Team: Huntress SAT
Product: Microsoft Office 365
Environment: Windows, Security Awareness Training, exchange online
Summary: Setting up Microsoft reporting feature
This guide will walk you though setting up and adjusting the function of Microsofts Reporting Feature/Button to send reported Phishing attempts to SAT.
Step 1. Creating a Contact in the Exchange Admin Center (EAC)
Sign into Microsofts Exchange Admin Center
- Select Contacts under the Recipients section
- Click the “+Add a New Mail Contact” button
- In the contact fields add the following information
-
First Name : Phishing
-
Last name : Report
- Display Name : SAT or Prefered name
- Email : report@phish.mycurricula.com
4. Click Save
Step 2. Create a shared mailbox
Shared Mailboxes do not use or require a license.
- Select Mailboxes under the Recipients section
- Click the Add a shared mailbox button
- In the Shared Mailbox fields add the following
-
Display Name : PhishReport
-
Email address : PhishReport
-
@ : Use the Select Domain drop down to select your domain.
Step 3. Hide the shared mailbox from the (GAL) Global Address List
Hiding the address from the (GAL) prevents this address from displaying in the (GAL) for employees.
-
Select the Share Mailbox that was created in Step 2
-
Click the Hide Mailbox or Manage Hide from GAL button
-
Toggle the option from Off to On
-
Select Save
Step 4. Set up Forwarding on the Shared Mailbox to the Contact
Now that you have a Contact and a Shared Mailbox created, we need to set up forwarding on the shared mailbox to send email to the contact.
- Click on the Shared Mailbox you created to bring up a Settings Menu
- Select Email Forwarding
4. In the "Forward to an internal email address section, use the Search Email button to search for the contact that was created earlier.
5. If you want to keep a copy of the email that is sent to our reporting mailbox make sure to check the box next to "Deliver Messages to both forwarding address and mailbox"
6. Click Save
Step 5. Microsofts Reporting Button in Microsoft Defender
This covers setting up Microsofts' Reporting button and adjusting the functionality. This will forward emails directly to SAT and not to Microsoft. This prevents Microsoft from running additional scanning on the email which Triggers Recurring training on Phishing email. Please note that some of these options recently changed
Sign in to Microsoft 365 Defender portal
1. Scroll down on the left column and expand Settings and select Email & Collaboration
2. Select User Reported Settings
3. Select the On/Off button to turn the feature on.
4. Select the Use Built-In "Report button option".
5. Toggle the Microsoft Outlook Report Message button to ON
6. Check the box next to My organization’s mailbox only
7. In the email address field put in the Shared mailbox Email address that was created earlier. It would be something like PhishReport@yourdomain.com
8. Uncheck the box for Let users choose if they want to report
9. Scroll down and Toggle OFF the quarantine report message button
10. Select Save
Step 6. Configure Reporting within SAT
-
Log into SAT as the domain administrator
-
Select Settings at the top of the page
-
Select Phishing in the left menu
-
Scroll down to Report Phishing Services and enter the Shared Mailbox address created in Step 2. It would be something like PhishReport@yourdomain.com
-
Click Update
This Concludes setting up a Reporting button within Microsoft and Reporting feature to Security Awareness Training Reporting Services
Comments
0 comments
Please sign in to leave a comment.