Number |
The number assigned to the user-reported phishing email. |
Subject |
The subject of the email. The subject rule is useful in simulated phishing
campaigns or tests, in which organizations send deceptive emails to their own
staff to test their response to phishing and similar email attacks. In
simulated phishing email tests, if the Microsoft Outlook email client with the
Wombat plugin is being used, the user can click the Report
Phish button to report the phishing email. The email is sent to
the Security Operations team with Simulated Phishing
appended to the Subject of the email, which identifies the email as a
simulated phishing email. |
From |
The email address from which this phishing email originated. This information
is available if the phishing email is forwarded as an .EML file attachment or if the
original headers are embedded in the email. If the user forwarded the phishing
email directly, the From address may not be available. |
Reported by |
The email ID of the user who reported this phishing email. Click the
Information icon to view additional details. |
Message id |
The ID assigned to the message. |
Matched URP rule |
The User Reported Phishing rule that is to be applied to this email. Click
the Information icon to view additional details. |
In this example, the Condition
field shows that the ToRule is applied to this email and a security incident is
created. See Set up ingestion rules for User Reported Phishing for more information on
defining email matching rules. |
State |
When a new phishing email record is created in the
sn_si_phishing_email table, the State field is set to
New. When this email record is converted to a security
incident (see Transform user-reported phishing emails to security incidents), the State field is
updated to Processed. |
Header origin |
This field indicates how the email headers originated or how the user
reported the phishing email:
- Email Header: The user forwarded the phishing email
  to the security operations team.
- Email Text Body:
  - The user clicked on the Report Phish option (if
    the Wombat plugin has been configured with the email client).
  - Based on the User Reported Phishing rule defined, the phishing email is
    forwarded to the security operations team.
- EML Attachment Header:
  - Attachment: The user forwarded the email as an attachment (.EML
    file).
  - Service catalog submission: The user downloaded the email as a .EML file
    to the desktop and then uploaded it to a specified location. The security
    incident is then created from the email.
- EML Attachment Body:
  - The user clicked on the Report Phish option (if
    the Wombat plugin has been configured with the email client).
  - Based on the User Reported Phishing rule defined, the phishing email is
    forwarded as an attachment to the security operations team.
|
Security Incident |
This field is blank when the user-reported phishing email is first reported.
When the Transform user-reported phishing emails to security incidents flow has been executed,
this email is converted to a security incident record and the number of this
record is displayed here. |
Raw headers |
This field shows the complete header information extracted from the email as
defined on the Define User Reported Phishing properties page. The headers
are parsed into key-value pairs and displayed in the Phishing Email Headers list.
|
Body |
This is the body of the user-reported phishing email. |
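
The From and Raw headers rows above depend on how the email was reported. The following added example (not product code, and not how the application itself parses email) uses Python's standard `email` module to show why a report forwarded as an .EML attachment yields the original sender and headers as key-value pairs, while a direct forward yields only the reporter. The addresses, the `origin` labels and the function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

def build_report(as_attachment: bool) -> bytes:
    """Constructed sample: a user's report to the SOC mailbox."""
    phish = EmailMessage()
    phish["From"] = "billing@phish.example"
    phish["To"] = "user@corp.example"
    phish["Subject"] = "Invoice overdue"
    phish["Message-ID"] = "<constructed-1@phish.example>"
    phish.set_content("Your invoice is overdue.")

    report = EmailMessage()
    report["From"] = "user@corp.example"
    report["To"] = "soc@corp.example"
    report["Subject"] = "FW: Invoice overdue"
    report.set_content("This looks suspicious, please check.")
    if as_attachment:
        # Attaching a message object produces a message/rfc822 part,
        # which is how an email forwarded as an .EML attachment arrives.
        report.add_attachment(phish, filename="phish.eml")
    return report.as_bytes()

def triage_report(raw: bytes) -> dict:
    """Return reporter, original sender and original headers as key-value pairs."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = {"origin": "direct_forward", "reported_by": str(msg["From"]),
              "from": None, "headers": []}
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)  # the attached original message
            result["origin"] = "eml_attachment"
            result["from"] = str(original["From"])
            # A list of pairs, not a dict: headers such as Received can repeat.
            result["headers"] = [(k, str(v)) for k, v in original.items()]
            break
    return result

if __name__ == "__main__":
    for attached in (True, False):
        print(triage_report(build_report(attached)))
```
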