Navigating Reported Phishes in Red Canary
    • 16 Jan 2026


    This guide outlines key tools and features of Managed Phishing Response, where you can review and modify Assessments, collaborate with team members, and maintain detailed audit trails.

    Note

    Users must have an Analyst or Analyst Viewer role to view and manage reported phishes.

    View Reported Phishes

    In the Red Canary portal, click Phishing to view all reported phishes we’ve collected from your environment. You can filter by specific attributes or date range, and use the download button to export the results.

    Navigate a Reported Phish

    From the Phishing page, click on the ID for any reported phish to view its details.

    Assessment Header Card

    The Assessment Header provides a high-level overview of the reported phishing email and its assessment status.

    This card includes:

    • Reported phish details:

      • The subject line of the reported phish

      • The "From" address (email sender)

      • The reporter's email address (the user who reported the phishing email)

      • The date and time the email was collected, in UTC

    • Colored Header Border:

      • Red: The email is assessed as a confirmed Phish

      • Blue: The email is assessed as Not a Phish

      • Gray: Email Assessment status is TBD (awaiting assessment)

    Suspicious Feature Badges

    At the top of each reported phishing email, you’ll see yellow badges highlighting any suspicious features within the email that were identified, such as Unexpected Attachments, Generic Greetings, or Impersonation. These badges are assigned by our Phishing Triage Agent, a specialized AI designed to analyze email content and assist analysts in identifying potential phishing threats.

    To view a summary of the Triage Agent’s findings, click the Triage Agent tab.

    Overview Tab

    The Overview tab displays all of the email’s metadata and key details, helping you assess whether the email is a Phish or Not a Phish. See the sections below for descriptions of each component found in the Overview tab.

    Reported Email Card

    The Reported Email card contains essential metadata to help analyze the origin and authentication of the phishing email.

    This card includes:

    • Email Metadata:

      • From: Displays the sender's email address

      • Auth-Results and Auth-Results-Orig: Provides email authentication results (SPF, DKIM, DMARC checks)

      • ARC-Auth-Results: Shows authentication chain results if applicable

      • To: Displays the recipient's email address

      • Subject: Displays the subject line

      • Reply To: Indicates the address replies will be directed to

      • Return Path: Displays the address used for bounce messages

      • Origination: Displays details of the email's original delivery time

      • Message ID: Unique identifier for tracking the email across systems

    Message URLs Card

    The Message URLs card helps identify suspicious content by breaking down domains and URLs found in the reported phishing email.

    This card includes:

    • Email Domains:

      • Displays "From" and "Reply-To" domains

      • Highlights unique or mismatched domains with visual borders and numbering/lettering for grouping

    • URLs in Email:

      • Groups URLs by host domain

      • Displays each URL, along with any associated text within the email

      • Includes hoverable popovers to view full URL details

    • Domain Helpers:

      • Icons link to the following external investigative tools, helping you gather critical domain information:

        • Whois: Retrieves domain registration details, including ownership and contact information

        • Shodan: Provides hosting information, such as server location (country and city), IP ownership, and a list of open services or ports

        • VirusTotal: Analyzes suspicious files, domains, IPs, and URLs to detect malware and potential security breaches
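    The checks an analyst reads off the Reported Email and Message URLs cards can be reproduced on a raw message. The following is an added example, not Red Canary's code: it reads the standard Authentication-Results header, compares the From, Reply-To and Return-Path domains, and groups body URLs by host. The sample message, its domains and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample report (placeholder domains, not a real message).
SAMPLE = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce.example.net; dkim=none; dmarc=fail header.from=example.com
From: "IT Support" <support@example.com>
Reply-To: helpdesk@example.net
Return-Path: <bounce@bounce.example.net>
To: user@example.org
Subject: Password expiry
Message-ID: <constructed-001@example.net>
Content-Type: text/plain

Reset here: https://login.example.net/reset?id=1
Policy: https://example.com/policy and https://login.example.net/help
"""

def domain_of(header_value):
    """Return the lowercased domain of an address header, or None if absent."""
    addr = parseaddr(header_value or "")[1]
    _, at, dom = addr.rpartition("@")
    return dom.lower() if at and dom else None

def auth_verdicts(msg):
    """Map spf/dkim/dmarc to the verdict in the first Authentication-Results header."""
    value = msg.get("Authentication-Results", "")
    found = re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)
    return {m.group(1).lower(): m.group(2).lower() for m in found}

def triage(raw):
    """Collect auth verdicts, sender-domain mismatches and URLs grouped by host."""
    msg = message_from_string(raw)
    domains = {h: domain_of(msg.get(h)) for h in ("From", "Reply-To", "Return-Path")}
    # Exact string comparison; subdomains of the From domain also count as mismatches.
    mismatched = sorted(h for h, d in domains.items() if d and d != domains["From"])
    urls_by_host = defaultdict(list)
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = (urlsplit(url).hostname or "").lower()
        urls_by_host[host].append(url)
    return {"auth": auth_verdicts(msg), "domains": domains,
            "mismatched": mismatched, "urls_by_host": dict(urls_by_host)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

    A DMARC failure combined with a Reply-To domain that differs from the From domain, as in the constructed sample, is the kind of combination these cards are designed to surface.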

    Attachments Card

    The Attachments card displays information about any files included in the reported phishing email, enabling file-based analysis.

    This card includes:

    • Attachment Details:

      • The attachment name

      • The file type

      • The file’s size

      • Clickable links to view details in the main Email Message card

    Email Message Card

    The Email Message card provides an in-depth, organized view of the reported phishing email. A tabbed layout ensures ease of navigation while supporting thorough analysis.

    This card includes:

    • Headers: Displays complete multipart/mixed headers, including routing metadata, which is essential for analyzing delivery paths and identifying header manipulation

    • Summary: Displays the message’s body converted to Markdown, removing email security banners, demystifying links that were obfuscated/protected by email security tools, and consolidating <table> elements and extra whitespace

    • Body: Displays the HTML message body in its original view

    • <body>: Displays the message body without the generally unhelpful HTML attributes and tags

    • Attachments: Displays a detailed overview of any file and image attachments included in the reported phish, with each attachment having its own dedicated tab. This includes both the raw metadata of the attachment, as well as rendered images of what the attachment actually looks like.

    Triage Agent Tab

    The Triage Agent tab displays a summary of the Phishing Triage Agent's findings for each reported phishing email, including extracted and analyzed email content and any indicators flagged as a Suspicious Feature. It provides an initial assessment, categorizing the email as a confirmed Phish or Not a Phish, helping to accelerate our analysts' investigations before they set the final Assessment.

    Note

    The Triage Agent tab may show results that contradict the current Assessment set for a reported email (e.g., the Triage Agent tab shows Not a Phish but the high-level Assessment status is set to Phish). This is expected because the Agent has no ability to set an actual Assessment for any reported phishing email; it only provides a recommendation based on its triage of the email. This ensures humans make the final decision when setting the final Assessment.

    Right Panel Cards

    The right panel organizes essential data for managing and updating the Assessment efficiently:

    • Dropdown Assessment Button:

      • Located at the top of the panel

      • Updates the Assessment status (Not a Phish, Phish)

      • Supports reassessment where necessary

        Note

        Users with the Analyst role can change the Assessment status if needed.

    • Attributes Card:

      • Assessment: Displays the current Assessment status

      • Summary: Explains reasoning for Assessment and provides user details of the last update

      • Last Claimed By: Tracks the user who last took responsibility for Assessment

      • Last Claimed At: Shows when a Red Canary analyst last claimed the email for Assessment

      • Collected At: Shows when Red Canary first collected the reported email for Assessment

      • Collected By: Identifies the Collector that collected the reported email

    • Stats Card:

      • Displays timestamps for Assessment lifecycle events:

        • Collected At: Timestamp for email collection

        • Claimed At: Timestamp for claim activity

        • Assessment First Set: Timestamp for first Assessment

        • Assessment Last Set: Timestamp for last Assessment update

    Activity Timeline

    The Activity section at the bottom offers a collaborative timeline of events and user-added comments related to the Assessment. Click the tabs to view activity details like Assessment status changes, Phishing Triage activity, and user comments.

    • Activity: Displays a summarized list of Assessment status updates, along with all user comments. This includes activities performed by our platform and analysts, such as the Email Analyzer completing its analysis of attachments, the Phishing Triage Agent completing its analysis of suspicious features, and the final Assessment status.

    • Comments: Displays user-added comments from both your team and Red Canary’s team. New comments can be added at the top of the timeline.

      Note

      • Users with the "Analyst" role can view and comment on a reported phish. Users with the "Analyst Viewer" role can only view comments.

      • Red Canary’s team is not notified of any comments added by your team. While it’s possible for our team to comment on a reported phish if deemed necessary, this is not always the case.

    • Automations: Displays the execution status and detailed information about automations that were triggered by the reported phish. While these activities are summarized on the Activity tab, the Automations tab provides a more detailed breakdown of each automation.

    • History: Displays a complete log of all updates made to the Assessment of the reported phish, including changes to the Assessment summary.

