PhishHunter Overview
Introduction
In order to use PhishHunter, learners must use PhishNotify™ to report emails. PhishHunter analyzes links, domains, and files attached to suspicious emails reported by learners and assigns a threat score to every email. This enables organizations to identify which emails are most likely to be malicious and automatically organize them by importance, helping to prioritize responses and quickly mitigate email threats.
There are three main components to PhishHunter:
- Analyst Console: An inbox that contains all the emails reported by learners in the organization using PhishNotify.
- Notifications: Admins can create notifications on this page that can either be sent to learners manually, or sent automatically via a rule in the Orchestration Center.
- Orchestration Center: Allows admins to create rules based on certain values in the email headers. These rules can assign threat scores, add tags automatically, and send notifications to the reporter.
Analyst Console
The Analyst Console serves as an inbox that contains all the emails reported by learners using PhishNotify. The Analyst Console has four main sections:
- Inbox: This is where all reported, unreviewed emails are available. The “Important” section of the inbox will contain all emails that have been reviewed and that have a threat score greater than 0%. Any email that is currently under analysis, or has a threat score of 0%, will appear in the “Everything Else” section.
- Reviewed: Any email that has been marked as reviewed will show up in this section. Reviewed emails can be marked as Unreviewed to return them to the Inbox.
- Phishing: Any email that was marked as phishing will show up in this section.
- Trash: Any email that has been deleted will show up in this section. Emails in the trash can be restored if further review is needed.
Click the email’s subject to view the details of a message. Once inside the message, admins can easily and safely investigate the individual components of the message.

Below the four main sections is a listing of all tags that have been created. Click on any tag to see all emails where that tag has been applied.
Reported Email Options
The following actions are available when hovering over an email in the console:
- Delete: Moves the email into the Trash folder in PhishHunter.
- Mark as Reviewed: Moves the email from the inbox and into the “Reviewed” Folder.
- Mark as Phishing Attack: Moves the email from the inbox and into the “Phishing” folder.
- Send Notification: Allows an admin to select which notification to manually send to the reporter.
- Edit or Add Tags: Allows for the categorization of threats for further review and analysis in a single queue. Multiple tags can be assigned to a single email so a message can be tagged based on attack type, content, sender, or any custom tag assigned to the message.
Using folders and tags allows messages to be organized for further review, freeing up the inbox for new emails.
Notifications
Notifications allow admins to follow up with learners after a message has been analyzed. Once a notification has been created, it can be manually triggered from the list view or message view, or the notification can be automated through the Orchestration Center. It is recommended to create at least two notifications: one for safe messages, and one for malicious messages. Additional notifications can be created as needed for different audiences or more customized responses.
To create a PhishHunter notification, navigate to PhishHunter > Notifications > New Notification to launch the notification editor.
- Notification Name: how the notification will be identified by IQ admins when sending to a learner.
- Subject: the subject of the email received by the learner.
- Notification Type: PhishHunter is the only option at this time.
The WYSIWYG editor is used for the body of the email and allows text formatting, hyperlinks, images, tables, and more. The editor also supports variables for customizing the notifications, e.g. inserting the learner’s name into the message. Click here to learn more about notifications, the variables supported, and for a sample notification.
Orchestration Center
Orchestration Center allows PhishHunter actions to be automated. The following actions can be automated based on values in the email headers:
- Modify the email’s threat score
  - Admins have the option to increase or decrease the score by a certain percentage, or to set the malicious score
- Add one or more tags
- Send notifications to the reporter
  - A notification will need to be created beforehand
  - The notification is sent once the analysis is fully completed
In the example below, an admin creates a rule that matches a known malicious sender, spammer@example.com, and uses the rule to set the malicious message score to 90, apply the “spam” tag, and notify the reporter. All of the actions are optional, but at least one must be enabled in order to create the rule.
When adding rules and conditions, it is important to understand how the logic works. Multiple rules are processed with OR logic: when a message is processed, actions are triggered if any one of the rules matches, e.g. Rule1 OR Rule2. Multiple conditions within a rule are processed with AND logic, meaning that all of that rule's conditions must be met for the rule to trigger.
If later rules aren’t needed once a rule condition is met, then enable the setting “Halt execution of subsequent rules” on that rule.
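The rule logic described above, modelled as an added example (this is not PhishHunter's code or API). The `Rule` class, `process` function, rule names, and sample headers are hypothetical; it assumes case-insensitive substring matching on header values and treats score adjustments as percentage points clamped to 0..100.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                       # hypothetical model, not a PhishHunter type
    name: str
    conditions: dict              # header -> substring; ALL must match (AND)
    set_score: Optional[int] = None
    adjust: int = 0               # assumed: percentage points, clamped 0..100
    tags: tuple = ()
    notify: Optional[str] = None  # name of a notification created beforehand
    halt: bool = False            # "Halt execution of subsequent rules"

    def matches(self, headers):
        h = {k.lower(): v.lower() for k, v in headers.items()}
        return bool(self.conditions) and all(
            want.lower() in h.get(name.lower(), "")
            for name, want in self.conditions.items())

def process(headers, rules, score=0):
    """Apply every matching rule in order (OR across rules) until one halts."""
    fired, tags, notices = [], [], []
    for rule in rules:
        if not rule.matches(headers):
            continue
        fired.append(rule.name)
        if rule.set_score is not None:
            score = rule.set_score
        score = max(0, min(100, score + rule.adjust))
        tags += [t for t in rule.tags if t not in tags]
        if rule.notify:
            notices.append(rule.notify)
        if rule.halt:             # later rules are skipped for this message
            break
    return {"fired": fired, "score": score, "tags": tags, "notify": notices}

# Constructed rules; the first mirrors the spammer@example.com rule, with halt on.
RULES = [
    Rule("known-spammer", {"From": "spammer@example.com"}, set_score=90,
         tags=("spam",), notify="Malicious message", halt=True),
    Rule("external-invoice", {"Subject": "invoice", "Reply-To": "@example.net"},
         adjust=20, tags=("invoice",)),
    Rule("bulk-mailer", {"X-Mailer": "bulkmail"}, adjust=10, tags=("bulk",)),
]
# Constructed sample headers for three reported emails.
MSG_A = {"From": "Spammer <spammer@example.com>", "Subject": "Invoice attached",
         "Reply-To": "pay@example.net"}
MSG_B = {"From": "billing@example.org", "Subject": "Invoice overdue",
         "Reply-To": "pay@example.net", "X-Mailer": "BulkMail 2.1"}
MSG_C = {"From": "billing@example.org", "Subject": "Invoice overdue"}
```

`process(MSG_A, RULES)` stops after the first rule because of the halt setting, even though the invoice rule would also match; `MSG_C` triggers nothing because the invoice rule's second condition (Reply-To) is not met.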