If you know that an incoming email is legitimate, and not actually a spear phishing attack, you can report it as a false positive. Reporting false positives helps to improve Barracuda Sentinel's artificial intelligence. Emails that you deem to be legitimate are also transferred from the recipients' Junk Email folders back into the recipients' inboxes, provided that the user did not delete or move those emails before you took action.
To report a false positive:
- On the RealTime AI page, in the Spear Phishing Attacks list, locate the email you think was a false positive. Click the More Details icon on the far right of the list to check the contents of the email.
- If you think this email is not actually a threat, click the Report False Positive icon on the far right of the list.
- Choose an action to take for this specific email.
  - Do not whitelist this sender (recommended) – The safest option, because future emails from this sender will still be reviewed and not allowed to bypass security evaluation.
  - Add the domain to my sender whitelist – For all senders in a particular domain, not just a single sender.
  - Add the address to my sender whitelist – For the single, individual sender who sent this email. This is the second safest option, because it only allows one individual sender to bypass security evaluation.
- Add a note to let the Barracuda team know why you think this email is a false positive. For example, you might write that the sender is a vendor you only work with occasionally.
- Click Yes, Report False Positive.
The system will learn, improving its AI, based on your input.
You can also report false positives based on an account takeover alert. Refer to Account Takeover Alerts for more information.
Note that if you click Delete All Attacks, as described in Removing Attacks Found during Email Threat Scan, emails you reported as False Positives are not deleted.
Mistakenly Reporting a False Positive
If you mistakenly report an email as a false positive, there is no need to alert Barracuda.
You might want to take the following two actions:
- Moving the email back to the Junk Email folder – If the email you marked as a false positive was previously moved to users' Junk Email folders, as opposed to being deleted, marking it as a false positive moves it back to users' inboxes. If the email is truly a threat, you will likely want to remove it from users' inboxes. If you have Barracuda Forensics & Incident Response, you can create an incident to remove the email from users' inboxes.
- Updating the sender whitelist – As part of the false positive report, you might have added the domain or address to the sender whitelist. If the email is truly a threat, remove the domain or address from the sender whitelist. Follow the instructions in How to Allow (Whitelist) Senders to remove the erroneous entry.