Reacting to phishing emails in a timely manner is critical in the world of Business Email.

Red Sift’s OnINBOX email 'Reporting and Remediation' function now gives end users and admins the ability to react to phishing emails as they are delivered into users' inboxes. By reporting an email, users can leverage the remediation function to not only remove current threats from all users’ mailboxes but also prevent similar threats from ever making it to the user’s inbox in the future.

View the threats that are reported by your users using OnINBOX Manager.

OnINBOX's Reporting and Remediation functionality will display a breakdown of all the reports that have come from end users that still require action.

No Threats, no problem.

With the new Remediation function, it is important to teach users and admins how to properly leverage the feature so they can swiftly report and remove any threats as they are received. As you can see above, there are no reports of malicious/phishy messages from the users, so there is no action required by the admin. But with phishing and impersonation emails at an all-time high, this likely won't be the case for long.

This article aims to educate users and admins on the process of reporting and remediating threats so they can mitigate the danger associated with these emails.

Reporting a suspicious email as an end-user

In this example, one of our users has just received a suspicious message with the subject line 'Give me your bank account details' requesting that they follow the URL and fill out the associated form. Considering the nature of the request, the end-user decides to click the 'report' button so that their IT admin can review it.

After clicking the 'Report' button within the email, the user will be redirected to the OnINBOX user dashboard where they will be presented with the following window. They will then select a 'Reason for Reporting' and also have the option to add 'Comments' explaining to the admin why they decided to report the message.

After the user clicks 'Send' a report will be sent to OnINBOX Manager letting them know that there are 'Unresolved Reports' that require their attention, and the following image will be displayed.

Unresolved User Reports

Now that the user has reported the email, it will be displayed within the 'Reports' section of OnINBOX Manager. From here the admin can decide how they would like to leverage the Remediation function to take action on this particular message.

The admin can click into any of the individual unresolved reports to get a detailed breakdown of the message that was reported.

Report Information

The following details and options are available within the 'Report Information' for any specific user report.

  • The number of times the message was reported, and whether it was reported as a Threat, Spam, or a False positive.

  • A breakdown of the 'Threat Analysis' for the OnINBOX risk indicators.

  • A list of all users who have reported the email.

  • A 'Log' tab displays any remediation rules that have been created for the particular report.

  • A 'Notes' tab allows admins to add any notes related to the remediation choice.

  • A dropdown option for the admin to mark the report as Remediated, Unresolved, or False positive.



Remediating a reported message

The admin can go to the 'Remediation' tab within the Report Information window to decide what action to take for this particular message. They can choose to do one of the following from the 'Action' dropdown:

  • Delete Email

    • 'Delete' will delete this email from the reporter's and all other recipients' inboxes.

  • Add to threat list

    • 'Add to threat list' will add both the sender of this email and the sender’s domain to your organization’s threat list. This will result in all emails from this sender and this domain being marked with a red Trust indicator.

  • Add to trust list

    • 'Add to trust list' will add both the sender of this email and the sender’s domain to your organization’s trust list. This will result in all emails from this sender and this domain being marked with a green Trust indicator.

  • Email Reporter

    • 'Email Reporter' will send an email to either the first reporter or all reporters about the outcome of the remediation.

Delete Email

In this case, the admin has selected the action 'Delete email', which will cause the following window to display. From here they can decide how to configure the remediation rule for this particular report. They can customize the following conditions:

  • Emails From

    • This condition allows the admin to create a rule that will delete emails from the specific sender address AND/OR from the domain of the sender.


  • Emails Containing

    • This condition allows the admin to create a rule that will delete emails based on the specific content that is included within an email.

  • Notify Users

    • This option allows the admin to create a rule that will let the users affected by this change know what they’ve done. You can either customize the email that is sent to the user or select from one of the default templates.

    • Here is an example of what a user receives when this option is set to 'Yes'

  • Resolution

    • Classify the report as ‘Resolved’ or ‘Unresolved’

Once the admin clicks 'Create Rule' the window below will display a preview of any and all messages that will be deleted after the rule is 'Confirmed'

Add to Threat list

In this case, the admin has selected the action 'Add to Threat list', which will display the following window. From here they can decide whether to add just the 'Senders' address or the sending 'Domain' to the organization’s existing Threat list. This will result in all emails from this sender and this domain being marked with a red Trust indicator moving forward.

Add to Trust list

In this case, the admin has selected the action 'Add to Trust list', which will display the following window. From here they can decide whether to add just the 'Senders' address or the sending 'Domain' to the organization’s existing Trust list. This will result in all emails from this sender and this domain being marked with a green Trust indicator moving forward.

Email Reporter

In this case, the admin has selected the action 'Email Reporter', which will display the following window. From here they can decide what they want to be sent in the email to the user(s) who reported the suspicious email, and whether to send an email to the first reporter or all reporters about the outcome of the remediation.

Resolved Reports

From the 'Resolved' tab within the User Reports section, admins can view all of the historical reports that have been remediated and view a detailed breakdown of the action that was taken for the particular report.

Remediation History

The 'History' section within the OnINBOX Manager will display the historical logs of any Remediation that has taken place.

The 'Manual' tab displays all of the messages that had action taken manually upon the initial creation of a Remediation rule.

The 'Automated' tab will display any and all messages that have subsequently had an action taken based upon rules that were already in place.

To find out more about the remediation feature please visit this link.

If you have any questions or need some help please use the Live Chat or contact us using the button below.

Did this answer your question?