Integrating Microsoft Phishing Reporting

OutThink provides a sophisticated and brand-customizable reporting add-in for both Microsoft Outlook and Gmail. This add-in can be deployed to all users, or just a subset of users, allowing them to quickly and easily report both suspicious email messages and OutThink simulations that land in their inbox.

The plug-ins can integrate with your existing SOC workflows, and in the case of the OutThink Reporting Add-In for Outlook, can also be fully integrated with Microsoft Defender.

Some organizations, however, prefer to use the native Microsoft Phishing Reporting button. This may be due to user familiarity, or to built-in workflows or integrations that you prefer to retain. In these cases, OutThink can integrate with the Microsoft Reporting Add-In for Outlook and ensure that OutThink simulations can still be reported, with metrics correctly logged and analyzed across all phishing simulation campaigns.

This is achieved by setting up a Microsoft 365 transport rule which relays user-reported simulations arriving at your SOC Inbox to a new dedicated OutThink SOC mailbox. Reported simulations arriving there are analyzed and the metrics are integrated into the campaign statistics.

Configure Defender Advanced Delivery Policy

Before continuing, ensure that you have first set up a Microsoft Defender Advanced Delivery Policy so that simulation emails land in your users’ inboxes. This also ensures that when a user reports a simulation via Microsoft reporting capabilities, the email is detected as a simulation and is marked as such in Microsoft Defender. The configuration steps are described here.

Configure Outlook’s Built-In Reporting Button

  • For Microsoft 365 customers, navigate to the User Reported Settings page of the Email & Collaboration section of the Microsoft 365 Defender portal. This can be accessed directly here.
  • Ensure the “Monitor reported messages in Outlook” option is checked, and the “Use the built-in Report button in Outlook” radio button is selected.

In the Reported Message Destinations section:

  • Ensure that the option “Send Reported Messages to” is set to either My reporting mailbox only or Microsoft and my reporting mailbox.
  • Ensure that your SOC Inbox address is listed under the “Add an exchange online mailbox to send reported messages to” option.

Set Up an M365 Transport Rule

This rule analyzes the reported payload to determine whether it is an OutThink simulation. If it is, the message is copied to your unique OutThink SOC Inbox for analysis. The rule ensures that only genuine OutThink simulations are relayed in this manner, and no other reported email.

  1. Log in to the Microsoft Exchange Admin Center as an administrator, and navigate to Mail Flow -> Rules.
    This can be accessed directly here: https://admin.exchange.microsoft.com/#/transportrules.
  2. Select the + Add a Rule button and select Create a new rule from the drop-down.
  3. Enter a Name, such as Forward Reported Simulations to OutThink.
  4. From the Apply this rule if… dropdown, select The recipient and then is this person.
  5. Find the email address of your SOC Inbox, and click Save.
  6. Click the sign to the right of the last rule you applied to create an additional rule.
  7. Under And, in the dropdown select Any Attachment and in the subsequent dropdown, select content includes any of these words.
  8. In the flyout that appears, enter the text that represents your unique Customer Id. This will be a 32-character identifier and can be obtained from your Customer Success Manager, or directly via the Settings section in the OutThink Command Center. Once this is entered, click Save.
  9. In the Do the following section, select Add Recipients and in the subsequent dropdown, select to the Cc box.
  10. In the flyout that appears, enter the unique email address of your OutThink SOC Inbox assigned to you. This can be obtained from your Customer Success Manager, or directly via the Settings section in the OutThink Command Center. Once this is entered, click Save.
  11. Now click Next. On the next page ensure that the rule is enforced, then click Next again, and finally Finish.
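
The same rule can also be created from Exchange Online PowerShell. This is an added example, not OutThink's own script: it assumes the ExchangeOnlineManagement module is installed, and the two mailbox addresses and the Customer Id are placeholders to replace with your own values.

```powershell
# Added example: scripted equivalent of steps 1-11 above.
# Run as an Exchange administrator with the ExchangeOnlineManagement module installed.
# The three values below are placeholders, not real addresses or identifiers.
$SocInbox      = 'soc-inbox@example.com'        # your existing SOC Inbox
$OutThinkInbox = 'outthink-soc@example.com'     # OutThink SOC Inbox assigned to you
$CustomerId    = '<your-32-character-customer-id>'
$RuleName      = 'Forward Reported Simulations to OutThink'

# The Customer Id is a 32-character identifier. Stop on a truncated paste
# (the unedited placeholder above also fails this check on purpose).
if ($CustomerId.Length -ne 32) {
    throw "Customer Id must be 32 characters, got $($CustomerId.Length)."
}

Connect-ExchangeOnline

# Do not create a second rule with the same name.
if (Get-TransportRule | Where-Object { $_.Name -eq $RuleName }) {
    throw "A transport rule named '$RuleName' already exists."
}

# Both conditions must match, so only messages sent to the SOC Inbox whose
# attachment contains the Customer Id are copied to OutThink.
#   -SentTo                  : "The recipient" > "is this person"
#   -AttachmentContainsWords : "Any attachment" > "content includes any of these words"
#   -CopyTo                  : "Add recipients" > "to the Cc box"
New-TransportRule -Name $RuleName `
    -SentTo $SocInbox `
    -AttachmentContainsWords $CustomerId `
    -CopyTo $OutThinkInbox `
    -Mode Enforce

# Read the rule back to confirm its state and scope.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, SentTo, AttachmentContainsWords, CopyTo
```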

Testing Simulation Reporting

In order to test the setup, it is important to send an OutThink phishing simulation to several users, and ask them to report it with the in-built Microsoft Reporting Button.

After a minute or two, the reported simulation should be reflected in the metrics of the Campaign Dashboard. Ensure that the users who report the simulation are correctly marked as “Reported” in the campaign.

If a user is not marked as reported, check that your SOC Inbox is receiving the reported emails correctly, and that the transport rule fires when a simulation is reported.
