A Phish Alert Report email notification will be sent to your specified email addresses when a user reports a suspected phishing email outside of a simulation.
NOTE: This requires the Forward Suspected Phishing Emails setting to be enabled on your Phish Alert Button settings.
The notification will look like this:
The notification email will include (depending on your Phish Alert settings):
Summary Details
Here is what the summary components of the report email mean.
Recipient
User who submitted the suspected phishing email
Sender
The sender of the phishing email
Subject
The subject of the phishing email
Received At
The date/time the email was received in UTC
Message ID
This is the unique identifier generated by the outgoing email server or client
It can be used in an Exchange message trace
Network Message ID
This ID is assigned by Exchange when it processes an email. It corresponds to the X-MS-Exchange-Organization-Network-Message-Id message header.
This can be used to manually submit an email to Microsoft for analysis as a suspected phish via the Microsoft 365 Security portal
There will also be a table summarising the suspected email’s attachments if present.
EML attachment
NOTE: This requires the Include Suspected Email as EML file attachment setting to be enabled in your Phish Alert Button settings.
The report notification will include an EML file attachment containing a reproduction of the suspected phishing email.
The notification’s body will inform you of the method used to construct the EML file. We currently offer 2 message data retrieval approaches.
Office JavaScript API
This is the data provided by the Outlook Add-in. It provides enough data to give the summary in the notification and the body of the suspected email but in a sanitised form. It can’t provide message headers or attachments. The EML may appear strange when opened as a result.
MS Graph API
We use the authorisation provided at add-in install, or during sideloading testing, to retrieve message data, provided the Retrieve Message Data via the MS Graph API on Behalf of a User using SSO setting is enabled.
This will include a less sanitised version of the email body and its message headers, plus its attachments if the Include Suspected Email's Attachments in EML File option is enabled.
The EML generation process takes a graceful degradation approach, so if the MS Graph load fails we fall back to the Office JavaScript API data.
IMPORTANT NOTE: You should only open the EML file in a sandboxed environment such as Windows Sandbox or a VM.
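For triage inside that isolated environment, the EML can be read statically rather than opened in a mail client. The following is an added example, not code from the product: it pulls the Message ID and Network Message ID, hashes any attachments in memory, and flags an EML that carries no transport headers, as expected from the Office JavaScript API fallback. The function name triage_eml, both sample messages and the header layout of the generated EML are assumptions.

```python
import hashlib
from email import policy
from email.parser import BytesParser

NETWORK_ID_HEADER = "X-MS-Exchange-Organization-Network-Message-Id"

# Constructed sample: an EML as it might look when built from MS Graph data.
SAMPLE_GRAPH = (
    b"Received: from mail.example.test by mx.example.test; 1 Jan 2024 10:00:00 +0000\r\n"
    b"From: Billing <billing@example.test>\r\n"
    b"Subject: Invoice overdue\r\n"
    b"Message-ID: <constructed-1@example.test>\r\n"
    b"X-MS-Exchange-Organization-Network-Message-Id: 00000000-0000-0000-0000-000000000001\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nPlease see attached.\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\naGVsbG8=\r\n--b1--\r\n"
)
# Constructed sample: a fallback EML with no message headers or attachments.
SAMPLE_FALLBACK = (
    b"From: Billing <billing@example.test>\r\n"
    b"Subject: Invoice overdue\r\n"
    b"Content-Type: text/html\r\n\r\n<p>Please see attached.</p>\r\n"
)

def triage_eml(raw: bytes) -> dict:
    """Parse an EML without rendering the body or writing attachments to disk."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    def header(name):
        value = msg[name]
        return str(value) if value is not None else None

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # None for nested messages
        attachments.append({"filename": part.get_filename(),
                            "content_type": part.get_content_type(),
                            "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
    return {"from": header("From"), "subject": header("Subject"),
            "message_id": header("Message-ID"),                # for a message trace
            "network_message_id": header(NETWORK_ID_HEADER),   # for a manual submission
            # Heuristic (assumption): no Received lines means fallback data.
            "has_transport_headers": bool(msg.get_all("Received")),
            "attachments": attachments}
```

The attachment hashes can be compared against the attachment table in the notification or looked up in a reputation service without the file ever being executed.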