The phishing submission object represents some email metadata related to an Expel alert. It can further link to other metadata in the form of attachments/URLs/headers for that submission record. It's roughly analogous to a vendor alert, but can also exist in tandem with a vendor alert. For example, a Proofpoint TAP-based Expel alert has a vendor alert containing threat information and a phishing submission record containing the email information from the Proofpoint TAP alert.