Follow this end-to-end best practice guide to effectively use the user-reported email analysis and response feature, helping security teams streamline threat triage, apply actions confidently, and strengthen email protection.
Organizations face a growing volume of email-based threats, and end users are often
the last line of defense. However, without a structured process for analyzing reported
emails, security teams can struggle to triage threats efficiently, leading to delayed
responses and increased risk exposure. Manual investigation of each report is time-consuming
and prone to oversight, especially when similar threats are already present in the
environment.
Cloud Email and Collaboration Protection addresses this challenge with its user-reported email analysis and response feature. When users report suspicious emails, the system automatically analyzes the message to determine its threat type, such as phishing, spam, or flagged, and identifies shared indicators like malicious URLs or suspicious senders. It also provides a list of recent emails that share similar suspicious indicators with the reported message, allowing administrators to apply manual or automatic actions to mitigate these threats.
In addition, Cloud Email and Collaboration Protection enhances detection capabilities by learning from the reported email to help prevent recurrence. Administrators can also add relevant objects—such as sender addresses, domains, or URLs—from the reported email to monitored lists used in Correlated Intelligence policies.
Cloud Email and Collaboration Protection also supports sending analysis results of reported emails directly to end users, based on administrator configuration. Whether the email is confirmed as phishing, spam, or flagged for further attention, users receive feedback that reinforces their role in threat detection.
By leveraging this closed-loop analysis and response feature, organizations empower
their end users to contribute to threat detection while enabling security teams to
respond faster, reduce manual workload, and proactively block future threats. The
result is a more efficient and scalable email security workflow that improves visibility
and containment across the organization.
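The closed loop described above (extract shared indicators from a reported message, list recent emails that share them, apply or recommend mitigation, and feed the reported objects into monitored lists that then detect later emails) is easier to reason about in code. The following is an added illustration, not Cloud Email and Collaboration Protection's own code or API: the `Email` record, the indicator types (`sender`, `domain`, `url`), the action names, the rule that a phishing or spam verdict adds every extracted object to the monitored lists, and all sample messages and domains are constructed assumptions. The verdict is an input; the product's classifier is not modelled.

```python
import re
from dataclasses import dataclass

# Matches http(s) URLs in a message body; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass(frozen=True)
class Email:
    msg_id: str
    sender: str   # plain address; display names are omitted for simplicity
    subject: str
    body: str


def url_domain(url: str) -> str:
    """Host part of a URL, lower-cased (assumed normalisation)."""
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()


def extract_indicators(email: Email) -> dict[str, set[str]]:
    """Pull the object types the page mentions (sender, domain, URL) out of one message.
    'domain' covers both the sender's domain and the domains of any URLs in the body."""
    sender = email.sender.lower()
    urls = {u.rstrip(".,);") for u in URL_RE.findall(email.body)}
    return {
        "sender": {sender},
        "domain": {sender.split("@")[-1]} | {url_domain(u) for u in urls},
        "url": urls,
    }


def find_similar(reported: Email, recent: list[Email]) -> dict[str, set[str]]:
    """Recent emails that share a sender or URL with the reported message.
    Returns {msg_id: {"type:value", ...}} so an analyst can see why each one matched."""
    ref = extract_indicators(reported)
    similar: dict[str, set[str]] = {}
    for msg in recent:
        if msg.msg_id == reported.msg_id:
            continue
        ind = extract_indicators(msg)
        shared = {f"{t}:{v}" for t in ("sender", "url") for v in ind[t] & ref[t]}
        if shared:
            similar[msg.msg_id] = shared
    return similar


def add_to_monitored(monitored: dict[str, set[str]], object_type: str, value: str) -> None:
    """Stand-in for adding an object to a Correlated Intelligence monitored list."""
    monitored.setdefault(object_type, set()).add(value.lower())


def monitored_hits(email: Email, monitored: dict[str, set[str]]) -> set[str]:
    """Stand-in for a user-report driven detection signal: which monitored objects
    appear in a new email."""
    ind = extract_indicators(email)
    return {f"{t}:{v}" for t, vals in monitored.items() for v in ind.get(t, set()) & vals}


def triage(reported: Email, recent: list[Email], verdict: str,
           monitored: dict[str, set[str]], auto_action: bool = True) -> dict:
    """Closed loop: list similar emails, decide whether mitigation is applied
    automatically or only recommended, and, for a phishing/spam verdict, feed the
    reported message's objects into the monitored lists (assumed policy)."""
    similar = find_similar(reported, recent)
    if verdict in ("phishing", "spam"):
        action = "apply_mitigation" if auto_action else "recommend_mitigation"
        for object_type, values in extract_indicators(reported).items():
            for value in values:
                add_to_monitored(monitored, object_type, value)
    else:  # "flagged": leave the decision and any monitored-list additions to the admin
        action = "manual_review"
    return {"verdict": verdict, "action": action, "similar": similar}


# Constructed sample data (not real messages or domains).
REPORTED = Email("m-1001", "billing@invoice-portal.example", "Invoice overdue",
                 "Your invoice is overdue. Log in at https://invoice-portal.example/login today.")
RECENT = [
    Email("m-0990", "billing@invoice-portal.example", "Overdue invoice",
          "Pay at https://invoice-portal.example/login now."),
    Email("m-0991", "hr@corp.example", "Updated handbook",
          "See https://intranet.corp.example/handbook"),
    Email("m-0995", "noreply@mailer.example", "Action required",
          "Verify your account: https://invoice-portal.example/login."),
]
NEW_EMAIL = Email("m-1200", "alerts@other.example", "Final notice",
                  "Final notice: https://invoice-portal.example/login?id=7")

if __name__ == "__main__":
    lists: dict[str, set[str]] = {}
    result = triage(REPORTED, RECENT, verdict="phishing", monitored=lists)
    for msg_id, shared in sorted(result["similar"].items()):
        print(msg_id, "shares", sorted(shared))
    print("action:", result["action"])
    print("later email hits:", sorted(monitored_hits(NEW_EMAIL, lists)))
```

Two points the paragraph alone does not show: the match list records which indicator each historical email shares (the third sample matches on URL only, the first on sender and URL), which is what an administrator needs when deciding whether to act on a batch; and a later email that uses the same domain but a different URL is still caught because the domain, not only the exact URL, was placed on a monitored list.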
Procedure
- Set up reporting channels for your users in one of the following ways.
  - Install the Add-in for Outlook in your users' Outlook client to enable one-click reporting of suspicious emails.
  - Enable the warning banner in the corresponding Correlated Intelligence policy to display a cautionary message at the top of the body of emails flagged as anomalies by predefined correlation rules.
- Configure email reporting settings.
  - Allow Cloud Email and Collaboration Protection to automatically analyze reported emails to reduce threat triage time.
  - Choose whether to apply manual or automatic security actions to emails identified as posing similar threats based on the analysis.
  - Choose whether to send a follow-up email to end users upon successful analysis of a reported email to summarize the results of their feedback.
- Review reported email details and access the analysis details screen to view the classification, suspicious indicators, and email metadata.
- Monitor the automated mitigation or apply mitigation actions manually.
  - Monitor the automated mitigation if automated security actions are enabled.
    - The system automatically takes mitigation actions on similar historical emails.
    - Use the progress bar to track real-time status updates.
  - Apply mitigation actions manually if manual security actions are enabled. Use the analysis details screen to take manual steps:
    - Examine the reported email, view its classification, and understand why the email was considered suspicious through the top indicators.
    - In the Mitigation actions section, apply the recommended actions to similar emails individually or in batches.
- Monitor the automated remediation and prevention or apply remediation and prevention measures manually.
  - For reported emails confirmed as phishing or spam, the system automatically applies remediation and prevention measures. Use the progress bar to track real-time status updates.
  - For reported emails flagged for further attention, use the analysis details screen to take manual steps:
    - In the Remediation and prevention section, add the most relevant object to the corresponding monitored list managed by Correlated Intelligence. This operation automatically creates a detection signal for this object type on the Detection Signals tab under , named Monitored <object type> from User-Reported Emails. These signals contribute to a system-generated correlation rule, User-Report Driven Threat Detection, which helps detect other emails containing the same monitored object. In the signal details screen, you can find all the objects you added in the analysis details screen and manage them as desired.
    - To proactively block similar threats and risks, go to your Advanced Threat Protection policy settings and add User-Report Driven Threat Detection as a custom rule under Correlated Intelligence.
