Getting Started with Managed Phishing Response

16 Jan 2026
7 Minutes to read

Getting Started with Managed Phishing Response

Updated on 16 Jan 2026
7 Minutes to read

Article summary

Did you find this summary helpful?

Thank you for your feedback!

This guide provides step-by-step instructions for integrating our Managed Phishing Response solution with your reporting button. The process includes:

Assigning roles to give your team access to features
Connecting your reporting button to a Red Canary
Configuring automations for your reported phishes
Viewing reported phishes in the Red Canary portal

Prerequisites

Before you begin, make sure you have the following:

You’re an Admin-level user (needed for Steps 1-2)
You have a Microsoft Exchange or Google Workspace email environment
You’re using a supported inbox reporting button:
- KnowBe4 Phish Alert (PAB)
- Proofpoint PhishAlarm
- Outlook Report (Built-In)

1 Red Canary | Assign Roles to Your Security Team

Assign appropriate user permissions to members of your security team to access Managed Phishing Response. Permissions are role-specific and determine access to capabilities based on your team member’s responsibilities. See the table below for details.

Role	Description	Permissions
Analyst Viewer	Allows users view-only access of reported phishes	View reported phishes and their assessment View automation triggers and playbooks
Analyst	Builds upon Analyst Viewer, allowing users to change assessments and add comments to reported phishes	View reported phishes and their assessment View automation triggers and playbooks Modify assessments for reported phishes Add comments to a reported phish’s activity timeline
Admin	Grants users advanced permissions to configure Reported Phish Collectors	Access the Phishing>Settings page to create and manage Collectors for reported phishes Create and manage automated triggers and playbooks for reported phishes Note Your content gAdmin users must also be assigned the Analyst or Analyst Viewer role to access the Phishing and Phishing > Settings pages in your portal.
Responder	Allows users to configure automations for reported phishes	Create and manage automated triggers and playbooks for reported phishes
Technical Contact	Allows users to configure automations for reported phishes	Create and manage automated triggers and playbooks for reported phishes

To assign user roles:

Click the user icon at the top right of your Red Canary portal, then click Users & Roles.
Search for a user. If you need to add a new user, enter their email address in the top bar and click Invite.
Assign roles to the user by toggling a role name. Untoggle the role to remove it from the user.

2 Red Canary | Create a Collector

A Collector is a dedicated email address that receives user-reported emails from your reporting button. Once connected, all future reported emails will automatically be forwarded to Red Canary for assessment.

Note
Most organizations only need one Collector, but you should create additional Collectors if you use more than one reporting button or have multiple email environments.

In the Red Canary portal, go to Phishing > Settings and click New Collector.
On the New Collector page, select one Email Environment and one Reporting Product, then use the Description field to add any context relevant to your user-reported phishing workflows.
Click Save.
On the Settings page, locate the new Collector in the list:
1. Copy the Collector Address.
2. Click Setup Instructions and follow the button-specific steps shown in the slide-out panel.

3 Red Canary | Configure Automated Notifications and User Feedback

Set up automated notifications to give end-user feedback and keep your team informed about phishing activity. Red Canary uses triggers and playbooks to configure alert notifications and give users feedback on their reported emails.

Recommendations

We recommend configuring two types of notifications:

Notification #1: Phish: Email your security team and end users when a phishing email is a confirmed Phish.
Notification #2: Not a Phish: Email your security team when an email is confirmed Not a Phish.

While additional internal notifications such as Slack or Teams can be configured, we recommend email alerts as the minimum default setup.

Supported Interpolation Variables

The following variables are supported for reported phishing playbooks, which you’ll use when customizing the notifications.

Attribute	Example	Description
Assessment	`$ReportedPhish.assessment`	The Assessment of the reported phish, either `tbd`, `phish`, or `not a phish`
Assessment Summary	`$ReportedPhish.assessment_summary`	The reasoning behind or additional notes around the Assessment
Collected At	`$ReportedPhish.collected_at`	The time when the reported phish was collected by Red Canary
Collector Description	`$Collector.description`	Details about the reporting environment associated with the Collector that collected the reported phish
Collector Email Environment	`$Collector.email_environment`	The email environment where the reported phish collected by the Collector originated
Collector ID	`$Collector.id`	The unique Red Canary identifier for the Collector that collected the reported phish
Collector Reporting Product	`$Collector.reporting_product`	The reporting product used to report the reported phish collected by the Collector
Email From	`$ReportedPhish.email_from`	The sender of the reported email
Email Message ID	`$ReportedPhish.email_message_id`	The Message ID of the email (from the `Message-ID` header)
Email Origination Date	`$ReportedPhish.email_origination_date`	The Origination Date of the email (from the `date` header, in UTC)
Email Reply To	`$ReportedPhish.email_reply_to`	The reply to address of the reported email
Email Subject	`$ReportedPhish.email_subject`	The subject of the reported email
Email To	`$ReportedPhish.email_to`	The recipients of the reported email
Previous Assessment	`$ReportedPhish.previous_assessment`	The previous Assessment of the reported phish before it was changed
Reported Phish ID	`$ReportedPhish.id`	The unique Red Canary identifier of the reported phish
Reporting User Email	`$ReportedPhish.reporter_email`	The email address of the user who reported the phish

Notification #1: Phish

Set up notifications to alert both your team and the user who reported the email whenever an email is confirmed as a phishing attempt (Assessment status=Phish).

