Login
        Contents x
        Navigating Phishing Reports in Red Canary
        • 20 Aug 2025
        • 3 Minutes to read
        • PDF
        Contents

        Navigating Phishing Reports in Red Canary

        • Updated on 20 Aug 2025
        • 3 Minutes to read
        • PDF
        Article summary

        This guide outlines the portal’s key components and features for reported phishes, where you can view and modify phish assessments, collaborate with team members, and maintain detailed audit trails.

        Note

        Users must have an Analyst or Analyst View role to view and manage phishing reports.

        View All Reported Phishes

        In your Red Canary portal, click Phishing to view all a list of all user-reported phishing emails. From here, you can filter and share reports on demand.

        Navigate a Reported Phish

        On the Phishing page, click on a report to view its details.

        Assessment Header Card

        The Assessment Header provides a holistic summary of the reported phishing email and its assessment status to help you quickly gauge the situation.

        This card includes:

        • Reported Phish Details:

          • Displays the subject line of the reported phish.

          • Shows the "From" address (email sender).

          • Displays the reporter's email address (the user who reported the phishing email).

          • Indicates the date and time the email was collected, in UTC.

        • Colored Header Border:

          • Red Border: Email assessed as a Phish.

          • Blue Border: Email assessed as Not a Phish.

          • Gray Border: Email assessment status is TBD (awaiting assessment).

        Reported Email Card

        The Reported Email contains essential metadata to help analyze the origin and authentication of the phishing email.

        This card includes:

        • Email Metadata:

          • From: Displays the sender's email address

          • Auth-Results and Auth-Results-Orig: Provides email authentication results (SPF, DKIM, DMARC checks)

          • ARC-Auth-Results: Shows authentication chain results if applicable

          • To: Displays the recipient's email address

          • Subject: Displays the subject line

          • Reply-To: Indicates the address replies will be directed to

          • Return Path: Displays the address used for bounce messages

        Message URLs Card

        The Message URLs card helps identify suspicious content by breaking down domains and URLs found in the reported phishing email.

        This card includes:

        • Email Domains:

          • Displays "From" and "Reply-To" domains.

          • Highlights unique or mismatched domains with visual borders and numbering/lettering for grouping.

        • URLs in Email:

          • Groups URLs by host domain.

          • Displays each URL, along with any associated text within the email.

          • Includes hoverable popovers to view full URL details.

        • Domain Helpers:

          • Quick links to external tools for investigation:

            • Whois: View domain registration details.

            • Shodan: Gather IP intelligence.

            • VirusTotal: Scan domains or URLs for threats.

        Attachments Card

        The Attachments card displays information about any files included in the reported phishing email, enabling file-based analysis.

        This card includes:

        • Attachment Details:

          • File Name: Name of each attachment.

          • File Type: Indicates the type of file (e.g., PDF, DOCX, ZIP).

          • File Size: Shows the size of the file in bytes.

          • Link: Click to see a detailed attachment view within the Email Message card.

        Email Message Card

        The Email Message card provides an in-depth, organized view of the reported phishing email. A tabbed layout ensures ease of navigation while supporting thorough analysis.

        This card includes:

        • Headers Tab:

          • Displays complete multipart/mixed headers, including routing metadata.

          • Essential for identifying email paths and detecting header manipulation.

        • Summary Tab:

          • Content-Transfer-Encoding: Explains encoding methods (e.g., base64, quoted-printable).

          • Content-Type: Specifies the rendering format (text/plain, text/html).

          • Highlights URLs in plain text for efficient link analysis.

        • Body Tabs:

          • text/html Body: Displays formatted email content as seen by the recipient.

          • text/html <body>: Focuses on raw content within the <body> tag, removing additional markup.

        • Attachments Tab:

          • Dedicated tabs for file types like PDFs and images information displayed:

            • Content-Description: Brief description from the metadata.

            • Content-Disposition: Indicates display intent (inline or downloadable).

            • Content-ID: Unique identifier for referencing internal content.

            • Content-Transfer-Encoding: Specifies encoding methods (e.g., base64).

            • Content-Type: MIME type of the file (e.g., PDF, PNG).

            • MD5 & SHA256 Hashes: Cryptographic hashes for verifying or correlating files.

            • Strings Dropdown: Extracts readable strings for identifying embedded URLs or text.

            • Render Dropdown: Provides safe preview rendering of images and PDFs.

        Right Panel Cards

        The right panel organizes essential data for managing and updating the assessment efficiently.

        This card includes:

        • Dropdown Assessment Button:

          • Located at the top of the panel.

          • Updates the assessment status (TBD, Not a Phish, Phish).

          • Supports reassessment where necessary.

        • Attributes Card:

          • Assessment: Displays the current status.

          • Summary: Explains reasoning for assessment and provides user details of the last update.

          • Last Claimed By: Tracks the user who last took responsibility for assessment.

          • Last Claimed At/Collected At: Shows timestamps (UTC) for claiming/collecting the email.

          • Collected By: Identifies the collector name.

          • Origination: Displays details of the email's original delivery time.

          • Message ID: Unique identifier for tracking the email across systems.

        • Stats Card:

          • Displays timestamps for assessment lifecycle events:

            • Collected At: Timestamp for email collection.

            • Claimed At: Timestamp for claim activity.

            • Assessment First Set At: Timestamp for first assessment.

            • Assessment Last Set: Timestamp for last assessment update.

        • Activity Summary Card:

          • This card includes:

            • Activity details including the User Name, Timestamp, and Description for changes made.

        Activity Timeline

        The Activity timeline at the bottom of the report offers a dynamic, collaborative history of actions performed on the reported email.

        • Full Activity History:

          • Logs all events, such as assessment changes, report claims/unclaims, and collection details.

        • Comments:

          • Analysts can add comments for collaboration. Only Analysts can post comments while Analyst Viewers may read them.

          • Tracks User Name, Timestamp, and Comment Content.

          • Notes from Red Canary's team may appear, but you are not notified when comments are added.

        Was this article helpful?
        What's Next
        Change password!
        Changing your password will log you out immediately. Use the new password to log back in.
        Change profile
        Success!
        First name must have atleast 2 characters. Numbers and special characters are not allowed.
        Last name must have atleast 1 characters. Numbers and special characters are not allowed.
        Enter a valid email
        Enter a valid password
        Your profile has been successfully updated.
        Logout