Cyber Guru Phishing allows you to detect and log reports made by users (Cyber Defenders) who correctly identify a simulated attack and forward it to the appropriate department.
For these reports to be recognized and valued by the platform, it’s essential to properly configure the forwarding flow so that the so-called "Reported Attacks" can be tracked.
A report will not be logged if the user first clicks the link in the email and only afterwards submits the report.
If your organization uses Google Workspace or Microsoft 365, we recommend you refer to the dedicated sections for specific and optimized reporting configuration.
MICROSOFT 365 Reporting Configuration Guide
GOOGLE WORKSPACE Reporting Configuration Guide
For all other cases, this guide provides general guidelines for routing reports to Cyber Guru, to be used as a reference for properly configuring your company’s systems.
It’s crucial that the reporting flow is filtered so that only simulated phishing messages generated by the platform and sent directly to the user are forwarded to Cyber Guru, excluding other irrelevant messages and real phishing. Messages not originating from Cyber Guru can be blocked or redirected to the customer’s SOC/CERT for further cybersecurity analysis.
Conditions for forwarding reports to Cyber Guru
For a report to be logged in the Cyber Guru Platform, the following conditions must be met:
- An email must be sent for each report from every user to: defenders@cyberguru.report
- The email being reported can be forwarded directly in the body of the message (in-body message) or sent as an attachment.
- The report, regardless of the method chosen (in-body or attachment), must contain at least the "?rid=" part followed by the RID identifier, a unique alphanumeric code for each campaign, user, and customer.
Examples of correctly logged reports
Below are some example scenarios where the system correctly logs the reports received:
- The user forwards the phishing email to the SOC/CERT, which then forwards it to defenders@cyberguru.report
- The user forwards the phishing email to a ticketing system, and from there it is subsequently forwarded to defenders@cyberguru.report
Examples of INVALID reports
Below are some examples where the system does not correctly log the reports received:
- A list of email addresses is sent
- A list of usernames is sent
- A list of RIDs is sent
- An email address is sent
- A username is sent
- A RID code is sent without the "?rid=" part
- A set of emails from multiple users is sent
Procedure for automatic routing of reported emails
Each email sent from the platform can be identified by the following elements:
- DKIM signature on the simulation domain used for the campaign: check that the DKIM signature is valid (dkim=pass) and that the signing domain (d=) matches an authorized Cyber Guru simulation domain. Available at delivery time.
- Source IP address: unless otherwise agreed, 85.235.135.191. Verifiable at delivery time.
- ?rid= parameter in URLs: unique identifier for campaign, user, and customer. Present in the body of the message, also available after forwarding.
Routing the report
At delivery time: If your mail system allows, set up a mail flow rule that checks the DKIM signature for an authorized Cyber Guru simulation domain and applies a tag to the message, which can later be used for routing the report.
At reporting time: For automatic routing, make sure that:
- the link’s domain belongs to an expected Cyber Guru simulation domain
- the link contains the ?rid= parameter
- the RID value is in the format generated by the platform
Messages that meet these criteria should be forwarded to defenders@cyberguru.report. All other reported messages should be handled according to your organization’s security procedures (SOC/CERT).
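The three reporting-time checks can be sketched as a routing filter. This is an added example, not Cyber Guru's code: the simulation domain allow-list, the RID pattern (the guide only says "alphanumeric"), the SOC mailbox and the sample messages are all assumptions to replace with your own values.

```python
import html
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import parse_qs, urlsplit

CYBER_GURU_MAILBOX = "defenders@cyberguru.report"  # address given in the guide
SOC_MAILBOX = "soc@corp.example"                   # assumption: your SOC/CERT mailbox
SIMULATION_DOMAINS = {"sim-login.example"}         # assumption: placeholder allow-list
RID_FORMAT = re.compile(r"[A-Za-z0-9]{8,64}")      # assumption: real RID format may differ
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def find_rid(raw_report):
    """Return the RID when exactly one valid RID is present (in-body or attached), else None."""
    msg = message_from_string(raw_report, policy=policy.default)
    rids = set()
    for part in msg.walk():  # walk() also descends into attached message/rfc822 parts
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(html.unescape(part.get_content())):
            try:
                parts = urlsplit(url)
            except ValueError:
                continue
            # exact host match: a lookalike such as sim-login.example.other.example fails
            if (parts.hostname or "").lower() not in SIMULATION_DOMAINS:
                continue
            values = parse_qs(parts.query).get("rid", [])
            if len(values) == 1 and RID_FORMAT.fullmatch(values[0]):
                rids.add(values[0])
    # several distinct RIDs means several users' emails were bundled, which the guide rejects
    return rids.pop() if len(rids) == 1 else None

def route(raw_report):
    return CYBER_GURU_MAILBOX if find_rid(raw_report) else SOC_MAILBOX

def sample_report(links, as_attachment=False):
    """Constructed report (sample data): links forwarded in-body or as an attached message."""
    body = "".join(f"Renew here: {link}\n" for link in links)
    report = EmailMessage()
    report["Subject"] = "Fwd: Password expiry"
    if as_attachment:
        original = EmailMessage()
        original.set_content(body)
        report.set_content("Reporting the attached message.\n")
        report.add_attachment(original)
    else:
        report.set_content("---- Forwarded message ----\n" + body)
    return report.as_string()
```

Anything that does not resolve to a single valid RID on an allow-listed host goes to the SOC mailbox, so real phishing reported by users never reaches the Cyber Guru address.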