All Collections
PHISH
Initial setup
Report phishing button integration - Microsoft
Report phishing button integration - Microsoft

Use these instructions to ensure your users can report any CybSafe phishing simulation emails.

Robert Shough avatar
Written by Robert Shough
Updated over a week ago

How does it work

Our report phishing button integration for Microsoft works by simply forwarding our simulation email to CybSafe to be included in your reporting stats.

  • It is important to note that only CybSafe's phishing simulations will be counted and tracked in your reporting. We have unique identifiers in our emails to ensure they are only counted.

  • Any emails that are not our own simulation emails will be automatically deleted and will not be counted in your reported statistics.

CybSafe inbox details

The generic inbound email address is report@reportphish.cybsafe.com. The local-part of the email address is customisable to your organisation, it does not have to be called "report".

Integration outline

CybSafe recommends a simple email forwarding approach:

General integration guidelines

  • CybSafe can be used in conjunction with other phishing simulation tools’ “Report email” feature.

  • The CybSafe inbound mailbox scans any forwarded emails for CybSafe phishing, and records the users who correctly identify our simulated phishing attempts.

  • The configuration of this feature can be tailored to suit the customer organisation’s needs.

  • The organisation is to use its native “Report email” feature (mail client dependant), which must have the capability to forward reported emails to a custom email address.

  • If the internal report phishing process relies on individuals forwarding suspect emails to a group inbox, a simple auto-forwarding rule to the CybSafe inbox can be created.

  • For more information on how CybSafe sends phishing, please see: Advanced simulated phishing information.

  • You can review our allow listing instructions here: How to add CybSafe to your allowlist.

Enable the report message or the report phishing add-ins

The first step in this integration is to enable the Report Phishing Add-In for your organisation.

The full Microsoft instructions can be found in the article, Enable the report message or the report phishing add-ins.

For this integration to work successfully CybSafe requires the report phishing add-in for your organisation to be setup.

Once installed and setup you can move onto configuring your report phish button and ensuring the emails are forwarded to the CybSafe report phish mailbox with the instructions below.

How to configure your report phish button

There are two sets of configuration that need to be done to your button to report phishing emails to CybSafe.

  1. Configure the user submissions email address.

  2. Use Mail flow rules to report the phishing emails to CybSafe.

Configure the user submission address for the Microsoft report phish button

You can find all the information from Microsoft in the following article, user reported message settings.

This article will help you to configure the button to send reported phishing emails to Microsoft for analysis and/or to an internal mailbox for analysis.

Once setup correctly you will then need to create a mail flow rule to also report the phishing emails to CybSafe.

Configure the mail flow rules to send reported phishing emails to CybSafe

How you setup the mail flow rule will depend on your settings for the user submissions address as per the instructions above.

You can create the rule to use the Microsoft address or your internal email address as the recipient or both, dependant on your config.

Instructions if a button is configured to report to Microsoft.

When a user clicks on report phish using the native Microsoft button the email is sent to phish@office365.microsoft.com if you have configured the button to report emails to Microsoft.

Using mail flow rules, you will essentially setup a forward from the button for any emails sent to the Microsoft email address to be sent to report@reportphish.cybsafe.com.

i.e. The Recipient is phish@office365.microsoft.com

The following Microsoft article will provide all of the latest advice in setting up a mail flow rule in Exchange Online.
Use mail flow rules to see what your users are reporting to Microsoft in Exchange Online.

See changes in regards to the Microsoft tracking email change.

Instructions if a button is configured to not report to Microsoft, but rather deliver to an internal mailbox.

When a user clicks on report phish using the native Microsoft button the email is sent to your designated internal email address, if you have configured the button to only report emails internally and not to Microsoft.

Using mail flow rules, you will essentially setup a forward from the button for any emails sent to your designated email address to be sent to report@reportphish.cybsafe.com.

i.e. The recipient is your internal email address

The following Microsoft article will provide all of the latest advice in setting up a mail flow rule in Exchange Online.
Use mail flow rules to see what your users are reporting to Microsoft in Exchange Online.

SOC simulated attack triage advice

Use the following information for your SOC team to automate triage of our phishing simulation reports.

In addition to the allow listing signatures, CybSafe emails always contain HTML with this signature format (with an example ID below):

<div title=3D"cs-unique-ref:bf92d7a2-f268-4cd2-bd07-9038663ac8b7;">

Email triage can be automated with a body search for cs-unique-ref

Still have any questions?

If you still have any questions, you can contact the team at support@cybsafe.com and we will be happy to answer any further concerns.

Related Articles
Explainer: Allowlisting, tracking and triaging in PHISH
Phishing logs and statuses
Explainer: Getting started with CybSafe PHISH
Report phishing integration with CybSafe
How-to guide: Change to reporting flow rules following Microsoft change (Q1 2024)
Did this answer your question?