QuickHelp Support Center

Threat Defense phishing templates simulate real-life phishing attacks and are used to accurately gauge how your organization handles phishing attacks. Part of “handling” a phishing attack may include reporting the email via the Report Message add-in for Outlook. QuickHelp recommends this configuration as its best practice.

This document outlines how to configure Exchange to allow QuickHelp to track these reported emails.

To track phishing Reporting, you will need to do all the following:

Enable the Report Message Outlook add-in

Designate an existing email account or create a new mailbox (to receive a copy of all reported emails)

Enable forwarding

Create a Bcc rule

Add the BrainStorm Threat Defense contact email

Configure forwarding

Enable the Report Message Outlook add-in

The Report Message add-in for Outlook and Outlook on the web allows end users to easily report phishing emails. BrainStorm Threat Defense can track these reported emails and provide the data to you in a QuickHelp Admin Portal Campaign dashboard. If you have not enabled this add-in for your organization, please find instructions here.

Designate an email account (to receive a copy of all reported emails)

When an end user reports an email as phishing, a message is sent to Microsoft, but you also need to send a copy of this email to a user in your M365 tenant. While you can use an existing user, we strongly recommend creating a new user expressly for this purpose. This email will be used for the email forwarding, Bcc rule, and forward to a Threat Defense Email steps.

Enable forwarding

1. Log in to the Office 365 Security & Compliance Admin Center
2. Click Threat Management > Policy > Anti-Spam
   
3. Click Create policy > Outbound
   
4. Enter a name in the Name field (e.g. Forwarding for Threat Defense)
5. Enter a description in the Description field (optional)
6. Click Next
   
7. Enter the email of and select the designated internal user (see above) in the Users field
8. Click Next
   
9. Enter 1000 in the Set an external message limit field
10. Enter 1000 in the Set an internal message limit field
11. Enter 10000 in the Set a daily message limit field
12. Select No action, alert only from the Restriction placed on users who reach the message limit pulldown menu
13. Select On - Forwarding is enabled from the Automatic Forwarding rules pulldown menu
14. Click Next
    
15. Review the configuration
16. Click Create
    

    NOTE: Make sure that this policy is on and has the appropriate Priority

    
    

Create a Bcc Rule

This allows the reported email to be Bcc'ed to the designated internal user (see above).

1. Log in to the Exchange admin center
2. Click Mail flow > Rules
   
3. Click the + icon
4. Click Create a new rule…
   
5. Enter a name in the Name field
6. Click More options…

   NOTE: You must click More options… at this point in order to have the correct options in the *Apply this rule if… pulldown menu for the next step.
   

7. Select The recipient … > address includes any of these words from the *Apply this rule if… pulldown menu
   

8. Enter phish@office365.microsoft.com in the specify words or phrases dialog

9. Click the + icon

10. Click OK
    

11. Click add condition
    

12. Select Any attachment … > content includes any of these words from the new *Apply this rule if… pulldown menu

13. Enter bs-phishing-email-reporting in the specify words or phrases dialog

14. Click the + icon
15. Click OK
    

16. Select Add recipients… > to the Bcc box from the *Do the following… pulldown menu

17. Find and select the designated internal user from above

18. Click Add

19. Click OK
    

20. Click Save

Add the BrainStorm Threat Defense Contact

For QuickHelp to track Reported emails, these emails need to be forwarded to a BrainStorm Threat Defense email which should exist as an external contact in your M365 tenant.

1. Log in to the Exchange admin center
2. Click Recipients > Contacts
   
3. Click Add a contact
   
4. Choose Mail user from the Contact type pulldown menu
5. Enter BrainStorm in the First name field
6. Enter Reporting in the Last name field
7. Enter BrainStorm Reporting in the Display name field
8. Enter brainstormreporting@brainstorminc.com in the Email field

   NOTE: While the First, Last, and Display name fields can contain other information (we recommend using our suggestions), the Email field must contain this exact email.

9. Enter bsireporting in the Alias field

10. Enter bsireporting as the User ID

11. Select an organizational domain from the Domain pulldown menu

12. Enter a password in the New password field
    You can set up any password.

13. Enter the same password in the Confirm password field

14. Click Add
    
    

Configure forwarding

This steps will enable automatic forwarding of any email sent to your internal email (above) to the BrainStorm Threat Defense Reporting email contact.

1. Log in to the Exchange admin center
2. Click Recipients > Mailboxes
   
3. Search for the designated internal user (not the BrainStorm Threat Defense contact you just created)
4. Click on the User Display Name
5. Click Manage mail flow settings under Mail flow settings
   
6. Click Email forwarding > Edit
   
7. Enable Forward all emails sent to this mailbox
8. Find and select brainstormreporting@brainstorminc.com as the Forwarding address
9. Enable Keep a copy of forwarded email in this mailbox
10. Click Save
    

With Tracking enabled, you will be able to see Reported emails both by individuals within a campaign or an aggregated count by Campaign on the main Simulated Phishing Dashboard.

By User*

By Campaign