Integrated Microsoft Phish Reporter Button

Overview

This guide explains how to configure Microsoft Defender and Exchange to BCC user-reported emails (submitted via the Outlook default add-in) to Phriendly Phishing to provide response back to learners and track reports. 

Step 1 : Create a Mailbox to Receive Report Notifications

Create a dedicated mailbox in Microsoft 365 that will receive the initial report notifications from Microsoft Defender. Example: reports@demonstrationcompany.com . This mailbox will serve as the initial destination for all user-reported messages from the Outlook add-in.

Step 2 : Configure Microsoft Defender User Reported Settings

2.1 Navigate to user Reported Settings

1. Go to Microsoft Defender portal at http://security.microsoft.com/.
2. Navigate to System > Settings > Email & collaboration from the left menu.
3. Select User reported settings.

2.2 Enable Outlook Message Monitoring

1. Under the Outlook section, ensure the checkbox "Monitor reported messages in Outlook" is enabled.
2. This allows Microsoft to track and process messages reported by users through the Outlook add-in.

2.3. Configure Reported Message Destinations

1. Scroll down to Reported message destinations.
2. In the "Send reported messages to:" dropdown, select "Microsoft and my reporting mailbox" or "My reporting mailbox only".
3. Under "Add an exchange online mailbox to send reported messages to:", add the mailbox created in Step 1.
4. Click Save

Step 3 : Create Exchange Mail Flow Rule to BCC Phriendly Phishing on reported emails

3.1 Access Exchange Admin Center

1. Go to Exchange admin center - https://admin.cloud.microsoft/exchange#/ 
2. Navigate to Mail flow > Rules
3. Click + Add a rule > Create New Rule

3.2 Configure BCC Rule

Create a new rule with the following settings :

1. Name : BCC Reported Emails to Phriendly Phishing
2. Apply this rule if (Click the '+' button to add more conditions) : 
   1. Condition 1 : The recipient → is this person → (use the mailbox created in Step 1, e.g. reports@demonstrationcompany.com).
   2. Condition 2 : The subject or body → subject matches these text patterns →
      ^(Junk|Phishing):[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\|
   3. Why : This regex pattern ensures only reports marked as "Junk" or "Phishing" are BCC'd to Phriendly Phishing. If a user reports an email and then clicks "Undo", the notification subject will start with Not junk: instead, which will NOT match this pattern and therefore will not be BCC'd. 
   4. Subject format examples:

      1. Junk:9d4387fc-41d2-4acd-a8ea-08de3d209bb5|... ✓ (will be BCC'd)

      2. Phishing:9d4387fc-41d2-4acd-a8ea-08de3d209bb5|... ✓ (will be BCC'd)

      3. Not junk:9d4387fc-41d2-4acd-a8ea-08de3d209bb5|... ✗ (will NOT be BCC'd)

3. Do the following :
    

    Details to Add

   • AU : Add recipients → to the Bcc box → (enter report@feedback.phriendlyphishing.com)
   • UK: Add recipients → to the Bcc box → (enter  report@feedback.uk.phriendlyphishing.com)
4. Except if: (Leave as "Select one" - no exceptions)
5. Final Configuration should look like below :

3.3 Configure Rule Settings

1. Click Next and configure the following settings:
2. Rule mode: Enforce
3. Severity: Not specified
4. Match sender address in message: Header
5. Leave all other checkboxes unchecked (Activate/Deactivate this rule on, Stop processing more rules, etc.)
6. Click Next then Finish to save the rule.

Step 4 : Configure in Phriendly Phishing Platform

1. Select the Phish Reporter Tab
   
2. Select Microsoft Phish Reporter
   
3. Enter the Recipient Email address for reported email. (The email set up in step 1 and used in previous steps eg reports@demonstrationcompany.com )
   
4. Save Settings. 

Step 5: Create Exchange Mail Flow Rule to Block Internal Reports

5.1 Access Exchange Admin Center

1. Go to Exchange admin center - https://admin.cloud.microsoft/exchange#/.
2. Navigate to Mail flow > Rules.
3. Click + Add a rule > Create New Rule.
    

5.2 Configure Rule Conditions

Create a new rule with the following settings :

1. Name : Remove internal company emails from being reported
2. Apply this rule if (Click the '+' button to add more conditions): 
   1. Condition 1 : The recipient → is this person → use the mailbox created in Step 1 (e.g., reports@demonstrationcompany.com
   2. Condition 2 : The subject or body → subject matches these text patterns →
      ^(Junk|Phishing):[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\|[^|]*@demonstrationcompany\.com\|
   3. Note : Replace demonstrationcompany.com with your own company domain(s). This regex pattern will match any email address from your domain in the subject line. To block multiple domains, you can use the pattern: \[^|]*@(domain1\.com|domain2\.com\.au|domain3\.au)\| 
   4. When a user reports an email from your company domain (e.g., user@demonstrationcompany.com), the subject will contain @demonstrationcompany.com, which this regex pattern will match and will delete it.
3. Do the following : Block the message → delete the message without notifying anyone.
4. Except if : (Leave as "Select one" - no exceptions)

5.3 Configure Rule Settings

1. Click Next and configure the following settings:
2. Rule mode: Enforce
3. Stop processing more rules: Checked
4. Severity: Not specified
5. Match sender address in message: Header
6. Leave all other checkboxes unchecked (Activate/Deactivate this rule on, Stop processing more rules, etc.)
7. Click Next then Finish to save the rule.