Skip to main content

1️⃣ Understanding Inbox

This article explains how Riot’s Inbox module works, its different processing modes, and all its settings to efficiently handle emails reported by your employees.

1️⃣ What is the Inbox module for?

Inbox is Riot’s module that centralizes all emails reported by your employees and allows your security team to process them quickly, with or without AI assistance.

👉 Three main objectives:

  • Simplify and accelerate the processing of suspicious emails reported by employees.

  • Automatically send a follow-up notification to the employee once the ticket has been processed (safe, spam, or malicious).

  • Centralize all malicious emails in one place, with a complete history and usage insights.

With the Block Threat option enabled (see section 5), Inbox can also neutralize an attack across the entire organization from a single report.

2️⃣ How does an email reach Inbox?

There are three ways for a reported email to appear in Inbox:

👉 1. Riot Phishing Reporter (recommended)

An Outlook add-in or Gmail button that allows employees to report an email in one click directly from their mailbox. Compatible with Outlook desktop, web, and mobile, as well as Gmail web and mobile.

👉 2. Native Outlook button

If you prefer using Microsoft’s native “Report” button, we can intercept it so reported emails are automatically sent to Inbox.

👉 3. Email forwarding

The employee forwards the suspicious email to a dedicated receiving address (or an easier-to-remember alias, for example [email protected]). This is the only method that works across all mail clients, including Apple Mail.

👍 Good to know: unlike Outlook, Gmail does not allow third-party tools to intercept reports made through its native “Report phishing” button. Emails reported this way are sent directly to Google and never reach Inbox. For Gmail, you must use the Riot Phishing Reporter or the forwarding method.

👉 What happens when an employee reports an email?

  1. The employee immediately receives a confirmation (an in-product message with the Phishing Reporter, or a confirmation email with the native button or forwarding method).

  2. A ticket is created in Inbox.

  3. If multiple employees report the same email, their reports are merged into a single ticket — only one ticket for the admin to process.

  4. The ticket is then processed according to the configured processing mode (see section 4).

  5. Once processed, the employee receives a follow-up email notification indicating the outcome (safe, spam, or malicious).

3️⃣ Inbox view and ticket processing

When opening the module, you arrive directly in your Inbox.

👉 Navigating the list

  • Search for an email using keywords from the search bar.

  • Filter by open tickets or tickets assigned to you.

  • Sort by latest reported emails or latest Inbox activity.

Each line in the list displays: the email subject, number of reports, applied labels, time since reporting, and a status indicator:

  • 🔵 Blue dot: the email has not yet been processed.

  • Blue checkmark: the email has been processed (“marked as”).

👉 Processing an email

By clicking the preview, you access the content of the reported email. From the “…” menu in the top-right corner, you can:

  • Mark the email as Safe, Spam, or Malicious.

  • Display headers by clicking the blue text.

  • Download the email as a .eml file.

  • Remove the email from the Inbox view.

When AI is enabled, emails marked as malicious are categorized into 3 threat types:

  • Employee impersonation

  • Partner payment fraud

  • Service impersonation

If AI is disabled, the email is simply marked as malicious without any threat categorization.

4️⃣ Choosing a processing mode

Inbox offers three processing modes, configurable under Settings > Threat Analysis:

👉 Manual

All tickets must be reviewed and decided on by administrators. AI is not involved.

👉 Manual with AI suggestions (recommended starting mode)

Tickets are still processed manually, but AI suggests a pre-label (safe, spam, or malicious). You keep full control to validate or modify the suggestion. This mode allows the AI to train on your real-life cases before potentially switching to automatic mode.

👉 Automatic

All tickets are automatically processed by AI. No human action is required — you never have pending tickets.

👍 Good to know: Inbox AI can analyze emails in all languages. It relies on a large language model (LLM) through Azure OpenAI, making multilingual analysis both native and reliable.

👉 How does AI analyze an email?

