
How can I use the Microsoft Report Phishing add-in with Arsen?

It is important that your employees are able to report an email that appears suspicious to them, and that this report can be automatically escalated to Arsen in case it's a simulation or sent to the email address of your choice in the event it's a genuine phishing attempt.

⚠️ Note that you can interchangeably use the Report Phishing or Report Message add-in. You can read the official documentation at any time if you have any questions.

Pros and Cons compared to the Arsen Phish Report button:

Pros:
Native integration maintained by Microsoft
Does not require external permission requests
Cons:
Manual integration
Limited customization
Requires a valid Microsoft 365 Defender for Office 365 Plan 1 license

Connect Arsen to the Outlook reporting button and establish strong reflexes right from your employees' mailbox. Increase the overall security level of your company by encouraging employees to report. Your security score will increase in proportion to the general security level of your organization because by creating these reflexes, you are fostering a culture of necessary reporting.

If the email originates from an Arsen campaign, the report is then directly sent to the Arsen platform.
If the email comes from another source, it is forwarded to Microsoft.


Summary



Prerequisites: Create or Use a Dedicated Reporting Email Address
Step 1: Configure the Use of the Outlook Reporting Button
Step 2: Create Rules for Redirecting Reported Emails

Prerequisites: Create or Use a Dedicated Reporting Email Address



➡️ If you already have a dedicated SecOps email account, you do not need to go through this step and you can go to Step 1.

To create a dedicated email address for reporting malicious emails, go to your Microsoft 365 Admin Center. Click on Active users.

The list of users will be displayed. Click the Add a user button and enter a generic email address, such as secops@yourcompany.com, with a license that allows access to Outlook. Follow all the steps and click Finish Adding to create the user.


Step 1: Configure the Use of the Outlook Reporting Button



Sign in to Microsoft 365 Defender.

Go to Settings, then Email & collaboration, and click on User reported settings.

Select Use the built-in Report button in Outlook.

(Optional) Using the checkboxes, you can then:
Ask users who click the reporting button to confirm their choice.
Customize the message displayed in the reporting window.

In the Reported message destinations section, you must select "My reporting mailbox only" under the "Send reported messages to:" dropdown.

➡️ Reported emails not originating from an Arsen simulation will continue to be relayed to Microsoft by Arsen automatically.



⚠️ If you choose to forward the email to both Microsoft and Arsen by selecting "Microsoft and my reporting mailbox", Microsoft will analyze Arsen simulations, which may affect your campaigns using the same domain name.

Next, select your reporting email address (see Prerequisites) and click Save.

At this stage, all reported emails are routed to your SecOps email account.


Step 2: Create Rules for Redirecting Reported Emails



There are two rules to create:
The first rule will allow forwarding of phishing simulation emails to Arsen.
The second rule will redirect malicious emails to Microsoft.

Rule 1: Reporting Arsen Simulation Emails



Go to the Exchange Admin Center.

Navigate to Mail flow and click on Rules.

Click on + Add a rule, then click on Create a new rule.


Give a name to your rule such as: Arsen Phishing Simulation Report

Apply the rule if:
The recipient > is this person > and select your SecOps email account.
Click + to add a new rule condition.

Select The subject or body > subject or body includes any of these words and set:
x-arsen-report (if you are using the Microsoft Email Delivery integration to whitelist our phishing simulation emails)
161.38.204.14 (if you are using the manual whitelisting method)


Do the following:
Select Add recipients > to the Cc box and add the following email address: phish@arsen.report


Click Next and Finish.

Rule 2: Reporting Malicious Emails to Microsoft



Go to the Exchange Admin Center.
Go to Mail flow and click on Rules.
Click on + Add a rule, then on Create a new rule.



Give a name to your rule such as: Suspicious Phishing Report

Apply the rule if:
The recipient > is this person, and select your SecOps email address.

Do the following:
Select Add recipients > to the Cc box and add the following email address: phish@office365.microsoft.com

Except if:
The subject or body > subject or body includes any of these words, and add 161.38.204.14



Click Next and Finish.



Now, click on the rule you just added and enable it by clicking Enable.

⚠️ It may take a few minutes to propagate through the system.
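
The two mail flow rules from Step 2 can also be created from Exchange Online PowerShell, which makes the configuration repeatable and easy to review. This is an added example, not part of Arsen's documentation; it assumes the ExchangeOnlineManagement module is installed, and the admin account and mailbox addresses are placeholders.

```powershell
# Added example: scripted equivalent of Rule 1 and Rule 2 above.
# Placeholder values: replace with your own tenant's accounts.
$AdminUpn      = 'admin@yourcompany.com'    # placeholder Exchange admin account
$SecOpsMailbox = 'secops@yourcompany.com'   # reporting mailbox from the Prerequisites

# Marker word for Rule 1, as listed on this page:
#   'x-arsen-report' (Microsoft Email Delivery integration) or
#   '161.38.204.14'  (manual whitelisting method)
$ArsenMarker   = 'x-arsen-report'

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

$rules = @(
    @{
        # Rule 1: copy reported Arsen simulations to Arsen
        Name                       = 'Arsen Phishing Simulation Report'
        SentTo                     = $SecOpsMailbox
        SubjectOrBodyContainsWords = $ArsenMarker
        CopyTo                     = 'phish@arsen.report'
    },
    @{
        # Rule 2: copy everything else to Microsoft
        Name                               = 'Suspicious Phishing Report'
        SentTo                             = $SecOpsMailbox
        CopyTo                             = 'phish@office365.microsoft.com'
        # Exception word exactly as given on this page for Rule 2
        ExceptIfSubjectOrBodyContainsWords = '161.38.204.14'
    }
)

foreach ($rule in $rules) {
    # Do not create a duplicate if the rule is already present
    if (Get-TransportRule -Identity $rule.Name -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$($rule.Name)' already exists; skipping."
        continue
    }
    # Create disabled, then enable, mirroring the manual procedure
    New-TransportRule @rule -Enabled $false | Out-Null
    Enable-TransportRule -Identity $rule.Name
}

# Review what was actually configured before relying on it
foreach ($rule in $rules) {
    Get-TransportRule -Identity $rule.Name |
        Format-List Name, State, SentTo, SubjectOrBodyContainsWords,
                    CopyTo, ExceptIfSubjectOrBodyContainsWords
}
```

After the rules have propagated, report one simulation email and one ordinary email from a test mailbox and confirm that each is copied only to the expected address.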


The add-in is now set up. You can go to Submissions in Microsoft Defender to see user-reported messages.

Updated on: 26/01/2024
