Navigating Phishing Reports in Red Canary

This guide outlines the portal’s key components and features for reported phishes, where you can view and modify phish assessments, collaborate with team members, and maintain detailed audit trails.

Note

Users must have an Analyst or Analyst View role to view and manage phishing reports.

View All Reported Phishes

In your Red Canary portal, click Phishing to view all a list of all user-reported phishing emails. From here, you can filter and share reports on demand.

Navigate a Reported Phish

On the Phishing page, click on a report to view its details.

Assessment Header Card

The Assessment Header provides a holistic summary of the reported phishing email and its assessment status to help you quickly gauge the situation.

This card includes:

• Reported Phish Details:

  • Displays the subject line of the reported phish.

  • Shows the "From" address (email sender).

  • Displays the reporter's email address (the user who reported the phishing email).

  • Indicates the date and time the email was collected, in UTC.

• Colored Header Border:

  • Red Border: Email assessed as a Phish.

  • Blue Border: Email assessed as Not a Phish.

  • Gray Border: Email assessment status is TBD (awaiting assessment).

Reported Email Card

The Reported Email contains essential metadata to help analyze the origin and authentication of the phishing email.

This card includes:

• Email Metadata:

  • From: Displays the sender's email address

  • Auth-Results and Auth-Results-Orig: Provides email authentication results (SPF, DKIM, DMARC checks)

  • ARC-Auth-Results: Shows authentication chain results if applicable

  • To: Displays the recipient's email address

  • Subject: Displays the subject line

  • Reply-To: Indicates the address replies will be directed to

  • Return Path: Displays the address used for bounce messages

Message URLs Card

The Message URLs card helps identify suspicious content by breaking down domains and URLs found in the reported phishing email.

This card includes:

• Email Domains:

  • Displays "From" and "Reply-To" domains.

  • Highlights unique or mismatched domains with visual borders and numbering/lettering for grouping.

• URLs in Email:

  • Groups URLs by host domain.

  • Displays each URL, along with any associated text within the email.

  • Includes hoverable popovers to view full URL details.

• Domain Helpers:

  • Quick links to external tools for investigation:

    • Whois: View domain registration details.

    • Shodan: Gather IP intelligence.

    • VirusTotal: Scan domains or URLs for threats.

Attachments Card

The Attachments card displays information about any files included in the reported phishing email, enabling file-based analysis.

This card includes:

• Attachment Details:

  • File Name: Name of each attachment.

  • File Type: Indicates the type of file (e.g., PDF, DOCX, ZIP).

  • File Size: Shows the size of the file in bytes.

  • Link: Click to see a detailed attachment view within the Email Message card.

Email Message Card

The Email Message card provides an in-depth, organized view of the reported phishing email. A tabbed layout ensures ease of navigation while supporting thorough analysis.

This card includes:

• Headers Tab:

  • Displays complete multipart/mixed headers, including routing metadata.

  • Essential for identifying email paths and detecting header manipulation.

• Summary Tab:

  • Content-Transfer-Encoding: Explains encoding methods (e.g., base64, quoted-printable).

  • Content-Type: Specifies the rendering format (text/plain, text/html).

  • Highlights URLs in plain text for efficient link analysis.

• Body Tabs:

  • text/html Body: Displays formatted email content as seen by the recipient.

  • text/html <body>: Focuses on raw content within the <body> tag, removing additional markup.

• Attachments Tab:

  • Dedicated tabs for file types like PDFs and images information displayed:

    • Content-Description: Brief description from the metadata.

    • Content-Disposition: Indicates display intent (inline or downloadable).

    • Content-ID: Unique identifier for referencing internal content.

    • Content-Transfer-Encoding: Specifies encoding methods (e.g., base64).

    • Content-Type: MIME type of the file (e.g., PDF, PNG).

    • MD5 & SHA256 Hashes: Cryptographic hashes for verifying or correlating files.

    • Strings Dropdown: Extracts readable strings for identifying embedded URLs or text.

    • Render Dropdown: Provides safe preview rendering of images and PDFs.

Right Panel Cards

The right panel organizes essential data for managing and updating the assessment efficiently.

This card includes:

• Dropdown Assessment Button:
  

  • Located at the top of the panel.

  • Updates the assessment status (TBD, Not a Phish, Phish).

  • Supports reassessment where necessary.

• Attributes Card:
  

  • Assessment: Displays the current status.

  • Summary: Explains reasoning for assessment and provides user details of the last update.

  • Last Claimed By: Tracks the user who last took responsibility for assessment.

  • Last Claimed At/Collected At: Shows timestamps (UTC) for claiming/collecting the email.

  • Collected By: Identifies the collector name.

  • Origination: Displays details of the email's original delivery time.

  • Message ID: Unique identifier for tracking the email across systems.

• Stats Card:
  

  • Displays timestamps for assessment lifecycle events:

    • Collected At: Timestamp for email collection.

    • Claimed At: Timestamp for claim activity.

    • Assessment First Set At: Timestamp for first assessment.

    • Assessment Last Set: Timestamp for last assessment update.

Activity Timeline

The Activity section at the bottom of the reported phish offers a collaborative timeline of events and user-added comments related to the assessment. Users can use the pre-built tabs to view different levels of information on the timeline.

• Activity: This tab displays a summarized list of assessment updates, along with all user comments. This includes activities performed by our platform and analysts, such as the Email Analyzer completing its analysis of attachments, the Phishing Triage Agent completing its analysis of suspicious features, and our analysts claiming the reported phish to finalize their assessment.

• Comments: This tab displays a list of user-added comments only, which can be added by your team or Red Canary’s team at the top of the timeline.

  Note

  • Users must be assigned the "Analyst" role to comment on a reported phish.

  • Users with the "Analyst Viewer" role can only view comments.

  • Red Canary’s team is not notified of any comments added by your team. While it’s possible for our team to comment on a reported phish if deemed necessary, this is not always the case.

• Automations: This tab displays the execution status and detailed information about automations that were triggered by the reported phish. While these activities are summarized on the Activity tab, the Automations tab provides a more detailed breakdown of each automation.

• History: This tab displays a complete log of all updates made to the assessment of the reported phish, including changes to the assessment summary.