Allowing employees to easily report suspicious emails helps strengthen overall organizational security and automates internal reporting workflows in Arsen.
1 – Objectives
Allow employees to report suspicious emails directly from Outlook
Automatically send reports related to Arsen simulations into Arsen
Redirect real phishing emails to Microsoft
Reinforce a culture of vigilance and improve the global security score
2 – Prerequisites
Use Microsoft Outlook and Microsoft 365
Have a Microsoft 365 administrator account
Hold a Microsoft 365 Defender for Office 365 Plan 1 license
Access to Microsoft 365 Admin Center, Defender, and Exchange Admin Center
3 – Understand Outlook’s native report button
3.1 – Available add-ins
You may use either Report Phishing or Report Message—both work.
Microsoft documentation remains available if needed.
3.2 – Behavior based on the email source
If the email originates from an Arsen campaign → the report is automatically forwarded to Arsen
If the email originates from any other source → it is sent to Microsoft
3.3 – Advantages of using the native button
Native Microsoft integration
No external authorization workflow required
4 – Create or use a dedicated reporting mailbox
4.1 – Check if a reporting address already exists
If so, proceed to the next step.
4.2 – Create a reporting email address
Go to Microsoft 365 Admin Center
Click Active Users
Click + Add a user
Create a generic address (e.g., [email protected]) with an Outlook license.
5 – Configure the Outlook report button
5.1 – Access reporting settings
In Microsoft 365 Defender, go to:
Settings → Email & Collaboration → User-reported settings
Select Use the built-in Outlook Report button.
5.2 – Customize user experience
You may enable:
Confirmation before sending
Customization of the message shown to the user
5.3 – Define the destination for reported emails
In Message report destinations:
Select the option to send reports only to your reporting mailbox
Choose the mailbox created in Step 1
Click Save
⚠️ Warning
If you choose Microsoft and my reporting mailbox, Microsoft will also analyze Arsen simulations.
This may interfere with campaigns using the same phishing domains.
6 – Create email redirection rules
6.1 – Rule logic
You must create two rules:
Redirect Arsen simulation reports → to Arsen
Redirect real malicious emails → to Microsoft
7 – Rule 1: Redirect Arsen simulation reports
7.1 – Access Exchange rules
Go to Exchange Admin Center → Mail flow → Rules
Click + Add a rule → Create a new rule
7.2 – Configure the rule
Name: Arsen Phishing Simulation Rule
7.2.1 – Conditions
The recipient is your reporting address (e.g., [email protected])
AND the email subject or body contains:
161.38.204.14 and 185.211.123.249 (manual whitelisting)
x-arsen-report (API whitelisting)
7.2.2 – Action
Add CC recipient: [email protected]
7.2.3 – Finalization
Click Save and activate the rule.
A propagation delay may occur.
7.2.4 – Rule summary
8 – Rule 2: Redirect real malicious emails to Microsoft
8.1 – Access rule creation
In Mail flow → Rules, click + Add a rule → Create a new rule
8.2 – Configure the rule
Name: Arsen Suspicious Phishing Report
8.2.1 – Condition
Recipient is the reporting address (e.g., [email protected])
8.2.2 – Action
Add CC recipient: [email protected]
8.2.3 – Exception
Except if subject or body contains:
161.38.204.14 and 185.211.123.249
Optionally: x-arsen-report (API whitelisting)
8.2.4 – Finalization
Click Save and activate the rule.
Propagation delay may apply.
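The two rules from sections 7 and 8 can also be created from Exchange Online PowerShell and then checked for consistency. This is an added example, not a script from Arsen or Microsoft; the three addresses are placeholders that must be replaced with your own values, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example: scripted equivalent of Rule 1 (section 7) and Rule 2 (section 8).
# Placeholders (assumptions): replace all three addresses before running.
$ReportingMailbox = 'reporting-mailbox@placeholder.invalid'      # mailbox from section 4
$ArsenAddress     = 'arsen-destination@placeholder.invalid'      # CC recipient of Rule 1
$MicrosoftAddress = 'microsoft-destination@placeholder.invalid'  # CC recipient of Rule 2

# One shared marker list keeps Rule 1's condition and Rule 2's exception identical,
# so every report matches exactly one of the two rules.
$ArsenMarkers = @(
    '161.38.204.14',    # manual whitelisting
    '185.211.123.249',  # manual whitelisting
    'x-arsen-report'    # API whitelisting (optional in Rule 2 per section 8.2.3)
)

Connect-ExchangeOnline  # interactive sign-in with an Exchange administrator account

# Rule 1: reports that carry an Arsen marker are copied to Arsen.
New-TransportRule -Name 'Arsen Phishing Simulation Rule' `
    -SentTo $ReportingMailbox `
    -SubjectOrBodyContainsWords $ArsenMarkers `
    -CopyTo $ArsenAddress

# Rule 2: every other report is copied to Microsoft.
New-TransportRule -Name 'Arsen Suspicious Phishing Report' `
    -SentTo $ReportingMailbox `
    -ExceptIfSubjectOrBodyContainsWords $ArsenMarkers `
    -CopyTo $MicrosoftAddress

# Check: list both rules with their state, recipients and marker lists.
$rules = Get-TransportRule | Where-Object { $_.Name -like 'Arsen *' }
$rules | Format-List Name, State, SentTo, CopyTo,
    SubjectOrBodyContainsWords, ExceptIfSubjectOrBodyContainsWords

# Check: the condition of Rule 1 and the exception of Rule 2 must hold the same markers.
$r1 = ($rules | Where-Object Name -eq 'Arsen Phishing Simulation Rule').SubjectOrBodyContainsWords
$r2 = ($rules | Where-Object Name -eq 'Arsen Suspicious Phishing Report').ExceptIfSubjectOrBodyContainsWords
if (Compare-Object ($r1 | Sort-Object) ($r2 | Sort-Object)) {
    Write-Warning 'Marker lists differ: some reports may match both rules or neither.'
}
```

If the warning appears, a simulation report could also be copied to Microsoft, which is the interference described in the warning in section 5.3.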












