How Phishing Response Works
This
Phishing Response takes information from several sources:
- Reports of maliciousness from the Agari Phishing Defense product (when available)
- Phish reports from people within your organization
- Agari's own threat feed
- Agari's research into email threats
From these streams, message information from within your organization and across (participating) organizations is parsed, analyzed, scored, and aggregated. This automated flow means that you don't have to:
- Manually retrieve reported messages from a shared reporting mailbox
- Manually review the content of each message individually
- Copy and look up URLs one-by-one in VirusTotal or your choice of commercial threat-intel platform
- Look up attachment names one-by-one in VirusTotal or your choice of commercial threat-intel platform
- Extract and send attachments one-by-one to sandbox analysis software
- Manually discard all reports that were spam
- Manually cleanse Inboxes in your organization of unreported malicious messages
- Manually move messages that were reported and that are legitimate email to Inboxes
- Manually determine if messages are similar and part of the same campaign
The parsing and matching stages of the flow are what allow Phishing Response to determine which messages are part of the same campaign and to organize those messages into individual campaigns. SOC analysts then have a single point of contact to perform any additional confirmation or analysis before taking actions on the campaign. Those actions, which can include removing related messages from employee Inboxes, can be performed directly from within Phishing Response.