What is an incident?

IRONSCALES groups suspicious emails into incidents. When a threat is detected — whether by IRONSCALES’ AI, the community, or a user report — similar emails are clustered together into a single incident for review.

The Three Incident Types

1. Unclassified Incidents

These are incidents that need a human decision. IRONSCALES has flagged the email as suspicious but hasn’t found a clear indicator of compromise (IOC). They could come from end-user reports, the IRONSCALES Community, or automated threat detection.

Action needed: Review the incident and classify it as Phishing, Spam, or Safe using the buttons at the top of the incident.

2. Classified Incidents

These incidents have already been classified — either by an admin, by IRONSCALES’ AI engine (Themis), or automatically by the community. They appear here for reference and auditing.

Action needed: None required, but you can reclassify if the original decision was wrong.

3. Challenged Incidents

These are created when an end user disputes a decision. There are two ways this happens:

  • Release Request — A user asks for a quarantined email to be released because they believe it was blocked incorrectly.
  • End User Report — A user reports an email that was previously classified as safe, believing it is actually malicious.

Action needed: Review the challenged email, then either reclassify it as Safe or Spam, or close the incident to keep the original phishing classification.

What Do the Classification Buttons Do?

| Button | What It Does |
| Phishing | Marks the incident as an active attack. Emails are moved to quarantine (hidden folder in Exchange/O365, trash in Google Workspace) and remediated across all affected mailboxes. |
| Spam | Marks the email as spam. If configured, emails are moved to the Spam/Junk folder and all affected emails in the incident are remediated accordingly. |
| Safe | Marks the email as legitimate. Any previous remediation is reversed: deleted or quarantined emails are restored to users’ mailboxes. Email integration is required for the reverse action. |

Important: Clicking Safe releases the emails in the current incident, but it does not stop future similar emails from being caught. To prevent that, you must also click Stop Remediation. See our article: How to Release a Quarantined Email and Prevent Future Blocks.

Where Do Incidents Come From?

Incidents can be created by several sources:

  • Automated Threat Detection — IRONSCALES’ machine learning detects suspicious patterns (email similarity, BEC protection, sender analysis).
  • End User Reports — A user clicks the Report Phishing button in their email client.
  • IRONSCALES Community — Other organisations using IRONSCALES have reported the same email as malicious.
  • Impersonation Protection — An email attempted to impersonate a VIP user in your organisation.
  • Malware & URL Protection — A malicious link or attachment was detected. These are automatically classified as active attacks.
