Team: Huntress Managed Security Awareness Training (SAT)
Product: Microsoft Office 365
Environment: Windows, Managed SAT, and Exchange Online
Summary: This guide will walk you through setting up and adjusting the function of Microsoft's Reporting Feature/Button to send reported Phishing attempts to the Managed SAT platform
Requirement: The usage of Microsoft's Add-in must be configured and enabled for Outlook. This option has recently moved. Microsoft's guidance to enable the reporting button add-in can be located Here.
Step 1. Creating a Contact in the Exchange Admin Center (EAC)
Sign into Microsofts Exchange Admin Center
- Select Contacts under the Recipients section
- Click the “+Add a New Mail Contact” button
- In the contact fields add the following information
-
First Name : Phishing
-
Last name : Report
- Display Name : SAT or Prefered name
- Email : report@phish.mycurricula.com
4. Click Save
Step 2. Create a shared mailbox
Shared Mailboxes do not use or require a license.
- Select Mailboxes under the Recipients section
- Click the Add a shared mailbox button
- In the Shared Mailbox fields add the following
-
Display Name : PhishReport
-
Email address : PhishReport
-
@ : Use the Select Domain drop down to select your domain.
Step 3. Hide the shared mailbox from the Global Address List (GAL)
Hiding the address from the GAL prevents this address from displaying in the GAL for employees.
-
Select the Share Mailbox that was created in Step 2
-
Click the Hide Mailbox or Manage Hide from GAL button
-
Toggle the option from Off to On
-
Select Save
Step 4. Set up Forwarding on the Shared Mailbox to the Contact
Now that you have a Contact and a Shared Mailbox created, we need to set up forwarding on the shared mailbox to send email to the contact.
- Click on the Shared Mailbox you created to bring up a Settings Menu
- Select Email Forwarding
4. In the "Forward to an internal email address" section, use the Search Email button to search for the contact that was created earlier.
5. If you want to keep a copy of the email that is sent to our reporting mailbox make sure to check the box next to "Deliver Messages to both forwarding address and mailbox"
6. Click Save
Note: You may need to create an External Forwarding Rule in Mail Flow Settings to correctly report the Phishing Emails to report@phish.mycurricula.com. This Microsoft guide may help configure those rules.
Step 5. Microsofts Reporting Button in Microsoft Defender
This covers setting up Microsofts' Reporting button and adjusting the functionality. This will forward emails directly to Managed SAT and not to Microsoft. This prevents Microsoft from running additional scanning on the email which triggers recurring training on the phishing email. Please note that some of these options recently changed.
Sign in to Microsoft 365 Defender portal
1. Scroll down on the left column and expand Settings and select Email & Collaboration
2. Select User Reported Settings
3. Select the On/Off button to turn the feature on. If enabled by default, check the box to Monitor Reported messages in Outlook.
4. Select the Use Built-In "Report button option".
5. Under "Send reported messages to": use the drop-down menu to select My Reporting Mailbox Only.
6. In the email address field put in the shared mailbox email address that was created earlier. It would be something like PhishReport@yourdomain.com
7. Uncheck the box for Let users choose if they want to report
9. Scroll down and Toggle OFF the quarantine report message button if listed.
10. Select Save
Step 6. Configure Reporting within Managed SAT
-
Log into Managed SAT as the domain administrator (if you're a Channel Partner/Reseller you'll also need to chose a customer)
-
Select the gear icon at the top of the page on the right
-
Select Phishing in the left menu
-
Scroll down to Report Phishing Services and enter the Shared Mailbox address created in Step 2. It would be something like PhishReport@yourdomain.com
-
Click Update
This Concludes setting up a Reporting button within Microsoft and Reporting feature to the Managed SAT Reporting Services platform.
Comments
1 comment
This doc is a little out of date and I would like to see it updated.
Some notes.
Creating the contact seems to be redundant if its only purpose is to forward externally. I had to create an anti-spam policy to allow the forward to an external address even if I pointed it to the contact that has an internal address for an alias.
Recommend either clarification of intent of that or start with shared mailbox then add the anti-spam policy so it can forward or skip the shared mailbox and just point to contact. Not sure which is better, but I tried both and the anti-spam policy was required on my tenant with the default defender settings regardless.
Please sign in to leave a comment.