HailBytes SAT Tutorial

Phish Triage Queue

Triage user-reported emails, separate real threats from simulations, and turn every report into a measurable security signal.

Overview

When employees report a suspicious email through the HailBytes SAT reporter button (or by forwarding to your reporting mailbox), the message lands in the Triage Queue. SAT auto-classifies known simulation messages from your own campaigns, leaving the real-world unknowns for an analyst to label as phishing, spam, or legitimate. Every classification updates the reporter's accuracy score, which flows back into risk scoring.

Configure Inbound Reporting

  1. Open Settings → IMAP and connect a dedicated reporting mailbox (e.g. phish-report@yourcorp.com) over IMAPS. Use credentials scoped to that mailbox only, not a shared admin account.
  2. Set the polling interval (default 60 s).
  3. Click Validate. SAT logs in, reads one folder, then disconnects.
  4. Deploy the reporter add-in (Microsoft 365 / Google Workspace) so users can report with one click from their inbox.

Triage Workflow

  1. Reports arrive in the queue, deduplicated by Message-ID and sender domain.
  2. Auto-match: any message whose tracking ID matches an active simulation is flagged green and credited to the reporter as a true positive. A tracking ID that does not match an active simulation is not auto-credited; the message stays in the analyst's queue.
  3. The analyst classifies the remainder. Hotkeys: P phishing, S spam, L legitimate.
  4. Bulk actions: select multiple reports and classify them in one click, or forward them to your SOAR via the Sentinel or Splunk integration.
  5. Feedback: reporters who correctly flagged real-world phishing get a positive accuracy bump; misreports (legitimate mail flagged as phishing) lower their score.

Reporter Accuracy

Open Triage → Reporter Accuracy to see which employees report well. The score combines:

  • True positives (correctly reported real phishing or simulation)
  • False positives (legitimate mail flagged as phishing)
  • Time-to-report (faster reports score higher)
  • Volume normalization (heavy reporters aren't penalized for the occasional miss)
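The triage workflow and the accuracy score, as an added example in Python that is not HailBytes SAT code: it builds a queue from constructed reports, deduplicates by Message-ID and sender domain while keeping every reporter credited, auto-credits only tracking IDs that belong to an active campaign (a header carrying an unknown or stale ID falls through to the analyst instead of being trusted), applies analyst hotkeys, and computes a per-reporter score. The header name X-SAT-Tracking-ID, the data model and the scoring formula (additively smoothed precision scaled by a speed factor) are assumptions; the page does not publish SAT's actual formula.

```python
"""Added example, not HailBytes SAT code: a model of the triage workflow and the
reporter-accuracy score described on this page. The tracking header name, the
data model and the scoring weights are assumptions made for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from email.utils import parseaddr

TRACKING_HEADER = "x-sat-tracking-id"  # assumed header name, matched case-insensitively
HOTKEYS = {"P": "phishing", "S": "spam", "L": "legitimate"}

@dataclass
class Report:
    reporter: str
    message_id: str
    sender: str
    headers: dict[str, str]
    minutes_to_report: int  # delay between delivery and the user's report (constructed)

@dataclass
class QueueItem:
    message_id: str
    sender_domain: str
    headers: dict[str, str]
    reporters: dict[str, int] = field(default_factory=dict)  # reporter -> minutes_to_report
    classification: str | None = None  # simulation | phishing | spam | legitimate
    auto: bool = False  # credited by auto-match rather than by an analyst

def sender_domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def build_queue(reports: list[Report]) -> list[QueueItem]:
    """Step 1: one item per (Message-ID, sender domain); every reporter stays credited."""
    items: dict[tuple[str, str], QueueItem] = {}
    for r in reports:
        key = (r.message_id.strip().lower(), sender_domain(r.sender))
        item = items.setdefault(key, QueueItem(key[0], key[1], r.headers))
        item.reporters.setdefault(r.reporter, r.minutes_to_report)
    return list(items.values())

def auto_match(queue: list[QueueItem], active_simulations: set[str]) -> None:
    """Step 2: credit a tracking ID only if it belongs to an active campaign; an unknown
    or stale ID is not trusted and the item stays with the analyst."""
    for item in queue:
        headers = {k.lower(): v for k, v in item.headers.items()}
        if headers.get(TRACKING_HEADER) in active_simulations:
            item.classification, item.auto = "simulation", True

def classify(item: QueueItem, hotkey: str) -> None:
    """Step 3: analyst hotkey; anything outside P/S/L raises KeyError."""
    if item.classification is not None:
        raise ValueError(f"{item.message_id} already classified")
    item.classification = HOTKEYS[hotkey.upper()]

def accuracy_scores(queue: list[QueueItem], fast_minutes: int = 60) -> dict[str, int]:
    """Step 5 / Reporter Accuracy (assumed formula): precision with additive smoothing,
    so one miss does not sink a low-volume reporter, scaled by the share of true
    positives reported within fast_minutes. Spam is neither rewarded nor penalized."""
    stats: dict[str, dict[str, int]] = {}
    for item in queue:
        if item.classification is None:
            continue  # unclassified items carry no signal yet
        for reporter, minutes in item.reporters.items():
            s = stats.setdefault(reporter, {"tp": 0, "fp": 0, "fast": 0})
            if item.classification in ("phishing", "simulation"):
                s["tp"] += 1
                s["fast"] += int(minutes <= fast_minutes)
            elif item.classification == "legitimate":
                s["fp"] += 1
    scores = {}
    for reporter, s in stats.items():
        precision = (s["tp"] + 1) / (s["tp"] + s["fp"] + 2)
        speed = s["fast"] / s["tp"] if s["tp"] else 0.0
        scores[reporter] = round(100 * precision * (0.8 + 0.2 * speed))
    return scores

# Constructed sample data: six reports, one active campaign, and the analyst's hotkeys.
SAMPLE_REPORTS = [
    Report("alice", "<a1@evil.example>", "Billing <billing@evil.example>", {}, 30),
    Report("bob", "<A1@evil.example>", "billing@evil.example", {}, 90),  # same message, second reporter
    Report("alice", "<s1@sat.example>", "it-helpdesk@sat-sim.example", {"X-SAT-Tracking-ID": "sim-0042"}, 10),
    Report("carol", "<n1@yourcorp.com>", "hr@yourcorp.com", {}, 600),
    Report("carol", "<p1@shop.example>", "deals@shop.example", {}, 120),
    # Carries a tracking header, but the ID is not an active campaign: must not be auto-credited.
    Report("dave", "<f1@attacker.example>", "helpdesk@attacker.example", {"X-SAT-Tracking-ID": "sim-0001"}, 45),
]
ACTIVE_SIMULATIONS = {"sim-0042"}
ANALYST_DECISIONS = {"<a1@evil.example>": "P", "<n1@yourcorp.com>": "L",
                     "<p1@shop.example>": "S", "<f1@attacker.example>": "P"}

def run_demo() -> tuple[list[QueueItem], dict[str, int]]:
    queue = build_queue(SAMPLE_REPORTS)
    auto_match(queue, ACTIVE_SIMULATIONS)
    for item in queue:
        if item.classification is None:
            classify(item, ANALYST_DECISIONS[item.message_id])
    return queue, accuracy_scores(queue)
```

With the sample data, run_demo() yields five queue items from six reports (alice and bob share one), auto-credits only the sim-0042 message, and scores alice 75, bob 53, carol 27 and dave 67: bob loses the speed bonus for a slow report, carol's only non-spam report was a false positive, and dave's message with a non-active tracking ID was handled as real phishing.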

API

GET    /api/triage                 # List queue
GET    /api/triage/{id}            # Get one report
PUT    /api/triage/{id}            # Classify (body: {"classification":"phishing"|"spam"|"legitimate"})
DELETE /api/triage/{id}            # Dismiss
GET    /api/triage/accuracy        # Per-reporter accuracy
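A client for the routes above, as an added example in Python that is not HailBytes SAT code. It assumes bearer-token authentication with the token read from an environment variable, an HTTPS-only base URL (https://sat.yourcorp.example is a placeholder), and JSON responses of the shape the fake transport below returns; the page documents only the routes and the PUT body. The report ID is percent-encoded so a crafted ID cannot rewrite the route, and a bulk classification is validated in full before the first PUT is sent. The fake opener stands in for urllib's urlopen so the demo runs without a server; omit it to talk to a real instance.

```python
"""Added example, not HailBytes SAT code: a small client for the triage routes listed
above. The base URL, bearer-token auth, response shapes and the offline fake transport
are assumptions; the page documents only the routes and the PUT body."""
import json
import os
import urllib.parse
import urllib.request

ALLOWED = {"phishing", "spam", "legitimate"}

class TriageClient:
    def __init__(self, base_url, token, opener=urllib.request.urlopen):
        if not base_url.lower().startswith("https://"):
            raise ValueError("refusing to send the API token over plain HTTP")
        self.base = base_url.rstrip("/")
        self.token = token
        self._open = opener  # injectable so the demo runs without a server

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        if data is not None:
            headers["Content-Type"] = "application/json"
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=headers)
        with self._open(req) as resp:
            return json.loads(resp.read() or b"null")

    @staticmethod
    def _path(report_id):
        # Percent-encode the ID so a value like "../accuracy" cannot change the route.
        return "/api/triage/" + urllib.parse.quote(str(report_id), safe="")

    def list_queue(self):
        return self._call("GET", "/api/triage")

    def get(self, report_id):
        return self._call("GET", self._path(report_id))

    def classify(self, report_id, classification):
        if classification not in ALLOWED:
            raise ValueError(f"classification must be one of {sorted(ALLOWED)}")
        return self._call("PUT", self._path(report_id), {"classification": classification})

    def dismiss(self, report_id):
        return self._call("DELETE", self._path(report_id))

    def accuracy(self):
        return self._call("GET", "/api/triage/accuracy")

def bulk_classify(client, decisions):
    """Bulk action: reject the whole batch on any bad label rather than leaving it half-applied."""
    bad = {rid: c for rid, c in decisions.items() if c not in ALLOWED}
    if bad:
        raise ValueError(f"unknown classification(s): {bad}")
    return {rid: client.classify(rid, c) for rid, c in decisions.items()}

class _FakeResponse:
    def __init__(self, payload):
        self._body = json.dumps(payload).encode()
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False

def make_fake_opener(log):
    """Offline stand-in for urlopen: records (method, url, body) and answers plausibly (assumed shapes)."""
    def opener(req):
        body = json.loads(req.data) if req.data else None
        log.append((req.get_method(), req.full_url, body))
        if req.get_method() == "GET" and req.full_url.endswith("/api/triage"):
            return _FakeResponse([{"id": "r-1"}, {"id": "r-2"}])
        return _FakeResponse({"id": req.full_url.rsplit("/", 1)[-1],
                              "classification": (body or {}).get("classification")})
    return opener

def run_demo():
    log = []
    token = os.environ.get("SAT_API_TOKEN", "demo-token")  # never hard-code the real token
    client = TriageClient("https://sat.yourcorp.example", token, opener=make_fake_opener(log))
    ids = [r["id"] for r in client.list_queue()]
    results = bulk_classify(client, {ids[0]: "phishing", ids[1]: "legitimate"})
    return log, results
```

run_demo() issues one GET to list the queue followed by one PUT per decision; constructing the client with an http:// base URL, passing a label outside the three the API accepts, or handing bulk_classify a batch with one bad label all fail before any request leaves the process.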

Tying Triage to Risk & Training

High-accuracy reporters are great candidates for a security champion program; consistently low-accuracy reporters get nudged into a remedial track via risk-based auto-enroll. See also the executive report; reporting rate is one of the headline KPIs.

Next Steps

Risk-Based Auto-Enroll

Automatically assign training to clickers and inaccurate reporters.


SIEM Integration

Stream triage decisions to Splunk or Sentinel for SOC visibility.

