | The unique Red Canary identifier of the reported phish |
| Reporting User Email | | The email address of the user who reported the phish |
Recommended Setup
As a starting point, Red Canary recommends three different automations to help you streamline response to reported phishes. Each uses the same base trigger, but applies different conditions and playbooks.
Automation 1: Notify Your Team of a Confirmed Phish
Ensure your team is informed whenever a reported phish is assessed and confirmed to be phishing.
1. In your Red Canary portal, navigate to Automation.
2. On the Automation page, click Configure new trigger.
3. Select When a Reported Phish assessment changes.
4. Click Add condition and set it to Reported Phish > Assessment > is > Phish.
5. Click Connect playbook and select Create a new playbook.
6. Click Add Action, then select Send Email and configure:
   - To: Enter email addresses for your security team
   - Subject: Customize the subject (e.g., “Red Canary Confirmed Phish Assessment”)
   - Template: Select “Reported Phish Summary”
7. Once you’re done editing the automated email, click Save.
Example: Email Configuration for “Phish” Escalations
The following image shows a sample Send Email configuration:
Example: Reported Phish Summary Template
The following image shows how the template renders as an email notification:

Automation 2: Notify Reporters When They Catch a Phish
Send timely feedback to close the loop with users when they report an email that’s confirmed as a Phish.
1. On the Automation page, click Configure new trigger.
2. Select When a Reported Phish assessment changes.
3. Click Add condition and set it to Reported Phish > Assessment > is > Phish.
4. Click Add condition and set it to Reported Phish > Previous Assessment > is not present.
5. Click Connect playbook, then select Create a new playbook.
6. Click Add Action, then select Send Email and configure:
   - From: Set a custom sender address users will recognize
   - To: $ReportedPhish.reporter_email
   - Subject: Customize the subject (e.g., “You caught a Phish!”)
   - Template: Select “Custom Freeform Email with Markdown rendered into HTML”
   - Message: Customize the email using markdown and interpolation variables
7. Once you’re done editing the automated email, click Save.
Example: Email Configuration for “Phish” Feedback

Automation 3: Notify Reporters When Their Email is Not a Phish
Send timely feedback to close the loop with users when they report an email that is Not a Phish.
1. On the Automation page, click Configure new trigger.
2. Select When a Reported Phish assessment changes.
3. Click Add condition and set it to Reported Phish > Assessment > is > Not a Phish.
4. Click Add condition and set it to Reported Phish > Previous Assessment > is not present.
5. Click Connect playbook, then select Create a new playbook.
6. Click Add Action, then select Send Email and configure:
   - From: Set a custom sender address users will recognize
   - To: $ReportedPhish.reporter_email
   - Subject: Customize the subject (e.g., “Feedback on the email you reported”)
   - Template: Select “Custom Freeform Email with Markdown rendered into HTML”
   - Message: Customize the email using markdown and interpolation variables
7. Once you’re done editing the automated email, click Save.
Example: Email Configuration for “Not a Phish” Feedback
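
Taken together, the three recommended automations can be checked against a sequence of assessments for one reported email. The following is an added example, not Red Canary code: a local Python model with hypothetical names, which assumes that a first assessment arrives as an assessment change with no Previous Assessment and that a reassessment carries the earlier value.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Local model of the three recommended automations. All names here are
# hypothetical; this is not Red Canary's automation engine or API.
PHISH, NOT_A_PHISH = "Phish", "Not a Phish"

@dataclass(frozen=True)
class AssessmentChange:
    """Stands in for the 'When a Reported Phish assessment changes' trigger."""
    assessment: str
    previous_assessment: Optional[str]  # None models "is not present"

# (name, required Assessment, require Previous Assessment "is not present")
AUTOMATIONS = [
    ("notify-team-confirmed-phish", PHISH, False),
    ("reporter-feedback-phish", PHISH, True),
    ("reporter-feedback-not-a-phish", NOT_A_PHISH, True),
]

def fired(event: AssessmentChange) -> list[str]:
    """Return the automations whose conditions all match the event."""
    names = []
    for name, wanted, first_only in AUTOMATIONS:
        if event.assessment != wanted:
            continue
        if first_only and event.previous_assessment is not None:
            continue
        names.append(name)
    return names

def replay(history: list[str]) -> list[list[str]]:
    """Replay successive assessments of one reported email."""
    results, previous = [], None
    for assessment in history:
        results.append(fired(AssessmentChange(assessment, previous)))
        previous = assessment
    return results

if __name__ == "__main__":
    # Constructed scenarios: a single verdict, then two reversed verdicts.
    for history in ([PHISH], [NOT_A_PHISH, PHISH], [PHISH, NOT_A_PHISH]):
        print(history, "->", replay(history))
```

In the second scenario, a reporter who was first told Not a Phish gets no follow-up when the assessment later changes to Phish, because both reporter-feedback automations require Previous Assessment to be not present; only the team notification fires.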

4 Red Canary | View Reported Phishes
View all reports directly in your Red Canary portal. These reports provide full visibility into the email's contents and metadata, both before and after Red Canary completes its Assessment, allowing you to monitor emails that are still pending an Assessment decision. 
To learn more about navigating a reported email, see Navigating Phishing Reports in Red Canary.