# Phishing email forwarding overview

Radiant triages user-reported phishing and business email compromise (BEC) reports as part of its alert triage pipeline. To begin triaging these reports, you forward them from your email platform or phishing reporting tool into a Radiant-managed mailbox. This article covers the prerequisites that apply to every forwarding method, the phishing configuration settings in Radiant, and how to choose the right forwarding method for your environment.

The phishing use case requires a few setup steps that other connectors do not. Most importantly, enabling the domains you want Radiant to monitor and choosing whether to triage junk and spam reports. Complete the steps in this article in order.

### Prerequisites

Before you configure phishing email forwarding, confirm the following:

* [ ] Admin access to the email platform or reporting tool you plan to use for forwarding.
* [ ] An **Email Data Connector** (Microsoft 365 or Google Workspace) is configured and tested end-to-end. Radiant must be ingesting your email logs before you forward phishing reports.
* [ ] The **Microsoft Entra ID Data Connector** is configured. This feed provides the list of domains your organization owns, which Radiant uses to determine which reports to triage.

{% hint style="warning" %}
**Important note:** The Microsoft Entra ID data feed is required for the phishing use case to work. Without it, Radiant cannot determine which domains belong to your organization and will not triage forwarded reports.
{% endhint %}

An **Email Action Connector** is recommended but not required. Without one, Radiant ingests and triages phishing reports but cannot execute response actions such as quarantining messages or disabling forwarding rules.

### Configure phishing settings in Radiant

Phishing configuration in Radiant has two tabs: **Monitored Domains**, where you enable the domains Radiant should triage reports for, and **Phishing Triage Tuning**, where you choose whether to triage junk and spam reports alongside phishing reports.

To open the page, sign in to [Radiant Security](https://app.radiantsecurity.ai/) and go to **Settings > Organization > Phishing Configuration**.

#### Enable monitored domains

Radiant only triages reports for domains you explicitly enable. This prevents triage of reports unrelated to your organization, such as messages forwarded from personal accounts.

{% stepper %}
{% step %}

#### Open the Monitored Domains tab

On the Phishing Configuration page, select the **Monitored Domains** tab. The tab lists every domain synchronized from your Microsoft Entra ID data feed, along with the user count and the source data connector.

<div align="left"><figure><img src="/files/CFYu8zpCLqKl7I9k0L7X" alt="" width="203"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Toggle on each domain you want monitored

For each domain you want Radiant to monitor, toggle **Monitor domain** on.

{% hint style="success" %}
**Tip:** Only enable domains that send or receive email relevant to your organization’s security posture.
{% endhint %}
{% endstep %}
{% endstepper %}

#### Choose how to handle junk and spam reports

The **Triage junk/spam emails** toggle controls whether Radiant triages junk and spam reports alongside phishing reports. By default, this setting is enabled.

{% stepper %}
{% step %}

#### Open the Phishing Triage Tuning tab

On the Phishing Configuration page, select the **Phishing Triage Tuning** tab.

<div align="left"><figure><img src="/files/hr2RaBrl9EUdJcwtAh2z" alt="" width="205"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Set the Triage junk/spam emails toggle

* Toggle **on** to triage all forwarded reports, including junk and spam.
* Toggle **off** to exclude junk and spam reports from triage. Radiant will only triage messages a user explicitly flagged as phishing.
  {% endstep %}
  {% endstepper %}

{% hint style="info" %}
**Note:** This setting applies regardless of email platform. You do not need to also configure your email platform to suppress junk or spam forwarding — the Radiant toggle is the canonical control.
{% endhint %}

### Choose a forwarding method

Choose one method based on your email platform and reporting tool. You only need to configure one of the following.

<table data-view="cards"><thead><tr><th>Method</th><th>Use this if</th><th data-card-target data-type="content-ref">Target</th></tr></thead><tbody><tr><td><strong>Microsoft 365</strong></td><td>You use Microsoft 365 with the built-in Report Phishing button.</td><td><a href="/pages/SrUTEK5X0ewEw8wtuFhD">/pages/SrUTEK5X0ewEw8wtuFhD</a></td></tr><tr><td><strong>Outlook on the web</strong></td><td>You need per-mailbox conditional forwarding without changing tenant-wide policy.</td><td><a href="/pages/9nTEGwqNPGcAJGjVPSPO">/pages/9nTEGwqNPGcAJGjVPSPO</a></td></tr><tr><td><strong>Google Workspace</strong></td><td>Your organization runs on Google Workspace.</td><td><a href="/pages/TKNiHf30MPZZUSkreFOe">/pages/TKNiHf30MPZZUSkreFOe</a></td></tr><tr><td><strong>KnowBe4 PhishER</strong></td><td>Your users report phishing through the KnowBe4 Phish Alert Button.</td><td><a href="/pages/9U5LMbtoQKDn7B5QdZFo">/pages/9U5LMbtoQKDn7B5QdZFo</a></td></tr><tr><td><strong>Proofpoint PhishAlarm</strong></td><td>Your users report phishing through the Proofpoint PhishAlarm button.</td><td><a href="/pages/7ROTAzrRgelbahdAe9SZ">/pages/7ROTAzrRgelbahdAe9SZ</a></td></tr></tbody></table>

{% hint style="info" %}
**Note:** Microsoft 365 customers using KnowBe4 have two options — the native Microsoft 365 path and the KnowBe4 path. Use the KnowBe4 path if the Phish Alert Button is your standard reporting tool. Use the native Microsoft 365 path if users report through the built-in Microsoft Report Phishing button.
{% endhint %}

### Verify ingestion

After you complete a forwarding setup, confirm Radiant is ingesting and triaging reports correctly:

1. Send a test message to a mailbox in your organization and report it as phishing using your standard reporting tool.
2. Sign in to [Radiant Security](https://app.radiantsecurity.ai/) and check the **Alerts** and **Cases** tabs for the triaged report.

If the report does not appear, see the troubleshooting guidance in your platform-specific forwarding article.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.radiantsecurity.ai/radiant-connectors/connectors-and-data-ingestion/phishing-email-forwarding-overview.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.