How does it work

Our report phishing button integration for Microsoft works by forwarding reported CybSafe simulation emails to CybSafe, so that they are included in your reporting statistics.

  • It is important to note that only CybSafe's phishing simulations will be counted and tracked in your reporting. We have unique identifiers in our emails to ensure that only they are counted.

  • Any emails that are not our own simulation emails will be automatically deleted and will not be counted in your Reported statistics.

CybSafe Inbox Details

The generic inbound email address is report@reportphish.cybsafe.com. The local-part of the email address is customisable to your organisation; it does not have to be called "report".

Integration Outline

CybSafe recommends a simple email forwarding approach:

General Integration Guidelines

  • CybSafe can be used in conjunction with other phishing simulation tools’ “Report Email” feature.

  • The CybSafe inbound mailbox scans any forwarded emails for CybSafe phishing, and records the users who correctly identify our simulated phishing attempts.

  • The configuration of this feature can be tailored to suit the customer organisation’s needs.

  • The organisation is to use its native “Report Email” feature (mail client dependent), which must have the capability to forward reported emails to a custom email address.

  • If the internal report phishing process relies on individuals forwarding suspect emails to a group inbox, a simple auto-forwarding rule to the CybSafe inbox can be created.

  • For more information on how CybSafe sends phishing, please see: Advanced Simulated Phishing Information.

  • You can review our allow listing instructions here: How to add CybSafe to your Allow list.

Enable the Report Message or the Report Phishing add-ins

The first step in this integration is to enable the Report Phishing Add-In for your organisation.

The full Microsoft instructions can be found in the article, Enable the Report Message or the Report Phishing add-ins.

For this integration to work successfully, CybSafe requires the Report Phishing add-in to be set up for your organisation.

Once it is installed and set up, you can move on to configuring your report phish button and ensuring the emails are forwarded to the CybSafe report phish mailbox using the instructions below.

How to configure your Report Phish button

There are two sets of configuration that need to be done to your button to report Phishing emails to CybSafe.

  1. Configure the user submissions email address.

  2. Use Mail flow rules to report the phishing emails to CybSafe.

Configure the user submission address for the Microsoft Report Phish button

You can find all the information from Microsoft in the following article, User reported message settings.

This article will help you to configure the button to send reported phishing emails to Microsoft for analysis and/or to an internal mailbox for analysis.

Once this is set up correctly, you will then need to create a mail flow rule to also report the phishing emails to CybSafe.

Configure the Mail flow rules to send reported phishing emails to CybSafe

How you set up the mail flow rule will depend on your settings for the User Submissions address as per the instructions above.

You can create the rule to use the Microsoft address, your internal email address, or both as the recipient, depending on your configuration.

Instructions if a button is configured to report to Microsoft.

If you have configured the button to report emails to Microsoft, then when a user clicks Report Phish using the native Microsoft button, the email is sent to phish@office365.microsoft.com.

Using mail flow rules, you will essentially set up a forward from the button, so that any emails sent to the Microsoft email address are also sent to report@reportphish.cybsafe.com.

i.e. The Recipient is phish@office365.microsoft.com

The following Microsoft article will provide all of the latest advice in setting up a mail flow rule in Exchange Online.
Use mail flow rules to see what your users are reporting to Microsoft in Exchange Online.

Instructions if a button is configured to NOT report to Microsoft, but rather deliver to an internal mailbox.

If you have configured the button to only report emails internally and not to Microsoft, then when a user clicks Report Phish using the native Microsoft button, the email is sent to your designated internal email address.

Using mail flow rules, you will essentially set up a forward from the button, so that any emails sent to your designated email address are also sent to report@reportphish.cybsafe.com.

i.e. The Recipient is your internal email address

The following Microsoft article will provide all of the latest advice in setting up a mail flow rule in Exchange Online.
Use mail flow rules to see what your users are reporting to Microsoft in Exchange Online.

SOC Simulated Attack Triage Advice

Use the following information for your SOC team to automate triage of our phishing simulation reports.

In addition to the whitelisting signatures, CybSafe emails always contain HTML with the following signature:

The HTML shown in BOLD will always be present, so email triage can be automated with a body search for “cs-unique-ref”.
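One way a SOC could implement the body search described above, as an added example that is not CybSafe's own code. It assumes reports reach the triage pipeline as raw RFC 5322 bytes, possibly with the original email attached as message/rfc822; the function names, the sample address and the sample HTML are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

MARKER = "cs-unique-ref"  # body string this page says is always present


def contains_marker(raw: bytes) -> bool:
    """True if any decoded text part, at any nesting depth, contains MARKER."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():  # walk() also descends into attached message/rfc822
        if part.get_content_maintype() != "text":
            continue
        try:
            text = part.get_content()  # undoes base64 / quoted-printable
        except LookupError:  # unknown charset label: fall back to UTF-8
            text = part.get_payload(decode=True).decode("utf-8", "replace")
        if MARKER in text:
            return True
    return False


def triage(raw: bytes) -> str:
    """Route a report: known simulation, or hand to an analyst."""
    return "simulation" if contains_marker(raw) else "needs-analyst"


def build_report(html: str, cte: str = "base64") -> bytes:
    """Constructed sample: a report carrying the original mail as an attachment."""
    original = EmailMessage()
    original["Subject"] = "Constructed sample"
    original.set_content("Plain-text alternative")
    original.add_alternative(html, subtype="html", cte=cte)
    report = EmailMessage()
    report["To"] = "soc@example.test"  # hypothetical triage mailbox
    report.set_content("User-reported message attached.")
    report.add_attachment(original)
    return report.as_bytes()


# Constructed HTML: only the marker string comes from the page; the markup
# around it is invented for this sample.
SIMULATED = '<html><body><p data-sample="cs-unique-ref">Hello</p></body></html>'
BENIGN = "<html><body><p>Quarterly invoice attached</p></body></html>"

if __name__ == "__main__":
    for name, html in (("simulated", SIMULATED), ("benign", BENIGN)):
        raw = build_report(html)
        print(name, "raw grep hit:", MARKER.encode() in raw, "->", triage(raw))
```

A raw byte search of the stored report misses the marker when the HTML part is base64-encoded, which is why each part is decoded before matching. Treat a match as one triage signal alongside the allow-listing signatures mentioned above.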

Still have any questions?

If you still have any questions, you can contact the team at support@cybsafe.com and we will be happy to answer any further concerns.
