Email Reporting

This article describes the different ways Portal allows your targets to report suspicious emails.

1. Accessing Reporting Settings
2. General Reporting
3. Office 365 Add-In (KillPhish)
4. Outlook Add-In
5. Reporting via Email Forwarding
6. Manual Reporting

Accessing Reporting Settings

You can manage your KillPhish add-in and Report Phishing COM add-in settings, view installation instructions, and download the manifest or MSI file from the Reporting Settings page. Navigate to Administration > Settings > Reporting Settings (or Inbox/Reporting Settings, if you have the Inbox module with your Portal subscription).

You will be presented with three different tabs, shown below. (You'll have an additional tab if you have the Inbox feature).

• Note: The Office (Microsoft) 365 Add-In (KillPhish) tab has settings for the KillPhish plugin. The Outlook Add-In tab has settings for the Report Phishing Outlook desktop plugin (aka MSI plugin, COM add-in, or Report Phishing add-in). These two plugins are NOT the same. The Report Phishing plugin will only appear on the Outlook desktop app, and is available for Office (Microsoft) 365 as well as non-Office (Microsoft) 365 accounts; the KillPhish plugin will appear on desktop or web instances of Outlook and is only available for Office (Microsoft) 365 accounts. The Report Phishing plugin is a simple "click and report" plugin. It does not have advanced scanning. The KillPhish plugin has scanning ability, which can be disabled (see Office 365 Add-In (KillPhish) below).
  

General Reporting

The Reporter Email Address is the email address that receives the reported emails when your users report a phishing email. You may allow additional inboxes to receive copies of the reported emails by adding Additional Reporter Addresses.

Note that if you are using the Outlook desktop Report Phishing COM add-in, you will need to configure the IMAP connection on the Mail Settings page in order for the Additional Reporter Addresses to receive copies of reported emails. The Additional Reporter Addresses will not be sent the EML file when reporting using the Outlook desktop COM add-in, but they will receive the EML file if you are reporting using the KillPhish add-in (if you turn on the "Include Message Body as an Attachment in Reported Emails" setting).

Microsoft Add-In (KillPhish)

The next tab, Microsoft (Office) 365 Add-In (KillPhish), contains settings related to your KillPhish plugin.

1. Manifest File - This is the file you will download and install to make the plugin appear on your user's Outlook ribbons.
2. Reported Emails - These are settings that relate to the way a reported message will appear when it is sent to the Reporter Email Address and the Additional Reporter Addresses. See this article for an example of a reported email.
   • Reporter Email Address - The email address that will receive the messages when your users report them. The Additional Reporter Addresses (set on the General tab) will also receive copies of reported emails.
   • Include The Blue Box in Reported Emails - If turned on, The Blue Box (a summary of information about the reported email) will be included in the reported message.
   • Send Message Body to Portal Server - If turned on, the message body will be sent to the Portal server. You must turn this option on in order to include the EML attachment and/or to show the message body in the reported emails.
     • Include Message Body as an Attachment in Reported Emails - If turned on, the reported message will be included as an EML attachment in the email that is sent to the Reporter Email Address. The EML attachment is a combination of the message body with the headers of the reported email. If enabled, it may take a few minutes longer for the reported email to arrive in the inboxes of the Reporter Email Address and the Additional Reporter Addresses.
       
     • Include Message Body below The Blue Box - This option will display the original message body in the body of the reported email.
       
   • Include Message Headers in Reported Emails - This option will create a .txt file attachment containing the original headers of the reported email. Note: Some versions of Outlook as well as some devices do not allow the plugin to collect the headers of the reported email. For example, the headers cannot be collected on Outlook for Android or iOS. Outlook 2016 for Mac and Windows also cannot collect the message headers. The Outlook version needs to support the API requirement set 1.8 or higher. A complete list of API requirement sets and the corresponding Outlook versions that support them can be found in this article.
3. Plugin Settings - This area contains settings related to how the plugin appears to your users. The below screenshots describe these settings in depth.
4. Compatibility Requirements and Deployment Instructions - This box shows the compatibility requirements of the KillPhish plugin. It also gives installation instructions.

