PhishMe for Analyst
August 15, 2021

Sarthak Chand | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Overall Satisfaction with Cofense PhishMe

We use Cofense PhishMe for capturing the user-reported phish emails. The console is used in a Security Operations Center environment 24x7x365. Basically, the information security team handles the administration and the triaging of the reported emails. The Cofense PhishMe plugin is installed on the email client of all the users so that they can report a suspicious email directly from their email client.

We triage the suspicious/malicious reported emails using the different fields it provides, like the headers, body, URLs, and attachments sections. We write custom YARA rules for easy automation.

It addresses the main concern that email has become a major vector for malicious attacks; to raise user awareness and then catch the bad guys, we need assistance from a tool like Cofense PhishMe.

  • It gives clear-cut segregation of different parts of an email, header, text and HTML body, URL, attachments, HTML preview and some analytical insight like "similar reports." This distinctive approach actually helps reduce data overload during an analysis.
  • The URLs captured here pass through an automatic reputation check [in our case VirusTotal] and get a reputation tag. If it is a well-known bad URL, the tag helps us make the decision fast.
  • For creating automation rules on the reported emails, the "Recipes" section is really helpful. We can create easy recipes [or rules] to handle a huge flow of reports, and we can also create more sophisticated rules depending on the cyber intelligence feed to catch the really bad, currently less-known attack attempts by malicious emails.
  • The "Threat Indicators" section is also useful as a threat intelligence source to check URLs for maliciousness.
  • Need to add more OSINT APIs to check the reputation of embedded URLs and the hash of attached files.
  • "Screen Capture" of the embedded URL links [after clicking on the embedded URL where the URL takes the user] will be really helpful for triaging basic credential harvesting attack scenarios.
  • Integration of the Proofpoint email gateway with PhishMe Triage will help us determine the volume of email from a suspicious sender. This will remove the need to open another console just to check the number of emails from a particular sender.
  • From a normal user's perspective, it's an easy, fast, very very user-friendly phishing email reporting structure. No need to remember any email address, no need for sophisticated handling of malicious emails while sending/reporting. Just a click and it is done.
  • From the admin and analyst point of view: Easy and clutter-free triaging pane, IOC reputation check facility, Rules and Recipes section for automation and focused triaging, Notification to the reporter based on the triaging done is really a helpful feedback loop.
  • Overall: Simple to handle, a shorter learning curve, well managed, less administration time, fewer issues, less maintenance time.

I have not used similar kinds of products previously, so it is hard for me to compare anything here. But as long as I have used PhishMe, I have loved it. The ease of use, the neat design, and the distinct tabs help reduce the clutter. The learning curve to get comfortable with the tool is very short, so we could start using PhishMe early.

Do you think Cofense PhishMe delivers good value for the price?

Yes

Are you happy with Cofense PhishMe's feature set?

Yes

Did Cofense PhishMe live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Cofense PhishMe go as expected?

Yes

Would you buy Cofense PhishMe again?

Yes

CrowdStrike Falcon Endpoint Protection, Splunk Enterprise Security (SIEM), RSA NetWitness Orchestrator, Exabeam Fusion, Symantec Data Loss Prevention, Palo Alto Networks Cortex XSOAR (formerly Demisto), Palo Alto Networks Next-Generation Firewalls - PA Series, Titanium Cloud, Zscaler Internet Access, Zscaler Private Access, Amazon GuardDuty, Palo Alto Networks Prisma SaaS (formerly Aperture), Palo Alto Networks Prisma Cloud, Cisco Firepower 1000 Series
Well Suited:
  • Large to small-scale organizations with a dedicated information security team.
  • The admin team will get acquainted with the organization's email trends, user behaviors, false-positive scenarios, and real attack concerns.

Less Appropriate:
  • Service provider companies handling multiple clients.
  • There is no approach for client segregation in PhishMe, so this may create some kind of confusion when triaging multiple different client organizations' reported emails on a single pane.