The Phishing Report AI Response turns your employees into your strongest defense. When they report suspected phishing, the AI agent instantly analyzes the email, identifies real threats, and responds with personalized security guidance - helping your team learn to spot attacks before they click.
This feature requires DNS Setup to be completed first so Ocean can send emails from your corporate domain.

Accessing Configuration

Navigate to Settings > AI Response > Phishing reports tab in the Ocean portal.
Until DNS setup is complete, replies are sent from soc-automation@ocean.security. After setup, responses will come from your corporate domain.

Configuration Options

Enable AI Response

Toggle Enable phishing reports response to activate automatic responses to abuse reports submitted by employees. When enabled, AI Response analyzes reported emails and sends educational responses explaining whether the email was safe or malicious.

Remediation Scope - Echo

When Ocean confirms that a reported email is malicious, Echo acts according to the scope configured here: it automatically searches for all copies sent to other employees in your organization and removes them silently. Affected recipients are not notified.

| Option | Behavior |
| --- | --- |
| All Recipients | Remove the malicious email from every mailbox that received it. This is the recommended setting for maximum protection. |
| Reporter Only | Remove the email only from the reporting employee’s mailbox. Other recipients are not affected. |

Setting Remediation Scope to Reporter Only means other employees who received the same phishing email remain exposed to the threat. Use this setting only if you have a specific reason to limit remediation scope.

Mailbox Configuration

| Field | Description |
| --- | --- |
| Abuse mailbox | The mailbox where employees forward suspected phishing emails (e.g., abuse@yourcompany.com). AI Response monitors this mailbox for incoming reports. |

Response Behavior

The Who can receive the response setting controls which employees receive automated responses:

| Option | Description |
| --- | --- |
| None | Disable responses entirely - no automatic replies will be sent |
| Specific employees | Only respond to reports from designated users or groups |
| All employees | Respond to reports from anyone in the organization |

When Specific employees is selected, two additional fields appear:

| Field | Description |
| --- | --- |
| Eligible users | Individual email addresses that will receive responses (comma-separated) |
| Eligible groups | Distribution groups or security groups whose members will receive responses (comma-separated) |

Start with a pilot group of security-aware employees before rolling out to the entire organization.

Response Customization

Customize the sender information for automated responses. The Response illustration panel on the right shows a live preview as you make changes.

| Field | Description |
| --- | --- |
| Sender name | Display name shown in the From field (e.g., “Ocean Security”) |
| Sender mailbox | Email address used to send responses. Changing to a different domain requires DNS setup to be completed first. |

When you change the sender mailbox to a different domain, the change will be pending until DNS verification is complete. You’ll see a notification indicating that replies are still being sent from the default address.

Response Preview

The Response illustration panel displays a preview of how automated responses appear to employees. The response template includes:
  • From address: Shows the configured sender name and email
  • Greeting: Personalized with the employee’s name
  • Verdict: Clear statement whether the reported email is safe or malicious
  • Email details: Subject, sender, and timestamp of the reported message
  • Explanation: AI-generated reasoning explaining why the email is or isn’t a threat
  • Next steps: Actionable guidance if the employee remains unsure
  • Closing: Appreciation for reporting and encouragement to continue reporting