This article describes the different ways Portal allows your targets to report suspicious emails.
- Accessing Reporting Settings
- General Reporting
- Office 365 Add-In (KillPhish)
- Outlook Add-In
- Reporting via Email Forwarding
- Manual Reporting
Accessing Reporting Settings
You can manage your KillPhish add-in and Report Phishing COM add-in settings, view installation instructions, and download the manifest or MSI file from the Reporting Settings page. Navigate to Administration > Settings > Reporting Settings (or Inbox/Reporting Settings, if you have the Inbox module with your Portal subscription).
You will be presented with three different tabs, shown below. (You'll have an additional tab if you have the Inbox feature.)
- Note: The Office (Microsoft) 365 Add-In (KillPhish) tab has settings for the KillPhish plugin. The Outlook Add-In tab has settings for the Report Phishing Outlook desktop plugin (aka MSI plugin, COM add-in, or Report Phishing add-in). These two plugins are NOT the same. The Report Phishing plugin will only appear on the Outlook desktop app, and is available for Office (Microsoft) 365 as well as non-Office (Microsoft) 365 accounts; the KillPhish plugin will appear on desktop or web instances of Outlook and is only available for Office (Microsoft) 365 accounts. The Report Phishing plugin is a simple "click and report" plugin. It does not have advanced scanning. The KillPhish plugin has scanning ability, which can be disabled (see Office 365 Add-In (KillPhish) below).
General Reporting
The Reporter Email Address is the email address that receives the reported emails when your users report a phishing email. You may allow additional inboxes to receive copies of the reported emails by adding Additional Reporter Addresses.
Office 365 Add-In (KillPhish)
The next tab, Office 365 Add-In (KillPhish), contains settings related to your KillPhish plugin.
The Advanced Threat Protection on/off switch, when turned on, will cause the emails to be scored. Additionally, information about the email (sender, SPF, links, attachments, words, and phrases) will be displayed, as shown below.
* Disclaimer: Users should remain vigilant against email security threats, even if the Advanced Threat Protection feature is turned on in your plugin. ATP is not capable of detecting every social engineering/phishing threat in emails. You should use the other tools that Portal provides to educate your users about the various threats posed by phishing and social engineering, and how to detect these attacks.
The Include Message Body in Reported Emails on/off switch lets you choose if you'd like the original message body of reported emails to be included when your users report emails. If you turn this toggle off, then the original message body is never sent to Portal servers and is not included in the reported email.
If Advanced Threat Protection is turned off, then only the helpful tips will be displayed. No score or risk assessment will be shown to the user, as shown below.
The Branding Name is what will appear as the name of the plugin in users' inboxes.
The Helpful Tips box allows you to create your own helpful tips that will appear on your users' instances of the KillPhish plugin. You are allowed to enter seven or fewer helpful tips. The helpful tips may not total more than 350 characters in length. Enter the helpful tips as plain text, each new tip on a new line. If you delete the helpful tips and do not enter anything in the text box, then Portal will place default helpful tips on the user's plugin.
The Reported Success Message is a message that will appear on the plugin after a target successfully reports an email. You can enter up to 200 characters of text for the reported success message. This setting is optional. If you leave it blank in your reporting settings, the users will only see the green "Reported Successfully!" popup.
The Branding Icon is the icon that will appear for the plugin (this is what users will click to get the plugin to scan the email and allow them to report).
- Note: You will need to redeploy the manifest file in order for changes to the branding name or branding icon to appear on the KillPhish plugin. Changes to helpful tips and Advanced Threat Protection will display automatically without the need to redeploy the plugin.
Outlook Add-In
Click on the Outlook Add-In tab to view settings for the Report Phishing plugin.
Advanced Threat Protection is not available for the Report Phishing desktop plugin. The Delete Emails Reported feature is only available for the Report Phishing plugin, not the KillPhish plugin. When it is enabled, emails are immediately deleted from the user's inbox when the user reports them using the Report Phishing plugin. The Reported Confirmation is a message that the user receives when they report an email.
The Outlook Add-In will send reported emails to the username set up for the IMAP (Incoming) mail server on the Mail Settings page (Administration > Settings > Mail Settings).
Reporting via Forwarding
In addition to the Outlook Report Phishing and Office 365 KillPhish add-ins, your targets can report suspicious emails by forwarding to an IMAP email address that you set up. In order for Portal to log that a target has reported a simulated phishing email via the forwarding method, you will need to configure the IMAP (Incoming) mail server. Go to Administration > Settings > Mail Settings. Enter the mail server, port, username (email address), password, and encryption type, as shown below. Click the "Test IMAP" button. If the test is successful, then click the Save button at the bottom of the screen. Now, whenever your targets forward a simulated phishing email from Portal to the username specified in the incoming mail server, it will be logged that the target reported the email. Once every hour, our system scans the incoming mail server and checks for reported phishing emails from Portal. These emails are then deleted from the incoming mail server inbox.
If you don't want PhishingBox test emails to appear in your primary O365 reporting address, you may want to redirect test emails from your primary reporting address in Outlook to another email address. To do this, add the following rule to your mail flow rules.
For the 'The Recipient is...' condition, select your firm's primary reporting address.
For the 'Redirect the message to...' action, select the address to which you wish to redirect test emails.
For the 'The subject or body matches...' condition, add the following regular expression: '/k=[a-z0-9]{40}/'
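The same mail flow rule can be created from Exchange Online PowerShell. This is an added example, not part of the original article: the two addresses and the rule name are placeholders, and the pattern is copied verbatim from the step above. The rule is created in audit mode first so you can confirm it matches only Portal test emails before any real report is redirected away from your primary reporting address.

```powershell
# Added example: PowerShell equivalent of the mail flow rule described above.
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# Placeholders (assumptions): replace with your own addresses and rule name.
$primaryReporting = 'phish-report@example.com'   # your firm's primary reporting address
$testRedirect     = 'phish-tests@example.com'    # where test emails should be redirected
$ruleName         = 'Redirect Portal test emails'

# Pattern copied verbatim from the step above, including the slashes.
$pattern = '/k=[a-z0-9]{40}/'

# -SentTo                       = 'The Recipient is...' condition
# -SubjectOrBodyMatchesPatterns = 'The subject or body matches...' condition
# -RedirectMessageTo            = 'Redirect the message to...' action
# -Mode Audit records what the rule would have done without redirecting anything.
New-TransportRule -Name $ruleName `
    -SentTo $primaryReporting `
    -SubjectOrBodyMatchesPatterns $pattern `
    -RedirectMessageTo $testRedirect `
    -Mode Audit

# Confirm the rule was stored with the conditions and action you intended.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SentTo, SubjectOrBodyMatchesPatterns, RedirectMessageTo

# After a forwarded test email shows the rule matching in message trace,
# and a genuine report does not, switch the rule to enforcement.
Set-TransportRule -Identity $ruleName -Mode Enforce
```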
NOTE: We cannot guarantee that Portal will be able to connect to your mail client via IMAP. Please be sure to safelist the Portal IP (found in this article) to allow for connections via IMAP. Consult with your mail provider for troubleshooting.
Manual Reporting
As a Portal admin/user, you can manually log that a target reported a simulated phishing email. To do so, go to Tests/Campaigns > Manage Tests. Open one of your tests. Scroll to the bottom. In the Emails tab, click on the blue flag icon for the email and target in question. The blue flag will become red for manually reported phishing emails. This will log that the target reported the email.