Login
        Contents x
        Managed Phishing Response FAQ
        • 20 Aug 2025
        • 1 Minute to read
        • PDF
        Contents

        Managed Phishing Response FAQ

        • Updated on 20 Aug 2025
        • 1 Minute to read
        • PDF
        Article summary

        Can identity response actions be triggered and executed for reported phishes?

        Identity response actions visible in the playbook action setup cannot be executed from reported phish assessments. For example, attaching the action Suspend Entra ID User to a reported phish trigger with user email addresses defined in trigger conditions will not successfully execute the action.

        Can I get reported phish notifications through Slack, Teams, etc?

        Yes. You can add automated actions to playbooks to notify your team of reported phish information using third-party systems such as Slack, Teams, or Webhooks. Simply add the action to a playbook, then customize the fields using your desired [reported phish object attributes](link to “Customize Response Notifications” in the Getting Started doc).

        Are reported phishes accessible over Red Canary’s API?

        Yes. Red Canary’s API allows you to fetch a list of all reported phishes and view the details for any reported phish assessment. See Getting Started with Red Canary REST API.

        What do the numbers/letters with colored borders represent in the Message URLs card?

        The Message URLs Card on a Reported Phish helps identify suspicious content by breaking down domains and URLs found in the reported phishing email. The card displays the "From" and "Reply-To" domains, using borders with numbers and letters to highlight unique or mismatched domains. The borders group domains visually for quick comparison, whereas the numbers and letters indicate different domain groups for easier identification.

        How do I change a completed Assessment for a reported phish in my portal?

        Users with the Analyst role enabled can manage reported phish assessments alongside Red Canary’s team. This includes setting a “TBD” assessment to “Phish” or “Not a Phish”, as well as changing a completed assessment to another result (including back to “TBD”). To change an assessment in your portal:

        1. Click on the assessment dropdown on any reported phish page.

        2. Select the assessment: TBD, Not a Phish, or Phish.

        3. Modify the Assessment summary.

        4. Click Save.

        Note

        Changing a completed assessment can re-trigger automated playbooks depending on the conditions set within your reported phish automation triggers. For example, if you change an assessment already completed by Red Canary, Red Canary’s team will get notified to review the updated assessment. This helps us improve quality and ensures we agree with the updated assessment. Depending on the change, our team may provide feedback or insight into our initial decision by commenting on the reported phish's activity timeline.

        Was this article helpful?
        What's Next
        Change password!
        Changing your password will log you out immediately. Use the new password to log back in.
        Change profile
        Success!
        First name must have atleast 2 characters. Numbers and special characters are not allowed.
        Last name must have atleast 1 characters. Numbers and special characters are not allowed.
        Enter a valid email
        Enter a valid password
        Your profile has been successfully updated.
        Logout