Team: Huntress SAT
Product: Microsoft Office 365
Environment: Windows, Security Awareness Training, Exchange Online
Summary: Setting up Microsoft reporting feature
This guide will walk you through setting up and adjusting Microsoft's reporting feature/button so that reported phishing attempts are sent to SAT.
Requirement: Microsoft's add-in must be configured and enabled for Outlook. This option has recently moved. Microsoft's guidance on enabling the reporting button add-in can be found here.
Step 1. Creating a Contact in the Exchange Admin Center (EAC)
Sign in to Microsoft's Exchange Admin Center
1. Select Contacts under the Recipients section
2. Click the “+Add a New Mail Contact” button
3. In the contact fields add the following information
   - First Name: Phishing
   - Last Name: Report
   - Display Name: SAT or preferred name
   - Email: firstname.lastname@example.org
4. Click Save
Step 2. Create a shared mailbox
Shared Mailboxes do not use or require a license.
- Select Mailboxes under the Recipients section
- Click the Add a shared mailbox button
- In the Shared Mailbox fields add the following
  - Display Name: PhishReport
  - Email address: PhishReport
  - @: Use the Select Domain drop-down to select your domain.
Step 3. Hide the shared mailbox from the Global Address List (GAL)
Hiding the mailbox from the GAL prevents its address from being displayed to employees in the GAL.
- Select the Shared Mailbox that was created in Step 2
- Click the Hide Mailbox or Manage Hide from GAL button
- Toggle the option from Off to On
Step 4. Set up Forwarding on the Shared Mailbox to the Contact
Now that you have a Contact and a Shared Mailbox created, set up forwarding on the shared mailbox so that it sends email to the contact.
1. Click on the Shared Mailbox you created to bring up a Settings menu
2. Select Email Forwarding
3. Toggle “Forward all emails sent to this mailbox” to ON
4. In the "Forward to an internal email address" section, use the Search Email button to search for the contact that was created earlier.
5. If you want to keep a copy of the email that is sent to our reporting mailbox, make sure to check the box next to "Deliver Messages to both forwarding address and mailbox"
6. Click Save
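The same configuration as Steps 1 to 4, written as an added example in Exchange Online PowerShell (it is not part of the original guide or the vendor's own tooling). It assumes the ExchangeOnlineManagement module is installed; the contact address and domain are placeholders, and the contact name 'Phishing Report' is an assumption. The script finishes by reading the settings back so that each one can be confirmed.

```powershell
# Added example, not from the original guide. Replace the placeholder values.
$Domain       = 'yourdomain.com'               # placeholder: your accepted domain
$ContactEmail = '<address-used-in-step-1>'     # placeholder: the contact's email from Step 1
$SharedSmtp   = "PhishReport@$Domain"
$KeepCopy     = $true                          # Step 4, item 5: keep a copy in the mailbox

Connect-ExchangeOnline

# Step 1: mail contact (created only if it does not exist yet)
if (-not (Get-MailContact -Identity $ContactEmail -ErrorAction SilentlyContinue)) {
    New-MailContact -Name 'Phishing Report' -FirstName 'Phishing' -LastName 'Report' `
        -DisplayName 'SAT' -ExternalEmailAddress $ContactEmail | Out-Null
}

# Step 2: shared mailbox (no license required)
if (-not (Get-Mailbox -Identity $SharedSmtp -ErrorAction SilentlyContinue)) {
    New-Mailbox -Shared -Name 'PhishReport' -DisplayName 'PhishReport' `
        -PrimarySmtpAddress $SharedSmtp | Out-Null
}

# Steps 3 and 4: hide from the GAL and forward to the contact.
# A freshly created mailbox can take a short while to become available;
# rerun the script if this call reports that the object was not found.
Set-Mailbox -Identity $SharedSmtp `
    -HiddenFromAddressListsEnabled $true `
    -ForwardingAddress $ContactEmail `
    -DeliverToMailboxAndForward $KeepCopy

# Read the settings back and report each check
$mbx = Get-Mailbox -Identity $SharedSmtp
$checks = [ordered]@{
    'Mailbox type is SharedMailbox' = ($mbx.RecipientTypeDetails -eq 'SharedMailbox')
    'Hidden from GAL'               = [bool]$mbx.HiddenFromAddressListsEnabled
    'Forwarding to contact is set'  = [bool]$mbx.ForwardingAddress
    'Copy kept as configured'       = ($mbx.DeliverToMailboxAndForward -eq $KeepCopy)
}
foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
    Write-Output "$status $name"
}

Disconnect-ExchangeOnline -Confirm:$false
```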
Step 5. Microsoft's Reporting Button in Microsoft Defender
This covers setting up Microsoft's Reporting button and adjusting its functionality. This will forward emails directly to SAT and not to Microsoft. This prevents Microsoft from running additional scanning on the email, which triggers recurring training on phishing email. Please note that some of these options recently changed.
Sign in to the Microsoft 365 Defender portal
1. Scroll down on the left column and expand Settings and select Email & Collaboration
2. Select User Reported Settings
3. Select the On/Off button to turn the feature on. If enabled by default, check the box to Monitor Reported messages in Outlook.
4. Select the "Use Built-In Report button" option.
5. Under Send Reported Messages to: use the drop-down menu to select My Reporting Mailbox Only.
6. In the email address field, enter the email address of the Shared Mailbox that was created earlier. It would be something like PhishReport@yourdomain.com
7. Uncheck the box for Let users choose if they want to report
9. Scroll down and Toggle OFF the quarantine report message button if listed.
10. Select Save
Step 6. Configure Reporting within SAT
Log into SAT as the domain administrator
Select Settings at the top of the page
Select Phishing in the left menu
Scroll down to Report Phishing Services and enter the Shared Mailbox address created in Step 2. It would be something like PhishReport@yourdomain.com
This concludes setting up the Reporting button within Microsoft and the reporting feature that sends reports to Security Awareness Training Reporting Services.