Overview
If you’re unable to use KillPhish to report an email—whether due to technical issues, device limitations, or personal preference—there are still ways to log reported actions in PhishingBox. This article outlines alternative methods for reporting phishing or suspicious emails while ensuring those actions are properly recorded in PhishingBox.
Use the links below to jump to a section:
- Microsoft's Built-in Reporting Button
- Reporting via Forwarding
- Manual Reporting
- Microsoft Report Button with Mail Flow Forwarding
Microsoft's Built-in Reporting Button
If you'd like to use Microsoft’s Report Message button to report suspicious emails, you can configure it to forward those reports to a designated inbox that connects with PhishingBox. This allows reported simulated emails to be tracked in PhishingBox campaigns. Follow the steps below to set this up:
Step 1: Create a Reporting Mailbox
Create a mailbox in Microsoft 365 that will collect all reported emails (if one doesn't already exist).
Step 2: Configure User Reported Settings
Go to User reported settings in the Microsoft 365 Security & Compliance Center.
-
Under Reported message destinations, configure the following:
Send reported messages to: Select My reporting mailbox only
Choose the mailbox you created in Step 1
Step 3: Connect the Mailbox to PhishingBox
Open the PhishingBox portal in an incognito window
Go to Administration > Settings > Mail Settings > Security Inbox tab
Click the Create button
Set the Connection Type to Microsoft Entra ID and click Authorize
Sign in using the mailbox created in Step 1
Once connected, PhishingBox will begin recording reported emails submitted through the Microsoft Report Message button.
Reporting via Forwarding
Targets can report suspicious emails by forwarding them to a designated reporter mailbox. To ensure PhishingBox logs when a simulated phishing email is reported this way, you’ll need to configure a Security Inbox.
To set this up, go to Administration > Settings > Mail Settings > Security Inboxes in the PhishingBox portal. Then, follow the instructions in the Security Inboxes section of the Mail Settings article to configure either an IMAP or Microsoft Entra ID inbox.
If you prefer not to have PhishingBox test emails show up in your primary Microsoft 365 reporter mailbox when using the forwarding method, you can CC a secondary mailbox instead. This way, test emails are logged by PhishingBox without cluttering your main reporting inbox.
To do this, add the following mail flow rule in Microsoft 365:
- For 'Apply this rule if', make the following selections:
- The recipient
- is this person and select your tenant's primary reporting address.
- Click the "+" icon to add an And condition
- For the 'And' condition, make the following selections:
- The message headers...
-
includes any of these words and enter:
- X-PHISHTEST
- PhishingBox
- For 'Do the following', make the following selections
- Add recipients
- to the Cc box and select the email address you want to copy the message to
- Click "Save"
NOTE: You may need to adjust this mail flow rule to align with the specific reporting needs of your environment. To ensure the rule functions properly, identify a consistent attribute in PhishingBox emails, such as message headers or sender IP addresses, that the rule can use to match and take appropriate action.
Microsoft Report Button with Mail Flow Forwarding
You can also use Microsoft’s built-in reporting tool together with a Microsoft 365 mail flow rule to log reported PhishingBox emails. In this setup, users report emails using Microsoft’s built-in Report Message/Report Phishing button, Microsoft sends the report to a designated reporting mailbox, and a mail flow rule forwards matching PhishingBox simulation reports to a PhishingBox Security Inbox.
Step 1: Create or Identify a Shared Reporting Mailbox
Create or identify the shared mailbox that Microsoft will use to receive reported messages. This mailbox will be configured as the reporting destination in Microsoft Defender.
Step 2: Add the Mailbox as a SecOps Mailbox in Microsoft Defender
Go to the Microsoft Defender portal: https://security.microsoft.com
-
Navigate to:
Email & Collaboration > Policies & Rules > Threat Policies > Advanced Delivery
Or go directly to https://security.microsoft.com/advanceddelivery
- Select the SecOps mailboxes tab.
- Click Add.
Enter the shared reporting mailbox address.
- Click Save.
Adding the mailbox as a SecOps mailbox tells Microsoft Defender that messages delivered to this mailbox are intended for security operations. This helps prevent Defender from treating those messages the same way it would treat messages delivered to end users.
Step 3: Configure Microsoft User Reported Settings
Go to https://security.microsoft.com/securitysettings/userSubmission
- Under Reported message destinations, choose one of the following:
- Microsoft and my reporting mailbox
- My reporting mailbox only
Enter the shared reporting mailbox address.
- Click Save.
When users report emails using Microsoft’s built-in reporting button, reported messages will now be sent to the configured mailbox.
Step 5: Create a Microsoft 365 Mail Flow Rule
Create a Microsoft 365 mail flow rule to forward reported PhishingBox simulation messages from your Microsoft reporting mailbox to the PhishingBox Security Inbox.
- In Exchange Admin Center, go to Mail flow > Rules.
- Create a new rule.
Name the rule.
-
Under Apply this rule if, choose a condition that reliably identifies PhishingBox simulation reports.
Example:
- The subject or body
- subject or body includes any of these words
- Enter a PhishingBox simulation domain or another consistent identifier
-
Add another condition for the reporting mailbox.
Example:
- The recipient
- is this person
- Select the Microsoft reporting mailbox
- Under Do the following, choose:
- Redirect the message to
- these recipients
Enter PhishingBox's reported messages inbox address, reported@phishingbox.com
- Save the rule.
NOTE: The mail flow rule conditions should be adjusted to match your environment. You can match on a simulation domain, sender, header, or another consistent attribute found in your PhishingBox simulation emails. The goal is to forward only PhishingBox simulation reports to the PhishingBox Security Inbox while allowing non-simulation reports to continue through your normal Microsoft reporting workflow.
Manual Reporting
As a PhishingBox admin/user, you can manually log that a target reported a simulated phishing email. To do so, navigate to Tests / Campaigns > Manage Tests. Find the test you want to log a reported action for and click the test name (this opens the Test Details page). Scroll to the bottom. In the Emails tab, click the drop-down in the Actions column, then click "Log Report Action". This will log that the target reported the email.