4 Safety Rules For Reporting & Analyzing Phishing Emails

4 Safety Rules For Reporting & Analyzing Phishing Emails
June 30, 2016 Arne Defurne

JUNE 2016 –We advise organizations to have people report email phishing and (other security) incidents as much as possible. But why is this needed, and how to do this safely. Remember that emailing malware around the same as playing fire.

Why is reporting phishing emails relevant?

People are your last line of defence: One of the possible objectives of user awareness campaigns and email phishing exercises is to make people your strongest firewall and human detection sensors. Your employees might be your last layer of defense in detecting and reporting a security breach that has bypassed all other technical defenses.

Learn & Adapt: Reporting allows the organization to analyze the incident and take actions if needed. Additionally, lessons learned can be drawn that can result in steps to improve the technical defenses in place.

Reporting & analysing phishing emails has become an essential incident response element in any prioritized layered defence strategy. There will always be some phishing emails that succeed, but there will also always be someone that reported it. you cannot just ignore them.

Be careful, forwarding phishing emails is dangerous!

Typically, the user is trained to report suspicious emails to a central mailbox or helpdesk for further investigation and for metrics tracking. Ideally, users are motivated to forward suspicious emails as attachments (In Outlook via Actions -> Forward as Attachment or shortcut CTRL-ALT-F). Otherwise important technical information, like email headers, is lost. The user should also delete the email after he has reported it. Making all users do this correctly is however practically impossible.

We have seen in several organizations that reporting suspicious emails resulted in infections, because the helpdesk opened them or because they were added in ticketing systems where they became available for other people to open and become infected.

This is why, when reporting suspicious emails, the following new risks should NOT be introduced.

    • Avoid Collateral Damage: The helpdesk should not attach suspicious emails and attachments in internal IT ticketing systems as others might open them and become infected.
    • Don’t use Windows PC’s for analysis: Windows based systems are known to auto-execute content, and most malwares are designed for Windows. There is a serious risk when an URL or attachment is accidentally triggered.
    • Don’t get yourself blacklisted: The suspicious emails should never be forwarded outside of the organisations own email servers. When multiple users forward suspicious emails to another externally managed email system, there security technology might detect the malware and think the sender domain is distributing malware. As a result your organisations might become blacklisted.

The conclusion: Don’t allow untrained people to handle reported phishing emails. In most cases the first line helpdesk is not trained or skilled to safely handle or investigate reported emails. In many cases these people have admin rights which even increases the risk dramatically.

The 4 Key Safety Rules

If you follow these 4 simple rules you will prevent accidental infection.

    • Make it very EASY and SAFE for the user to report and delete suspicious emails. Ideally, he has a one-click button in his (outlook) email client that: (1) Forwards the selected email to a dedicated reporting mailbox, (2) deletes the email from his inbox or moves it to the junk folder and (3) encrypts all potentially dangerous elements of the email with a password before forwarding it.
    • Use a dedicated reporting mailbox that can only be accessed by a limited set of experts that know what they are doing.
    • Security Analyst should use a non-windows (Linux) based computer that has the proper tools installed to automatically inspect the suspicious emails and attachments.
    • The security analyst’s computer should be isolated as much as possible on the network, and only be allowed network access to internet sites or internal security servers it needs to analyze the malware.


Cranium offers an outlook plugin that makes it EASY and SAFE for everyone to report suspicious emails to the (security) helpdesk. The plugin protects all dangerous elements of the email using password protected zips. In addition, the plugin performs an automated analysis, which saves time for the security analyst that needs to investigate the email. Read all about it on our website.