Threat Defense phishing templates simulate real-life phishing attacks and are used to accurately gauge how your organization handles phishing attacks. Part of “handling” a phishing attack may include reporting the email via the Report Message add-in for Outlook. QuickHelp recommends this configuration as its best practice.
This document outlines how to configure Exchange to allow QuickHelp to track these reported emails.
To track phishing Reporting, you will need to do all the following:
Enable the Report Message Outlook add-in
Designate an existing email account or create a new mailbox (to receive a copy of all reported emails)
Add the BrainStorm Threat Defense contact email
Enable the Report Message Outlook add-in
The Report Message add-in for Outlook and Outlook on the web allows end users to easily report phishing emails. BrainStorm Threat Defense can track these reported emails and provide the data to you in a QuickHelp Admin Portal Campaign dashboard. If you have not enabled this add-in for your organization, please find instructions here.
Designate an email account (to receive a copy of all reported emails)
When an end user reports an email as phishing, a message is sent to Microsoft, but you also need to send a copy of this email to a user in your M365 tenant. While you can use an existing user, we strongly recommend creating a new user expressly for this purpose. This email will be used for the email forwarding, Bcc rule, and forward to a Threat Defense Email steps.
Enable forwarding
- Click here to access the Microsoft Security Settings page.
- Select the designated internal user into input 'Add an exchange online mailbox to send reported messages to.'
- Log in to the Office 365 Security & Compliance Admin Center
- Click Threat Management > Policy > Anti-Spam
- Click Create policy > Outbound
- Enter a name in the Name field (e.g. Forwarding for Threat Defense)
- Enter a description in the Description field (optional)
- Click Next
- Enter the email of and select the designated internal user (see above) in the Users field
- Click Next
- Enter 1000 in the Set an external message limit field
- Enter 1000 in the Set an internal message limit field
- Enter 10000 in the Set a daily message limit field
- Select No action, alert only from the Restriction placed on users who reach the message limit pulldown menu
- Select On - Forwarding is enabled from the Automatic Forwarding rules pulldown menu
- Click Next
- Review the configuration
- Click Create
NOTE: Make sure that this policy is on and has the appropriate Priority
Create a Bcc Rule
This allows the reported email to be Bcc'ed to the designated internal user (see above).
- Log in to the Exchange admin center
- Click Mail flow > Rules
- Click the + icon
- Click Create a new rule…
- Enter a name in the Name field
- Click More options…
NOTE: You must click More options… at this point in order to have the correct options in the *Apply this rule if… pulldown menu for the next step.
Select The recipient … > address includes any of these words from the *Apply this rule if… pulldown menu
Enter [email protected] in the specify words or phrases dialog
Click the + icon
Click OK
Click add condition
Select Any attachment … > content includes any of these words from the new *Apply this rule if… pulldown menu
Enter bs-phishing-email-reporting in the specify words or phrases dialog
- Click the + icon
- Click OK
Select Add recipients… > to the Bcc box from the *Do the following… pulldown menu
Find and select the designated internal user from above
Click Add
Click OK
Click Save
Add the BrainStorm Threat Defense Contact
For QuickHelp to track Reported emails, these emails need to be forwarded to a BrainStorm Threat Defense email which should exist as an external contact in your M365 tenant.
- Log in to the Exchange admin center
- Click Recipients > Contacts
- Click Add a contact
- Choose Mail user from the Contact type pulldown menu
- Enter BrainStorm in the First name field
- Enter Reporting in the Last name field
- Enter BrainStorm Reporting in the Display name field
- Enter [email protected] in the Email field
NOTE: While the First, Last, and Display name fields can contain other information (we recommend using our suggestions), the Email field must contain this exact email.
Enter bsireporting in the Alias field
Enter bsireporting as the User ID
Select an organizational domain from the Domain pulldown menu
Enter a password in the New password field
You can set up any password.Enter the same password in the Confirm password field
Click Add
Configure forwarding
This steps will enable automatic forwarding of any email sent to your internal email (above) to the BrainStorm Threat Defense Reporting email contact.
- Log in to the Exchange admin center
- Click Recipients > Mailboxes
- Search for the designated internal user (not the BrainStorm Threat Defense contact you just created)
- Click on the User Display Name
- Click Manage mail flow settings under Mail flow settings
- Click Email forwarding > Edit
- Enable Forward all emails sent to this mailbox
- Find and select [email protected] as the Forwarding address
- Enable Keep a copy of forwarded email in this mailbox
- Click Save
With Tracking enabled, you will be able to see Reported emails both by individuals within a campaign or an aggregated count by Campaign on the main Simulated Phishing Dashboard.
By User*
By Campaign