GWS Alerts - Phishing User-Reported vs System-Detected Correlation
GWS Alerts Phishing Detection Gap
Query
let userReported =
GWSAlerts_CL
| where AlertType has_any ("User reported phishing", "Suspicious message reported")
| extend Subject = tostring(AlertData.messages[0].subject),
Sender = tostring(AlertData.messages[0].fromHeader)
| project ReportTime = TimeGenerated, Subject, Sender, ReportAlertId = AlertId;
let reclassified =
GWSAlerts_CL
| where AlertType has_any ("Phishing reclassification", "Malware reclassification")
| extend Subject = tostring(AlertData.messages[0].subject),
Sender = tostring(AlertData.messages[0].fromHeader)
| project ReclassifyTime = TimeGenerated, Subject, Sender, ReclassifyAlertId = AlertId;
userReported
| join kind=inner reclassified on Subject, Sender
| extend GapHours = (ReclassifyTime - ReportTime) / 1h
| where GapHours > 0
| project ReportTime, ReclassifyTime, GapHours, Subject, Sender,
ReportAlertId, ReclassifyAlertId
| order by GapHours descExplanation
This query is designed to identify phishing campaigns where users reported suspicious emails before Google's system reclassified them as phishing or malware. It does this by:
- Extracting alerts from Google Workspace where users reported phishing or suspicious messages, capturing details like the time reported, email subject, and sender.
- Extracting alerts where Google reclassified emails as phishing or malware, capturing similar details.
- Joining these two sets of data based on the email subject and sender to find matches.
- Calculating the time gap (in hours) between when a user reported the email and when Google reclassified it.
- Filtering the results to show only cases where the user reported the email before Google's reclassification.
- Displaying the results, sorted by the time gap in descending order, highlighting the detection-gap windows where user reports preceded system detection.
This helps in understanding and improving the timeliness of automated phishing detection systems.
Details

David Alonso
Released: May 7, 2026
Tables
GWSAlerts_CL
Keywords
GWSAlertsAlertTypeAlertDataTimeGeneratedAlertIdSubjectSenderReportTimeReclassifyTimeGapHoursReportAlertIdReclassifyAlertIdGoogleWorkspacePhishing
Operators
lethas_anyextendtostringprojectjoinkind=inneronwhere/>order bydesc
Tactics
InitialAccess
MITRE Techniques