Overview
This article describes the different ways PhishingBox allows your targets to report suspicious emails, and how to manage each method. To get started, navigate to Administration > Settings > Reporting Settings.
Use the links below to jump to a section:
- General Reporting
- Microsoft Add-In (KillPhish)
- Gmail Add-In (KillPhish Lite)
- Outlook Add-In
- Reporting via Email Forwarding
- Manual Reporting
NOTE: The Microsoft Add-In (KillPhish) tab has settings for the KillPhish plugin. The Outlook Add-In tab has settings for the Report Phishing Outlook desktop plugin (aka COM add-in). These two plugins are NOT the same. Check out our KillPhish vs KillPhish Lite vs Report Phishing COM Add-in article to see a table comparison between our report button offerings.
General Reporting
The General Reporting tab is where you define your Reporter Email Address(es). The Reporter Email Address is the email address that receives the reported emails when your users report an email using the add-ins. You may allow additional mailboxes to receive copies of the reported emails by adding Additional Reporter Addresses.
NOTE: If you are using the Outlook Add-In (Report Phishing COM add-in), you will need to configure a Security Inbox connection on the Mail Settings page for the Additional Reporter Addresses to receive copies of reported emails.
When emails are reported by the Microsoft Add-In (KillPhish) and the Gmail Add-in (KillPhish Lite), all the defined Reporter Email Addresses will receive the EML file of the reported email (if you turn on the "Include Message Body as an Attachment in Reported Emails" setting). For emails reported by the Outlook Add-In, only the "Reporter Email Address" will receive the EML file (and not the Additional Reporter Addresses).
Microsoft Add-In (KillPhish)
The Microsoft Add-In (KillPhish) tab is where you can create and manage KillPhish instances. A Microsoft 365 license is required to use this reporting button. The KillPhish reporting button will appear on Outlook desktop, Outlook Web App (OWA), and the mobile applications for Outlook (iOS and Android).
NOTE: If you're NOT using Microsoft 365 but still use Outlook, you will need to use the Outlook Add-in.
- The "Manage KillPhish Instance" table is where you'll create and manage KillPhish instances. Configuring an instance allows you to generate a manifest file which will be used to import the KillPhish Add-In to your Microsoft 365 tenant.
- This section details the compatibility requirements and deployment instructions.
- The link found here will take you to the deprecated KillPhish Settings (this section only applies to those who created KillPhish instances prior to April 5, 2022).
For details on configuring and deploying a KillPhish instance, please see our Microsoft Add-In (KillPhish) article. For details on using the KillPhish button, please see our Using KillPhish Microsoft Add-in article.
Gmail Add-In (KillPhish Lite)
The Gmail Add-In (KillPhish Lite) tab is where you will customize your KillPhish Lite settings. KillPhish Lite is compatible with Gmail and can be installed from the Google Workspace Marketplace. KillPhish Lite allows users to report emails in Gmail. KillPhish Lite does not allow advanced scanning/scoring of emails, collection of header information, or a custom reported success message to be displayed after a user reports an email. Additionally, it cannot be white labeled (a custom branding name and icon cannot be set).
For details on configuring and deploying KillPhish Lite, please see our Gmail Add-In (KillPhish Lite) article. For details on using the KillPhish Lite button, please see our Using Gmail Add-In (KillPhish Lite) article.
Outlook Add-In
The Outlook Add-In tab contains settings for the Report Phishing add-in (also referred to as the COM add-in). The Report Phishing COM add-in is only compatible with the 64-bit Outlook app running on a 64-bit Windows machine. Unlike the Microsoft Add-In (KillPhish), a Microsoft 365 subscription is NOT required.
Advanced Threat Protection is NOT available for the Report Phishing desktop add-in. The only customizations available for the Report Phishing add-in are the ability to delete emails and the ability to display a reported confirmation message after the user reports a message. If "Delete Emails Reported" is turned on, then any email that a user reports will be deleted from the user's inbox.
The Report Phishing Outlook COM Add-In will log reported actions for phishing tests and send reported emails to the Reporter Email Address (which is configured in the General Reporting tab).
NOTE: If you deployed the Outlook COM Add-in prior to August 2, 2022, you will need to configure a Security Inbox (for the Reporter Email Address) to log reported actions in phishing tests. You can configure an IMAP/OAuth inbox on the Mail Settings > Security Inboxes tab.
For more information on the Report Phishing COM add-in, see our Outlook Add-In (Report Phishing COM Add-in) article.
NOTE: Outlook Add-In (Report Phishing add-in) and the KillPhish Add-In are not the same.
Reporting via Forwarding
In addition to our reporting button add-ins, targets can report suspicious emails by forwarding them to a designated reporter mailbox. To ensure PhishingBox logs when a target reports a simulated phishing email via forwarding, you will need to configure a Security Inbox. To do this, navigate to Administration > Settings > Mail Settings > Security Inboxes tab. Follow the instructions in the Security Inboxes section of the Mail Settings article on how to set up an IMAP or OAuth inbox.
If you prefer not to have PhishingBox test emails appear in your primary Microsoft 365 reporter mailbox when using the forwarding method, consider CC'ing a secondary mailbox when sending test emails to the primary reporting address in Microsoft 365. To do this, add the following rule to your mail flow rules:
- For 'Apply this rule if', make the following selections:
  - The recipient
  - is this person and select your tenant's primary reporting address.
- Click the "+" icon to add an And condition
- For the 'And' condition, make the following selections:
  - The message headers...
  - includes any of these words and enter:
    - X-PHISHTEST
    - PhishingBox
- For 'Do the following', make the following selections:
  - Add recipients
  - to the Cc box and select the email address you want to copy the message to
- Click "Save"
NOTE: You may need to adjust this mail flow rule to align with the specific reporting needs of your environment. To ensure the rule functions properly, identify a consistent attribute in PhishingBox emails, such as message headers or sender IP addresses, that the rule can use to match and take appropriate action.
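The same mail flow rule can be created from Exchange Online PowerShell, which keeps the rule repeatable and easy to review. This is an added example, not a PhishingBox script: the addresses and rule name are placeholders, and it assumes the two values above mean header name X-PHISHTEST with PhishingBox as the word matched in it.

```powershell
# Added example: Exchange Online PowerShell equivalent of the mail flow rule above.
# Requires the ExchangeOnlineManagement module and rights to manage transport rules.

# Placeholders: replace with your tenant's values.
$PrimaryReporter  = 'phish-report@example.com'     # primary reporting address (placeholder)
$SecondaryMailbox = 'phish-sim-copy@example.com'   # mailbox that receives the Cc (placeholder)
$RuleName         = 'Cc PhishingBox test reports'  # hypothetical rule name

# Assumption: X-PHISHTEST is the header name and PhishingBox the word matched in it.
$ruleParams = @{
    SentTo                      = $PrimaryReporter     # 'The recipient' > 'is this person'
    HeaderContainsMessageHeader = 'X-PHISHTEST'        # 'The message headers...'
    HeaderContainsWords         = 'PhishingBox'        # 'includes any of these words'
    CopyTo                      = $SecondaryMailbox    # 'Add recipients' > 'to the Cc box'
    Comments                    = 'Copies PhishingBox test emails sent to the reporter address'
}

Connect-ExchangeOnline

# Update the rule if it already exists so reruns do not create duplicates.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
if ($existing) {
    Set-TransportRule -Identity $RuleName @ruleParams
} else {
    New-TransportRule -Name $RuleName @ruleParams
}

# Confirm the stored conditions and action match what was intended.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, Mode, SentTo, HeaderContainsMessageHeader, HeaderContainsWords, CopyTo
```

After the rule is in place, send a test to the primary reporting address and confirm the copy arrives in the secondary mailbox before relying on it.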
Manual Reporting
As a PhishingBox admin/user, you can manually log that a target reported a simulated phishing email. To do so, navigate to Tests / Campaigns > Manage Tests. Find the test you want to log a reported action for and click the test name (this opens the Test Details page). Scroll to the bottom. In the Emails tab, click the drop-down in the Actions column, then click "Log Report Action". This will log that the target reported the email.