Views:

Understand how suspicious a user-reported email is and take appropriate mitigation, remediation, and prevention actions based on detailed analysis.

The analysis details page provides administrators with a comprehensive view of each reported email. From previewing the message and reviewing its classification (such as phishing, spam, or flagged) to identifying top suspicious indicators, administrators can assess the nature of the threat. The screen also enables targeted mitigation of similar historical emails and provides remediation and prevention measures to block future threats. By using this screen, security teams can respond more efficiently to user-reported threats, reduce manual effort, and strengthen protection across the organization.
Learn more about the best practice for using the user-reported email analysis and response feature.
Section
Description and Setting
Email preview
Preview a reported email to examine its basic details, attachments, and body content.
  1. Click View email next to the subject line of the reported email
  2. In the Email details screen, review key information including the sender, recipient, reporter, message ID, and attachment names.
    The attachment list displays only the first 10 attachments.
  3. Use the HTML or Plain text tab to view the email body in your preferred format.
Analysis result
View the analysis result of a reported email, including its classification (phishing, spam, or flagged), a summary of its suspicious characteristics, and the top suspicious indicators during analysis.
Mitigation
View historical emails identified as posing similar threats or risks based on shared indicators found in a reported email.
Depending on your configured setting in Email reporting, the system can apply security actions automatically or allow manual control
  • Automated actions
    The system automatically takes action on an identified email, moving spam to the Junk Email folder or quarantining phishing emails.
    Click Details under Result to view mitigation logs, and click the number under Affected users to see who else received the email.
  • Manual actions
    The system lists identified emails with basic details and recommended actions. You can apply the action individually or in batches.
    After mitigation, click Details under Result to view mitigation logs, and click the number under Affected users to see who else received the email.
A progress bar shows real-time status updates.
To launch a phishing simulation for affected users, click the three-dot menu at the end of each item and select Create Security Awareness Training, the follow the instructions.
Remediation and prevention
View the remediation and prevention measures that the system automatically implements or offers for manual control, based on your configuration in Email reporting.
  • Automated actions
    The system automatically enriches Correlated Intelligence correlation rules to block similar phishing threats and updates anti-spam patterns to catch related unwanted messages. With Correlated Intelligence and Advanced Spam Protection enabled in policy, these enhancements are applied automatically, strengthening detection coverage and reducing manual effort.
    A progress bar shows real-time status updates.
  • Manual actions
    The system identifies the most relevant object from the reported email, such as the sender address, sender domain, URL, or URL domain, and allows you to add it to a monitored list managed by Correlated Intelligence.
    Once added, a detection signal is automatically generated for the object type with a name Monitored <object type> from User-Reported Emails. These signals contribute to a system-generated correlation rule User-Report Driven Threat Detection that helps detect other emails containing the same monitored object. For details about how correlation rules and detection signals work, see Viewing correlation rules and detection signals.
    To manage these detection signals, go to PoliciesGlobal SettingsCorrelated IntelligenceCorrelation Rules and Detection Signals and locate them on the Detection Signals tab. You can find all the objects you add in the analysis details screen.
    To prevent future risks, go to your Advance Threat Protection policy settings and add User-Report Driven Threat Detection as a custom rule under Correlated Intelligence.