Once the mail has been reported by the user it will popup as an incident in LUCY in case you have enabled the HTTP option in LUCY. There are a few automatic analysis routines build into LUCY (e.g. check an IP in Google's Safe Browsing Database or Phishtank Database). More checks will follow in the upcoming versions.
When you click on a reported mail you will first see the overall risk score. The overall risk score is a weighted average of the following score from different scans:
LUCY will automatically flag mail simulations. All other mails can then be manually verified by the administrator. All mails can be downloaded as .msg or .eml file and/or add an incident report.
When a user forwards an email to LUCY all the domains and IP's from the mail header & body are extracted. For each IP and domain LUCY will then lookup public databases like google's safe browsing or phishtank, if any threat was reported:
The current sources are:
More sources will be added with each new major release. Lucy will query those sources directly from the location where the software is installed. No data is transmitted back to our infrastructure.
The LUCY admin can also quickly just manually investigate the WHOIS records from the IP's by clicking on the help symbol:
Lucy offers more filter and view options:
The reported emails can be categorized by status:
The status can be set by the LUCY administrator after clicking on the detail of a reported Email. If you don't want any further notification, please set a status of the open tickets or disable the checkbox on LUCY: