If your organization cannot deploy the CanIPhish Report Phish Outlook Add-in, either due to a compatibility issue (e.g. Outlook 2013/2016) or due to a preference to use Microsoft's add-in, we support an integration that will allow you to track simulated phishing email reports.
Table of Contents
- Step 1. Enable Employee Phish Reporting Functionality
- Step 1. Deploy Microsoft Report Message/Phish Add-in
- Step 2. Create An Email Address For User Submissions
- Step 3. Configure An Email Address For User Submissions
- Step 4. Configure A Mail Flow Rule To Forward Reports To CanIPhish
- Appendix A: Microsoft Report Message/Phishing Add-in Causing False Positives
Step 1. Enable Employee Phish Reporting Functionality
Please ensure that you have first enabled the Employee Phish Reporting functionality under Platform Settings > Phishing Settings > Phishing Reporting.
Step 2. Deploy Microsoft Report Message/Phish Add-in
-
In the Microsoft 365 admin center at https://admin.microsoft.com, expand Show all if necessary, and then go to Settings > Integrated apps. Or, to go directly to the Integrated apps page, use https://admin.microsoft.com/Adminportal/Home#/Settings/IntegratedApps.
-
On the Integrated apps page, select
Get apps.
-
In the Microsoft 365 Apps page that opens, enter "Report Message" in the
Search box.
In the search results, select Get it now in the Report Message entry or the Report Phishing entry to start the Deploy New App wizard.
Note: Although the screenshots in the remaining steps show the Report Message add-in, the steps are identical for the Report Phishing add-in.
-
On the Add users page, configure the following settings:
-
Is this a test deployment?: Leave the toggle at
No.
-
Assign users: Entire organization
-
Email notification: Send email notification to assigned users can remain ticked or be turned off. This setting just notifies employees that the add-in has been installed.
When you're finished on the Add users page, select Next.
-
-
On the Accept permissions requests page, read the app permissions and capabilities information carefully before you select Next.
-
On the Review and finish deployment page, review your settings. Select Back to make changes.
When you're finished on the Review and finish deployment page, select Finish deployment.
A progress indicator appears on the Review and finish deployment page.
-
On the Deployment completed page, you can select view this deployment to close the page and go to the details of the add-in. Or, select Done to close the page.
Step 3. Create An Email Address For User Submissions
When an employee reports an email via the Report Message or Report Phish Add-in, the email will be forwarded as an attachment to a custom mailbox. This mailbox needs to be an address that you control. We recommend using a shared mailbox, which can be created as follows:
- In the Microsoft 365 admin center at https://admin.microsoft.com, go to Teams & groups > Shared mailboxes.
- Click "Add a shared mailbox" and then give the mailbox a name to uniquely identify it (e.g. Phish Report, with an email such as phishreport@<your-domain>.
Step 4. Configure An Email Address For User Submissions
Once a shared email address has been configured, we can proceed with updating the Report Phish or Report Message Add-in to forward user submissions to this email address.
- Go to the User Submissions section of Microsoft 365 Defender. This can be found at: https://security.microsoft.com/securitysettings/userSubmissionor by going to Microsoft 365 Defender and going to Settings > Email & Collaboration > User reported settings.
- Many configurations are optional. The only necessary configurations are highlighted below:
-
Monitor reported messages in Outlook: Ticked
-
Select an Outlook report button configuration: Use the built-in Report button in Outlook
- Reported message destinations: Microsoft and my reporting mailbox OR My reporting mailbox only
-
Add an exchange online mailbox to send reported messages to: Enter the email address of the shared mailbox created in Step 2.
-
Monitor reported messages in Outlook: Ticked
- Click Save once configured.
Step 5. Configure A Mail Flow Rule To Forward Reports To CanIPhish
We use a mail flow rule to forward any emails that are sent to our phish reports shared mailbox (created and configured in Step 2 & 3) to a CanIPhish mailbox. As part of this final step, we will configure the forwarding process to ensure CanIPhish has visibility over the necessary simulated phishing emails.
- Make a note of your CanIPhish Tenant ID. This can be found on the User Profile page of your CanIPhish account. To access this page, login to your CanIPhish account and then click the user icon on the top right of the page, then click View User Profile (https://caniphish.com/User/UserProfile):
- Visit the Exchange Admin Center in Microsoft 365 (https://admin.exchange.microsoft.com/)
- Go to Mail flow > Rules.
- Create a new mail flow rule.
- Specify a name for the rule. This can be anything you choose (e.g. CanIPhish Forward Phish Report).
- In "Apply this rule if", select "The recipient", followed by "is this person", followed by the shared mailbox created in Step 2 & 3.
- Click the "Add condition" button next to the rule just created.
- Under the "And" field heading, select "The subject or body", followed by "subject or body includes any of these words". Then enter the following:
- 3.106.21.22
-
13.237.47.221
- Under the "Do the following" heading, select "Add recipients", followed by "to the Cc box". In the popup box that appears, enter an email address that has your CanIPhish Tenant ID (from step 4.1) in the local part address, with phish-report.com in the domain portion. An example is below:
Example snippet of email address:
Example snippet of mail flow rule entry: - Verify that your mail flow rule looks similar to the below (noting the recipient is your own shared mailbox created in Step 2/3, and your own CanIPhish tenant IDs are used for the other filters) and then click Next:
- Ensure the Rule mode is set to "Enforce" all other values can be left as their default value. Click Next
- Review the final mail flow rule and then press Finish!
- By Default the newly created rule will be Disabled. Once saved, please click on the new rule and make sure to Enable the rule:
You're All Done! If you run into any issues during the setup process, please don't hesitate to contact the CanIPhish support team.
Appendix A: Microsoft Report Message/Phishing Add-in Causing False Positives
When an email is reported using Microsoft's Report Message/Phishing Add-in, Microsoft will sandbox the email and detonate links/attachments within it to understand if the email is, in fact, malicious. The detonation of these payloads can cause false positives, and to counteract this, the team at CanIPhish has built-in logic that attempts to identify and suppress these false positives - however, this is not 100% accurate.
If the guidance in this support article is followed and you're experiencing false positive detonations from Microsoft, please go to Platform Settings > Phish Settings > False Positives and update the configuration to "Exclude Activity" from Microsoft. You can find more information within our False Positive Suppression Guide.
Comments
0 comments
Please sign in to leave a comment.