How to handle false positives (legit emails marked as phishing)?

Investigation: review the flagged message, understand why it was marked, and verify it's genuinely legitimate. Some "false positives" reveal actual problems worth addressing.

Remediation: if the message is truly legitimate, release it to the recipient, whitelist the sender or pattern to prevent recurrence, and tune detection rules if they are over-aggressive.

Prevention: work with senders to improve authentication, adjust content that triggers false detection, and provide feedback to security vendors about false positive patterns. Systematic tracking identifies recurring issues.
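
An added example (not part of the original page) of the workflow above: it reads the Authentication-Results header stamped by your own gateway on each reported message, suggests a remediation, and tracks recurring sender domains. The gateway name `mx.corp.example`, the sample messages, and the decision rule (allowlist a domain only on a DMARC pass) are assumptions made for illustration.

```python
import email
import re
from collections import Counter
from email import policy
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.corp.example"  # assumption: authserv-id of your own gateway

def _msg(sender, ar):  # builds one constructed sample message
    return f"From: {sender}\nAuthentication-Results: {ar}\n\nbody\n"

# Constructed samples of messages reported as false positives (not real mail).
SAMPLES = [
    _msg("billing@vendor.example", "mx.corp.example; spf=pass; dkim=pass; dmarc=pass"),
    _msg("news@vendor.example", "mx.corp.example; spf=pass; dkim=pass; dmarc=pass"),
    _msg("hr@partner.example", "mx.corp.example; spf=softfail; dkim=none; dmarc=fail"),
    # Claims a pass, but the header was not added by our gateway, so it is ignored.
    _msg("it@lookalike.example", "mx.other.example; spf=pass; dkim=pass; dmarc=pass"),
]

def auth_results(raw):
    """Return {method: result} taken from the trusted gateway's header only."""
    msg = email.message_from_string(raw, policy=policy.default)
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(hdr).partition(";")
        if authserv.strip().lower() == TRUSTED_AUTHSERV:
            out.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()))
    return out

def sender_domain(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()

def triage(raw):
    """Suggest a remediation once an analyst has judged the message legitimate."""
    res = auth_results(raw)
    if res.get("dmarc") == "pass":  # assumed rule: allowlist only authenticated domains
        return "release, allowlist domain"
    if res:
        return "release only, ask sender to fix authentication"
    return "hold, no trusted authentication result"

def recurring(raws, threshold=2):
    """Domains reported at least `threshold` times: candidates for rule tuning."""
    counts = Counter(sender_domain(r) for r in raws)
    return sorted(d for d, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print([triage(r) for r in SAMPLES], recurring(SAMPLES))
```

Allowlisting a domain that fails DMARC would let anyone spoofing that domain bypass the filter, which is why the failing sender is released per message and asked to fix authentication instead.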