Microsoft's Reporting Feature/Button Guide

Team: Huntress SAT 
Product: Microsoft Office 365
Environment: Windows, Security Awareness Training, exchange online
Summary: Setting up Microsoft reporting feature 

This guide will walk you though setting up and adjusting the function of Microsoft's Reporting Feature/Button to send reported Phishing attempts to SAT.

Requirement: The usage of Microsoft's Add-in must be configured and enabled for Outlook. This option has recently moved. Microsoft's guidance to enable the reporting button add-in can be located Here.

Step 1. Creating a Contact in the Exchange Admin Center (EAC)

Sign into Microsofts Exchange Admin Center

1. Select Contacts under the Recipients section
2. Click the “+Add a New Mail Contact” button
3. In the contact fields add the following information

• First Name : Phishing

• Last name : Report

• Display Name : SAT or Prefered name
• Email : report@phish.mycurricula.com

  4.  Click Save

Step 2. Create a shared mailbox

Shared Mailboxes do not use or require a license.

1. Select Mailboxes under the Recipients section
2. Click the Add a shared mailbox button
3. In the Shared Mailbox fields add the following

• Display Name : PhishReport

• Email address : PhishReport

• @ : Use the Select Domain drop down to select your domain.

Step 3. Hide the shared mailbox from the (GAL) Global Address List

Hiding the address from the (GAL) prevents this address from displaying in the (GAL) for employees.

1. Select the Share Mailbox that was created in Step 2

2. Click the Hide Mailbox or Manage Hide from GAL button

3. Toggle the option from Off to On

4. Select Save

   

Step 4. Set up Forwarding on the Shared Mailbox to the Contact

Now that you have a Contact and a Shared Mailbox created, we need to set up forwarding on the shared mailbox to send email to the contact.

1. Click on the Shared Mailbox you created to bring up a Settings Menu
2. Select Email Forwarding

 4.    In the "Forward to an internal email address section, use the Search Email button to search for the contact that was created earlier.

• report@phish.mycurricula.com

  5.    If you want to keep a copy of the email that is sent to our reporting mailbox make sure to check the box next to "Deliver Messages to both forwarding address and mailbox"

  6.   Click Save

Step 5. Microsofts Reporting Button in Microsoft Defender

This covers setting up Microsofts' Reporting button and adjusting the functionality. This will forward emails directly to SAT and not to Microsoft. This prevents Microsoft from running additional scanning on the email which Triggers Recurring training on Phishing email. Please note that some of these options recently changed

Sign in to Microsoft 365 Defender portal

1. Scroll down on the left column and expand Settings and select Email & Collaboration

2. Select User Reported Settings 

3. Select the On/Off button to turn the feature on. If enabled by default, check the box to Monitor Reported messages in Outlook. 

4. Select the Use Built-In "Report button option".

  5.   Under Send Reported Messages to: use the drop-down menu to select My Reporting Mailbox Only.

  6.   In the email address field put in the Shared mailbox Email address that was created earlier. It would be something like PhishReport@yourdomain.com

  7.   Uncheck the box for Let users choose if they want to report

  9.   Scroll down and Toggle OFF the quarantine report message button if listed. 

  10.  Select Save

Step 6. Configure Reporting within SAT

1. Log into SAT as the domain administrator

2. Select Settings at the top of the page

3. Select Phishing in the left menu

   

4. Scroll down to Report Phishing Services and enter the Shared Mailbox address created in Step 2. It would be something like PhishReport@yourdomain.com

5. Click Update

   

This Concludes setting up a Reporting button within Microsoft and Reporting feature to Security Awareness Training Reporting Services