# Microsoft 365 Phishing Reporter ## Microsoft 365 Phishing Reporter Guide In this article, we demonstrate the deployment of the **Phishing Reporter** for an **Office 365 admin** account, as well as the client side when reporting an email. Admins of the **CYBERAWARE SECURITY** portal can also observe the changes of reporting through **Email Campaign** results and their generated **Reports.** **1.** Navigate to **Plugins:** ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FrozArlQ61hbk88nhIX7Y%2FPhishing_Reporter_Guide_1.png?alt=media\&token=dfad4388-55e3-4dff-a1b9-026b56c44777) **2.** Let’s manage the **Plugin Configuration** by clicking on it: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2Fx8A2k3EtMVvCxb5TZwxR%2FPhishing_Reporter_Guide_2.png?alt=media\&token=64ec1d5f-0459-4b3b-b1d9-c5e13630537d) ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FT3l8G5ce2JpUBbpaOY1X%2FPhishing_Reporter_Guide_3.png?alt=media\&token=f05beb00-50fa-42a5-b85b-0dc628c6b32a) **3.** Enter an email address in the first box. That mailbox will be used to receive all recipient reported emails that were not part of the [Email Campaigns](https://docs.cyberawaresecurity.com/admin-portal/email-campaigns). Essentially, it will **filter** out **scheduled** phishing campaigns intended for **training/testing purposes,** to distinguish emails that could potentially be real phishing attempts. ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FIAelwzKFdu4MRus0eLqJ%2FPhishing_Reporter_Guide_4.png?alt=media\&token=c344dc21-bbc4-4de5-9144-b3c2e09fe0b9) As stated, you may add **multiple addresses** separated by a comma. **4.** Here, you can specify the behaviour of the plugin after an email has been submitted as a phishing attempt: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FpJB99fgAZ4eTxVH4IBzZ%2FPhishing_Reporter_Guide_5.png?alt=media\&token=a6e0cb85-91fc-4253-948d-9e36218bba70) **5.** For this example, we are choosing to automatically move the reported email to the **spam/junk folder** of the **Outlook.** ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2F0a67uXNFT9JK0oif3qtK%2FPhishing_Reporter_Guide_6.png?alt=media\&token=74084612-1ec4-442d-bd24-2cf258cdafb1) **6. Tick** the following box to prompt recipients to provide a reason for reporting an email: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FniPrIslIkINYevTVm2Q2%2FPhishing_Reporter_Guide_7.png?alt=media\&token=9f0f1c6c-81ef-4282-ac9e-5b5abc623e4d) **7.** If you are satisfied with the configuration, click on **Save changes:** ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FqPe2uHQn4uQnWjoKE3cY%2FPhishing_Reporter_Guide_8.png?alt=media\&token=48f9c130-ed8e-4455-aa70-3e5bc5a24c77) **8.** As we can see, the settings have been updated! ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FKs3bJlchzZJ2hSWh8u0u%2FPhishing_Reporter_Guide_9.png?alt=media\&token=80f0bf43-9fb0-43e5-aef5-38b749ceaaf8) **9.** Once the configuration process is done, let’s actually **install** the required reporter tool. Click on the following link to access the **Integrated Apps** section under your **Microsoft 365 admin centre.** ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FOqcETQkJ9hZbnHiYeSMG%2FPhishing_Reporter_Guide_10.png?alt=media\&token=ac003f2e-e85a-419f-9582-45c15150b5f1) You should get the following output: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2Fq8u90pSYSauhvBIF04Cf%2FPhishing_Reporter_Guide_11.png?alt=media\&token=dc95f294-4a85-4971-9e6f-bd8c957a8ba4) **10.** As guided by the installation process, select the option to **Upload custom apps:** ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FrZfulKUA40F5DF0GcPdk%2FPhishing_Reporter_Guide_12.png?alt=media\&token=9cbef820-aee7-4a1d-8968-1c906d881580) ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FzpST5212HbVq1vri2nS5%2FPhishing_Reporter_Guide_13.png?alt=media\&token=209f0dce-628e-4c50-8b85-456884ce8204) **11.** Choose the option **Provide link to manifest file:** ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FbkEURELcLQhEPi6VTlAC%2FPhishing_Reporter_Guide_14.png?alt=media\&token=9fdb08ce-3f04-40ad-9710-4baf41cca24d) **12.** Copy the link provided under the **2nd installation step** and paste it in the text box for validation: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2F98D0AhkvSTjPKSqDCFzm%2FPhishing_Reporter_Guide_15.png?alt=media\&token=bd9c8f81-70cb-4eee-9149-6199d54b366f) ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FaattEQzzm0S2bsoUpYBL%2FPhishing_Reporter_Guide_16.png?alt=media\&token=092343d0-a46e-450e-8a4d-d85c2f344d8d) **13.** Click on **Validate.** ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2Fqx95l2gIf17MWxY1yAdZ%2FPhishing_Reporter_Guide_17.png?alt=media\&token=5cd01671-1086-4ecc-858c-6371a4d7eedb) **14.** As we can see, the manifest file has been **validated** as expected! ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FP4APOK4KdNAkqxxjIhVG%2FPhishing_Reporter_Guide_18.png?alt=media\&token=6abb78c8-02c3-48a9-a4a7-05bf09428640) **15.