Phishing email forwarding overview

Radiant triages user-reported phishing and business email compromise (BEC) reports as part of its alert triage pipeline. To begin triaging these reports, you forward them from your email platform or phishing reporting tool into a Radiant-managed mailbox. This article covers the prerequisites that apply to every forwarding method, the phishing configuration settings in Radiant, and how to choose the right forwarding method for your environment.

The phishing use case requires a few setup steps that other connectors do not. Most importantly, enabling the domains you want Radiant to monitor and choosing whether to triage junk and spam reports. Complete the steps in this article in order.

Prerequisites

Before you configure phishing email forwarding, confirm the following:

• Admin access to the email platform or reporting tool you plan to use for forwarding.

• An Email Data Connector (Microsoft 365 or Google Workspace) is configured and tested end-to-end. Radiant must be ingesting your email logs before you forward phishing reports.

• The Microsoft Entra ID Data Connector is configured. This feed provides the list of domains your organization owns, which Radiant uses to determine which reports to triage.

An Email Action Connector is recommended but not required. Without one, Radiant ingests and triages phishing reports but cannot execute response actions such as quarantining messages or disabling forwarding rules.

Configure phishing settings in Radiant

Phishing configuration in Radiant has two tabs: Monitored Domains, where you enable the domains Radiant should triage reports for, and Phishing Triage Tuning, where you choose whether to triage junk and spam reports alongside phishing reports.

To open the page, sign in to Radiant Security and go to Settings > Organization > Phishing Configuration.

Enable monitored domains

Radiant only triages reports for domains you explicitly enable. This prevents triage of reports unrelated to your organization, such as messages forwarded from personal accounts.

1

Open the Monitored Domains tab

On the Phishing Configuration page, select the Monitored Domains tab. The tab lists every domain synchronized from your Microsoft Entra ID data feed, along with the user count and the source data connector.

2

Toggle on each domain you want monitored

For each domain you want Radiant to monitor, toggle Monitor domain on.

Tip: Only enable domains that send or receive email relevant to your organization’s security posture.

Choose how to handle junk and spam reports

The Triage junk/spam emails toggle controls whether Radiant triages junk and spam reports alongside phishing reports. By default, this setting is enabled.

1

Open the Phishing Triage Tuning tab

On the Phishing Configuration page, select the Phishing Triage Tuning tab.

2

Set the Triage junk/spam emails toggle

• Toggle on to triage all forwarded reports, including junk and spam.

• Toggle off to exclude junk and spam reports from triage. Radiant will only triage messages a user explicitly flagged as phishing.

Choose a forwarding method

Choose one method based on your email platform and reporting tool. You only need to configure one of the following.

Verify ingestion

After you complete a forwarding setup, confirm Radiant is ingesting and triaging reports correctly:

1. Send a test message to a mailbox in your organization and report it as phishing using your standard reporting tool.

2. Sign in to Radiant Security and check the Alerts and Cases tabs for the triaged report.

If the report does not appear, see the troubleshooting guidance in your platform-specific forwarding article.