How do I integrate the Microsoft Reporting Add-In with Right-Hand PhishArm?

Written by Karthek S
Updated today

Overall Flow Diagram

Before You Start

  • You’ll need: Exchange admin and Security admin permissions.

  • What you’ll set up:

    1. a mail contact for PhishArm

    2. Microsoft’s built-in Report button + a reporting (shared) mailbox

    3. Mark that mailbox as a SecOps mailbox (advanced delivery)

    4. An outbound connector (direct report forwarding)

    5. Mail flow rules to route reported messages

Step 1: Add Mail Contact in the Exchange admin center

  1. Now that the plugin is installed, it’s time to set up the Right-Hand reporting email contact.

    To do this, log in to your Exchange Admin Center, then go to Recipients > Contacts to add the reporting email.

  2. Click Add a mail contact.

  3. In the New Mail Contact pane, type your details:

    a) Display Name: The name that would appear on the Contacts page.

    b) Alias: Type PhishArm as the Alias name.

    c) External email address: Type [email protected] as a contact.

  4. Click Next. The Mail contact information (optional) appears.

  5. Click Next.

  6. The Review mail contact displays the summary of data entered.

  7. Review the data and click Create.

    The new contact may take a while to appear on the Contacts page. Refresh the page, or wait a little longer for the contact to appear.


Why this matters: This contact is the external destination for forwarded report emails.

Step 2: Configure the Microsoft native report button and the Internal mailbox

Important: Following recent changes from Microsoft, Microsoft now recommends routing phishing simulation reports to a dedicated internal mailbox. Create a dedicated shared mailbox within the organization where all phishing simulation reports will be collected.

Once the mail contact is set up, the next step is to enable the feature and configure a few important policies and rules in Microsoft 365 Defender.

Follow the steps below to enable the settings and set up the necessary rules:

  1. Log in to your Microsoft 365 Defender portal and navigate to Settings > Email & collaboration > User reported settings.

  2. On the User reported settings page, enable the toggle button.

  3. Select the built-in reporting option, as it makes reporting easy for users.

  4. You can configure messaging criteria based on your company’s needs. Select the Customize messages option, choose your preferred language for the prompt, set new messages in each tab, and click save.

  5. Inside the reported email destination, select "My reporting mailbox" from the Send reported messages to: drop-down.

Important: Provide the email address of the internal reporting mailbox where these reports will be sent.

  6. Click on the Save button.

Now, the Microsoft plugin has been configured.

Tip: Using the built-in button keeps things simpler and supported across Outlook apps.

Step 3: Configure SecOps mailbox

To prevent Microsoft filtering from blocking the reported-message flow, inform Defender that the mailbox is used for Security Operations (SecOps).

  1. Go to Microsoft 365 Defender Portal -> On the left menu click on Email & collaboration -> Click on Policies & rules -> click on Threat Policies.

  2. Under Rules Section, click on Advanced Delivery -> click on SecOps mailbox -> Click Edit.

  3. Inform Microsoft that the newly created mailbox is a “SecOps mailbox” so emails are forwarded correctly and not quarantined or filtered.

    Reference: Microsoft’s guidance on why this is required can be found here.

  4. On the page, click “Add” (or “Edit” if a SecOps mailbox already exists).

  5. Search for and select the newly created mailbox, then click “Add”.

  6. That’s it, this step is complete!

Step 4: Create The Outbound Connector

You’ll set up a connector from Office 365 → Partner organization that routes via RH Hostname and enforces TLS.

  1. In EAC, go to Mail flow > Connectors > Add.

  2. From: Office 365 | To: Partner organization.

  3. Name: RH Direct Report Forwarding | Status: On.

  4. Use of connector: Use only when I have a transport rule set up that redirects messages to this connector.

  5. Routing: Route email through these smart hosts:

Note: Ask the Support team to share the RH Hostname with you.

  6. Security restrictions: Always use TLS and only accept certificates from trusted CAs.

  7. Validate the connector by using reports@phisharm and confirm that Validation is successful.
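
To confirm that Steps 1, 3 and 4 took effect, the same settings can be read back with Exchange Online PowerShell. This is an added example, not a script from Right-Hand or Microsoft: the function name `Test-PhishArmReportFlow`, the reporting mailbox address and the smart host value are placeholders, and it assumes that "Always use TLS and only accept certificates from trusted CAs" corresponds to the connector's `TlsSettings` value `CertificateValidation`.

```powershell
# Added example: read back the settings from Steps 1, 3 and 4.
# Assumes the ExchangeOnlineManagement module and a Connect-ExchangeOnline session.
$ContactAlias     = 'PhishArm'                        # alias from Step 1
$ConnectorName    = 'RH Direct Report Forwarding'     # name from Step 4
$ReportingMailbox = 'phish-reports@contoso.example'   # placeholder: your Step 2 mailbox
$RhSmartHost      = 'rh-hostname.example'             # placeholder: RH Hostname from Support

function Test-PhishArmReportFlow {                    # hypothetical helper name
    $findings = [System.Collections.Generic.List[string]]::new()

    # Step 1: the mail contact that receives forwarded reports
    $contact = Get-MailContact -Identity $ContactAlias -ErrorAction SilentlyContinue
    if (-not $contact) { $findings.Add("Mail contact '$ContactAlias' not found") }

    # Step 3: the reporting mailbox must be listed as a SecOps mailbox
    $secOpsRecipients = @(Get-ExoSecOpsOverrideRule -ErrorAction SilentlyContinue |
        ForEach-Object { $_.SentTo })
    if ($secOpsRecipients -notcontains $ReportingMailbox) {
        $findings.Add("$ReportingMailbox is not a SecOps mailbox in Advanced Delivery")
    }

    # Step 4: connector scope, routing and TLS
    $c = Get-OutboundConnector -Identity $ConnectorName -ErrorAction SilentlyContinue
    if (-not $c) {
        $findings.Add("Outbound connector '$ConnectorName' not found")
        return $findings
    }
    if (-not $c.Enabled) { $findings.Add('Connector is turned off') }
    if ("$($c.ConnectorType)" -ne 'Partner') { $findings.Add('Connector type is not Partner') }
    # Without rule scoping the connector is not limited to mail a transport rule redirects to it
    if (-not $c.IsTransportRuleScoped) { $findings.Add('Connector is not transport-rule scoped') }
    if ($c.UseMXRecord) { $findings.Add('Connector routes by MX record, not smart host') }
    $hosts = @($c.SmartHosts | ForEach-Object { "$_" })
    if ($hosts -notcontains $RhSmartHost) { $findings.Add("Smart host $RhSmartHost not configured") }
    # EncryptionOnly would accept any certificate; the guide requires trusted-CA validation
    if ("$($c.TlsSettings)" -ne 'CertificateValidation') {
        $findings.Add("TLS setting is '$($c.TlsSettings)', expected CertificateValidation")
    }
    return $findings
}

$result = @(Test-PhishArmReportFlow)
if ($result.Count -eq 0) { 'All checks passed' } else { $result }
```

Each finding names the step whose setting drifted, so the check can be re-run after any later change to mail flow or threat policies.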

Step 6: Report the Phishing Email

Now, log in to Outlook and report the email. Below are the ways to report emails from different devices and operating systems. Choose the method that matches your device.

Desktop App - Windows

  1. Open the email you want to report.

    a) From the top menu, click the Report drop-down and select Phishing/Junk. The email will be reported and will appear on the Right-Hand PhishArm dashboard. (If you selected Ask me before reporting in Step 2, you’ll be prompted to confirm your action.)

Desktop App - Mac

  1. Right-click on the email you want to report.

    a) Select Report > Report Phishing/Junk. The email will be reported and will appear on the Right-Hand PhishArm dashboard. (If you selected Ask me before reporting in Step 2, you’ll be prompted to confirm your action.)

Mobile

  1. Open the email you want to report.

    a) Tap on the three dots option.

    b) Tap on Report and then select Phishing/Junk.

    The reported email will now appear in the Right-Hand portal.

Frequently Asked Questions

  1. Why do we need a connector in this setup?


    The connector makes sure that reported emails are routed out of Office 365 and delivered safely to the PhishArm address ([email protected]). Connectors are Microsoft’s supported method to extend mail flow to trusted partners.

  2. Can’t I just set a forward rule?


    Regular forwarding rules work inside your tenant. When you need to send reports to an external system (like PhishArm), you need a connector so Microsoft recognizes it as an allowed, secured route. This avoids the mail being blocked, false positives, or failing TLS checks.

  3. How does the SecOps mailbox avoid false positives?

    By designating the mailbox as a SecOps mailbox in Advanced Delivery, Microsoft ensures:

    • Legitimate test/simulation emails aren’t misclassified as threats.

    • User-reported real emails arrive unchanged for analysis.

    • Security tools don’t create “false positives” by filtering out mail that you actually want your team to investigate.

  4. Why do we need to mark the reporting mailbox as a SecOps mailbox?


    When you don’t mark it, Microsoft’s normal security filters (spam, phishing, junk) can still block, quarantine, or alter user-reported messages. That means your analysts might never see the original, intact email.

  5. How does the connector work with the mail flow rules?


    The mail flow rules act like “filters” that catch reported messages and then hand them off to the connector. The connector then delivers those messages to PhishArm through the secure path (RH Mail Server). Think of the rules as “When to use” and the connector as “How to send.”

  6. Why a smart host?


    A smart host lets you route matching messages through a partner’s system. This is a standard Microsoft pattern for conditional/partner routing.
