How to install the Arsen Phish Report add-in on Outlook ?
Outlook add-ins, also known as add-ons, automate tasks and extend Outlook functionality for some or all of your users.
The Phish Report button allows your employees to easily and securely report a potential phishing email to your IT security service.
If the email comes from an Arsen campaign, the report is then directly sent to the Arsen platform.
If the email comes from another source, it is forwarded to the email of your choice (IT security service) and then deleted from the user's mailbox.
Prerequisites for installing the Phish Report add-in
Overview of the Phish Report add-in
Step 1: Generating the manifest.xml file
Step 2: Testing the Phish Report add-in on Outlook
Step 3: Deploying the add-in on Outlook
The Phish Report add-in for Outlook is only compatible with:
Outlook 2013+ or later on Windows
Outlook 2016+ or later on Mac
Outlook on iOS
Outlook on Android
Outlook on the web for Exchange 2016+ or later
Outlook on the web for Exchange 2013
Outlook.com
The client must be connected to an Exchange or Microsoft 365 server via a direct connection. When configuring the client, the user must have an Exchange, Office, or Outlook.com type account. Add-ins do not work with clients configured to connect with POP3 or IMAP.
An Office add-in includes two basic components: an XML manifest file and a web application.
The manifest is an XML file that specifies the settings and features of the add-in, including the name of the button as it appears in the Outlook ribbon, as well as other settings specific to your business.
The web application, hosted by the Arsen platform, displays the Outlook taskpane (task pane; see image below) when your users click the Phish Report button.
The application is responsible for analyzing the email to determine if it was sent from the Arsen platform or not, and reporting it accordingly.
The taskpane on the right of the Outlook client:
The taskpane is automatically translated into the default language of the Outlook client.
The generation of the manifest.xml file is done directly from the Arsen platform, under the Settings section:
First, you need to define the header used by Arsen to differentiate emails from the platform from other emails. If you have not yet followed this step, click here to learn how to configure the header in your account.
👉 If you have already defined the Arsen header, then the latter is already pre-filled in the manifest generation form.
You must then define the email address to which the reported emails will be forwarded. This email can be a dedicated phishing service account (abuse@example.com, phishing@example.com, etc.) or directly the email of the person in charge, depending on your company's internal procedures.
👉 Reports of emails from the Arsen platform are not forwarded, the report information is directly sent back to our platform.
Define the name of the button as it will appear in the ribbon and in the Outlook action menu.
Finally, you have the option to customize the messages that will be displayed to your users when reporting a phishing email.
👉 You can choose to specify or not that it is a phishing simulation campaign by customizing the message or leaving it as generic as possible.
Testing the add-in ensures its proper functioning before deploying it on a larger scale (next step).
The method presented here works with Outlook on the web, i.e., the version of Outlook available at https://outlook.com
To test your Outlook add-in with other versions (Outlook 2013, 2016, etc.), please refer to Microsoft's official documentation on this topic.
Access your Outlook account.
Create a new email.
Select "..." at the bottom of the new message, then select Download Add-ins from the drop-down menu.
Testing the add-in ensures its proper functioning before deploying it on a larger scale (next step).
The method presented here works with Outlook on the web, which is the version of Outlook available at https://outlook.com.
To test your Outlook add-in with other versions (Outlook 2013, 2016, etc.), please refer to Microsoft's official documentation on this topic.
Access your Outlook account.
Create a new email.
Select "..." at the bottom of the new message, then select "Download Add-ins" from the drop-down menu.
Click on "My add-ins" and then "Add a custom add-in."
Finally, click From a file... and select the Manifest file generated in the previous step.
The reporting button is now accessible from the email actions menu.
▶️ Although in most cases the deployment of the Outlook add-in is quick and easy, it is possible that your configuration is specific and requires additional settings. In this case, refer to Microsoft's official documentation for deploying Office add-ins.
Deployment with Microsoft 365
The Microsoft 365 admin center allows administrators to easily deploy Office add-ins to users and groups within their organization. Add-ins deployed via the admin center are available to users directly in their Office applications, without any client configuration required.
In the Admin Center, select Settings, then select Integrated Apps.
Select Upload custom apps.
Choose the option to upload the manifest from a local file and select the manifest.xml file generated in the previous step.
Select the Users who will have access to the Phish Report button. We recommend deploying the button to a small group of users before deploying at scale.
Finally, click Done. The add-in will be deployed to your users in approximately 6 to 12 hours.
👉 Be sure to test your add-in before deploying it at scale. You can test it locally on your account by clicking on Download add-ins in the email action menu (see step 2).
Deploying on Exchange Admin Center
For online and on-premises environments that do not use the Azure AD identity service, you can deploy Outlook add-ins via the Exchange server.
Deploying Outlook add-ins requires:
Microsoft 365, Exchange Online, or Exchange Server 2013 or later
Outlook 2013 or later
To assign add-ins to clients, use the Exchange admin center to upload a manifest directly from the manifest.xml file generated in step 1.
To assign add-ins to specific users, you must use Exchange PowerShell. For more information, refer to "Install or remove Outlook add-ins for your organization" on TechNet.
The Phish Report button allows your employees to easily and securely report a potential phishing email to your IT security service.