In your Red Canary portal, navigate to Automation.
Click Configure new trigger, then select When a Reported Phish assessment changes.
Click Add condition and set it to Reported Phish Assessment is Phish.
Next to the newly created trigger, click Connect playbook, then Create a new playbook.
Name the playbook “Phishing Assessment (Phish).”
Click Add Action, then scroll down and select Send Email.
Add your email details for alerts to your security team. For example:
- To: security@domainName.com
- Subject: domainName Validated Email Phish Service
Click the Template dropdown and select Reported Phish Summary.
Example: Confirmed Phish Summary Template
Here’s an example of how the template looks as an email notification:
Click Save.
Click Add Action, then scroll down and select Send Email.
Add your email details for sending feedback to users using supported interpolation variables. For example:
- To: $ReportedPhish.reporter_email
- Reply to: No Reply To email set
- Subject: You caught a phish! $ReportedPhish.email_subject
Click the Template dropdown and select Custom Freeform Email with Markdown rendered into HTML.

Add a custom message using supported interpolation variables. For example:

You caught a phish! Initial analysis of your suspicious email submission has revealed a 
phishing threat. A service ticket for this investigation has been opened on your behalf 
and demo's Information Security team will conduct further investigation. At this time, 
no further action is required on your part. You may receive follow-up communications and
a final notification from the security team once the investigation is complete. 
If you have questions or concerns regarding this matter, you can contact the 
Information Security team at [security@demo.com](mailto:security@demo.com).

**Assessment:** $ReportedPhish.assessment  
**Assessment Summary:** $ReportedPhish.assessment_summary

Thank you for your diligence in keeping demo safe from cyber threats!

Enable Send via custom SMTP relay / server (advanced) to ensure the email comes from your own server and not Red Canary.
Add your SMTP details. For example:
- SMTP From Email Address: security@domainName.com
- SMTP Host: smtp.office365.com
- SMTP Port: 587
- SMTP Username: demo@domainName.com
- SMTP Password: *****
- Enable STARTTLS: True
- SMTP Authentication Method: Plain
(Optional) Enable Require Approval if you want someone on your team to approve sending the email notification to the user.
Click Save.

Notification #2: Not a Phish

Set up notifications to alert both your team and the user who reported the email whenever a reported phishing attempt is verified as a false alarm (Assessment status=Not a Phish).

In your Red Canary portal, navigate to Automation.
Click Configure new trigger, then select When a Reported Phish assessment changes.
Click Add condition and set it to Reported Phish Assessment is Not a Phish.
Next to the newly created trigger, click Connect playbook, then Create a new playbook.
Name the playbook “Phishing Assessment (Not a Phish).”
Click Add Action, then scroll down and select Send Email.
Add your email details for sending feedback to users, using supported interpolation variables. For example:
- To: $ReportedPhish.reporter_email
- Reply To: No Reply To email set
- Subject: Phishing Email Submission Analysis Complete: $ReportedPhish.email_subject
Click the Template dropdown and select Custom Freeform Email with Markdown rendered into HTML.

Add a custom message using supported interpolation variables.

Example: Custom Freeform Email Message

Thank you for your diligence in keeping DEMO safe from cyber threats! 
The Information Security team has analyzed your potential phishing email submission
and determined that it does not appear to contain malicious links or attachments.
Nevertheless, the email may still pose a threat if you do not know the sender, feel
the email content is suspicious or targeted, or doubt its authenticity.
If you have additional concerns, or if you believe that you have received this message
in error, please contact the Information Security team at security@demo.com.

Assessment: $ReportedPhish.assessment

Assessment Summary: $ReportedPhish.assessment_summary

---

#### Email Restoration
Please note, after reporting a suspicious email by clicking the Phish Alert button in
Gmail, reported emails are moved to the Trash folder. To restore them, follow the 
steps below: 

1. Open Gmail
2. Click "Trash" in the left sidebar
3. Find the reported email
4. Select the email > click "Move to" > choose "Inbox" or desired folder
5. The email will be restored to the selected folder. Note that emails in 
Trash are permanently deleted after 30 days.

Thank you!

Click Save.

4 Red Canary | View Reported Phishes

View all reports directly in your Red Canary portal. These reports provide full visibility into the email's contents and metadata, both before and after Red Canary completes its Assessment, allowing you to monitor emails that are still pending an Assessment decision.

To learn more about navigating a reported email, see Navigating Phishing Reports in Red Canary.

Was this article helpful?

What's Next

Navigating Reported Phishes in Red Canary

Table of contents

Prerequisites
1 Red Canary | Assign Roles to Your Security Team
2 Red Canary | Create a Collector
3 Red Canary | Configure Automated Notifications and User Feedback
4 Red Canary | View Reported Phishes