If you know that an incoming email is legitimate, and not actually a spear phishing attack, you can report it as a false positive. Reporting false positives helps to improve Barracuda Networks' artificial intelligence. Emails that you deem to be legitimate are also transferred from the recipients' Junk Email folders back into their inboxes, provided that the user did not delete or move those emails before you took action.
To report a false positive:
- On the RealTime AI page, in the Spear Phishing Attacks list, locate the email you think was a false positive. Click the More Details icon on the far right of the list to check the contents of the email.
- If you think this email is not actually a threat, click the Report False Positive icon on the far right of the list.
- Choose an action to take for this specific email. Then click Yes, Report False Positive to report the email.
  - Do not add this sender to my allowed senders (recommended) – The safest option, because future emails from this sender will still be reviewed and not allowed to bypass security evaluation.
  - Add the domain to my allowed senders – For all senders in a particular domain, not just a single sender.
  - Add the address to my allowed senders – For the single, individual sender who sent this email. This is the second safest option, because it only allows one individual sender to bypass security evaluation.
- To help the Barracuda team know why you think this email is a false positive, select the option that best describes this email. Select the Other option to enter a reason that is not already presented. Then click Submit.
- The system displays a Thank You message, to let you know your information was received. Click Close to close that browser tab and continue working.
The system will learn, improving its AI, based on your input. Note that changes based on your feedback are not immediate.
You can also report false positives based on an account takeover alert. Refer to Account Takeover Alerts for more information.
Note that if you click Delete All Attacks, as described in Removing Attacks Found during a Barracuda Email Threat Scan, emails you reported as False Positives are not deleted.
Mistakenly Reporting a False Positive
If you mistakenly report an email as a false positive, there is no need to alert Barracuda.
You might want to take the following actions:
- Move the email back to the Junk email folder – If the email you marked as a false positive was previously moved to users' Junk email folders, as opposed to being deleted, marking it as a false positive moves it back to users' inboxes. If the email is truly a threat, you will likely want to remove it from users' inboxes. If you have Barracuda Networks' Incident Response, you can create an incident to remove the email from users' inboxes.
  Barracuda Networks' Incident Response is available with Barracuda Email Protection Premium and Premium Plus plans.
- Update the allowed senders list – As part of the false positive report, you might have added the domain or address to the allowed senders list. If the email is truly a threat, remove the domain or address from the allowed senders list. Follow the instructions in How to Allow Senders to remove the erroneous entry.
- Resend deleted mail with Email Gateway Defense – If you are also using Email Gateway Defense, you can redeliver email that was deleted by Barracuda Impersonation Protection. For more information, refer to Understanding the Message Log in the Email Gateway Defense documentation.
  Note that Microsoft, by default, deduplicates emails with the same message ID. Emails you redeliver from your Email Gateway Defense Message Log can be silently dropped by Microsoft for deduplication.
- Exempt the sender or domain in Email Gateway Defense – If you are also using Email Gateway Defense, when an email is incorrectly blocked by the Machine Learning classifiers, report the email via the Message Log or Barracuda's Email Protection Outlook Add-In. This enables our threat analyst and engineering teams to use customer feedback directly to improve the efficacy of our products. In addition to making a sender exemption for those specific email addresses or domains in Impersonation Protection, you can exempt specific email addresses or domains from machine learning threat detection by adding an exemption under the Machine Learning tab in Email Gateway Defense. However, it's important to note that adding an exemption does not guarantee that an email will be delivered, as it could still be blocked by other layers of the product. For more information, refer to Machine Learning in Email Gateway Defense.
Machine learning classifiers in Email Gateway Defense are retrained on a frequent basis to reduce incorrectly blocked and incorrectly delivered emails. However, the data set that is used to retrain the models must represent the totality of emails submitted by customers. For this reason, not every single email which is submitted as a false positive will have an impact on the retraining.