Important: Following recent changes from Microsoft, Microsoft now recommends routing phishing simulation reports to a dedicated internal mailbox. Create a specific mailbox within the organization where all phishing simulation reports will be sent.
IMPORTANT: You don't have to install the Report Message add-in if the option to report an email is already available through the Report button. In that case the reporting functionality is already accessible, so no additional installation is needed.
If you see no Report button in your Outlook version, follow Step 1 to install the Report Message add-in.
Outlook without a report button
Outlook with a report button
Step 1: Install the Microsoft Report Message Add-in from Microsoft Exchange App Store [OPTIONAL]
Get the Report Message add-in Using Microsoft 365 Admin Center.
On your Microsoft 365 admin center, in your left panel, go to Settings > Integrated apps. Click Get Apps. Or you can directly go to the Report Message add-in by clicking here.
On the Microsoft 365 Apps page, in the Search box, type Report Message. In the list of results, find and select Report Message.
Select Get It Now on the app details page.
A Deploy New App section appears. Configure your settings and click Next to go to the next page to complete the setup.
Deployment:
a. Accept Permissions Requests: Read the app permissions and capabilities carefully before going to the next page.
Finish deployment: Review and deploy the add-in by selecting Done to complete the setup.
Get the Report Message add-in Using Outlook For Yourself Only.
Log in to your Outlook.
Click on the three dots (More action) from the left side. Select Get Add-ins.
Navigate to Admin Managed Add-ins > search Report Message.
Click Add.
Important: Refresh the page to use the feature after adding the Report Message add-in.
Step 2: Add Mail Contact in the Exchange admin center
After installing the plugin, add a Right-Hand reporting email contact.
Log in to your Exchange admin center account and navigate to Recipients > Contacts.
Click Add a mail contact.
In the New Mail Contact pane, type your details:
a) Display Name: The name that would appear on the Contacts page.
b) Alias: Type PhishArm as the Alias name.
c) External email address: Type [email protected] as a contact.
Click Next. The Mail contact information (optional) appears.
Click Next.
The Review mail contact displays the summary of data entered.
Review the data and click Create.
The new contact will take a while to appear on the Contacts page. You can refresh the page or wait a little longer for the contact to appear.
Step 3: Configure Microsoft Plugin
After setting up a mail contact, you must enable the button and set up a few policies and rules from the Microsoft 365 Defender. The following steps guide you on how to enable and configure the rules:
Log in to your Microsoft 365 Defender portal and navigate to Settings > Email & collaboration > User reported settings.
On the User reported settings page, enable the toggle button.
Select the built-in reporting option, as it is easy to report.
You can configure messaging criteria based on your company’s needs. Select the Customize messages option, choose your preferred language for the prompt, set new messages in each tab, and click save.
Inside the reported email destination, select "Microsoft and My reporting mailbox only" or "My reporting mailbox only" from the Send reported messages to: field.
Important: Provide the email address of the internal reporting mailbox where these reports will be sent.
Click on the Save button.
Now, the Microsoft plugin has been configured.
Step 4: Add Mail flow rules in the Exchange admin center
Rule A - Send only simulation emails to PhishArm.
Emails reported as Phishing and Junk will be redirected to PhishArm. Emails reported as Not junk will stay in the inbox.
The following steps will help you add the Mail flow rules:
Now, navigate to Mail flow > Rules > click + icon (add new rule). You can copy the existing rules for future reference.
From the + icon (add new rule) drop-down, select Create new rule…
In the new rule window, in the Name field, type the rule's name.
From the Apply this rule if… drop-down, select The recipient address includes…
And then click on the edit icon and add your internal mailbox's email address.
Click the plus sign on the right and under Apply this rule if… drop-down, select the option The Subject or body, and in the condition, select subject or body includes any words.
In the specified words or phrases pop-up, add the following two options.
linktologin.com
linktosso.com
Click the plus sign on the right and under Apply this rule if… drop-down, select the option The Subject or body, and in the condition, select subject matches these text patterns.
In the specified words or phrases pop-up, add the following two options.
Phishing and Junk
From the Do the following… drop-down, select Add recipients and from the options, select to the To box.
From the Except if… drop-down, select The subject or body and from the options, select subject includes any of these words.
In the specified words or phrases pop-up, add the following option.
Not junk
Now click on the Next button and set the following values to
Click on Next and then the Finish button. The rule will appear in the list.
Now, we need to edit this rule further. Click on the rule, and it will open the slider. Enable this rule by clicking the toggle and then clicking on the rule settings. Change the Priority to 0 and click on the save button.
After that, the rule will appear enabled at the top of the list.
The configuration has been successfully set up :)
Rule B - Send non-simulation emails to the internal team.
Non-simulated emails reported only as Phishing will go to the security team's email address. All simulated emails will be redirected to PhishArm.
Now, navigate to Mail flow > Rules > click + icon (add new rule). You can copy the existing rules for future reference.
From the + icon (add new rule) drop-down, select Create new rule…
In the new rule window, in the Name field, type the rule's name.
From the Apply this rule if… drop-down, select The recipient address includes…
And then click on the edit icon and add your internal mailbox's email address.
Click the plus sign on the right and under Apply this rule if… drop-down, select the option The Subject or body, and in the condition, select subject or body includes any words.
In the specified words or phrases pop-up, add the following option.
Phishing
From the Do the following… drop-down, select Add recipients and from the options, select to the To box. And then add your security team's email address.
From the Except if… drop-down, select The subject or body and from the options, select subject includes any of these words.
In the specified words or phrases pop-up, add the following two options.
linktologin.com
linktosso.com
Now click on the Next button and set the following values to
Click on Next and then the Finish button. The rule will appear in the list.
Now, we need to edit this rule further. Click on the rule, and it will open the slider. Enable this rule by clicking the toggle and then clicking on the rule settings. Change the Priority to 0 and click on the save button.
After that, the rule will appear enabled at the top of the list.
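Rule A and Rule B can also be created from Exchange Online PowerShell, which makes the conditions easy to review and reproduce. This is an added example, not part of the original guide or the vendor's tooling: the rule names and all addresses are placeholders, it assumes the ExchangeOnlineManagement module is installed, and it reads "Phishing and Junk" as the two patterns Phishing and Junk.

```powershell
# Added example (not from the original guide). Replace every placeholder below.
$ReportingMailbox = 'phish-reports@contoso.example'        # placeholder: internal reporting mailbox (Step 3)
$PhishArmContact  = '<PhishArm contact address from Step 2>' # placeholder: mail contact created in Step 2
$SecurityTeam     = 'security-team@contoso.example'        # placeholder: security team address
$SimulationHosts  = 'linktologin.com', 'linktosso.com'     # simulation markers listed in the guide

Connect-ExchangeOnline

# Rule A: simulation emails reported as Phishing or Junk also go to PhishArm;
# reports whose subject includes "Not junk" are excluded.
$ruleA = @{
    Name                          = 'Reported simulations to PhishArm'   # hypothetical name
    RecipientAddressContainsWords = $ReportingMailbox
    SubjectOrBodyContainsWords    = $SimulationHosts
    SubjectMatchesPatterns        = 'Phishing', 'Junk'
    AddToRecipients               = $PhishArmContact
    ExceptIfSubjectContainsWords  = 'Not junk'
    Priority                      = 0
    Enabled                       = $true
}
New-TransportRule @ruleA

# Rule B: reports marked Phishing go to the security team, except those
# carrying the simulation markers (exception on the subject, as in the guide).
$ruleB = @{
    Name                          = 'Reported phishing to security team' # hypothetical name
    RecipientAddressContainsWords = $ReportingMailbox
    SubjectOrBodyContainsWords    = 'Phishing'
    AddToRecipients               = $SecurityTeam
    ExceptIfSubjectContainsWords  = $SimulationHosts
    Priority                      = 0
    Enabled                       = $true
}
New-TransportRule @ruleB

# Confirm both rules exist, are enabled, and sit at the top of the list.
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State
```

After running it, report one simulated and one real message and confirm each lands in the expected mailbox before relying on the rules.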