Skip to main content

Deploying KillPhish

PhishingBox Support
  • Updated

KillPhish is an advanced email threat protection add-in for Microsoft 365 (Office 365). It works on the Outlook Web App (OWA), Outlook for desktop on both Windows and Mac, Outlook for iOS, and Outlook for Android. KillPhish can give an email a risk assessment (low, medium, or high risk). It enables reporting phishing and other types of threats. Each inbox's risk profile is unique, and KillPhish can help expose telltale signs of threats to your security.

Deployment

To deploy KillPhish to your organization, follow the steps below. Do not deploy KillPhish from the Microsoft Add-ins page - https://admin.microsoft.com/Adminportal/Home?source=applauncher#/Settings/AddIns

 

  1. Sign in to Microsoft 365 with your work or school account.

  2. Select the app launcher icon in the upper-left and choose Admin.admin_-_microsoft.png

  3. In the navigation menu, press Show all, then choose Settings > Integrated apps.integrated_apps.png

  4. Choose Upload custom apps at the top of the page, beside Get apps.upload_custom_app.png

  5. Choose Upload manifest file (.xml) from device and locate the manifest file. The manifest file can be downloaded from the Microsoft Add-In (KillPhish) tab on the Reporting Settings page in Portal.

  6. Choose Next after Microsoft has had time to validate the manifest.

  7. On the Edit who has access page, choose EveryoneSpecific Users/Groups, or Only me. Use the search box to find the users and groups to whom you want to deploy the add-in.

  8. When finished, choose Next. Then, click Accept permissions button. You must consent to the permissions required by KillPhish. The add-in requires permission to sign in and read user profile and read and write user mail (delegated permissions) and sign in as any user to read and write mail (application permissions). The latest build of KillPhish (released April 5, 2022) uses Microsoft Graph API to get message contents, send reported emails from the users' inboxes, and delete emails. These API calls require Mail.ReadWrite, Mail.Send, and User.Read permission at both the delegated and application level.

       accept_permissions2.png

  9. Click Next to begin deployment of the add-in. This process may take up to three minutes. Then, finish the walkthrough by pressing Next. You now see your add-in along with other apps in Microsoft 365.


    Note: Outlook add-ins can take up to 24 hours to appear on users' ribbons.

  10. The add-in will work on Outlook Web App (OWA) and the Outlook desktop app at this point. If you would like it to work on Outlook for iOS and Android, you'll need to enter tenant id of the Microsoft account that the add-in was deployed to. The tenant id can be found by logging into Azure and clicking on Azure Active Directory, or going to this link: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview

NOTE: Changes to the Branding Name or Branding Icon will require a redeployment of the manifest file.

Troubleshooting

Allow up to 72 hours for the plugin to become fully functional and ready for use by your users.

If you run into the following error with the KillPhish plugin,

add-in_error.png

then the plugin may be getting blocked by a firewall or security software.

The KillPhish add-in is supported on the most recent build/version of Outlook. While KillPhish may function on older versions, continued functionality is not guaranteed. It is recommended that updates be made to the most recent build/version for all devices.

NOTE: Outlook add-ins can take up to 72 hours to appear on users' ribbons

 

KillPhish and Shared Mailboxes

KillPhish will not work on shared mailboxes. 

FAQs

Why does KillPhish need ReadWrite application permissions? (These permissions give the add-in the ability to read and modify mail from any user in the tenant.)

Due to the way Graph API works when called from a mobile device, application permissions are required in order for KillPhish to make API calls when used on a mobile device. The add-in will only ever use these permissions when a user opens the add-in (it will use the read permission then) and reports an email (uses both the read and write permissions when reporting an email).

 

Do the application permissions give KillPhish the ability to modify mail in all mailboxes?

As indicated by the permissions popup, the permissions granted to KillPhish do allow the add-in to modify mail in any mailbox in the tenant. Note, though, that the only time KillPhish deletes or creates emails is when a user reports a message.

 

Related articles

Comments

0 comments

Please sign in to leave a comment.