IntegralDefense / ACE

Analysis Correlation Engine
Apache License 2.0
26 stars 10 forks source link

Always remediate from phish reporter's inbox #226

Closed automationator closed 5 years ago

automationator commented 5 years ago

Sometimes a user will report an email as a phish but ACE has no record of them receiving the email in the first place, whether due to it being forwarded internally, a shared mailbox, etc.

In these cases, the email remediation button does not list the phish reporter's address as one available to remediate. The phish report itself should serve as record of the user receiving the email, thus allowing us to remediate it from their inbox.

KarmaPenny commented 5 years ago

I think the way to do this is to have the email_analyzer add the reporting user as a recipient in the search archive so that they appear in the list of options when remediating

KarmaPenny commented 5 years ago

Also in the meantime you can still manually remediate these emails via the cmdline

unixfreak0037 commented 5 years ago

I'm going to close this because PhishMe already moves the reported phish into the Junk folder, and the user has already shown they find it suspicious, so it's no longer a threat. Thus it's not super critical to actually remediate it, I'd rather we spend time elsewhere.

At some point we can redesign the way ACE handles email remediation, at which point this issue will resolve on its own.