
Custom Threat Rules (Enterprise)

Custom threat rules let enterprise admins define organisation-specific logic that overrides PhishNet's AI scan score — before an email is classified as clean, suspicious, or phishing. Rules run after all scoring (deterministic checks and LLM analysis) is complete, so they can act on the final computed score as well as the email's content.


How rules work

Each rule has:

  • One or more conditions — criteria that are tested against the email (sender domain, subject, phish score, etc.)
  • Match logic — whether all conditions must match (AND) or any one is enough (OR)
  • An action — what to do when the rule matches
  • A priority — lower number = evaluated first. The first matching rule wins; subsequent rules are not evaluated.

Actions

Action     | Effect
Allow      | Sets the score to 0. The email is classified as clean regardless of what the AI scored it. Use this for trusted internal senders that occasionally trip heuristics.
Flag       | Raises the score to at least 40 (suspicious). The email is flagged even if the AI thought it was clean.
Quarantine | Sets the score to 100. The email is quarantined immediately, regardless of AI output. Use this for high-confidence blocklist entries.

Managing rules

Go to Enterprise → Threat Rules in the admin dashboard.

Creating a rule

  1. Click + New rule.
  2. Enter a name (required) and optional description.
  3. Set the priority (default 100 — lower numbers run first).
  4. Choose the match logic: All conditions (AND) or Any condition (OR).
  5. Choose the action: Allow, Flag, or Quarantine.
  6. Add one or more conditions using the condition builder.
  7. Click Create rule.

Editing a rule

Click Edit next to any rule. Changes take effect immediately for all subsequent scans.

Enabling and disabling rules

Use the toggle in the Active column to temporarily disable a rule without deleting it. Disabled rules are skipped during scanning.

Rule priority

Rules are evaluated in ascending priority order (1 before 2, 10 before 100). When two rules could both match the same email, the one with the lower priority number wins.

If you have many rules, keep your most specific or highest-confidence rules at low priority numbers so they are evaluated first.


Conditions

Each condition targets one field of the email and applies an operator and a value.

Available fields

Field          | What it matches
Sender email   | The full from-address (e.g. phishing@evil.com)
Sender domain  | The domain portion of the from-address (e.g. evil.com)
Display name   | The sender's display name as shown in the inbox (e.g. IT Support)
Subject        | The email subject line
Body text      | The first portion of the email body
Phish score    | The numeric threat score (0–100) computed by PhishNet before rules run
Any URL        | True if any URL in the email matches the condition
Any attachment | True if any attachment filename matches the condition

Available operators

String fields (all fields except Phish score):

Operator      | Matches when…
equals        | Field exactly equals the value (case-insensitive)
not equals    | Field does not equal the value
contains      | Field contains the value as a substring
starts with   | Field begins with the value
ends with     | Field ends with the value
matches regex | Field matches the regular expression

Phish score (numeric):

Operator   | Matches when…
equals     | Score is exactly the value
not equals | Score is not the value
>=         | Score is greater than or equal to the value
<=         | Score is less than or equal to the value

Example rules

Block a specific domain

Quarantine all email from a known-bad sender domain, regardless of what the AI scored.

Field         | Operator | Value
Sender domain | equals   | evil-lookalike.com

Action: Quarantine · Logic: All · Priority: 10


Protect against display-name spoofing

Flag any email claiming to be from "IT Support" or "Help Desk" that doesn't come from your internal domain. The rule below covers the "IT Support" name; to cover both names in one rule, use matches regex with IT Support|Help Desk for Condition 1 (with All logic, a second contains condition would require both names to appear in the display name).

Condition 1:

Field        | Operator | Value
Display name | contains | IT Support

Condition 2:

Field         | Operator   | Value
Sender domain | not equals | acme.com

Action: Flag · Logic: All · Priority: 20


Suppress false positives for a trusted partner

A supplier's invoicing system sends automated emails that occasionally trip the AI's urgency heuristics. Allow them unconditionally.

Field         | Operator | Value
Sender domain | equals   | invoices.trustedsupplier.com

Action: Allow · Logic: All · Priority: 50


Escalate high-score emails from unrecognised domains

Quarantine emails that scored 70 or above and came from a domain with no prior history in your inbox. Combine two conditions with AND logic; the example below approximates "unrecognised" as any domain other than your own.

Condition 1:

Field       | Operator | Value
Phish score | >=       | 70

Condition 2:

Field         | Operator   | Value
Sender domain | not equals | acme.com

Action: Quarantine · Logic: All · Priority: 30


How rules interact with policies

Custom threat rules run after all org policies (trusted-sender allowlist, domain blocklist) and before the final classify step. The processing order is:

  1. Deterministic checks (SPF, DKIM, URL heuristics)
  2. LLM analysis
  3. Trusted-sender allowlist
  4. Block known phishing domains (org policy)
  5. Custom threat rules ← runs here
  6. Final classification (clean / suspicious / phishing)

If a trusted-sender allowlist entry already set the score to 0, a custom rule can still raise it. Rules operate on whatever score exists at the time they run.

When a rule matches, the scan result will show a custom_rule reason in the threat details — so admins can see in the threat timeline exactly which rule fired and what action it took.
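The rule semantics described above (the three actions, AND/OR logic, first-match-wins priority, the condition operators) and the four example rules, implemented as a small evaluator. This is an added example, not PhishNet's own code; the email dictionary layout, the make_email helper, and acme.com as the organisation's own domain are assumptions, while field, operator, and action names follow this page.

```python
# Added example (not PhishNet's code): evaluator for the rule semantics this page describes.
import re

def _match_string(field_value, op, value):
    f, v = field_value.lower(), value.lower()  # string operators are case-insensitive
    if op == "matches regex":
        return re.search(value, field_value, re.I) is not None
    return {"equals": f == v, "not equals": f != v, "contains": v in f,
            "starts with": f.startswith(v), "ends with": f.endswith(v)}[op]

def _match_number(score, op, value):
    return {"equals": score == value, "not equals": score != value,
            ">=": score >= value, "<=": score <= value}[op]

def condition_matches(cond, email):
    field, op, value = cond
    if field == "Phish score":
        return _match_number(email["score"], op, value)
    if field == "Any URL":          # true if any URL in the email matches
        return any(_match_string(u, op, value) for u in email["urls"])
    if field == "Any attachment":   # true if any attachment filename matches
        return any(_match_string(a, op, value) for a in email["attachments"])
    return _match_string(email[field], op, value)

# Allow sets 0, Flag raises to at least 40, Quarantine sets 100 (per the Actions table).
ACTION_SCORE = {"Allow": lambda s: 0, "Flag": lambda s: max(s, 40), "Quarantine": lambda s: 100}

def apply_rules(rules, email):
    """Lowest priority number first; the first active matching rule wins, the rest are skipped."""
    for rule in sorted((r for r in rules if r.get("active", True)), key=lambda r: r["priority"]):
        combine = all if rule["logic"] == "All" else any   # AND vs OR
        if combine(condition_matches(c, email) for c in rule["conditions"]):
            new_score = ACTION_SCORE[rule["action"]](email["score"])
            return new_score, {"custom_rule": rule["name"], "action": rule["action"]}
    return email["score"], None   # no rule fired; the score passes through unchanged

def make_email(score=0, **fields):
    """Constructed sample email (assumed layout); unset string fields default to empty."""
    e = {k: "" for k in ("Sender email", "Sender domain", "Display name", "Subject", "Body text")}
    e.update({"score": score, "urls": [], "attachments": []}); e.update(fields)
    return e

# The four example rules from this page (acme.com assumed to be the org's own domain).
RULES = [
    {"name": "Block lookalike", "priority": 10, "logic": "All", "action": "Quarantine",
     "conditions": [("Sender domain", "equals", "evil-lookalike.com")]},
    {"name": "Display-name spoof", "priority": 20, "logic": "All", "action": "Flag",
     "conditions": [("Display name", "contains", "IT Support"), ("Sender domain", "not equals", "acme.com")]},
    {"name": "Escalate high score", "priority": 30, "logic": "All", "action": "Quarantine",
     "conditions": [("Phish score", ">=", 70), ("Sender domain", "not equals", "acme.com")]},
    {"name": "Trusted supplier", "priority": 50, "logic": "All", "action": "Allow",
     "conditions": [("Sender domain", "equals", "invoices.trustedsupplier.com")]},
]
```

Calling apply_rules on an email whose score the allowlist already set to 0 still returns 40 when the display-name rule matches, which is the "rules operate on whatever score exists" behaviour described above. The returned dictionary plays the role of the custom_rule reason shown in the threat details.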


Requirements

  • PhishNet Enterprise plan
  • Admin or Owner role in the PhishNet admin dashboard