Integrated Microsoft Phish Reporter Button

Ian Finn
Updated

Overview

This guide explains how to configure Microsoft Defender and Exchange to BCC user-reported emails (submitted via the Outlook default add-in) to Phriendly Phishing to provide response back to learners and track reports. 

Step 1 : Create a Mailbox to Receive Report Notifications

Create a dedicated mailbox in Microsoft 365 that will receive the initial report notifications from Microsoft Defender. Example: reports@demonstrationcompany.com . This mailbox will serve as the initial destination for all user-reported messages from the Outlook add-in.

Important Notes :

  • You may already have an inbox set up to receive reported emails from learners. In that case this step is not required and you can use the existing mailbox. 
  • If you are already using the Phriendly Phishing Reporter add-in, it would be the same email used in 'Report phishing emails to: ' setting and a new mailbox is not required.
  • For the User Experience, please read through this guide Integrated Microsoft Phish Reporter Button - Learner Experience

Step 2 : Configure Microsoft Defender User Reported Settings

2.1 Navigate to user Reported Settings

  1. Go to Microsoft Defender portal at http://security.microsoft.com/.
  2. Navigate to System > Settings > Email & collaboration from the left menu.
  3. Select User reported settings.

2.2 Enable Outlook Message Monitoring

  1. Under the Outlook section, ensure the checkbox "Monitor reported messages in Outlook" is enabled.
  2. This allows Microsoft to track and process messages reported by users through the Outlook add-in. PRIntegrate.png

2.3. Configure Reported Message Destinations

  1. Scroll down to Reported message destinations.
  2. In the "Send reported messages to:" dropdown, select "Microsoft and my reporting mailbox" or "My reporting mailbox only". PRin2.png
  3. Under "Add an exchange online mailbox to send reported messages to:", add the mailbox created in Step 1. prin3.png
  4. Click Save

Step 3 : Create Exchange Mail Flow Rule to BCC Phriendly Phishing on reported emails

3.1 Access Exchange Admin Center

  1. Go to Exchange admin center - https://admin.cloud.microsoft/exchange#/ 
  2. Navigate to Mail flow > Rules
  3. Click + Add a rule > Create New Rule

3.2 Configure BCC Rule

Create a new rule with the following settings :

  1. Name : BCC Reported Emails to Phriendly Phishing
  2. Apply this rule if (Click the '+' button to add more conditions) : 
    1. Condition 1 : The recipient → is this person → (use the mailbox created in Step 1, e.g. reports@demonstrationcompany.com). prin5.png
    2. Condition 2 : The subject or body → subject or body matches these text patterns →
      ^(Junk|Phishing):[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\|prin6.png
    3. Why : This regex pattern ensures only reports marked as "Junk" or "Phishing" are BCC'd to Phriendly Phishing. If a user reports an email and then clicks "Undo", the notification subject will start with Not junk: instead, which will NOT match this pattern and therefore will not be BCC'd. 
    4. Subject format examples:

      1. Junk:9d4387fc-41d2-4acd-a8ea-08de3d209bb5|... ✓ (will be BCC'd)

      2. Phishing:9d4387fc-41d2-4acd-a8ea-08de3d209bb5|... ✓ (will be BCC'd)

      3. Not junk:9d4387fc-41d2-4acd-a8ea-08de3d209bb5|... ✗ (will NOT be BCC'd)

  3. Do the following : prin7.png
     

     Details to Add

    • AU : Add recipients → to the Bcc box → (enter report@feedback.phriendlyphishing.com)
    • UK: Add recipients → to the Bcc box → (enter  report@feedback.uk.phriendlyphishing.com)
  4. Except if: (Leave as "Select one" - no exceptions)
  5. Final Configuration should look like below :

3.3 Configure Rule Settings

  1. Click Next and configure the following settings:
  2. Rule mode: Enforce
  3. Severity: Not specified
  4. Match sender address in message: Header
  5. Leave all other checkboxes unchecked (Activate/Deactivate this rule on, Stop processing more rules, etc.)
  6. Click Next then Finish to save the rule.

