Getting Started with Managed Phishing Response


This guide provides step-by-step instructions for integrating our Managed Phishing Response solution with your reporting button. The process includes:

  1. Assigning roles to give your team access to features

  2. Connecting your reporting button to a Red Canary Collector

  3. Configuring automations for your reported phishes

  4. Viewing reported phishes in the Red Canary portal

Prerequisites

Before you begin, make sure you have the following:

  • You’re an Admin-level user (needed for Steps 1-2)

  • You have a Microsoft Exchange or Google Workspace email environment

  • You’re using a supported inbox reporting button:

    • KnowBe4 Phish Alert (PAB)

    • Proofpoint PhishAlarm

    • Outlook Report (Built-In)

1 Red Canary | Assign Roles to Your Security Team

Assign appropriate user permissions to members of your security team to access Managed Phishing Response. Permissions are role-specific and determine access to capabilities based on your team member’s responsibilities.

User Roles and Permissions

Role: Analyst Viewer

Description: Allows users view-only access of reported phishes

Permissions:

  • View reported phishes and their assessment

  • View automation triggers and playbooks

Role: Analyst

Description: Builds upon Analyst Viewer, allowing users to change assessments and add comments to reported phishes

Permissions:

  • View reported phishes and their assessment

  • View automation triggers and playbooks

  • Modify assessments for reported phishes

  • Add comments to a reported phish’s activity timeline

Role: Admin

Description: Grants users advanced permissions to configure Reported Phish Collectors

Permissions:

  • Create and manage automated triggers and playbooks for reported phishes

  • Access the Phishing > Settings page to create and manage Collectors for reported phishes

    Note

    Admin users must also be assigned the Analyst or Analyst Viewer role to access the Phishing and Phishing > Settings pages in your portal.

Role: Responder

Description: Allows users to configure automations for reported phishes

Permissions:

  • Create and manage automated triggers and playbooks for reported phishes

Role: Technical Contact

Description: Allows users to configure automations for reported phishes

Permissions:

  • Create and manage automated triggers and playbooks for reported phishes

To assign user roles:

  1. Click the user icon at the top right of your Red Canary portal, then click Users & Roles.

  2. Search for a user. If you need to add a new user, enter their email address in the top bar and click Invite.

  3. Assign roles to the user by toggling a role name. Untoggle the role to remove it from the user.

2 Red Canary | Create a Collector

A Collector is a dedicated email address that receives user-reported emails from your reporting button. Once connected, all future reported emails will automatically be forwarded to Red Canary for assessment.

Note

Most organizations only need one Collector, but you should create additional Collectors if you use more than one reporting button or have multiple email environments.

  1. In the Red Canary portal, go to Phishing > Settings and click New Collector.

  2. On the New Collector page, select one Email Environment and one Reporting Product, then use the Description field to add any context relevant to your user-reported phishing workflows.

  3. Click Save.

  4. On the Settings page, locate the new Collector in the list:

    1. Copy the Collector Address.

    2. Click Setup Instructions and follow the button-specific steps shown in the slide-out panel.

3 Red Canary | Configure Automations for Reported Phishes

Set up automated triggers and playbooks to quickly close the loop with reporting users and inform your team of reported phish activities. Triggers define when an automation should begin and can be limited by conditions. They connect to playbooks that group actions you want to take to achieve a goal. These actions can be customized with variables interpolated in at runtime.

Reported Phish Triggers and Conditions

The following triggers are available for reported phishes:

  • When a Reported Phish is collected

  • When a Reported Phish assessment changes

  • When a Reported Phish hasn’t been assessed for 2 hours

The following conditions are available for all reported phish triggers:

  • Reported Phish Assessment

  • Reported Phish Previous Assessment

  • Reported Phish Assessment Summary

  • Reported Phish Reporting User Email

  • Reported Phish Email Subject

  • Reported Phish Email From

  • Reported Phish Email Reply To

  • Reported Phish Email To

  • Reported Phish Collector ID

  • Reported Phish Collector Email Environment

  • Reported Phish Collector Reporting Product

  • Reported Phish Collector Description

  • Time Day of Week

  • Hour of Day

Supported Playbook Actions and Variables

The following playbook actions are available for reported phishes:

  • Send Slack Message

  • Send Microsoft Teams Message

  • Invoke Webhook or API

  • Send Syslog Message

  • Send Email

  • Call Phone Numbers

  • Send SMS Message

The following interpolation variables are available for reported phishes:

| Attribute | Example | Description |
| --- | --- | --- |
| Assessment | $ReportedPhish.assessment | The Assessment of the reported phish, either tbd, phish, or not a phish |
| Assessment Summary | $ReportedPhish.assessment_summary | The reasoning behind or additional notes around the Assessment |
| Collected At | $ReportedPhish.collected_at | The time when the reported phish was collected by Red Canary |
| Collector Description | $Collector.description | Details about the reporting environment associated with the Collector that collected the reported phish |
| Collector Email Environment | $Collector.email_environment | The email environment where the reported phish collected by the Collector originated |
| Collector ID | $Collector.id | The unique Red Canary identifier for the Collector that collected the reported phish |
| Collector Reporting Product | $Collector.reporting_product | The reporting product used to report the reported phish collected by the Collector |
| Email From | $ReportedPhish.email_from | The sender of the reported email |
| Email Message ID | $ReportedPhish.email_message_id | The Message ID of the email (from the Message-ID header) |
| Email Origination Date | $ReportedPhish.email_origination_date | The Origination Date of the email (from the date header, in UTC) |
| Email Reply To | $ReportedPhish.email_reply_to | The reply to address of the reported email |
| Email Subject | $ReportedPhish.email_subject | The subject of the reported email |
| Email To | $ReportedPhish.email_to | The recipients of the reported email |
| Previous Assessment | $ReportedPhish.previous_assessment | The previous Assessment of the reported phish before it was changed |
| Reported Phish ID | $ReportedPhish.id | The unique Red Canary identifier of the reported phish |
| Reporting User Email | $ReportedPhish.reporter_email | The email address of the user who reported the phish |

Recommended Setup

As a starting point, Red Canary recommends three different automations to help you streamline response to reported phishes. Each uses the same base trigger, but applies different conditions and playbooks.

Automation 1: Notify Your Team of a Confirmed Phish

Ensure your team is informed whenever a reported phish is assessed and confirmed to be phishing.

  1. In your Red Canary portal, navigate to Automation.

  2. On the Automation page, click Configure new trigger.

  3. Select When a Reported Phish assessment changes.

  4. Click Add condition and set it to Reported Phish > Assessment > is > Phish.

  5. Click Connect playbook and select Create a new playbook.

  6. Click Add Action, then select Send Email and configure:

    1. To: Enter email addresses for your security team

    2. Subject: Customize the subject (e.g., “Red Canary Confirmed Phish Assessment”)

    3. Template: Select “Reported Phish Summary”

  7. Once you’re done editing the automated email, click Save.

Example: Email Configuration for “Phish” Escalations

The following image shows a sample Send Email configuration:

Example: Reported Phish Summary Template

The following image shows how the template renders as an email notification:

Automation 2: Notify Reporters When They Catch a Phish

Send timely feedback to close the loop with users when they report an email that’s confirmed as a Phish.

  1. On the Automation page, click Configure new trigger.

  2. Select When a Reported Phish assessment changes.

  3. Click Add condition and set it to Reported Phish > Assessment > is > Phish.

  4. Click Add condition and set it to Reported Phish > Previous Assessment > is not present.

  5. Click Connect playbook, then select Create a new playbook.

  6. Click Add Action, then select Send Email and configure:

    1. From: Set a custom sender address users will recognize

    2. To: $ReportedPhish.reporter_email

    3. Subject: Customize the subject (e.g., “You caught a Phish!”)

    4. Template: Select “Custom Freeform Email with Markdown rendered into HTML”

    5. Message: Customize the email using markdown and interpolation variables

  7. Once you’re done editing the automated email, click Save.

Example: Email Configuration for “Phish” Feedback

Automation 3: Notify Reporters When Their Email is Not a Phish

Send timely feedback to close the loop with users when they report an email that is Not a Phish.

  1. On the Automation page, click Configure new trigger.

  2. Select When a Reported Phish assessment changes.

  3. Click Add condition and set it to Reported Phish > Assessment > is > Not a Phish.

  4. Click Add condition and set it to Reported Phish > Previous Assessment > is not present.

  5. Click Connect playbook, then select Create a new playbook.

  6. Click Add Action, then select Send Email and configure:

    1. From: Set a custom sender address users will recognize

    2. To: $ReportedPhish.reporter_email

    3. Subject: Customize the subject (e.g., “Feedback on the email you reported”)

    4. Template: Select “Custom Freeform Email with Markdown rendered into HTML”

    5. Message: Customize the email using markdown and interpolation variables

  7. Once you’re done editing the automated email, click Save.

Example: Email Configuration for “Not a Phish” Feedback
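
A draft Message for the reporter feedback emails in Automations 2 and 3 can be checked offline before it is pasted into the portal. The sketch below is an added example, not Red Canary code: it flags variables that are not in the interpolation table on this page and lists those whose values come from the reported email's headers, which the email's sender chose. The variable-matching pattern, the function names, the draft text and the sample values are assumptions made for illustration.

```python
import difflib
import re

# Variables from the interpolation table on this page.
SUPPORTED = {"$ReportedPhish." + n for n in (
    "assessment assessment_summary collected_at email_from email_message_id "
    "email_origination_date email_reply_to email_subject email_to "
    "previous_assessment id reporter_email").split()}
SUPPORTED |= {"$Collector." + n for n in
              "description email_environment id reporting_product".split()}
# Values copied from the reported message's headers are chosen by its sender.
SENDER_CONTROLLED = {"$ReportedPhish.email_" + n for n in
                     "from message_id origination_date reply_to subject to".split()}
# Assumption: a variable looks like "$Name.field"; the portal's parser may differ.
VAR_RE = re.compile(r"\$[A-Za-z]+\.[a-z]+(?:_[a-z]+)*")


def lint_template(text):
    """Return (unknown, sender_controlled) for the variables used in a draft."""
    used = sorted(set(VAR_RE.findall(text)))
    unknown = {}
    for var in used:
        if var not in SUPPORTED:
            # Map a likely typo to the closest documented variable, if any.
            hint = difflib.get_close_matches(var, sorted(SUPPORTED), n=1)
            unknown[var] = hint[0] if hint else None
    return unknown, [v for v in used if v in SENDER_CONTROLLED]


def preview(text, values):
    """Substitute sample values; anything without a value stays visible."""
    return VAR_RE.sub(lambda m: values.get(m.group(0), m.group(0)), text)


# Constructed draft for the "You caught a Phish!" message; it has one typo.
DRAFT = """\
**Thanks for reporting!**

The email "$ReportedPhish.email_subject" from $ReportedPhish.email_from
was assessed as **$ReportedPhish.assessment**.
Reference: $ReportedPhish.id (reported by $ReportedPhish.reporter_emial).
"""
# Constructed sample values, not real report data.
SAMPLE = {"$ReportedPhish.email_subject": "Invoice overdue",
          "$ReportedPhish.email_from": "billing@example.test",
          "$ReportedPhish.assessment": "phish", "$ReportedPhish.id": "RP-0001"}

if __name__ == "__main__":
    print(lint_template(DRAFT))
    print(preview(DRAFT, SAMPLE))
```

Variables reported as sender-controlled are worth previewing with hostile-looking sample values, since this page does not state how they are escaped when the Markdown message is rendered into HTML.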

4 Red Canary | View Reported Phishes

View all reports directly in your Red Canary portal. These reports provide full visibility into the email's contents and metadata, both before and after Red Canary completes its Assessment, allowing you to monitor emails that are still pending an Assessment decision.

To learn more about navigating a reported email, see Navigating Phishing Reports in Red Canary.