To label an email as safe, spam, or malicious, the AI combines several signals:

  1. Phishing indicators: spelling mistakes, requests for personal information, urgency tactics.

  2. Technical review: sender, recipient, subject, content, DKIM, DMARC, SPF, SCL.

  3. Sender IP address and domain compared against known malicious IP/domain lists.

  4. Suspicious activity: spoofed sender addresses, mismatched reply-to addresses, etc.

  5. Email headers compared with known fraudulent emails.

  6. Threat intelligence platforms for associated malicious IPs.

  7. Email body and links: suspicious language, urgent requests, questionable links, and security certificates.

5️⃣ Amplifying protection: Block Threat, allowlist & blocklist

Three settings allow you to go beyond simple ticket-by-ticket processing.

👉 Block Threat

When this option is enabled, a single report protects the entire organization:

  • The reported email is immediately moved to spam for the employee who reported it.

  • Once the ticket is confirmed as malicious (manually or by AI), the email is moved to spam for every employee who received it.

  • Future emails from the same attack are automatically moved to spam upon arrival, in real time.

  • If an admin reclassifies the email as safe, the emails are restored to users’ inboxes.

👍 Good to know: an attack is identified by the combination of sender address + subject line. The system handles random variations (names, IDs, random strings) that attackers insert into the subject line to bypass traditional filters. Enabling Block Threat requires read/write permissions on mailboxes.

👉 Allowed senders (allowlist)

Senders or domains added to this list are always considered safe. If an employee reports an email from an allowed sender, the Phishing Reporter immediately informs them that the sender is considered trusted by your organization.

👉 Blocked senders (blocklist)

Senders or domains added to this list are always considered malicious. If an employee reports an email from a blocked sender, the Phishing Reporter immediately informs them that the sender is known to be malicious. With Block Threat enabled, emails from blocked senders are automatically moved to spam upon receipt, without ticket creation or manual review.

6️⃣ Ticket details and activity

The panel on the right side of the screen gives you all the context around the ticket.

👉 Details

The employee(s) who reported the email.

👉 Activity

The complete history of the email processing workflow — especially useful for providing a second opinion or tracking the evolution since the report. You will also find the comment left by the employee when reporting the email.

7️⃣ Configuring admin notifications

Each administrator can configure notifications in their profile:

  • Send right away — an email as soon as a ticket is created, assigned to them, or (depending on configuration) when there is significant reporting activity on an email.

  • Send in digest — a monthly summary email.

👉 Automatic distribution (additional option)

If your team does not have a defined internal process, tickets can be automatically and randomly assigned to a group of administrators (for example, all security admins). Each admin can then choose to receive notifications only when a ticket is actually assigned to them — useful for distributing workload without overwhelming everyone.

👍 Good to know: currently, admin notifications are available only by email. Slack, Teams, and Google Chat are not yet available as admin notification channels.

8️⃣ Insights

From the Insights tab, you can visualize key data extracted from the processing of reported emails:

  • Time period: data automatically updates according to the selected period.

  • Open tickets: number of unprocessed tickets.

  • Usage: percentage of employees who used the Phishing Reporter and/or email forwarding during the selected period.

  • Reporting accuracy: percentage of reported emails actually identified as threats (marked as malicious by an admin or by AI).

  • Threat distribution: for malicious emails, visibility into the breakdown of threats by percentage.

  • Top reporters: employees who reported the highest number of emails effectively identified as malicious.

Statistics can be downloaded as CSV files directly from Inbox and are also accessible through our public API.

👍 Key takeaways

— Inbox centralizes all emails reported by your employees, regardless of the reporting method used (Phishing Reporter, native Outlook button, or forwarding).

— Three processing modes are available: Manual, Manual with AI suggestions, or Automatic.

— AI analyzes emails in all languages and categorizes malicious emails into 3 threat types.

— Block Threat amplifies protection: a single report can neutralize an attack across the entire organization.

— Allowlists/blocklists help streamline and improve the reliability of sender processing.

Related Articles
6️⃣ How to optimize it? — Inbox reminders and notifications
3️⃣ Set Up Riot with Proofpoint and Phish Alarm
1️⃣ Understanding Smishing
1️⃣ Understanding Slash: Detection banners
2️⃣ How to install detection banners (Slash)
Did this answer your question?