PhishNet Harpoon helps security and IT administrators search across connected Microsoft 365 and Google Workspace mail environments, discover matching messages, and take bulk remediation actions such as quarantine, restore, and permanent delete. Harpoon is designed for tenant-wide discovery and controlled bulk actions, with a full audit trail for accountability and compliance reviews.
- Who should use Harpoon?
- Mail integrations and API Permissions
- Quarantine folder or label (recommended)
- Create a new search query (step by step)
- Query details
- Working with results
- Remediation actions
- How to start a search from a reported message (PhishNet Mailbox)
- How to clone a query
- How to view the audit trail
Who should use Harpoon?
Harpoon is intended for administrators and security teams who need to:
- Hunt for suspicious or malicious email across many mailboxes at once
- Respond to phishing or malware campaigns using consistent search criteria
- Quarantine, restore, or delete messages in bulk after review
- Record remediation activity for audits and incident management
Before you begin
Mail integrations
Harpoon searches mail that is connected to your organisation in Phishing Tackle. You need at least one supported mail integration:
If no supported integrations are configured, the New search query button will be disabled and you will see a warning that mail integrations must be connected first.
Multiple mail tenancies: If your organisation has more than one connected mail tenancy (for example, separate Microsoft 365 tenants), each appears in the Run search on list when creating a query. You can search one tenancy or all of them at once.
Azure Active Integration API Permissions
To connect an Azure Active Integration, your application registration requires specific Microsoft Graph application permissions. A Global Administrator must grant admin consent to these permissions before Harpoon can perform searches or remediation actions across your tenancy.
- User.Read.All (Application): Required for search and discovery capabilities. Used to enumerate users and mailboxes to scan.
- Mail.Read (Application): Required for search and discovery capabilities. Used to read and search messages across mailboxes.
- Mail.ReadWrite (Application): Required for quarantine (move) capabilities. Used to move messages and create the quarantine folder or label per mailbox.
- Mail.ReadWrite (Application): Required for restore capabilities. Used to move messages back to the original folder.
- Mail.ReadWrite (Application): Required for permanent delete capabilities. Used to delete messages from the mailbox.
- Mail.ReadWrite.Shared (Application): Optional, required for shared mailboxes if needed. Used to access shared mailbox scenarios.
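To confirm that admin consent has taken effect, you can inspect the `roles` claim of an app-only access token issued to the application registration, which is where Microsoft Graph application permissions appear. The following is an added example, not Phishing Tackle's code: it decodes the token payload for inspection only (the signature is not verified) and compares the roles with the permissions listed above. The sample token and all function names are constructed for illustration.

```python
import base64
import json

# Capability -> Microsoft Graph application permissions, as listed above.
REQUIRED = {
    "search": {"User.Read.All", "Mail.Read"},
    "quarantine": {"Mail.ReadWrite"},
    "restore": {"Mail.ReadWrite"},
    "delete": {"Mail.ReadWrite"},
}
OPTIONAL = {"Mail.ReadWrite.Shared"}  # shared mailboxes only


def token_roles(jwt: str) -> set:
    """Return the 'roles' claim of an app-only access token.

    The payload is decoded for inspection only; the signature is NOT verified,
    so never use this to make an authorization decision.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", []))


def audit(jwt: str) -> dict:
    """Report missing permissions per capability and any unlisted extras."""
    roles = token_roles(jwt)
    missing = {cap: sorted(need - roles) for cap, need in REQUIRED.items() if need - roles}
    allowed = set().union(*REQUIRED.values()) | OPTIONAL
    return {"missing": missing, "extra": sorted(roles - allowed)}


def _make_sample(roles):
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"aud": "https://graph.microsoft.com", "roles": roles}), "sig"])


# Constructed sample: consent granted for search but not for remediation,
# plus one permission that is not in the list above.
SAMPLE = _make_sample(["User.Read.All", "Mail.Read", "Sites.Read.All"])

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

An empty `missing` map means every listed capability is covered; anything under `extra` is a permission granted to the registration that the list above does not call for and is worth reviewing.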
Quarantine folder or label (recommended)
Before running quarantine actions, we recommend configuring the name of the folder where quarantined messages should go:
- Go to Setup > Organisation > Settings.
- Open the PhishNet (SOAR) section.
- Find Harpoon quarantine folder / label.
- Enter a name, or leave blank to use the default: PhishNet Quarantine.
- Click Save.
Notes:
- On Microsoft 365, quarantined messages are moved to a mailbox folder with this name.
- On Google Workspace, quarantined messages receive a label with this name.
- If the folder or label does not exist, it is created automatically when needed.
- The name can be up to 255 characters and cannot match reserved system folder names (for example, Inbox, Sent Items, Junk Email).
Permissions
You must be signed in with an account that has access to PhishNet and Harpoon in the main navigation. If you cannot see the Harpoon menu, contact your organisation administrator or Phishing Tackle support.
Search queries list
Go to PhishNet → Harpoon → Search queries to see every search your organisation has run.
The table includes:
| Column | Description |
|---|---|
| View/Delete | Open the query details and results, or delete the query |
| Status | Current state of the search or action job (see Status reference) |
| Mail integration | Which mail tenancy was searched |
| Criteria | Summary of what was searched for |
| Auto Q. | Whether automatic quarantine was enabled for this search |
| Discovered | Number of matching messages found |
| Quarantined | Number of messages moved to quarantine |
| Deleted | Number of messages permanently deleted |
| Started / Completed | When the search began and finished (UTC) |
| Initiated by | Who started the search |
The list refreshes automatically while searches are in progress. You may leave the page and return later.
If you see a yellow banner stating 'The Harpoon service is temporarily unavailable', data may be out of date. Wait a few minutes and refresh, or contact support if the message persists.
Create a new search query (step by step)
- Go to PhishNet → Harpoon → Search queries.
- Click New search query.
- Configure the Create query window (see below).
- Click Review and confirm.
- On the Confirm Harpoon query screen, review the summary.
- Click Create query and start search.
Matching begins immediately in the background. You may navigate away; open the query later from the list to view results.
Step 1 — Open the Create query window
Step 2 — Mail integration
Run search on
- All integrations (N) — runs the same search criteria once per connected mail tenancy. You will get one query per tenancy.
- A specific integration — limits the search to that tenancy only (for example, one Microsoft 365 tenant).
Step 3 — Match criteria
Enable at least one criterion using the checkboxes. For each enabled field, enter the text to match.
| Criterion | What it does |
|---|---|
| Subject | Finds messages whose subject line contains the text you enter |
| Sender | Matches the sender address (for example, sender@domain.com) |
| Recipients | Matches recipient addresses |
| Attachments | Matches attachment file names that contain the text you enter |
| Body | Finds messages whose body contains the text you enter |
Tips:
- Use specific strings where possible (unique subject fragments, sender domains, attachment names).
- Broader body searches may return more results and take longer to complete.
- You cannot start a search with all criteria disabled.
Step 4 — Time window
Lookback period limits how far back Harpoon searches mailboxes:
- Last 24 hours
- Last 7 days (default)
- Last 14 days
- Last 21 days
- Last 28 days
Step 5 — Auto quarantine (optional)
If you enable Automatically quarantine all messages this query finds, every discovered message will be quarantined as soon as it is found, without a separate manual action.
Use with care. Auto quarantine is appropriate when you are confident in your criteria (for example, a known-bad sender or attachment name). For exploratory searches, leave this off and review results first.
Step 6 — Review and confirm
Click Review and confirm to open the confirmation screen.
When multiple integrations are selected via All integrations, you may remain on the list and see several new queries—one per tenancy. When a single integration is selected, you are usually taken directly to that query's detail page.
Query details
Open any query from the list (click View or the row) to see full details, live progress, and results.
While a search is running
A blue notice appears: “This query is running (you may leave this page and return later).” The page updates automatically. Counts and status refresh until the search completes.
Search criteria card
Shows the exact subject, sender, recipient, attachment, body, and lookback values used for this query.
Toolbar actions
| Button | Purpose |
|---|---|
| Back to queries | Return to the search list |
| Audit trail | Open the audit log filtered to this query only |
| Clone | Start a new search with the same criteria and mail integration |
| Create Security Incident | Create a security incident record pre-filled from this query (only if security incidents are enabled for your organisation) |
Working with results
Results table
Each row is one matching message in a user’s mailbox.
Columns include:
- Status — Discovered, Quarantined, Deleted, or Action failed
- Mailbox — the mailbox where the message was found
- Received (UTC) — when the message was received
- Sender and Subject
- Read — whether the message had been read
- Error — details if an action could not be completed for that message
Filter by message status
Use the Message status dropdown above the table to show All statuses, Discovered, Quarantined, Deleted, or Action failed only.
Select messages
- Tick individual rows, or use the header checkbox to select all messages on the current page.
- Use pagination to review additional pages before selecting.
Export read recipients (CSV)
Click Export read (CSV) to download mailbox addresses where matching messages were marked as read. This helps identify users who may have opened suspicious mail.
Remediation actions
Above the results table, choose an Action, a Scope, and click Run action. You must confirm the details before any action runs.
Actions
| Action | What it does | Allowed message status |
|---|---|---|
| Quarantine | Moves the message into your organisation’s Harpoon quarantine folder (Microsoft 365) or label (Google Workspace) | Discovered only |
| Restore | Returns a quarantined message to its original mailbox location | Quarantined only |
| Delete | Permanently removes the message from the mailbox | Quarantined only |
Important: Permanent delete cannot be undone. Quarantine first, review, then delete if appropriate.
Scope
- Selected messages — applies only to ticked rows (you must select at least one).
- All eligible in query — applies to every message in the query that is eligible for the chosen action (for example, all Discovered messages when quarantining).
Confirm action
After clicking Run action, a confirmation dialog appears. Read it carefully—especially for Delete and All eligible in query scopes.
Bulk actions run in the background. The query status may show Applying actions or Processing actions while work completes.
How to start a search from a reported message (PhishNet Mailbox)
You can launch Harpoon directly from a message in PhishNet Mailbox when investigating a reported email.
- Open the message in PhishNet Mailbox.
- Click Create Harpoon Search Query.
- Choose which message fields to include in the hunt. At least one must be selected.
- Choose the Lookback period.
- Click Review and confirm, then Create query and start search.
After the search is created, you are taken to the query details page. The original mailbox message is linked to the Harpoon query (look for the Harpoon icon on that message).
Note: Searches started from Mailbox use your organisation's primary Microsoft 365 connection for reported mail. To search a different mail tenancy, create the query from Search queries and pick the integration under Run search on.
How to clone a query
On an existing query, click Clone to queue a new search with the same criteria and mail integration.
Clone is unavailable if the original query has no searchable criteria or no mail integration.
How to view the audit trail
The Audit trail records Harpoon activity for compliance and investigations.
Organisation-wide view
Go to PhishNet → Harpoon → Audit trail.
Query-scoped view
From a query, click Audit trail to see only events for that search. A banner shows Scoped view — Only events linked to query #N. You can click on the "+" symbol to expand a row for more detail.
Please let us know if you require any further assistance. You can contact our support team by clicking here or by sending an email to support@phishingtackle.com.