Login
        Contents x
        Managed Phishing Response FAQ
        • 25 Nov 2025
        • 1 Minute to read
        • PDF
        Contents

        Managed Phishing Response FAQ

        • Updated on 25 Nov 2025
        • 1 Minute to read
        • PDF
        Article summary

        Can identity response actions be triggered and executed for reported phishes?

        Identity response actions visible in the playbook action setup cannot be executed from reported phish assessments. For example, attaching the action Suspend Entra ID User to a reported phish trigger with user email addresses defined in trigger conditions will not successfully execute the action.

        Why can’t I see reported phishes?

        All users, including Admins, must have an Analyst or Analyst Viewer role to view reported phishes. See Grant User Permissions to Your Security Team for details.

        Can I get reported phish notifications through Slack, Teams, etc?

        Yes. You can add automated actions to playbooks to notify your team of reported phish information using third-party systems such as Slack, Teams, or Webhooks. Simply add the action to a playbook, then customize the fields using your desired [reported phish object attributes](link to “Customize Response Notifications” in the Getting Started doc).

        Are reported phishes accessible over Red Canary’s API?

        Yes. Red Canary’s API lets you list reported phishes, retrieve details, view activity timelines and comments, update an assessment and summary, and add comments. See Getting Started with Red Canary REST API.

        What do the numbers/letters with colored borders represent in the Message URLs card?

        The Message URLs Card on a Reported Phish helps identify suspicious content by breaking down domains and URLs found in the reported phishing email. The card displays the "From" and "Reply-To" domains, using borders with numbers and letters to highlight unique or mismatched domains. The borders group domains visually for quick comparison, whereas the numbers and letters indicate different domain groups for easier identification.

        How do I change the assessment status?

        Users with the Analyst role enabled can change a reported phish assessment to “Phish” or “Not a Phish”. To update an assessment in your portal:

        1. Click on the assessment dropdown on any reported phish page.

        2. Select the assessment: Not a Phish or Phish.

        3. Modify the Assessment summary.

        4. Click Save.

        Note

        • Changing a completed assessment can re-trigger automated playbooks depending on the conditions set within your reported phish automation triggers.

        • If you change a completed assessment, Red Canary’s team will get notified to review the change. This helps us improve quality and ensures we agree with the updated assessment.

        Can Red Canary demystify links obfuscated or protected by email security tools?

        Yes, but this is currently only available for organizations utilizing Proofpoint URL Defense. For these customers, any URL Defense rewritten link is automatically decoded during processing.

        Was this article helpful?
        What's Next
        Change password!
        Changing your password will log you out immediately. Use the new password to log back in.
        Change profile
        Success!
        First name must have atleast 2 characters. Numbers and special characters are not allowed.
        Last name must have atleast 1 characters. Numbers and special characters are not allowed.
        Enter a valid email
        Enter a valid password
        Your profile has been successfully updated.
        Logout