User Reported Phishing

The Challenge with Existing Processes & Solutions

High Volume

As user awareness increases, and solutions like “Report a Phish” plugins make it easier for users to report suspicious emails, the volume of user reported phishing emails continues to grow. The growing volume, along with the fact that typically < 1% of user reported phish are actually malicious, makes it hard to keep up using manual analysis processes and tools.

Weak Signal

Even when they aren’t actually phishing, user reported phishing emails often contain URLs and/or file attachments that can look similar to what an attacker might use. And since attackers hide behind legitimate filesharing and other services with clean reputations it can be hard to tell what might lead to a threat unless you go and visit the page.

Large Surface

The combination of high volume and weak signal means that there is a lot of surface area to cover looking for threats which are often hidden behind multiple layers of indirection. Since these are typically threats that have been delivered to users, which means they have made it past existing security controls, it is critical to detect them as quickly as possible.

How TwinWave Helps

Employee reported phishing emails can be automatically forwarded to the TwinWave platform using our email gateway, or, if you have a SOAR solution in place that is already collecting user reported phishing emails, you can use the TwinWave API to submit the emails to TwinWave for analysis.

When TwinWave analyzes a user reported phishing email that comes “wrapped” in an email from the reporting service, the platform extracts out the original email, analyzes that for attachments & URLs and performs full attack chain following for each of the objects discovered in the email.

Integrating TwinWave into existing workflows and security tools is easy.

Attack Chain Example

In this case an employee reported a suspected phishing email which was automatically forwarded to the TwinWave platform for analysis.

The reported email contained multiple links which were extracted and automatically analyzed. One of the links went through a redirect and landed on a page that required a click to download a file.

TwinWave clicked and downloaded the file which was a zip file that the platform automatically extracted and submitted the file from the archive for analysis which turned out to be a malicious JavaScript file.

Benefits of Using TwinWave


Sending all user reported phishing emails to TwinWave reduces the chance that something important falls through the cracks due to limited analysis resources. TwinWave’s email gateway makes it easy to integrate with existing phish reporting solutions like Proofpoint, KnowBe4, etc.

Analysis Depth

Our dedicated email analysis engine provides analysis of the email itself while also extracting out any embedded URLs or attached files. Any discovered URLs and files are automatically injected into the system for further analysis which includes our full attack chain following automation.


TwinWave’s attack chain following automatically performs actions required for full attack chain execution. This increased analysis of a threat’s surface area combined with our layered detection approach using a wide range of techniques results in very high detection rates for both credential phishing and malware threats.