Microsoft 365 Phishing Reporter

Microsoft 365 Phishing Reporter Guide

In this article, we demonstrate the deployment of the Phishing Reporter from an Office 365 admin account, as well as the client side when reporting an email. Admins of the CYBERAWARE SECURITY portal can also see reported emails reflected in the Email Campaign results and their generated Reports.

1. Navigate to Plugins:

2. Let’s manage the Plugin Configuration by clicking on it:

3. Enter an email address in the first box. That mailbox will be used to receive all recipient-reported emails that were not part of the Email Campaigns. Essentially, the plugin filters out scheduled phishing campaigns intended for training/testing purposes, so that emails that could potentially be real phishing attempts can be distinguished.

As stated, you may add multiple addresses separated by a comma.

4. Here, you can specify the behaviour of the plugin after an email has been submitted as a phishing attempt:

5. For this example, we are choosing to automatically move the reported email to Outlook's spam/junk folder.

6. Tick the following box to prompt recipients to provide a reason for reporting an email:

7. If you are satisfied with the configuration, click on Save changes:

8. As we can see, the settings have been updated!

9. Once the configuration process is done, let’s actually install the required reporter tool. Click on the following link to access the Integrated Apps section under your Microsoft 365 admin centre.

You should get the following output:

10. As guided by the installation process, select the option to Upload custom apps:

11. Choose the option Provide link to manifest file:

12. Copy the link provided under the 2nd installation step and paste it in the text box for validation:

13. Click on Validate.

14. As we can see, the manifest file has been validated as expected!

15. You can now select Next to proceed:

16. If this is a testing deployment, you should select the button indicated below:

For this instance, we will not be selecting that option.

17. To enable the phishing reporter plugin for all users of the platform, select the Entire organization option. Otherwise, you can specify either yourself or the users/groups that should have this feature available.

Note that if you’ve selected the entire organisation, it will take approximately 12 hours for Outlook’s tools to update and for Phishing Reporter to appear as expected.

18. Press on the Next button to proceed.

19. Once again, click on Next. You will reach the Finish step:

20. Finally, select Finish deployment to conclude the process:

21. As we can see, the deployment is completed!

22. Let’s have a look at things from Outlook’s side. In the Home tab, you will find that a Report a phishing mail tool has been added. Click on the specified button:

23. When we click on the Report a phishing mail button, we get the following option:

24. Click on Send report to finalise. In this instance, we will report this email using the default reason called Suspicious content. As always, a recipient may select the appropriate reason for their case. When selecting the Other reason option, a user will be asked to provide a description of the issue as well.

25. As we can see, the report has been submitted as expected!

26. We can also observe that the email has been moved into the Junk Email folder:

27. When clicking on it, we can view the following:

28. If the reported email was part of a phishing campaign, reporting it will trigger an update on the results of that campaign, indicating that the email has been reported:

29. On the other hand, if the email was not part of a campaign and has been reported, the email address that was added during the configuration step will receive an email containing an .eml file so it can be viewed/analysed later. If the recipient has added a description during the reporting procedure, it will also be included:
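For the analysis step, the following added example (not part of the Phishing Reporter or of this guide) shows one way to triage such a report in Python without opening the reported message in a mail client. It assumes the reporter's description arrives as the plain-text body and the reported message as an `.eml` or `message/rfc822` attachment; the sample message, addresses and domains are constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def build_sample_report() -> bytes:
    """Constructed sample: a report mail carrying the reported message as an .eml."""
    inner = EmailMessage()
    inner["From"] = "IT Support <support@corp.example>"
    inner["Reply-To"] = "helpdesk@mail-reset.example"
    inner["Subject"] = "Password expiry notice"
    inner["Authentication-Results"] = "mx.corp.example; spf=fail; dkim=none; dmarc=fail"
    inner.set_content("Renew your password at http://login.mail-reset.example/renew today.")
    outer = EmailMessage()
    outer["From"], outer["To"] = "user@corp.example", "phish-triage@corp.example"
    outer.set_content("Other reason: sender asked for my password")  # assumed layout
    outer.add_attachment(inner.as_bytes(), maintype="application",
                         subtype="octet-stream", filename="reported.eml")
    return outer.as_bytes()

def extract_reported(raw: bytes):
    """Return (reporter_note, reported_message); parse only, never render or fetch."""
    outer = message_from_bytes(raw, policy=policy.default)
    body = outer.get_body(preferencelist=("plain",))
    note = body.get_content().strip() if body else ""
    for part in outer.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return note, part.get_content()
        if (part.get_filename() or "").lower().endswith(".eml"):
            return note, message_from_bytes(part.get_content(), policy=policy.default)
    raise ValueError("no .eml attachment found")

def domain(header_value) -> str:
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw: bytes) -> dict:
    note, msg = extract_reported(raw)
    flags = []
    if domain(msg["Reply-To"]) not in ("", domain(msg["From"])):
        flags.append("reply-to domain differs from From")
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result != "pass":
            flags.append(f"{mech}={result}")
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = sorted(set(URL_RE.findall(body.get_content()))) if body else []
    return {"note": note, "subject": str(msg["Subject"]), "urls": urls, "flags": flags}
```

Calling `triage(build_sample_report())` returns the reporter's note, the subject, the extracted URLs and the header flags as a dictionary that can be logged or attached to a ticket.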