Step 4: Create Exchange Mail Flow Rule to Block Internal Reports

  This step prevents notification emails about reported internal/company emails from being processed, ensuring only external phishing reports are forwarded.

4.1 Access Exchange Admin Center

  1. Go to Exchange admin center - https://admin.cloud.microsoft/exchange#/.
  2. Navigate to Mail flow > Rules.
  3. Click + Add a rule > Create New Rule.
     

4.2 Configure Rule Conditions

Create a new rule with the following settings :

  1. Name : Remove internal company emails from being reported
  2. Apply this rule if (Click the '+' button to add more conditions): 
    1. Condition 1 : The recipient → is this person → use the mailbox created in Step 1 (e.g., reports@demonstrationcompany.com
    2. Condition 2 : The subject or body → subject matches these text patterns →
      ^(Junk|Phishing):[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\|[^|]*@demonstrationcompany\.com\|

    3. Note :
      - Replace demonstrationcompany.com with your own company domain(s). This regex pattern will match any email address from your domain in the subject line. To block multiple domains, you can use the pattern: \[^|]*@(domain1\.com|domain2\.com\.au|domain3\.au)\| 

      -  If you have multiple domains, you may not be able to include multiple domains within a single condition due to the 128-character limit, create separate rules per domain.
    4. When a user reports an email from your company domain (e.g., user@demonstrationcompany.com), the subject will contain @demonstrationcompany.com, which this regex pattern will match and will delete it.
  3. Do the following : Block the message → delete the message without notifying anyone. PRin8.png
  4. Except if : (Leave as "Select one" - no exceptions)

4.3 Configure Rule Settings

  1. Click Next and configure the following settings:
  2. Rule mode: Enforce
  3. Stop processing more rules: Checked
  4. Severity: Not specified
  5. Match sender address in message: Header
  6. Leave all other checkboxes unchecked (Activate/Deactivate this rule on, Stop processing more rules, etc.)
  7. Click Next then Finish to save the rule.

 Info 
By default, the status of mail flow rule is disabled when you create them. This is done so that you can review the rule one more time before finally enabling it. You can enable the rule after the rule creation is complete.

  • On the Rules page, select the rule by clicking anywhere in the row (do not click the radio button next to the rule name). 
  • In the rule list, check the status column to see whether the rule is currently Enabled or Disabled
  • Clicking the rule opens a details flyout. 
  • At the top of the flyout, use the toggle in the Enable or disable rule section to turn the rule on or off as required.

 

Step 5 : Set Rule Priority

  Once both rules have been set-up you need to ensure that Remove internal company emails from being reported rule has a lower priority value than the rule in Step 3

  1. Go to Mail flow > Rules 

  2. Ensure the "Remove internal company emails from being reported" rule (Step 4) has a LOWER priority number than the "BCC Reported Emails to Phriendly Phishing" rule (Step 3)
    • Lower priority numbers execute first (e.g., Priority 0 runs before Priority 1)
    • The blocking rule must run BEFORE the BCC rule

  3. If needed, use the up/down arrows or drag-and-drop to reorder the rules

     Example correct order

    • Priority 0 : Remove internal company emails from being reported (Step 4)
    • Priority 1 : BCC Reported Emails to Phriendly Phishing (Step 3)

Step 6 : Configure in Phriendly Phishing Platform

  1. Select the Phish Reporter Tab
  2. Select Microsoft Phish Reporter
  3. Enter the Recipient Email address for reported email. (The email set up in step 1 and used in previous steps eg reports@demonstrationcompany.com )
  4. Save Settings. 

  Congratulations ! You have now configured Micorsoft's default SPAM Reporter to integrate with our Phish Reporter.

Related to

Was this article helpful?
1 out of 1 found this helpful

Comments

0 comments

Please sign in to leave a comment.