The Advanced Threat Protection on/off switch, when turned on, will cause the emails to be scored. Additionally, information about the email (sender, SPF, links, attachments, words, and phrases) will be displayed, as shown below.

* Disclaimer: Users should remain vigilant against email security threats, even if the Advanced Threat Protection feature is turned on in your plugin. ATP is not capable of detecting every social engineering/phishing threat in emails. You should use the other tools that Portal provides to educate your users about the various threats posed by phishing and social engineering, and how to detect these attacks.

If Advanced Threat Protection is turned off, then only the helpful tips will be displayed. No score or risk assessment will be shown to the user, as shown below.

Delete Reported Emails will cause the email that a user reports to be removed from the inbox.

The Branding Name is what will appear as the name of the plugin on user's inboxes.

The Helpful Tips box allows you to create your own helpful tips that will appear on your user's instances of the KillPhish plugin. You are allowed to enter seven or fewer helpful tips. The helpful tips may not total more than 350 characters in length. Enter the helpful tips as plain text, each new tip on a new line. If you delete the helpful tips and do not enter anything in the text box, then Portal will place default helpful tips on the user's plugin.

The Reported Success Message is a message that will appear on the plugin after a target successfully reports an email. You can enter up to 200 characters of text for the reported success message. This setting is optional. If you leave it blank in your reporting settings, the users will only see the green "Reported Successfully!" popup.

The Branding Icon is the icon that will appear for the plugin (this is what user's will click to get the plugin to scan the email and allow them to report).

• Note: You will need to redeploy the manifest file in order for changes to the branding name or branding icon to appear on the KillPhish plugin. Changes to helpful tips and Advanced Threat Protection will display automatically without the need to redeploy the plugin. Changes to the Reported Emails settings do not require redeployment of the plugin to take effect.
  

Outlook Add-In

Click on the Outlook Add-In tab to view settings for the Report Phishing plugin.

Advanced Threat Protection is not available for the Report Phishing desktop plugin. The Delete Emails Reported feature is only available for the Report Phishing plugin - not the KillPhish plugin. What Delete Emails Reported does is causes emails to be immediately deleted from the user's inbox when they report emails using the Report Phishing plugin. The Reported Confirmation is a message that the user receives when he/she reports an email.

The Outlook Add-In will send reported emails to the username setup for the IMAP (Incoming) mail server on the Mail Settings page (Administration > Settings > Mail Settings).

Reporting via Forwarding

In addition to the Outlook Report Phishing and Office 365 KillPhish add-ins, your targets can report suspicious emails by forwarding to an IMAP email address that you set up. In order for Portal to log that a target has reported a simulated phishing email via the forwarding method, you will need to configure the IMAP (Incoming) mail server. Go to Administration > Settings > Mail Settings. Enter the mail server, port, username (email address), password, and encryption type, as shown below. Click the "Test IMAP" button. If the test is successful, then click the Save button at the bottom of the screen. Now, whenever your targets forward a simulated phishing email from Portal to the username specified in the incoming mail server, it will be logged that the target reported the email. Once every hour, our system scans the incoming mail server and checks for reported phishing emails from Portal. These emails are then deleted from the incoming mail server inbox.

If you don't want PhishingBox test emails to appear in your primary O365 reporting address, you may want to redirect test emails from your primary reporting address in Outlook to another email address. To do this, add the following rule to your mail flow rules.

For the 'The Recipient is...' condition, select your firm's primary reporting address.

For the 'Redirect the message to...' action, select the address to which you wish to redirect test emails.

For the 'The subject or body matches...' condition, add the following regular expression: '/k=[a-z0-9]{40}/'

NOTE: We cannot guarantee that Portal will be able to connect to your mail client via IMAP. Please be sure sure to safelist the Portal IP (found in this article) to allow for connections via IMAP. Consult with your mail provider for troubleshooting.

Manual Reporting

As a Portal admin/user, you can manually log that a target reported a simulated phishing email. To do so, go to Tests/Campaigns > Manage Tests. Open one of your tests. Scroll to the bottom. In the Emails tab, click on the blue flag icon for the email and target in question. The blue flag will become red for manually reported phishing emails. This will log that the target reported the email.