Before Using KillPhish, you must deploy it to your Office 365 account. For instructions, see article: Deploying KillPhish
KillPhish, once deployed, will provide helpful tips related to dealing with suspicious emails and provide a risk assessment of potentially harmful emails. Using KillPhish, users can report suspicious emails to the email account of your choice at the click of a button.
KillPhish can be fully whitelabeled, including the name and logo. To configure KillPhish branding, navigate to Administration > Settings > Reporting Settings. If the name of the KillPhish add-in is whitelabeled, all instances of 'KillPhish' in the examples below will be replaced with the whitelabeled add-in name.
The KillPhish Widget
Deploying KillPhish will enable the KillPhish widget across all Office platforms. The KillPhish widget is pictured below.
Helpful Tips contains suggestions for dealing with potential harmful emails, including reviewing links before clicking, verifying file types of attachments, and considering the ramifications of following any instructions or actions requested in the email.
Details lists important properties of the email and their values, including the sender, subject, SPF record pass/fail (if SPF checks fail, the email will be labeled as high risk), attachments, and links contained in the email. Only shown if Advanced Threat Protection is on for the KillPhish plugin.
Links/Attachments lists all links and attachments in the email, and their associated URLs and file types. Only shown if Advanced Threat Protection is on for the KillPhish plugin.
Words/Phrases assesses certain keywords and phrases typically associated with risky emails, including but not limited to, 'password', 'irs', 'label', and 'invoice'. Only shown if Advanced Threat Protection is on for the KillPhish plugin.
After users have reported emails, the email may be removed from their inbox if you have turned on the Delete Emails Reported setting on the Microsoft tab on the Reporting Settings page.
* Disclaimer: Users should remain vigilant against email security threats, even if the Advanced Threat Protection feature is turned on in your plugin. ATP is not capable of detecting every social engineering/phishing threat in emails. You should use the other tools that Portal provides to educate your users about the various threats posed by phishing and social engineering, and how to detect these attacks.
Opening the KillPhish Widget
KillPhish is cross-platform compatible. Once deployed, KillPhish will be available in Outlook for desktop, mobile, and web. The method for using Killphish varies from platform to platform.
If an email is brought into focus in the inbox, the Report Phishing button will appear in the Outlook ribbon, pictured below.
Click the button to display the KillPhish widget.
To display the KillPhish widget in the Outlook web app, bring an email into focus, then click the 'More Options' ellipsis located at the top-right corner of the email window.
Once the options menu is displayed, click 'KillPhish' to display the KillPhish widget.
The KillPhish widget is only available for mobile devices from within the Outlook app. To access the options menu, select an email then tap the options ellipses in the top-right corner of the email window.
Once the options menu is displayed, tap the KillPhish icon to open the widget.
If you have set a Reported Success Message in the KillPhish settings, then this message will appear below the green checkmark after the user has reported the message.
Reported Email Customization
When your users report an email, the reported message will go to the Reporter Email Address (set on the Reporting Settings page in Portal) and the Additional Reporter Email Addresses (set on the Reporting Settings page in Portal).
The email that is sent to the Reporter Email Address and Additional Reporter Addresses will look something like the below message.
Subject - The subject of the reported message will contain the words "REPORTED EMAIL:" in addition to the subject of the original email.
Original Headers attachment - This text file attachment contains the original headers of the reported message. KillPhish cannot collect the headers on all devices. For example, the headers cannot be collected on Outlook for Android or iOS. Outlook 2016 for Mac and Windows also cannot collect the message headers. The Outlook version needs to support the API requirement set 1.8 or higher. A complete list of API requirement sets and the corresponding Outlook versions that support them can be found in this article. You can choose to not include this attachment by turning off the "Include Message Body below The Blue Box" setting on the Reporting Settings page.
Original Email attachment - This is an EML file of the original email message. You can choose to not include this attachment by turning off the "Include Message Body as an Attachment in Reported Emails" option on the Reporting Settings page.
"The Blue Box" - This is a summary of information about the reported email. It shows who reported the message, the sending email address, CC'd emails, who the email was sent to, the message subject, date sent, the category (low, medium, or high risk), the message score, if it was a phishing simulation email, and if KillPhish could collect the message headers. You can choose to not include this attachment by turning off the "Include The Blue Box in Reported Emails" option on the Reporting Settings page.
Original Message body - Below The Blue Box will be the original message body. If you do not wish to include the original message body in reported emails, you can turn off the "Include Message Body below The Blue Box" setting on the Reporting Settings page.