Articles in this section

Deploying KillPhish

Updated

KillPhish is an advanced email threat protection add-in for Microsoft 365 (Office 365). It works on the Outlook Web App (OWA), Outlook for desktop on both Windows and Mac, Outlook for iOS, and Outlook for Android. KillPhish can give an email a risk assessment (low, medium, or high risk). It enables reporting phishing and other types of threats. Each inbox's risk profile is unique, and KillPhish can help expose telltale signs of threats to your security.

Deployment

To deploy KillPhish to your organization, follow the steps below. Do not deploy KillPhish from the Microsoft Add-ins page.

  1. Sign in to Microsoft 365 with your work or school account.
  2. Select the app launcher icon in the upper-left and choose Admin.admin_-_microsoft.png
  3. In the navigation menu, press Show all, then choose Settings > Integrated apps.integrated_apps.png
  4. Choose Upload custom apps at the top of the page, beside Get apps.upload_custom_app.png
  5. Choose Upload manifest file (.xml) from device and locate the manifest file. The manifest file can be downloaded from the Microsoft Add-In (KillPhish) tab on the Reporting Settings page in Portal.
  6. Choose Next after Microsoft has had time to validate the manifest.
  7. On the Edit who has access page, choose EveryoneSpecific Users/Groups, or Only me. Use the search box to find the users and groups to whom you want to deploy the add-in.

  8. When finished, choose Next. Then, click the "Accept Permissions" button. You must consent to the permissions required by KillPhish. The add-in requires permission to sign in and read user profile, and read and write user mail (delegated permissions), and sign in as any user to read and write mail (application permissions). The latest build of KillPhish (released April 5, 2022) uses Microsoft Graph API to get message contents, send reported emails from the users' inboxes, and delete emails. These API calls require Mail.ReadWrite, Mail.Send, and User.Read permission at both the delegated and application level.

       accept_permissions2.png

  9. Click Next to begin deployment of the add-in. This process may take up to three minutes. Then, finish the walkthrough by pressing Next. You now see your add-in along with other apps in Microsoft 365.


    Note: Outlook add-ins can take up to 24 hours to appear on users' ribbons.
     

  10. The add-in will work on Outlook Web App (OWA) and the Outlook desktop app at this point. If you would like it to work on Outlook for iOS and Android, you'll need to enter the tenant ID of the Microsoft account that the add-in was deployed to. The tenant ID can be found by logging into Azure and clicking on Azure Active Directory, or going to this link: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview

NOTE: Changes to the Branding Name or Branding Icon will require a redeployment of the manifest file.

How to redeploy or update KillPhish

To update or redeploy the KillPhish add-in, follow the steps below:

  1. Download a new manifest file by clicking Edit > Download Manifest on your Killphish instance, found
    in Settings > Reporting Settings > Microsoft KillPhish
  2. Open admin.microsoft.com and select the Integrated Apps page.
  3. Select your KillPhish app.
  4. Click Remove App
  5. On the Integrated Apps page, click Upload Custom App
  6. Choose "Upload manifest file (.xml)" from the device and locate the manifest file.
  7. Allow the validation to complete and assign the app to the appropriate users/groups.
  8. Click Next and accept the permissions request
  9. Click Next to deploy the add-in. Allow 48 hours for the Killphish button to appear in the user's Outlook
    ribbon.

Troubleshooting

Allow up to 72 hours for the plugin to become fully functional and ready for use by your users.

If you run into the following error with the KillPhish plugin, then the plugin may be getting blocked by a firewall or security software.

add-in_error.png

The KillPhish add-in is supported on the most recent build/version of Outlook. While KillPhish may function on older versions, continued functionality is not guaranteed. It is recommended that updates be made to the most recent build/version for all devices.

NOTE: Outlook add-ins can take up to 72 hours to appear on users' ribbons

KillPhish and Shared Mailboxes

If KillPhish was deployed before August 22, 2023, then it will not work on shared mailboxes. If you deployed/updated the add-in after that date, then it will work on a shared mailbox. 

KillPhish will not work on group mailboxes.

FAQs

Why does KillPhish need ReadWrite application permissions? (These permissions give the add-in the ability to read and modify mail from any user in the tenant.)

Due to the way the Graph API works when called from a mobile device, application permissions are required for KillPhish to make API calls when used on a mobile device. The add-in will only ever use these permissions when a user opens the add-in (it will use the read permission then) and reports an email (uses both the read and write permissions when reporting an email).

 

Do the application permissions give KillPhish the ability to modify mail in all mailboxes?

As indicated by the permissions pop-up, the permissions granted to KillPhish do allow the add-in to modify mail in any mailbox in the tenant. Note, though, that the only time KillPhish deletes or creates emails is when a user reports a message.

 

Does KillPhish work in GCC High or DoD environments?

No, KillPhish does not work with GCC High or DoD-licensed Microsoft accounts.

 

What information related to the reported emails does KillPhish store?

The only information that the plugin stores for reported emails is the message ID and the email address of the individual reporting this email. This information is used to display an alert on the plugin stating that it was previously reported, should the user open the reported email a second time.

Was this article helpful?
0 out of 0 found this helpful