Table of Contents
- Introduction
- Install PhishNotify
- Configure PhishNotify Behavior
- Quarantine
- Reported Email Filters
- Reported Email Summaries
- PhishNotify Integrations
Introduction
PhishNotify integrates with either Outlook or Gmail and allows users to report suspicious emails to your response teams without the risks associated with forwarding emails. When learners report an email, they receive confirmation either that the reported message was a PhishSim email or that it was not part of a simulation. When a non-simulation email is reported, the message can be reviewed in quarantine for up to 14 days.
Install PhishNotify
PhishNotify is available as an add-on for Outlook or Gmail. To get started, browse to PhishNotify & PhishHunter > PhishNotify setup. Instructions are available here for each version:
Legacy
Click “See more” to access the legacy Outlook client version of PhishNotify. This version of PhishNotify is no longer under active development, and the XML version should be used whenever possible.
Configure PhishNotify Behavior
Next you’ll configure what happens with reported emails.
- Save email contents and attachments: The email and all attachments will be available in quarantine for up to 14 days.
- Bypass Infosec IQ: Learners will still receive feedback on reported messages, but no part of the email will be permanently stored in Infosec IQ. This is typically used in conjunction with the PhishNotify integrations feature.
- Only save metadata: The email will not be available in Infosec IQ, but you’ll be able to see the sender, recipient, and subject line.
The next section determines what happens to the message in the user’s inbox once it’s reported.
The final section allows you to customize the messages that are displayed to learners when reporting emails.
Quarantine
Navigate to PhishNotify & PhishHunter > Quarantine to see the list of reported emails. Quarantine allows you to review user-reported emails. Email contents will be stored for 14 days, after which time you will only be able to see sender, recipient, and subject line. Click the download button to export a csv file of all emails in quarantine.
Manage Quarantined Emails
From the message list, clicking the menu will give you a list of available actions that can be performed on that message:
- Preview: Displays a preview of the reported email in your browser. You can also download attachments or click Show Original to view the email source code.
- Download: Download a copy of the reported email as an eml file including all attachments.
- Delete: Deletes the message from quarantine.
Reported Email Filters
Reported email filters keep clutter out of quarantine. For example, if users continually report internal emails or emails from a popular shopping website, you can create a rule that filters these emails from quarantine. Rules can match on the email subject, the value of a header in the email, or both. You can add multiple rules for more sophisticated filtering and create multiple conditions per rule. Note that multiple conditions within a rule are combined with AND, and multiple rules are combined with OR. Click Add Rule to get started.
- Name: provide a name that helps you identify the rule.
- Condition Type: you can choose between Subject or Header. The Subject option is great for basic filtering, whereas the Header option is more advanced and requires inspection of email headers.
- When the Subject/Header: select is, contains, starts with, or matches (regex).
- Value: enter the condition.
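To check how a rule set behaves before adding it, the sketch below models the AND/OR logic described above and runs it over two sample messages. It is an added example, not Infosec IQ code: the tuple layout, the `X-Originating-Org` header name, case-sensitive matching, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages (not real reports).
INTERNAL = """From: hr@corp.example
To: learner@corp.example
Subject: Benefits enrollment reminder
X-Originating-Org: corp.example

Open enrollment closes Friday.
"""
LOOKALIKE = """From: hr@corp-example.example
To: learner@corp.example
Subject: Benefits enrollment reminder

Sign in to confirm your benefits.
"""

# The four comparison choices listed above (case-sensitive here by assumption).
OPS = {
    "is": lambda actual, value: actual == value,
    "contains": lambda actual, value: value in actual,
    "starts with": lambda actual, value: actual.startswith(value),
    "matches": lambda actual, value: re.search(value, actual) is not None,
}

def condition_holds(msg, cond):
    """cond = (condition_type, header_name_or_None, operator, value)."""
    ctype, header, op, value = cond
    actual = msg.get("Subject" if ctype == "Subject" else header)
    if actual is None:  # a missing header never satisfies a condition
        return False
    return OPS[op](actual.strip(), value)

def is_filtered(raw, rules):
    """True if ANY rule (OR) has ALL of its conditions (AND) satisfied."""
    msg = message_from_string(raw)
    return any(bool(conds) and all(condition_holds(msg, c) for c in conds)
               for conds in rules.values())  # an empty rule matches nothing

# Subject-only rule: also drops a same-subject message from another sender.
SUBJECT_ONLY = {"HR reminders": [("Subject", None, "starts with", "Benefits enrollment")]}
# Adding a Header condition (hypothetical header, assumed to be stamped by
# your own mail gateway) narrows the rule to mail that is really internal.
SUBJECT_AND_HEADER = {"HR reminders": [
    ("Subject", None, "starts with", "Benefits enrollment"),
    ("Header", "X-Originating-Org", "is", "corp.example"),
]}
```

With these rule sets, the Subject-only rule filters both sample messages out of quarantine, while the Subject-and-Header rule filters only the internal one and leaves the same-subject external message available for review.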
Reported Email Summaries
Reported email summaries can be sent to users at your organization to keep them informed of reported emails. Email summaries can be sent daily, weekly, or monthly.
PhishNotify Integrations
PhishNotify integrations allow you to integrate reported emails into your organization’s existing incident response workflows. When an email is reported to PhishNotify, Infosec IQ can send a notification to another email address with the reported message attached. This article will cover the Custom option.
For more information about the pre-configured integrations, see Integrate PhishNotify with Microsoft Defender.
- Email destination: Enter the email address(es) to receive notifications. Multiple email addresses can be entered separated by commas.
- Subject line: The subject line of the notification.
- Attachment format: Reported emails can be attached in either eml or txt format.