Once the mail has been reported by the user it will popup as an incident in LUCY in case you have enabled the HTTP option in LUCY. There are a few automatic analysis routines build into LUCY (e.g. check an IP in Google's Safe Browsing Database or Phishtank Database). More checks will follow in the upcoming versions.

When you click on a reported mail you will first see the overall risk score. The overall risk score is a weighted average of the following score from different scans:

• Header Analysis
• Domain Analysis
• Body Analysis

LUCY will automatically flag mail simulations. All other mails can then be manually verified by the administrator. All mails can be downloaded as .msg or .eml file and/or add an incident report.

When a user forwards an email to LUCY all the domains and IP's from the mail header & body are extracted. For each IP and domain LUCY will then lookup public databases like google's safe browsing or phishtank, if any threat was reported:

The current sources are:

• https://safebrowsing.googleapis.com/v4/threatMatches:find (port 443)
• http://data.phishtank.com/data/online-valid.csv (port 80)
• DNS BL queries to bl.spamcop.net and zen.spamhaus.org
• CI Army (list) (http://cinsscore.com/) - Network security Block Lists.
• Cybercrime tracker (http://cybercrime-tracker.net/) -

More sources will be added with each new major release. Lucy will query those sources directly from the location where the software is installed. No data is transmitted back to our infrastructure.

The LUCY admin can also quickly just manually investigate the WHOIS records from the IP's by clicking on the help symbol:

Lucy offers more filter and view options:

1. Search: You can search for any text from the mail subject or body. All emails that contain that exact search string will get displayed. This allows you to quickly identify similar attacks, even if the mail sender and recipients are different.
2. Client: Every campaign is associated with a client. This feature is helpful for MSSP's or companies with multiple legal entities to quickly identify submitted reports from different sources.
3. Date: You can use a date or date range to narrow down your search criteria
4. Domain: This field relates to the sender domain used in the reported email (not the user who reports the Email)
5. Minimum Score: The automatic risk score calculated in the system
6. Campaign: If the Email is associated with a specific campaign from LUCY
7. Select all View
8. All fields are sortable
9. Threat Details can be viewed by clicking on the date

The reported emails can be categorized by status:

• Open
• In Progress
• Dismissed
• Simulation
• Real Phishing
• Closed

The status can be set by the LUCY administrator after clicking on the detail of a reported Email. If you don't want any further notification, please set a status of the open tickets or disable the checkbox on LUCY: