User-reported phishing with VMRay's abuse mailbox

Defend your inbox against abuse mailbox threats. Discover the best practices and technologies to stop malicious emails in their tracks!

94% of breaches are due to phishing attacks

Many enterprise phishing solutions today rely on known static threat libraries and AI analytics to identify suspicious patterns of behavior.

When email gateway detection results are inconclusive, a small percentage of malicious and damaging emails still manage to get through into the enterprise.

In large Enterprises with hundreds or even thousands of mailbox recipients, the number of potentially harmful phishing attacks reported by end-users can quickly reach unmanageable quantities.

Phishing campaigns are becoming more difficult to detect

Threat actors are increasingly using advanced techniques to ensure malicious emails evade primary phishing detection methodologies.

Manual triage is time consuming

Manual analysis of suspicious phishing emails for further triage by the SOC team can take up to an hour for a single email.

Third-Party Analysis is Required

Re-analyzing suspicious emails that bypass primary detection controls require deeper analysis by a third-party sandbox solution to better identify any possible threat.

The benefits of User-reported Phishing with VMRay

VMRay’s safe detonation and Machine Learning (ML) driven phishing analysis provides a definitive verdict with greater visibility into an email’s malicious actions.

Industry-leading detection of advanced cyber threats

Best-in-class reputational, static, and dynamic analysis of phishing and credential harvesting related email attacks.

Safe detonation and deep analysis

VMRay’s deep content inspection, recursive link analysis, file attachment verdicts, Smart Link, and other detected web objects can quickly identify emails with malicious intent.

Shine a light on phishing blind spots

Automated responses to end-user submissions reduces phishing related calls to the SOC and speeds the triage process without utilizing critical SOC team resources.

The VMRay solution for user-reported phishing

VMRay’s Abuse Mailbox enables SOC teams to create a dedicated mailbox hosted by VMRay, allowing each organization’s employees to become part of the “detection fabric” of the enterprise.

Educate Users on Phishing Threats

End-user education has become an invaluable resource for helping to spot new and previously unseen phishing campaigns and malicious email threats.

Bridging The Technology Gap

User-reported phishing leverages the human element to bridge the gap left by the failure of point phishing solutions to identify advanced email attacks.

Auto-Forwarding of Phishing Threats

Via an Outlook plugin, any suspicious emails can be sent to VMRay’s abuse mailbox by the end-user for a deep, third-party assessment with safe detonation and rapid analysis without direct involvement of scarce SOC resources.

Playbook Integration Further Automates Analysis

When orchestrated using a SOAR Playbook, a primary phishing solution can flag “suspicious” emails and automatically forward them via the SOAR to VMRay for further investigation and deeper analysis.

Start analyzing phishing threats with VMRay's abuse mailbox

Further resources on phishing detection

Navigating email security challenges

User-reported Phishing: How it works

Automating phishing triage

Demystifying Abuse Mailbox: FAQs

1. How is VMRay’s User Reported Phishing feature different from other vendor solutions?

User Reported Phishing helps organizations identify malicious emails that have bypassed their perimeter email security or point phishing solution. Through a combination of end-user education and technology, malicious emails can be identified and forwarded by the end-user to an Abuse Mailbox.


The difference between VMRay’s User Reported Phishing and other vendor solutions stops there. Other vendor solutions require a SOC Analyst to then manually triage the email to identify if it is malicious or not. The results of the process may take hours or days depending on the volume of emails received by the Abuse Mailbox.


VMRay differentiates against other solutions by automatically triaging and analyzing the email threat to determine if it is malicious or benign. If malicious, the SOC team is notified along with the analysis and extracted IOCs to mitigate the threat within minutes and the end-user informed. All without using SOC Team resources.

Integrating with an EDR/XDR/SOAR solution is the easiest way to implement Abuse Mailbox automation. Email threats that have bypassed perimeter email security and phishing solutions can be identified by end users educated in spotting email threats.


Once forwarded to the Abuse Mailbox and analyzed by VMRay, the EDR/XDR/SOAR integrated with VMRay can take automated response actions based on predefined playbooks or workflows if the reported email is a legitimate threat.


The IOCs extracted from the analysis can be used to create email policies, firewall rules, and detection signatures to mitigate current and any subsequent attacks.

The VMRay platform is hardened against direct attacks and constantly assessed for vulnerabilities and exposures that would allow a bad threat actor to penetrate the system. The VMRay Platform allows customers to create a completely isolated environment for analyzing advanced phishing threats, without the risks posed by open-source tools and services. With On-Premises deployments, customers can ensure their data never leaves the network.


VMRay offers two data center locations, one in the EU and the other in the US, to our customers. While located in different regions, both are ISO27001 compliant, meet GDPR and California Data Privacy Act standards for data protection and privacy, and meet the Singapore Monetary Authority guidelines for cloud services for the financial sector. Our customer data is protected in accordance with some of the strictest data privacy laws in the world.

Abuse Mailbox is compatible with any email system. Reported emails are forwarded to an Abuse Mailbox on the VMRay platform and automatically analyzed upon receipt. The results of the email attack analysis are then sent to the SOC team in addition to a notification of malicious or benign sent to the end user, typically within minutes.

Phishing attacks are responsible for 91-94% of successful breaches according to many industry leaders. Malware authors have developed many different methods to bypass static detection controls or methods that exceed the capabilities of vendor phishing solutions. For example, recursive embedded links in documents that go many levels deeper than the default settings of the detection control is a common tactic. Using QR-Codes that when scanned, lead to malicious websites with malware booby-trapped webpages.


VMRay’s Labs team work hard to keep up with the constantly changing threat landscape and the attack chain methods used by bad threat actors. Once a new Advanced phishing attack method is identified, VMRay updates YARA rules and Machine Learning engines to accurately identify these threats.