Automating User-Reported Phishing: Mailbox + Helpdesk Workflow
Build an end-to-end automation that turns user phishing reports into analyzed, triaged, and resolved incidents — without analyst intervention for the majority of cases.
User-reported phishing is one of the most valuable — and most overwhelming — sources of threat intelligence for security teams. Employees who click the "Report Phishing" button provide real-time signals about threats that bypassed email filters. But without automation, each report creates manual work: retrieve the email, analyze headers, check URLs, look up sender reputation, determine if it's malicious, respond to the user, and close the ticket.
Most SOC teams receive hundreds of phishing reports weekly. The majority are false positives (legitimate emails users found suspicious), but buried in the noise are real threats that demand immediate action. This guide shows how to build an automated workflow that handles the entire lifecycle — from user report to resolution — while escalating only the cases that truly need human review.
The Manual Phishing Triage Problem
Typical Manual Workflow
Steps Per Report
1. Helpdesk receives ticket from user
2. Analyst retrieves reported email from mailbox
3. Analyst extracts headers, URLs, attachments
4. Analyst checks URLs against threat intel
5. Analyst verifies sender domain/SPF/DKIM
6. Analyst determines verdict (malicious/safe)
7. Analyst responds to user with result
8. Analyst closes helpdesk ticket
Time and Cost Impact
Automated Workflow Architecture
The automated workflow connects three systems: the phishing report mailbox, threat analysis engines, and the helpdesk platform. Each reported email flows through analysis stages with automated decisions at each step.
End-to-End Workflow Flow
Trigger Sources
- Outlook Report Message add-in
- Microsoft Defender user submissions
- Shared mailbox (phishing@company.com)
- Helpdesk ticket with attachment
Analysis Components
- URL reputation (VirusTotal, URLhaus)
- Sender domain validation (SPF/DKIM/DMARC)
- Attachment sandboxing
- Header anomaly detection
Automated Analysis Logic
The analysis engine scores each email across multiple indicators. The combined score determines the automated action and whether human review is required.
| Indicator | Weight | Detection Method | Score Impact |
|---|---|---|---|
| Known malicious URL | Critical | Threat intel lookup | +100 (auto-malicious) |
| Malicious attachment | Critical | Sandbox detonation | +100 (auto-malicious) |
| DMARC fail + external | High | Header analysis | +40 |
| Lookalike domain | High | Domain similarity check | +35 |
| Credential harvesting keywords | Medium | NLP content analysis | +25 |
| Urgency language | Medium | Pattern matching | +15 |
| First-time sender | Low | Communication history | +10 |
| Known sender (verified) | Negative | Allowlist + history | -30 |
Threat confirmed
- Auto-quarantine similar emails
- Block sender domain
- Notify user: threat confirmed
- Create incident for tracking
Under review
- Escalate to analyst queue
- Pre-populate analysis data
- Notify user: under review
- Priority based on score
Verified safe
- Auto-close ticket
- Thank user for reporting
- No further action
- Log for metrics
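The scoring table and the three action groups above, carried through in working code. This is an added example written for this page, not BitLyft's code: the indicator weights are the ones in the table, but the two verdict thresholds (100 for auto-malicious, 40 for analyst review), the intel and allowlist stores, the keyword and urgency regexes, the lookalike check (edit distance of at most two to a protected domain) and the three sample reports are all constructed assumptions. DMARC is read from the receiving MTA's Authentication-Results header rather than re-evaluated, and the sandbox verdict is passed in as a parameter because detonation happens in an external system.

```python
"""Scoring and verdict routing for a user-reported email (added example, not BitLyft's code).
Weights come from the indicator table; thresholds, stores and samples are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

MALICIOUS_THRESHOLD = 100  # assumed: one critical indicator reaches it on its own
REVIEW_THRESHOLD = 40      # assumed: scores between the bands go to an analyst
# Constructed stand-ins for the intel feed, allowlist, communication history and protected domains.
KNOWN_MALICIOUS_URLS = {"http://login-verify.bad.example/secure"}
ALLOWLISTED_SENDERS = {"payroll@corp-example.com"}
COMMUNICATION_HISTORY = {"alice@corp-example.com": {"payroll@corp-example.com"}}
INTERNAL_DOMAINS = {"corp-example.com"}
LOOKALIKE_TARGETS = {"corp-example.com", "microsoft.com"}
CREDENTIAL_RE = re.compile(r"verify your (password|account)|confirm your credentials|update your payment", re.I)
URGENCY_RE = re.compile(r"immediately|within \d+ hours|will be (suspended|closed|locked)|urgent", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Ticket action and user-communication template per verdict, taken from the action lists above.
PLAYBOOK = {
    "malicious": ("create incident, close user ticket", "Threat confirmed - do not interact"),
    "review": ("escalate to analyst queue, analysis pre-populated", "Under review by security team"),
    "safe": ("auto-close ticket", "Thank you - email verified safe"),
}

def edit_distance(a, b):
    """Levenshtein distance, used by the lookalike-domain check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """Within two edits of a protected domain, but not the protected domain itself."""
    return any(domain != t and edit_distance(domain, t) <= 2 for t in LOOKALIKE_TARGETS)

def dmarc_failed(msg):
    """Trust the receiving MTA's Authentication-Results instead of re-evaluating DMARC."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return re.search(r"\bdmarc=fail\b", results, re.I) is not None

def text_body(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")

def score_email(raw, reporter, sandbox_verdict="clean"):
    """Return (total score, [(indicator, points)]) for one reported message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    body = text_body(msg)
    seen_before = sender in COMMUNICATION_HISTORY.get(reporter, set())
    checks = [
        ("Known malicious URL", 100, any(u in KNOWN_MALICIOUS_URLS for u in URL_RE.findall(body))),
        ("Malicious attachment", 100, sandbox_verdict == "malicious"),
        ("DMARC fail + external", 40, domain not in INTERNAL_DOMAINS and dmarc_failed(msg)),
        ("Lookalike domain", 35, is_lookalike(domain)),
        ("Credential harvesting keywords", 25, CREDENTIAL_RE.search(body) is not None),
        ("Urgency language", 15, URGENCY_RE.search(body) is not None),
        ("First-time sender", 10, not seen_before),
        ("Known sender (verified)", -30, seen_before and sender in ALLOWLISTED_SENDERS),
    ]
    hits = [(name, pts) for name, pts, hit in checks if hit]
    return sum(pts for _, pts in hits), hits

def triage(raw, reporter, sandbox_verdict="clean"):
    """Score, classify and pick the ticket action and user template."""
    score, hits = score_email(raw, reporter, sandbox_verdict)
    verdict = ("malicious" if score >= MALICIOUS_THRESHOLD
               else "review" if score >= REVIEW_THRESHOLD else "safe")
    ticket, template = PLAYBOOK[verdict]
    return {"score": score, "indicators": hits, "verdict": verdict,
            "ticket_action": ticket, "user_template": template}

# Constructed sample reports, with headers as a receiving MTA would stamp them.
PHISH_RAW = """\
From: IT Support <helpdesk@corp-examp1e.com>
Subject: Action required: verify your password
Authentication-Results: mx.corp-example.com; spf=fail; dkim=none; dmarc=fail header.from=corp-examp1e.com
Message-ID: <m1@corp-examp1e.com>

Your mailbox will be suspended within 24 hours unless you verify your password at http://portal.corp-examp1e.com/login
"""
REVIEW_RAW = """\
From: Accounts <billing@vendor-partner.test>
Subject: Invoice 4471 overdue
Authentication-Results: mx.corp-example.com; dmarc=fail header.from=vendor-partner.test
Message-ID: <inv4471@vendor-partner.test>

Hello, invoice 4471 is overdue. Please confirm payment this week.
"""
SAFE_RAW = """\
From: Payroll <payroll@corp-example.com>
Subject: Your March payslip is available
Authentication-Results: mx.corp-example.com; dmarc=pass header.from=corp-example.com
Message-ID: <payslip-03@corp-example.com>

Your payslip for March is available in the HR portal.
"""
```

Running `triage(PHISH_RAW, "alice@corp-example.com")` scores 125 (DMARC fail, lookalike domain, credential keywords, urgency, first-time sender) and routes to the threat-confirmed playbook; the vendor invoice scores 50 and lands in the analyst queue; the allowlisted payroll message scores -30 and auto-closes. Note that the two critical indicators are additive with everything else, so a sandbox hit on the phishing sample pushes it to 225: the score still carries useful priority information for the incident even after the verdict is decided.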
Helpdesk Integration Patterns
The workflow must integrate bidirectionally with helpdesk systems — creating tickets when needed, updating status throughout analysis, and closing with appropriate resolution codes.
Ticket Lifecycle Automation
Supported Platforms
- ServiceNow (REST API)
- Jira Service Management
- Zendesk
- Freshservice
- ConnectWise (PSA)
User Communication Templates
- "Thank you - email verified safe"
- "Under review by security team"
- "Threat confirmed - do not interact"
- "Similar threats blocked org-wide"
Automated Response Actions
When a reported email is confirmed malicious, the workflow can trigger additional containment actions beyond just closing the ticket.
| Action | Trigger Condition | Scope | Approval |
|---|---|---|---|
| Delete from reporter's mailbox | Confirmed malicious | Single user | Auto |
| Search & purge org-wide | Same sender + subject pattern | All mailboxes | Review |
| Block sender domain | Confirmed phishing domain | Transport rule | Auto |
| Add URL to blocklist | Malicious URL detected | Defender tenant | Auto |
| Reset user password | User clicked link + credential page | Reporting user | Review |
| Revoke user sessions | Credential compromise suspected | Reporting user | Auto |
Cascade Detection
When a reported email is confirmed malicious, automatically search all mailboxes for the same message (by Message-ID or sender + subject hash). If found in other mailboxes, trigger remediation for all affected users — not just the reporter. This transforms a single user report into org-wide protection.
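The cascade search described above, as an added example that is not part of the original page. It matches first on Message-ID and falls back to a hash of sender address plus normalized subject (reply and forward prefixes stripped, whitespace collapsed), because an attacker-controlled Message-ID differs per copy when a campaign is sent in batches. The mailbox index is a constructed stand-in for whatever org-wide search the mail platform provides; the rule that a purge touching more than 10 users waits for approval is the one given under Common Mistakes, and the reporter-only delete is automatic as in the response-actions table.

```python
"""Cascade detection: every mailbox holding a confirmed-malicious message (added example,
not BitLyft's code). The index below is a constructed stand-in for an org-wide message search."""
import hashlib
import re
from email.utils import parseaddr

PURGE_APPROVAL_THRESHOLD = 10  # purges affecting more than this many users need approval
PREFIX_RE = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.I)

def normalize_subject(subject):
    """Strip reply/forward prefixes and collapse whitespace so re-sent copies hash alike."""
    return re.sub(r"\s+", " ", PREFIX_RE.sub("", subject)).strip().lower()

def campaign_hash(sender, subject):
    """Sender address + normalized subject: the fallback when Message-ID differs per copy."""
    addr = parseaddr(sender)[1].lower()
    return hashlib.sha256(f"{addr}\n{normalize_subject(subject)}".encode()).hexdigest()

def find_affected_mailboxes(confirmed, index):
    """Map mailbox -> match basis ('message-id' is exact, 'sender+subject' is the fuzzier fallback)."""
    target = campaign_hash(confirmed["from"], confirmed["subject"])
    affected = {}
    for rec in index:
        if rec["message_id"] == confirmed["message_id"]:
            affected[rec["mailbox"]] = "message-id"
        elif campaign_hash(rec["from"], rec["subject"]) == target:
            affected.setdefault(rec["mailbox"], "sender+subject")
    return affected

def plan_remediation(confirmed, index, reporter):
    """Reporter delete is automatic; an org-wide purge above the threshold is held for review."""
    affected = find_affected_mailboxes(confirmed, index)
    others = sorted(m for m in affected if m != reporter)
    return {
        "delete_from_reporter": "auto",
        "other_affected_users": others,
        "org_wide_purge": "review" if len(affected) > PURGE_APPROVAL_THRESHOLD else "auto",
        "match_basis": affected,
    }

def _copy(mailbox, message_id, subject, sender="helpdesk@corp-examp1e.com"):
    return {"mailbox": mailbox, "message_id": message_id, "from": sender, "subject": subject}

# Constructed index: the reporter's copy, one identical copy, one forwarded copy
# with a fresh Message-ID, and one unrelated message.
REPORTED = _copy("alice@corp-example.com", "<m1@corp-examp1e.com>",
                 "Action required: verify your password", sender="IT Support <helpdesk@corp-examp1e.com>")
SMALL_INDEX = [
    REPORTED,
    _copy("bob@corp-example.com", "<m1@corp-examp1e.com>", "Action required: verify your password"),
    _copy("carol@corp-example.com", "<m2@corp-examp1e.com>", "FW: Action required:  verify your password"),
    _copy("dave@corp-example.com", "<inv@vendor-partner.test>", "Invoice 4471 overdue",
          sender="billing@vendor-partner.test"),
]
# The same campaign landing in a dozen more mailboxes crosses the approval threshold.
LARGE_INDEX = SMALL_INDEX + [
    _copy(f"user{i}@corp-example.com", "<m1@corp-examp1e.com>", "Action required: verify your password")
    for i in range(12)
]
```

With `SMALL_INDEX`, `plan_remediation(REPORTED, SMALL_INDEX, "alice@corp-example.com")` finds bob (same Message-ID) and carol (forwarded copy, matched on sender+subject) and purges automatically; with `LARGE_INDEX` the same call finds 14 other users and holds the purge for review. The `match_basis` map is worth surfacing to the approver: sender+subject matches are the ones that can sweep up legitimate mail with a reused subject, which is exactly the false-positive purge the Common Mistakes section warns about.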
User Feedback Loop
A key benefit of user-reported phishing workflows is the feedback loop — users learn whether their reports were accurate, which improves future reporting quality.
Positive Reinforcement
- True Positive: "Great catch! This was a confirmed phishing attempt. We've blocked the sender and removed similar emails from all mailboxes."
- False Positive: "Thank you for reporting. We verified this email is safe. It's from [Company] regarding [Topic]. No action needed."
Reporting Metrics (Per User)
- Total reports submitted
- True positive rate (accuracy)
- Missed phishing (clicked before reporting)
- First reporter bonus (org-wide threat)
Gamification (Optional)
Some organizations implement recognition programs for users who report confirmed threats. This encourages a security-conscious culture.
Key Metrics and Targets
| Metric | Target | Alert Threshold | Measurement |
|---|---|---|---|
| Auto-resolution rate | >75% | <60% | Reports closed without analyst |
| Time to user response | <5 min | >30 min | Report received → user notified |
| False negative rate | <2% | >5% | Malicious marked safe (weekly audit) |
| Analyst time per escalation | <3 min | >8 min | Pre-populated analysis data |
| User report volume | Trending up | Declining | Healthy security culture |
Common Mistakes to Avoid
Problem: Users stop reporting because they never hear back
Fix: Always send response — even for false positives
Problem: False positive purges legitimate business emails
Fix: Require approval for purges affecting >10 users
Problem: Malicious documents slip through URL-only checks
Fix: Always sandbox attachments before verdict
Problem: Model doesn't learn from analyst corrections
Fix: Track analyst overrides, adjust scoring weights
Problem: Users don't understand why email was safe
Fix: Include specific reason (known sender, verified domain)
Problem: Miss users who may be compromised
Fix: Check click logs before closing ticket
Automate Phishing Triage with BitLyft AIR
BitLyft AIR integrates with Microsoft 365, major helpdesk platforms, and threat intelligence feeds to fully automate user-reported phishing workflows. Achieve 80%+ auto-resolution while maintaining analyst oversight for edge cases.