All of you have been contacted by a user about what to do with a suspicious email.
The best thing to do is ask the user to just forward the email to Phishing@spcollege.edu. I monitor that email account (the Security Team helps out too), and if I see something that gets through our Advanced Threat Protection scan and has something embedded in it, I get the Security Team involved. One thing you all can help with: if a user reaches out to you about a suspicious email, DO NOT ask them to forward the email to you. Ask them to forward it to Phishing@spcollege.edu. It is very helpful for us to have the original email. If a bad email is forwarded to you, it makes it harder for the Security Team to remove the email from your inbox, because it was forwarded. Plus, it is safer for you not to have it.
This email is used by the Security Team and me to create an IR when we have a potentially harmful email.
So nobody should be sending to that email address, because it sets off a series of processes the Security Team and I must follow to protect you and our users. Basically, when we find a harmful email in the firstname.lastname@example.org inbox, we open an IR and move as quickly as we can to eradicate the email/threat. This includes scanning the staff and faculty emails for anyone who originally received the email and who read the email. That is why it is important not to forward suspicious emails around. The email is then removed and a report is generated for me. I then create an email that goes out to all the users who read the email, asking what they did with it. Did they delete it? Did they click on a link or open an attachment, and if they did, did they provide any information to an outside source? When we discover the emails quickly enough, they can usually be removed before some users even see them. If a user asks you why I emailed them and they say they did not open it, that is because they are using a Reading Pane, which technically is the same as reading the email.