If the email comes from an Arsen campaign, the report is then directly sent to the Arsen platform.
If the email comes from another source, it is forwarded to the email of your choice (IT security service) and then deleted from the user's mailbox.
Summary
Prerequisites for installing the Phish Report add-in
Overview of the Phish Report add-in
Step 1: Generating the manifest.xml file
Step 2: Testing the Phish Report add-in on Outlook
Step 3: Deploying the add-in on Outlook
Prerequisites for installing the Phish Report add-in
The Phish Report add-in for Outlook is only compatible with:
Outlook 2013+ or later on Windows
Outlook 2016+ or later on Mac
Outlook on iOS
Outlook on Android
Outlook on the web for Exchange 2016+ or later
Outlook on the web for Exchange 2013
Outlook.com
The client must be connected to an Exchange or Microsoft 365 server via a direct connection. When configuring the client, the user must have an Exchange, Office, or Outlook.com type account. Add-ins do not work with clients configured to connect with POP3 or IMAP.
Overview of the Phish Report add-in
An Office add-in includes two basic components: an XML manifest file and a web application.
XML Manifest 📃
The manifest is an XML file that specifies the settings and features of the add-in, including the name of the button as it appears in the Outlook ribbon, as well as other settings specific to your business.
Web Application 🖥
The web application, hosted by the Arsen platform, displays the Outlook taskpane (task pane; see image below) when your users click the Phish Report button.
The application is responsible for analyzing the email to determine if it was sent from the Arsen platform or not, and reporting it accordingly.
The taskpane on the right of the Outlook client:
The taskpane is automatically translated into the default language of the Outlook client.
Step 1: Generating the manifest.xml file
The generation of the manifest.xml file is done directly from the Arsen platform, under the Settings section:
First, you need to define the header used by Arsen to differentiate emails from the platform from other emails. If you have not yet followed this step, click here to learn how to configure the header in your account.
👉 If you have already defined the Arsen header, then the latter is already pre-filled in the manifest generation form.
You must then define the email address to which the reported emails will be forwarded. This email can be a dedicated phishing service account (abuse@example.com, phishing@example.com, etc.) or directly the email of the person in charge, depending on your company's internal procedures.
👉 Reports of emails from the Arsen platform are not forwarded, the report information is directly sent back to our platform.
Define the name of the button as it will appear in the ribbon and in the Outlook action menu.
Finally, you have the option to customize the messages that will be displayed to your users when reporting a phishing email.
👉 You can choose to specify or not that it is a phishing simulation campaign by customizing the message or leaving it as generic as possible.
Step 2: Testing the Phish Report add-in on Outlook
Testing the add-in ensures its proper functioning before deploying it on a larger scale (next step).
The method presented here works with Outlook on the web, i.e., the version of Outlook available at https://outlook.com
To test your Outlook add-in with other versions (Outlook 2013, 2016, etc.), please refer to Microsoft's official documentation on this topic.
Access your Outlook account.
Create a new email.
Select "..." at the bottom of the new message, then select Download Add-ins from the drop-down menu.
Testing the add-in ensures its proper functioning before deploying it on a larger scale (next step).
The method presented here works with Outlook on the web, which is the version of Outlook available at https://outlook.com.
To test your Outlook add-in with other versions (Outlook 2013, 2016, etc.), please refer to Microsoft's official documentation on this topic.
Access your Outlook account.
Create a new email.
Select "..." at the bottom of the new message, then select "Download Add-ins" from the drop-down menu.
Click on "My add-ins" and then "Add a custom add-in."
Finally, click From a file... and select the Manifest file generated in the previous step.
The reporting button is now accessible from the email actions menu.
Step 3 : Deploying the add-in on Outlook.
▶️ Although in most cases the deployment of the Outlook add-in is quick and easy, it is possible that your configuration is specific and requires additional settings. In this case, refer to Microsoft's official documentation for deploying Office add-ins.
Deployment with Microsoft 365
The Microsoft 365 admin center allows administrators to easily deploy Office add-ins to users and groups within their organization. Add-ins deployed via the admin center are available to users directly in their Office applications, without any client configuration required.
In the Admin Center, select Settings, then select Integrated Apps.
Select Upload custom apps.
Choose the option to upload the manifest from a local file and select the manifest.xml file generated in the previous step.
Select the Users who will have access to the Phish Report button. We recommend deploying the button to a small group of users before deploying at scale.
Finally, click Done. The add-in will be deployed to your users in approximately 6 to 12 hours.
👉 Be sure to test your add-in before deploying it at scale. You can test it locally on your account by clicking on Download add-ins in the email action menu (see step 2).
Deploying on Exchange Admin Center
For online and on-premises environments that do not use the Azure AD identity service, you can deploy Outlook add-ins via the Exchange server.
Deploying Outlook add-ins requires:
Microsoft 365, Exchange Online, or Exchange Server 2013 or later
Outlook 2013 or later
To assign add-ins to clients, use the Exchange admin center to upload a manifest directly from the manifest.xml file generated in step 1.
To assign add-ins to specific users, you must use Exchange PowerShell. For more information, refer to "Install or remove Outlook add-ins for your organization" on TechNet.
Updated on: 20/07/2023
Thank you!