Navigating Phishing Reports in Red Canary
    • 01 Dec 2025

    This guide outlines the portal’s key components and features for reported phishes, where you can view and modify phish Assessments, collaborate with team members and Red Canary analysts, and maintain detailed audit trails.

    Note

    Users must have an Analyst or Analyst Viewer role to view and manage phishing reports.

    View Reported Phishes

    In your Red Canary portal, click Phishing to view a list of all user-reported phishing emails. From here, you can filter and share reports on demand.

    Navigate a Reported Phish

    On the Phishing page, click on a report to view its details.

    Assessment Header Card

    The Assessment Header provides a high-level overview of the reported phishing email and its assessment status.

    This card includes:

    • Reported phish details:

      • The subject line of the reported phish

      • The "From" address (email sender)

      • The reporter's email address (the user who reported the phishing email)

      • The date and time the email was collected, in UTC

    • Colored Header Border:

      • Red: The email is assessed as a Phish

      • Blue: The email is assessed as Not a Phish

      • Gray: Email Assessment status is TBD (awaiting assessment)

    Suspicious Feature Badges

    At the top of each reported phishing email, you’ll see yellow badges highlighting any suspicious features within the email that were identified, such as Unexpected Attachments, Generic Greetings, or Impersonation. These badges are assigned by our Phishing Triage Agent, a specialized AI designed to analyze email content and assist analysts in identifying potential phishing threats.

    To view a summary of the Triage Agent’s findings, click the Triage Agent tab.

    Overview Tab

    The Overview tab displays all of the email’s metadata and key details, helping you assess whether the email is a “Phish” or “Not a Phish.” See the sections below for descriptions of each component found in the Overview tab.

    Reported Email Card

    The Reported Email card contains essential metadata to help analyze the origin and authentication of the phishing email.

    This card includes:

    • Email Metadata:

      • From: Displays the sender's email address

      • Auth-Results and Auth-Results-Orig: Provides email authentication results (SPF, DKIM, DMARC checks)

      • ARC-Auth-Results: Shows authentication chain results if applicable

      • To: Displays the recipient's email address

      • Subject: Displays the subject line

      • Reply To: Indicates the address replies will be directed to

      • Return Path: Displays the address used for bounce messages

    Message URLs Card

    The Message URLs card helps identify suspicious content by breaking down domains and URLs found in the reported phishing email.

    This card includes:

    • Email Domains:

      • Displays "From" and "Reply-To" domains

      • Highlights unique or mismatched domains with visual borders and numbering/lettering for grouping

    • URLs in Email:

      • Groups URLs by host domain

      • Displays each URL, along with any associated text within the email

      • Includes hoverable popovers to view full URL details

    • Domain Helpers:

      • Quick links to external tools for investigation:

        • Whois: View domain registration details

        • Shodan: Gather IP intelligence

        • VirusTotal: Scan domains or URLs for threats
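
    The checks that the Reported Email and Message URLs cards support (authentication verdicts, From versus Reply-To and Return-Path domains, URLs grouped by host) can be reproduced on a raw message as follows. This is an added example, not Red Canary code; the sample message, its placeholder domains, and all function names are constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message; all addresses and domains are placeholders.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: "IT Support" <helpdesk@example.com>
Reply-To: helpdesk@example-support.test
To: user@example.org
Subject: Password expiry notice

Reset here: https://login.example-support.test/reset?id=1
Policy: https://example.com/policy and https://login.example-support.test/help
"""

def domain_of(value):
    """Lowercased domain of an address header, or None if absent/unparseable."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else None

def auth_results(msg):
    """First spf/dkim/dmarc verdict seen across Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def domain_mismatches(msg):
    """Reply-To / Return-Path domains that differ from the From domain."""
    from_dom = domain_of(msg["From"])
    found = {h: domain_of(msg[h]) for h in ("Reply-To", "Return-Path")}
    return {h: d for h, d in found.items() if d and d != from_dom}

def urls_by_host(msg):
    """Group body URLs by host (single-part text body assumed)."""
    groups = defaultdict(list)
    for url in re.findall(r"https?://[^\s<>\"')]+", msg.get_payload()):
        groups[urlsplit(url).hostname].append(url)
    return dict(groups)

def analyze(raw):
    """Return (auth verdicts, domain mismatches, URLs by host) for a raw message."""
    msg = message_from_string(raw)
    return auth_results(msg), domain_mismatches(msg), urls_by_host(msg)
```

    A differing Return-Path is common for legitimate bulk senders, so treat a mismatch as a prompt to check the authentication results rather than as a verdict.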

    Attachments Card

    The Attachments card displays information about any files included in the reported phishing email, enabling file-based analysis.

    This card includes:

    • Attachment Details:

      • File Name: Name of each attachment

      • File Type: Indicates the type of file (e.g., PDF, DOCX, ZIP)

      • File Size: Shows the size of the file in bytes

      • Link: Click to see a detailed attachment view within the Email Message card

    Email Message Card

    The Email Message card provides an in-depth, organized view of the reported phishing email. A tabbed layout ensures ease of navigation while supporting thorough analysis.

    This card includes:

    • Headers: Displays complete multipart/mixed headers, including routing metadata, which is essential for analyzing delivery paths and identifying header manipulation

    • Summary: Displays the message’s body converted to Markdown, removing email security banners, demystifying links that were obfuscated/protected by email security tools, and consolidating <table> elements and extra whitespace

    • Body: Displays the HTML message body in its original view

    • <body>: Displays the message body without the generally unhelpful HTML attributes and tags

    • Attachments: Displays a detailed overview of any file and image attachments included in the reported phish, with each attachment having its own dedicated tab. This includes both the raw metadata of the attachment, as well as rendered images of what the attachment actually looks like.

    Triage Agent Tab

    The Phishing Triage Agent triages each reported phishing email immediately upon collection, summarizing its analysis in the Triage Agent tab. The agent extracts and analyzes email content, flagging any indicators of a potential phishing attempt as a Suspicious Feature. It summarizes its findings and provides an initial triage of the reported phishing email as either a “Phish” or “Not a Phish”. This helps accelerate our analysts' investigation so they can quickly and efficiently make a final assessment.

    Note

    The Triage Agent tab may show results that contradict the final Assessment set for a reported phish (e.g., the Agent tab shows “Not a Phish” but the Assessment is set to “Phish”). This is expected because the Phishing Triage Agent exists to speed up analyst decisions, not replace them. While the agent provides a recommendation based on its initial triage of the reported email, the final Assessment is only ever set by Red Canary’s team of experts after they complete their investigation.

    Right Panel Cards

    The right panel organizes essential data for managing and updating the Assessment efficiently.

    This panel includes:

    • Dropdown Assessment Button:

      • Located at the top of the panel

      • Updates the Assessment status (Not a Phish, Phish)

      • Supports reassessment where necessary

        Note

        Users with the Analyst role can change the Assessment status if needed.

    • Attributes Card:

      • Assessment: Displays the current status

      • Summary: Explains reasoning for Assessment and provides user details of the last update

      • Last Claimed By: Tracks the user who last took responsibility for Assessment

      • Last Claimed At/Collected At: Shows timestamps (UTC) for claiming/collecting the email

      • Collected By: Identifies the collector name

      • Origination: Displays details of the email's original delivery time

      • Message ID: Unique identifier for tracking the email across systems

    • Stats Card:

      • Displays timestamps for Assessment lifecycle events:

        • Collected At: Timestamp for email collection

        • Claimed At: Timestamp for claim activity

        • Assessment First Set: Timestamp for first Assessment

        • Assessment Last Set: Timestamp for last Assessment update

    Activity Timeline

    The Activity section at the bottom of the reported phish offers a collaborative timeline of events and user-added comments related to the Assessment. You can use the pre-built tabs to view different levels of information on the timeline.

    • Activity: Displays a summarized list of Assessment updates, along with all user comments. This includes activities performed by our platform and analysts, such as the Email Analyzer completing its analysis of attachments, the Phishing Triage Agent completing its analysis of suspicious features, and the final Assessment status.

    • Comments: Displays user-added comments from both your team and Red Canary’s team. New comments can be added at the top of the timeline.

      Note

      • Users with the "Analyst" role can view and comment on a reported phish. Users with the "Analyst Viewer" role can only view comments.

      • Red Canary’s team is not notified of any comments added by your team. While it’s possible for our team to comment on a reported phish if deemed necessary, this is not always the case.

    • Automations: Displays the execution status and detailed information about automations that were triggered by the reported phish. While these activities are summarized on the Activity tab, the Automations tab provides a more detailed breakdown of each automation.

    • History: Displays a complete log of all updates made to the Assessment of the reported phish, including changes to the Assessment summary.

