Forwarding reported threats to your organization’s security mailbox

Forwarding reported emails to your security team's mailbox or security ticketing system is often a crucial part of maintaining your security posture. Emails reported as phishing, spam or even non-spam can be forwarded to your SOC mailbox for further analysis. Hoxhunt also allows various customizations to the format of the forwarded threat report emails.

 

Setting up threat report forwarding

1. Verify email for forwarding purposes

Before you can set up the forwarding, you need to verify the email address you plan to use for threat report forwarding.

Please complete the verification as described in Email verification for automated email flows and then proceed to the next step.
 

2. Choose forwarding type and forwarding address

In Admin Portal > Settings > Threat Settings, customer admins can specify the email address(es) to which phishing, spam or even non-spam reports are forwarded.

  1. Depending on which forwarding you'd like to set up, choose Phishing Forwarding, Spam Forwarding or Non-spam Forwarding. In this example, we will set up Phishing Forwarding.
  2. Next, from the list of available verified email addresses, choose the email address(es) to which all email reported as phishing should be forwarded.
     
  3. Click Save.
    NOTE: The changes will take effect immediately. Every email reported as phishing from now on will be forwarded to the defined mailbox address in a specific threat report format (see below).
     

3. Choose the threat report email format

Hoxhunt allows various customizations to the format of the forwarded threat report emails.

NOTE: Formatting settings apply to all forwarding types (Phishing Forwarding, Spam Forwarding and Non-spam Forwarding).

Presets

Default Configuration

This is the standard Hoxhunt forwarding format.

TIP: You can see the formatting specific to the Default Configuration on the Custom settings tab.

Proofpoint TRAP

  1. Go to Admin Portal > Settings > Threat Settings.
  2. Scroll down to Threat Forwarding Format.
  3. On the Pre-configured tab, choose Proofpoint TRAP, and click Save.

The Proofpoint TRAP compatible format will now be applied to every threat forwarding option you have enabled.

TIP: You can see the formatting specific to the Proofpoint TRAP preset on the Custom settings tab.

Abnormal AI

  1. Go to Admin Portal > Settings > Threat Settings.
  2. Scroll down to Threat Forwarding Format.
  3. On the Pre-configured tab, choose Abnormal AI, and click Save.

The Abnormal AI compatible format will now be applied to every threat forwarding option you have enabled.

TIP: You can see the formatting specific to the Abnormal AI preset on the Custom settings tab.

Microsoft Defender

Hoxhunt has built-in support for Defender's User reported messages format. Simply set up Hoxhunt's Defender integration as described in: Submit reported threats to Defender

 

My security vendor's preset is missing

If you don't see your security vendor listed, please see "Custom settings" below. 

We are also happy to add your vendor's specific email format to the preset list whenever possible.

 

Custom settings

Hoxhunt's threat report emails can be customized to support many other security vendors as well. Instead of listing every possible supported vendor, we list each of the formatting options available.

NOTE: Formatting settings apply to all forwarding types (Phishing Forwarding, Spam Forwarding and Non-spam Forwarding).

For clarification:

  • Forwarded email refers to the threat forward email carrying the actual email reported by the user (vessel)
  • Reported email refers to the actual email reported by the user (cargo)

[Figure: Details of Hoxhunt's default threat forwarding formatting configuration.]

 

Forwarded email body content

  • Hoxhunt report message
  • Original reported email

If Hoxhunt report message has been selected:

  • Include email URLs in email body
  • Include reporting folder in email body
  • Include attachment metadata in body
  • Omit hoxhunt reporter notice
    • Example: This is an automatically generated Hoxhunt report. The attached email was reported by [reporterEmailAddress].
  • User acted information (visible only when User Acted on Phishing is enabled in Threat Settings)

Forwarded email subject prefix

Determines what appears at the beginning of the original subject line.

  • [Hoxhunt Report] original email subject
  • [Phish/Spam] original email subject

Forwarded email subject content after prefix

Allows you to replace the original subject line.

  • Original subject
  • Original sender, subject and date
    • Example: [Hoxhunt Report] attacker@phish.com|Urgent: Please verify your account|2025-01-15T14:30:00.000Z

Reported email included as an attachment

  • Include attachment - Name is attachment.eml
  • Include attachment - Attachment name is random string
  • Include attachment - Name is [reported_email_subject].eml
  • Do not include attachment

Reported email's headers

  • No amended headers
  • Amended as an attachment (TXT)
  • Amended in body (also applied to Defender submission emails)

Additional header options

  • Use original message-id in the in-reply-to header
  • Use original message-id in the message-id header

Additional options

  • User original subject in forwarded email (Proofpoint format)
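
Added example (not Hoxhunt code): SOC-side Python that reads a forwarded email using the "Original sender, subject and date" subject content with the reported email attached, and cross-checks the subject's sender against the attached email's From header. It assumes the reported email arrives as a message/rfc822 part and that "|" separates the fields exactly as in the example above; the function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

PREFIXES = ("[Hoxhunt Report]", "[Phish/Spam]")  # the two prefixes listed above

def parse_subject(subject):
    """Split '<prefix> sender|subject|date'. The reported subject is attacker-
    controlled and may contain '|', so take the sender from the left and the
    date from the right instead of a plain split('|')."""
    prefix = next((p for p in PREFIXES if subject.startswith(p)), None)
    if prefix is None:
        raise ValueError("unrecognised subject prefix")
    sender, sep1, tail = subject[len(prefix):].strip().partition("|")
    reported_subject, sep2, date = tail.rpartition("|")
    if not (sep1 and sep2):
        raise ValueError("subject is not sender|subject|date")
    return {"sender": sender, "subject": reported_subject, "date": date}

def reported_email(forwarded_bytes):
    """Return (vessel, cargo); cargo is None if no reported email is attached."""
    vessel = message_from_bytes(forwarded_bytes, policy=policy.default)
    for part in vessel.iter_attachments():
        if part.get_content_type() == "message/rfc822":  # assumed attachment type
            return vessel, part.get_content()
    return vessel, None

def triage(forwarded_bytes):
    # The subject is a convenience summary; the attached headers are the evidence.
    vessel, cargo = reported_email(forwarded_bytes)
    fields = parse_subject(vessel["Subject"])
    if cargo is not None:
        frm = cargo["From"]
        actual = frm.addresses[0].addr_spec if frm and frm.addresses else None
        fields["sender_matches"] = (actual == fields["sender"])
        fields["message_id"] = cargo.get("Message-ID")
    return fields

def constructed_sample():
    """Constructed test input, not a real Hoxhunt report."""
    cargo = EmailMessage()
    cargo["From"] = "attacker@phish.com"
    cargo["Subject"] = "Urgent | verify your account"
    cargo["Message-ID"] = "<constructed-1@phish.com>"
    cargo.set_content("Please verify your account.")
    vessel = EmailMessage()
    vessel["Subject"] = ("[Hoxhunt Report] attacker@phish.com|"
                         "Urgent | verify your account|2025-01-15T14:30:00.000Z")
    vessel.set_content("This is an automatically generated Hoxhunt report.")
    vessel.add_attachment(cargo, filename="attachment.eml")
    return vessel.as_bytes()
```

Calling triage(constructed_sample()) returns the three subject fields plus sender_matches and message_id; a False sender_matches is worth a closer look at the attached headers.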

 

 

Frequently asked questions

How do I assign the reported threats to different teams?

Hoxhunt forwards all phishing reports, and respectively all spam reports, to the set of configured mailboxes.

However, if you are using Microsoft Exchange Online, you can set up a mail flow rule that processes the email based on the reporting user's AD attributes. For example, you could redirect reported threats to different security mailboxes based on the user's country information.

Hoxhunt also provides a more comprehensive Incident Orchestration product to prioritise incoming phishing campaigns based on whether the report is malicious and the severity of the phishing campaign to your organisation, which enables you to set up various workflows for different teams.

 

How long does it take until an email is forwarded?

Forwarding the reported suspicious email usually happens in under 5 seconds, but in some cases it can take several minutes because the forwarding is mainly done via the email server, and the email server can take a while to process the request.

 

I don't see the Non-spam Forwarding option in our Threat Forwarding settings.

Before you can see and set up Non-spam Forwarding (forwarding emails reported as not spam), you need to ask Hoxhunt Support to enable the "Report as not spam" option in your Hoxhunt Report add-in. Please note, however, that adding this option may increase the loading times of the reporting add-in. After it has been enabled, users can report emails as not spam from their Junk folder, and you can configure Non-spam Forwarding if you like.
