Reported Email Review: Turning Employees Into Sensors

Marcus Chen··8 min read
Reviewing employee-reported emails

Traditional email security relies on filters and policies that operate before an email reaches the inbox. But some threats get through, and when they do, the people best positioned to spot them are the employees reading their own email. The challenge has always been connecting that front-line observation to a security team that can act on it. empowsec's reported email review workflow is built to make that connection systematic: every email reported by an employee through the Outlook or Gmail add-in is captured in full and placed in an admin review queue, where the security team can classify it, analyze it, and use it to build a clearer picture of what is actually targeting the organization.

This article explains how the review queue works, what classification options are available, why captured email metadata matters, and how the combination of human reporting and systematic review gives organizations a threat intelligence capability that inbox filters alone cannot provide.

The Admin Review Queue

Every email reported through the empowsec Outlook or Gmail add-in lands in the admin review queue. This is a centralized list of reported emails that the security team works through, examining each one and deciding how to classify it. The queue view shows the key identifying information for each reported email at a glance: the sender, the subject line, who reported it, and the current status. This summary makes it possible to triage efficiently - an admin can immediately see which reports are from the same sender, whether multiple employees have reported the same email, and which reports are still waiting to be reviewed.

The queue approach is important because it prevents reported emails from falling through the cracks. If there were no centralized queue, reported emails might arrive as forwarded messages in an inbox, where they could be easily lost among other correspondence. A structured queue with status tracking means each report is acknowledged, reviewed, and classified, with a clear record of how every report was handled.

For organizations running phishing awareness programs, the review queue also serves a secondary purpose: it is the mechanism by which simulated phishing reports are distinguished from real ones. When an employee reports a simulation, empowsec recognizes it and provides instant feedback to the employee. When an employee reports an email that is not a simulation, it enters the review queue as a genuine report requiring human review. The queue handles both cases, maintaining a complete record of all employee reporting activity.

app.empowsec.com / security / reported-emails
SenderSubjectReporterStatus
[email protected]Action needed: sign nowj.tanConfirmed threat
[email protected]Your exclusive offer expiresr.leeSpam
[email protected]Q3 benefits enrollmentm.patelFalse positive
[email protected]Invoice #4421 attacheds.kimPending review
The reported email review queue shows sender, subject, reporting employee, and classification status at a glance, letting the security team triage and work through reports efficiently.

Classification: What Each Status Means

When an admin opens a reported email for review, they can classify it into one of the available categories. The categories available in empowsec include confirmed threat, confirmed spam, false positive, and legitimate. Each classification carries a distinct implication for how the report is handled and what happens next.

A confirmed threat classification means the admin has determined the reported email represents a genuine phishing or malicious email. This is the highest-priority classification, because it means the organization is being actively targeted. Confirmed threats give the security team visibility into the specific tactics and sender infrastructure being used in real attacks against the organization. When multiple employees report emails from the same sender, or when an email uses a similar lure to known phishing kits, that pattern becomes visible through the review queue in a way that inbox filtering logs typically do not reveal.

A spam classification means the email is unsolicited commercial email rather than a deliberate targeted attack. While less dangerous than a confirmed threat, high volumes of spam reaching employee inboxes may indicate a gap in filtering that is worth addressing. A false positive classification means the email was legitimate but the employee correctly applied skepticism and reported it - a sign of healthy security awareness that should be recognized as good behavior rather than treated as an error. A legitimate classification is the same conclusion reached with the additional context that the email was expected and appropriate.

These classifications are not just for record-keeping. They feed the risk scoring engine: employees who report genuine phishing threats earn positive risk credit (8 points for a confirmed real threat), while employees who report simulations earn 5 points. Classification determines which events generate positive risk credit, ensuring that the reward goes to the right reporting actions.

Email Headers and Metadata: The Foundation for Analysis

The empowsec add-in captures not just the visible content of a reported email but also its headers and metadata. Email headers are the hidden routing and authentication records that accompany every message: the path it took through mail servers, the IP address of the originating server, the results of sender authentication checks such as SPF, DKIM, and DMARC, and various timestamps that record when each handoff in the delivery chain occurred. This information is often more revealing than the email body itself when assessing whether a message is malicious.

A convincing phishing email might use a plausible sender name and well-formatted HTML content that looks legitimate at a glance. The headers, however, often reveal the reality: an originating IP address in an unexpected geography, a domain that fails DMARC validation, a routing path through infrastructure associated with known spam or phishing operations. An analyst reviewing the captured headers has access to this full picture, which is significantly more useful than the visible email alone.

Storing headers and metadata also creates a record that can be referenced later. If a threat actor uses the same infrastructure across multiple campaigns, earlier reports that were classified at the time may provide context that helps analysts connect new reports to known patterns. The review queue is not just a triage tool for the current moment; it is a growing record of what has been reported, analyzed, and classified, which accumulates value over time as more data becomes available.

Report detail - [email protected]
Reported by [email protected] - 4 July 2026 09:14
From domaindocusign-update.net
SPFFail
DMARCFail
Originating IP185.220.101.47
Confirm threat Mark as spam False positive
The email detail panel shows header analysis - SPF/DMARC results, originating IP - alongside classification buttons, giving the analyst everything needed to make a confident call.

Every Employee as a Human Sensor

The most significant benefit of the reported email review workflow is what it does to the threat detection capability of the organization as a whole. Traditional email security concentrates detection capability at the perimeter: email gateways scan messages before they reach inboxes, applying rules and reputation checks that filter out known threats. But the perimeter is not perfect. Novel phishing campaigns, targeted spear-phishing emails, and emails that exploit trust relationships between known senders often evade perimeter filtering.

When employees have a simple, low-friction way to report suspicious emails, they become an additional layer of detection that operates inside the perimeter. Every employee with the reporting button is, in effect, a human sensor. They see their own inbox, they know the context of their work, and they can recognize when an email is asking for something unusual or coming from an unexpected source - contextual signals that automated filters are not well-positioned to evaluate.

At scale, this creates a network effect. An email that targets one employee may not trigger automated detection, but if that employee reports it and the security team classifies it as a confirmed threat, the organization has gained intelligence about an active campaign. If other employees later receive similar emails and also report them, the connection becomes visible through the review queue. The collective reporting behavior of employees across the organization builds a picture of the threat landscape that complements and extends what perimeter tools can see.

This is the concept empowsec's reported email review workflow is built around: every report submitted, every header captured, and every classification made contributes to a growing body of threat intelligence grounded in what is actually reaching employee inboxes. Combined with the risk scoring credit that rewards reporting behavior, the workflow creates an environment where employees are incentivized to act as part of the security team's extended detection capability rather than passive recipients of threats they are expected to simply avoid.

Tip
Review the queue at least once per week. Confirmed threats that go unclassified provide no risk credit to the reporting employee and no intelligence signal to the team - timely review turns reports into action.

What This Means for Your Team

  • Centralized review queue ensures every employee report is captured, tracked, and classified rather than lost in an inbox or ignored.
  • Full email capture including headers and metadata gives analysts the complete picture needed to make accurate classification decisions, not just the visible email content.
  • Classification options - confirmed threat, spam, false positive, legitimate - create a structured record of what the organization is receiving and how it is being handled.
  • Risk credit for confirmed real threats (8 points) rewards the employees who contribute the most valuable threat intelligence, reinforcing reporting behavior across the organization.
  • Every employee becomes a sensor: the reporting workflow turns employee inbox awareness into an active threat detection layer that complements perimeter filtering.
Share: