Skip to main content

How do I integrate the Microsoft Reporting Button with Right-Hand PhishArm?

K
Written by Karthek S

Overall Flow Diagram

Before You Start

  • You’ll need: Exchange admin and Security admin permissions.

  • What you’ll set up:

    1. a mail contact for PhishArm

    2. Microsoft’s built-in Report button + a reporting (shared) mailbox

    3. Mark that mailbox as a SecOps mailbox (advanced delivery)

    4. An outbound connector (direct report forwarding)

    5. Mail flow rules to route reported messages

Step 1: Add Mail Contact in the Exchange admin center

  1. Now that the plugin is installed, it’s time to set up the Right-Hand reporting email contact.

    To do this, log in to your Exchange Admin Center, then go to Recipients > Contacts to add the reporting email.

  2. Click Add a mail contact.

  3. In the New Mail Contact pane, type your details:

    a) Display Name: The name that would appear on the Contacts page.

    b) Alias: Type PhishArm as the Alias name.

    c) External email address: Type [email protected] as a contact.

  4. Click Next. The Mail contact information (optional) appears.

  5. Click Next.

  6. The Review mail contact displays the summary of data entered.

  7. Review the data and click Create.

    The new contact will take a while to appear on the Contacts page. You can refresh the page or wait for some more time for the contact to occur.


Why this matters: This contact is the external destination for forwarded report emails.

Step 2: Configure the Microsoft native report button and the Internal mailbox

Important: As per the NEW CHANGES from Microsoft, Microsoft now recommends routing phishing simulated reports to a dedicated internal mailbox. So, create a specific shared mailbox within the organization where all phishing simulation reports will be collected.

Once the mail contact is set up, the next step is to enable the feature and configure a few important policies and rules in Microsoft 365 Defender.

Follow the steps below to enable the settings and set up the necessary rules:

  1. Log in to your Microsoft 365 Defender portal and navigate to Settings > Email & collaboration > User reported settings.

  2. On the User reported settings page, enable the toggle button.

  3. Select the built-in reporting option, as it is easy to report.

  4. You can configure messaging criteria based on your company’s needs. Select the Customize messages option, choose your preferred language for the prompt, set new messages in each tab, and click save.

  5. Inside the reported email destination, select "My reporting mailbox" from the Send reported messages to: drop-down.

Important: Provide the email address of the internal reporting mailbox where these reports will be sent.

6. Click on the Save button.

Now, the Microsoft plugin has been configured.

Tip: Using the built-in button keeps things simpler and supported across Outlook apps.

Step 3: Configure SecOps mailbox

To prevent Microsoft filtering from blocking the reported-message flow, inform Defender that the mailbox is used for Security Operations (SecOps).

  1. Go to Microsoft 365 Defender Portal -> On the left menu click on Email & collaboration -> Click on Policies & rules -> click on Threat Policies.

  2. Under Rules Section, click on Advanced Delivery -> click on SecOps mailbox -> Click Edit.

  3. Inform Microsoft that the newly created mailbox is a “SecOps mailbox” so emails are forwarded correctly and not quarantined or filtered.

    Reference: Microsoft’s guidance on why this is required can be found here.

  4. On the page, click “Add” (or “Edit” if a SecOps mailbox already exists).

  5. Search for, and select your created internal mailbox, then click “Add”.

  6. That’s it, this step is complete!

Step 4: Create The Outbound Connector

You’ll set up a connector from Office 365 → Partner organization that routes via RH Hostname and enforces TLS.

  1. in EACMail flowConnectorsAdd.

  2. From: Office 365 | To: Partner organization.

  3. Name: RH Direct Report Forwarding | Status: On.

  4. Use of connector: Use only when I have a transport rule set up that redirects messages to this connector.

  5. Routing: Choose "Route email through these smart hosts"


    The Right-Hand hostname is mx.sendgrid.net

6. Security restrictions: Always use TLS and only accept certificates from trusted CAs.

7. Validate the connector by using [email protected] and confirm that Validation is successful.

Step 6: Report the Phishing Email

Now, log in to Outlook and report the email. Below are various ways to report emails from different devices/operating systems. Choose the method that suits you appropriately.

Desktop App- Windows

  1. Open the email you want to report.

    a) From the top menu, click the Report drop-down and select Phishing/Junk. The email will be reported and will appear on the Right-Hand PhishArm dashboard. (In Step 2, if you have selected Ask me before reporting, you’ll be prompted to confirm your actions.)

Desktop App- Mac

  1. Right-click on the email you want to report.

    a) Select Report > Report Phishing/Junk. The email will be reported and will appear on the Right-Hand PhishArm dashboard. (In Step 2, if you have selected Ask me before reporting, you’ll be prompted to confirm your actions.)

Mobile

  1. Open the email you want to report.

    a) Tap on the three dots option.

    b) Tap on Report and then select Phishing/Junk.

    The reported email will now appear in the Right-Hand portal.

Frequently Asked Questions

Why do we need a connector in this setup?

The connector makes sure that reported emails are routed out of Office 365 and delivered safely to the PhishArm address ([email protected]). Connectors are Microsoft’s supported method to extend mail flow to trusted partners.

Can’t I just set a forward rule?

Regular forwarding rules work inside your tenant. When you need to send reports to an external system (like PhishArm), you need a connector so Microsoft recognizes it as an allowed, secured route. This avoids the mail being blocked, false positives, or failing TLS checks.

How does the SecOps mailbox avoid false positives?

By designating the mailbox as a SecOps mailbox in Advanced Delivery, Microsoft ensures:

  • Legitimate test/simulation emails aren’t misclassified as threats.