** You can now select **Next** to proceed: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FfWSQRc4RJI7wzGc3V2SO%2FPhishing_Reporter_Guide_19.png?alt=media\&token=4c302bed-3e20-4d9a-a697-ef0f6112b3c3) ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FDSqcLKpz8FFdfOmtDAKs%2FPhishing_Reporter_Guide_20.png?alt=media\&token=b47d4604-c1b1-44b0-9172-21b96d65aff5) **16.** If this is a **testing deployment,** you should select the button indicated below: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FLRmVAT1gU9BHE7luBhRw%2FPhishing_Reporter_Guide_21.png?alt=media\&token=fd3e3196-99e0-43f9-8199-eb6d71d6f226) For this instance, we will not be selecting that option. **17.** To enable the phishing reporter plugin for all users of the platform, select the **Entire organization** option. Otherwise, you can specify either **yourself** or the **users/groups** that should have this feature available. ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FVYQYu0eeQQFZ8m1oo3gq%2FPhishing_Reporter_Guide_22.png?alt=media\&token=52804ba2-f324-4e40-9df4-5f4952a9fb36) Note that if you’ve selected the **entire organisation,** there will be needed **approximately 12 hours** for **Outlook’s tools** to **update** and **Phishing Reporter** to appear as expected. **18.** Press on the **Next** button to proceed. ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FbW2bF5m0ZQ9AX9DcixJ4%2FPhishing_Reporter_Guide_23.png?alt=media\&token=8182cc8c-a44f-46c0-9832-c2f0ba96a791) ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FooVo7LDGhgaN3XGhH065%2FPhishing_Reporter_Guide_24.png?alt=media\&token=229aac10-8009-4eaf-b7a1-fe7e0618bed7) **19.** Once again, click on **Next.** You will reach the **Finish** step: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FDnnYT4DTZO4Gq4Fmv6Sm%2FPhishing_Reporter_Guide_25.png?alt=media\&token=464b52e2-6234-49e1-879d-d4242df8c5fe) ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FWYEaAF9b18p1kr5xOUjq%2FPhishing_Reporter_Guide_26.png?alt=media\&token=0f921be2-0287-434d-b310-0eb9840eec6c) **20.** Finally, select **Finish deployment** to conclude the process: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2Frehb8yeLToXlcKUSTfpM%2FPhishing_Reporter_Guide_27.png?alt=media\&token=b09db01a-05d2-4a59-b08c-c99ddc195e1d) **21.** As we can see, the deployment is completed! ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2Fc3zrVZ8F61Sei9PCajse%2FPhishing_Reporter_Guide_28.png?alt=media\&token=10a53ead-5ae8-403a-8b7c-92bd1099fb53) **22.** Let’s have a look from the Outlook’s side of things. In the **Home** tab, you will find that a **Report a phishing mail tool** was eventually added. Click on the specified button: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FqhY54A3KTptW74zRrcEZ%2FPhishing_Reporter_Guide_29.png?alt=media\&token=7858f81f-33b2-4aec-8605-e9c09f9e925f) **23.** When we click on the **Report a phishing mail** button, we get the following option: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2Ftp27sEOzGKRhQFk5uAbb%2FPhishing_Reporter_Guide_30.png?alt=media\&token=3b0ad9d8-7655-41c7-98f7-5dd59f9650f7) **24.** Click on **Send report** to **finalise.** In this instance, we will report this email using the **default reason** called **Suspicious content**. As always, a recipient may select the appropriate reason for their case. When selecting the **Other reason** option, a user will be asked to provide a description of the issue as well. ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2Fk7V3yfRlGyPgDrUC7J7s%2FPhishing_Reporter_Guide_31.png?alt=media\&token=3fe47986-fe42-43fe-a3df-e17c20b9d19c) **25.** As we can see, the report has been submitted as expected! ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2F4rWA3mOD3quByXgjrhJU%2FPhishing_Reporter_Guide_32.png?alt=media\&token=e1a5c5ae-c01a-4538-9d53-c6bc0517bd93) **26.** We can also observe that the email has been moved into the **Junk Email** folder: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FBcu8iGNAY2VfhoYkZ3rd%2FPhishing_Reporter_Guide_33.png?alt=media\&token=9080fcd0-4023-4235-93c8-0e2708b56415) **27.** When clicking on it, we can view the following: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2Fu0JLBDzfKCT7j1OR1ARh%2FPhishing_Reporter_Guide_34.png?alt=media\&token=82f62d6c-2949-44dd-bdb1-4cd5f52b8c57) **28.** If the email reported was part of a phishing campaign, reporting such email will trigger an update on the results of said campaign, indicating that the email has been reported: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FIITEwK20bqmCBjkNZEiq%2FPhishing_Reporter_Guide_35.png?alt=media\&token=03514bc4-bfb5-4d48-981f-fc32737886fa) **29.** On the other hand, if the email was not part of a campaign and has been reported, the email address that was added during the configuration step will receive an email containing an **eml** file so it can be **viewed/analysed** later. If the recipient has added a **description** during the reporting procedure, it will also be included: ![](https://787872742-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FdbDWFUV8KfahpvaDhzuK%2Fuploads%2FvMEo1n74xMq6C6mFgdxB%2FPhishing_Reporter_Guide_36.png?alt=media\&token=cf9a2d90-f2e4-4591-aed8-2a2ad68a25ee)