Custom Threat Rules (Enterprise)
Custom threat rules let enterprise admins define organisation-specific logic that overrides PhishNet's AI scan score before an email is classified as clean, suspicious, or phishing. Rules run after all scoring (deterministic checks and LLM analysis) and after the org policies have been applied, so they can act on the final computed score as well as on the email's content.
How rules work
Each rule has:
- One or more conditions — criteria that are tested against the email (sender domain, subject, phish score, etc.)
- Match logic — whether all conditions must match (AND) or any one is enough (OR)
- An action — what to do when the rule matches
- A priority — lower number = evaluated first. The first matching rule wins; subsequent rules are not evaluated.
Actions
| Action | Effect |
|---|---|
| Allow | Sets the score to 0. The email is classified as clean regardless of what the AI scored it. Use this for trusted internal senders that occasionally trip heuristics. Keep the conditions as narrow as possible: a matching Allow rule also overrides the org domain blocklist (rules run after it), and a from-address or display name on its own is easy to forge. |
| Flag | Raises the score to at least 40 (suspicious). The email is flagged even if the AI thought it was clean. |
| Quarantine | Sets the score to 100. The email is quarantined immediately, regardless of AI output. Use this for high-confidence blocklist entries. |
Managing rules
Go to Enterprise → Threat Rules in the admin dashboard.
Creating a rule
- Click + New rule.
- Enter a name (required) and optional description.
- Set the priority (default 100 — lower numbers run first).
- Choose the match logic: All conditions (AND) or Any condition (OR).
- Choose the action: Allow, Flag, or Quarantine.
- Add one or more conditions using the condition builder.
- Click Create rule.
Editing a rule
Click Edit next to any rule. Changes take effect immediately for all subsequent scans.
Enabling and disabling rules
Use the toggle in the Active column to temporarily disable a rule without deleting it. Disabled rules are skipped during scanning.
Rule priority
Rules are evaluated in ascending priority order (1 before 2, 10 before 100). When two rules could both match the same email, the one with the lower priority number wins.
If you have many rules, keep your most specific or highest-confidence rules at low priority numbers so they are evaluated first. Because only the first match is applied, check for unintended overlaps whenever you add a rule: a broad Flag or Quarantine rule at a low priority number pre-empts a more specific Allow rule at a higher number, and vice versa.
Conditions
Each condition targets one field of the email and applies an operator and a value.
Available fields
| Field | What it matches |
|---|---|
| Sender email | The full from-address (e.g. phishing@evil.com) |
| Sender domain | The domain portion of the from-address (e.g. evil.com) |
| Display name | The sender's display name as shown in the inbox (e.g. IT Support) |
| Subject | The email subject line |
| Body text | The first portion of the email body |
| Phish score | The numeric threat score (0–100) as it stands when rules run, i.e. after AI scoring and the org policies have been applied |
| Any URL | True if any URL in the email matches the condition |
| Any attachment | True if any attachment filename matches the condition |
Available operators
String fields (all fields except Phish score):
| Operator | Matches when… |
|---|---|
| equals | Field exactly equals the value (case-insensitive) |
| not equals | Field does not equal the value |
| contains | Field contains the value as a substring |
| starts with | Field begins with the value |
| ends with | Field ends with the value |
| matches regex | Field matches the regular expression |
Phish score (numeric):
| Operator | Matches when… |
|---|---|
| equals | Score is exactly the value |
| not equals | Score is not the value |
| ≥ | Score is greater than or equal to the value |
| ≤ | Score is less than or equal to the value |
Example rules
Block a specific domain
Quarantine all email from a known-bad sender domain, regardless of what the AI scored.
| Field | Operator | Value |
|---|---|---|
| Sender domain | equals | evil-lookalike.com |
Action: Quarantine · Logic: All · Priority: 10
Protect against display-name spoofing
Flag any email whose display name claims to be "IT Support" or "Help Desk" but that doesn't come from your internal domain (acme.com in this example). Because the rule uses AND logic, both display names are covered by a single matches regex condition rather than by two separate equals conditions, which could only be combined with OR.
Condition 1:
| Field | Operator | Value |
|---|---|---|
| Display name | matches regex | IT Support\|Help Desk |
Condition 2:
| Field | Operator | Value |
|---|---|---|
| Sender domain | not equals | acme.com |
Action: Flag · Logic: All · Priority: 20
Suppress false positives for a trusted partner
A supplier's invoicing system sends automated emails that occasionally trip the AI's urgency heuristics. Allow them regardless of score. Note that any lower-numbered rule that also matches still wins: the escalation rule in the next example (priority 30) would quarantine a supplier email that scored 70 or above before this rule is ever reached, so order the two deliberately.
| Field | Operator | Value |
|---|---|---|
| Sender domain | equals | invoices.trustedsupplier.com |
Action: Allow · Logic: All · Priority: 50
Escalate high-score emails from unrecognised domains
Quarantine emails that scored 70 or above and did not come from your own domain (acme.com here). The condition fields cannot look at sender history, so "unrecognised" is approximated by "external". Combine the two conditions with AND logic. Because rules run after the trusted-sender allowlist, an allowlisted sender's score has already been set to 0 and will not trip the score condition.
Condition 1:
| Field | Operator | Value |
|---|---|---|
| Phish score | ≥ | 70 |
Condition 2:
| Field | Operator | Value |
|---|---|---|
| Sender domain | not equals | acme.com |
Action: Quarantine · Logic: All · Priority: 30
How rules interact with policies
Custom threat rules run after all org policies (trusted-sender allowlist, domain blocklist) and immediately before final classification. The processing order is:
- Deterministic checks (SPF, DKIM, URL heuristics)
- LLM analysis
- Trusted-sender allowlist
- Block known phishing domains (org policy)
- Custom threat rules ← runs here
- Final classification (clean / suspicious / phishing)
If a trusted-sender allowlist entry already set the score to 0, a custom rule can still raise it. Rules operate on whatever score exists at the time they run: a Phish score condition sees the post-policy value, and an Allow rule can likewise zero a score that the domain blocklist raised.
When a rule matches, the scan result will show a custom_rule reason in the threat details — so admins can see in the threat timeline exactly which rule fired and what action it took.
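The engine described on this page (How rules work, Conditions, Example rules and the processing order above) modelled end to end, as an added example that is not PhishNet's code. Field, operator and action names are taken from the tables; the Email type, the function names, the effect of the trusted-sender allowlist (score set to 0), the classification thresholds and the sample emails are assumptions constructed for the example. It stores the four example rules as data and runs constructed emails through steps 3 to 6 of the processing order, which shows first-match-wins, the escalation rule pre-empting the lower-priority Allow rule, and a Flag rule re-raising a score the allowlist had zeroed.

```python
import re
from dataclasses import dataclass, field

# Added example, not PhishNet's code: a small model of the rule engine on this
# page. Field, operator and action names come from the tables; the Email type,
# function names, allowlist effect and classification thresholds are assumed.

@dataclass
class Email:
    sender: str
    display_name: str
    subject: str
    body: str
    score: int                                   # AI score before policies and rules
    urls: list = field(default_factory=list)
    attachments: list = field(default_factory=list)
    reasons: list = field(default_factory=list)  # threat-detail reasons, in firing order

    @property
    def sender_domain(self) -> str:
        return self.sender.rsplit("@", 1)[-1].lower()

# String operators are case-insensitive ('equals' says so; the rest are assumed
# to follow). 'matches regex' is an unanchored search: write ^...$ yourself when
# the whole field must match.
STRING_OPS = {
    "equals":        lambda f, v: f.lower() == v.lower(),
    "not equals":    lambda f, v: f.lower() != v.lower(),
    "contains":      lambda f, v: v.lower() in f.lower(),
    "starts with":   lambda f, v: f.lower().startswith(v.lower()),
    "ends with":     lambda f, v: f.lower().endswith(v.lower()),
    "matches regex": lambda f, v: re.search(v, f, re.IGNORECASE) is not None,
}
NUMERIC_OPS = {"equals": lambda s, v: s == v, "not equals": lambda s, v: s != v,
               "≥": lambda s, v: s >= v, "≤": lambda s, v: s <= v}
ACTIONS = {"Allow": lambda s: 0, "Flag": lambda s: max(s, 40), "Quarantine": lambda s: 100}

def field_values(email: Email, name: str) -> list:
    """Strings a condition is tested against. 'Any URL' / 'Any attachment' give
    one string per item; the condition passes if any item matches."""
    return {
        "Sender email": [email.sender], "Sender domain": [email.sender_domain],
        "Display name": [email.display_name], "Subject": [email.subject],
        "Body text": [email.body], "Any URL": email.urls,
        "Any attachment": email.attachments,
    }[name]

def condition_matches(email: Email, cond: tuple) -> bool:
    fld, op, val = cond
    if fld == "Phish score":
        return NUMERIC_OPS[op](email.score, int(val))
    return any(STRING_OPS[op](v, val) for v in field_values(email, fld))

def rule_matches(email: Email, rule: dict) -> bool:
    hits = [condition_matches(email, c) for c in rule["conditions"]]
    return all(hits) if rule["logic"] == "All" else any(hits)

def apply_rules(email: Email, rules: list):
    """Active rules in ascending priority order; the first match wins."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule.get("active", True) and rule_matches(email, rule):
            email.score = ACTIONS[rule["action"]](email.score)
            email.reasons.append(f"custom_rule:{rule['name']}:{rule['action']}")
            return rule["name"]
    return None

def classify(score: int) -> str:
    # Thresholds assumed; the page only states that Flag yields >= 40 (suspicious).
    return "phishing" if score >= 70 else "suspicious" if score >= 40 else "clean"

def scan(email: Email, allowlist: set, rules: list) -> tuple:
    """Steps 3, 5 and 6 of the processing order; email.score is the AI score from
    steps 1-2. The allowlist effect (score set to 0) follows the page's wording."""
    if email.sender_domain in allowlist:
        email.score = 0
        email.reasons.append("trusted_sender")
    fired = apply_rules(email, rules)         # rules see the post-policy score
    return classify(email.score), fired

# The four example rules from this page, as stored rule definitions.
RULES = [
    {"name": "Block lookalike domain", "priority": 10, "logic": "All", "action": "Quarantine",
     "conditions": [("Sender domain", "equals", "evil-lookalike.com")]},
    {"name": "Display-name spoofing", "priority": 20, "logic": "All", "action": "Flag",
     "conditions": [("Display name", "matches regex", r"IT Support|Help Desk"),
                    ("Sender domain", "not equals", "acme.com")]},
    {"name": "Escalate external high score", "priority": 30, "logic": "All", "action": "Quarantine",
     "conditions": [("Phish score", "≥", "70"), ("Sender domain", "not equals", "acme.com")]},
    {"name": "Trusted supplier", "priority": 50, "logic": "All", "action": "Allow",
     "conditions": [("Sender domain", "equals", "invoices.trustedsupplier.com")]},
]

if __name__ == "__main__":   # constructed samples; watch the rules fire in priority order
    for e in (Email("helpdesk@evil-lookalike.com", "IT Support", "Password reset", "", 55),
              Email("admin@free-mail.example", "Help Desk", "Verify your account", "", 20),
              Email("billing@invoices.trustedsupplier.com", "Invoicing", "Overdue", "", 85),
              Email("it@partner.example", "IT Support", "Maintenance window", "", 90)):
        print(e.sender, scan(e, {"partner.example"}, RULES), e.reasons)
```

Run it directly to print, for each sample, the classification, the rule that fired and the reasons list that the custom_rule entry lands in. Two things the samples make visible that the prose only implies: a supplier invoice that the AI scored 85 is quarantined by the priority-30 escalation rule before the priority-50 Allow rule is reached, and a message from an allowlisted domain with an "IT Support" display name goes from 0 back up to 40 because the Flag rule runs after the allowlist. The regex operator is implemented here as an unanchored search; anchor the pattern yourself when the whole field must match.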
Requirements
- PhishNet Enterprise plan
- Admin or Owner role in the PhishNet admin dashboard