  • User-reported real emails arrive unchanged for analysis.

  • Security tools don’t create “false positives” by filtering out mail that you actually want your team to investigate.

Why do we need to mark the reporting mailbox as a SecOps mailbox?

When you don’t mark it, Microsoft’s normal security filters (spam, phishing, junk) can still block, quarantine, or alter user-reported messages. That means your analysts might never see the original, intact email.

How does the connector work with the mail flow rules?

The mail flow rules act like “filters” that catch reported messages and then hand them off to the connector. The connector then delivers those messages to PhishArm through the secure path (RH Mail Server). Think of the rules as “When to use” and the connector as “How to send.”

Why a smart host?

A smart host lets you route matching messages through a partner’s system. This is a standard Microsoft pattern for conditional/partner routing.

How do I enable PhishArm Reporting with the Mimecast Report Button?

By default, emails reported with the Mimecast Report button (Mimecast for Outlook or the Mimecast Personal Portal) do not reach Right-Hand Cybersecurity - even when the Microsoft Report button works. The Microsoft button routes reports through Exchange Online, where your mail flow rule redirects them to PhishArm. The Mimecast button forwards reports only to the recipient set in your Mimecast application settings, so they never reach that rule.

To fix this, point the Mimecast reporting recipient to the same mailbox your Exchange mail flow rule already uses.

Before you begin: Confirm your Exchange Online mail flow rule for PhishArm is in place the same rule that already redirects Microsoft Report button submissions to Right-Hand Cybersecurity.

Steps

  1. Sign in to the Mimecast Administration Console.

  2. Go to Users & Groups > Applications > Common Application Settings > Gateway Settings.

  3. In the Additional Report Spam/Phishing/Malware recipient field, enter the mailbox your Exchange mail flow rule uses.

  4. Apply it to every application setting group, not just the default. Groups with no recipient (for example, SSO, IT, or service account groups) will not forward reports.

  5. Save your changes.

Verify

Report a test simulation with the Mimecast Report button, confirm it under Analysis & Response > Reported Emails, then check that it appears in the PhishArm portal.

Common issues and troubleshooting

Why are some Microsoft-reported emails not appearing in the Right-Hand portal?

Emails reported through the Microsoft Reporting Button may not appear in the portal if the reported email format is changed or wrapped before it reaches Right-Hand cybersecurity.

One common configuration to check is whether Transport Neutral Encapsulation Format, also called TNEF, is enabled for the phisharm.com domain in Exchange Online.

TNEF is a Microsoft email formatting method. If TNEF is enabled, reported messages may not be delivered in a format that Right-Hand cybersecurity can process reliably.


What should I check first?

First, confirm that emails reported through the Microsoft Reporting Button are being sent to the correct reporting destination.

In Microsoft Defender, check the reporting configuration:

  1. Go to Settings > Email & collaboration > User reported settings.

  2. Confirm that Monitor reported messages in Outlook are enabled.

  3. Confirm that the reported item destination is configured correctly.

  4. Confirm that the reporting mailbox or forwarding destination used for Right-Hand cybersecurity is active.

After confirming the reporting destination, check the Exchange Online TNEF setting for phisharm.com.


How do I check whether TNEF is enabled for phisharm.com?

Run the following command in Exchange Online PowerShell:

Get-RemoteDomain | Where-Object { $_.DomainName -like "*phisharm.com*" }

Review the output.

If a remote domain entry exists for phisharm.com, note the value of TNEFEnabled.

The expected value is:

TNEFEnabled : False

If the value is True or not configured, disable TNEF for the domain.


How do I disable TNEF for phisharm.com?

Step 1: Connect to Exchange Online

Open PowerShell and run:

Connect-ExchangeOnline -UserPrincipalName [email protected]

Replace [email protected] with your Exchange Online admin account.


Step 2: Check whether a remote domain entry already exists

Run:

Get-RemoteDomain | Where-Object { $_.DomainName -like "*phisharm.com*" }

If an entry already exists, use the existing identity name in the next step.

If no entry exists, create one.


Step 3: Create a remote domain entry if needed

Run:

New-RemoteDomain -Name "PhishArm" -DomainName "phisharm.com"

Skip this step if a remote domain entry already exists.


Step 4: Disable TNEF for the remote domain

Run:

Set-RemoteDomain -Identity "PhishArm" -TNEFEnabled $false

If your existing remote domain entry uses a different identity name, replace PhishArm with the correct identity.


Step 5: Verify the change

Run:

Get-RemoteDomain -Identity "PhishArm" | Format-List Name,DomainName,TNEFEnabled

The expected result is:

TNEFEnabled : False

What is the expected outcome after disabling TNEF?

After TNEF is disabled for phisharm.com, emails reported through the Microsoft Reporting Button should be processed in a compatible format.

You should expect:

  • Simulated phishing reports to appear in campaign reporting

  • Genuine reported emails to appear in the portal

  • User reporting activity to be tracked correctly

  • Reporting views to reflect reported messages more accurately

Allow time for Microsoft 365 and Exchange Online configuration changes to apply across your tenant.


How do I validate that reporting is working?

To validate the configuration:

  1. Send a test simulated phishing email to a test user.

  2. Ask the test user to report the email using the Microsoft Reporting Button.

  3. Open the Right-Hand cybersecurity portal.

  4. Go to the relevant campaign or reporting view.

  5. Confirm that the reported email appears correctly.

  6. Confirm that the user’s reporting activity is reflected in the campaign results.

If you are testing genuine reported emails, submit a safe test email through the Microsoft Reporting Button and confirm that it appears in the portal.

For information related to this issue, you can refer to this article.

Did this answer your question?