What is the fastest and correct approach to react to phishing emails hitting an organization? What can and should an admin do, as soon as he sees a phishing email in his Inbox?


There are two use-cases I would like to consider:


  • As an admin, I want to quickly see and react to phishing mails. As of now, I can use the Threat Explorer to search e.g. for the subject of an email, and then trigger a hard delete. This feels laborious. There also seem to be multiple backends where alerts, actions, incidents and investigations are displayed ( and What is the best approach here?
  • As a user, I want to notify the admin about phishing. This seems to be possible with the "Report message" add-in. However, as an admin I see just reports - there is no way to react like: "Yes, this is phishing" or "No, this is not phishing. You can click on the links"


Edit: further outlined use-cases.