Threat Defense phishing templates simulate real-life phishing attacks and are used to accurately gauge how your organization handles phishing attacks. Part of “handling” a phishing attack may include reporting the email via the Report Message add-in for Outlook. BrainStorm recommends this configuration as its best practice.

This document outlines how to configure Exchange to allow BrainStorm to track these reported emails.

To track phishing reporting, you will need to do all of the following:

  1. Enable the Report Message Outlook add-in
  2. Designate an existing email account or create a new mailbox (to receive a copy of all reported emails)
  3. Enable forwarding
  4. Create a Bcc rule
  5. Add the BrainStorm Threat Defense contact email
  6. Configure forwarding

Enable the Report Message Outlook add-in

The Report Message add-in for Outlook and Outlook on the web allows end users to easily report phishing emails. BrainStorm Threat Defense can track these reported emails and provide the data to you in a QuickHelp Admin Portal Campaign dashboard. If you have not enabled this add-in for your organization, please find instructions here.

Designate an email account (to receive a copy of all reported emails)

When an end user reports an email as phishing, a message is sent to Microsoft, but you also need to send a copy of this email to a user in your M365 tenant. While you can use an existing user, we strongly recommend creating a new user expressly for this purpose. This email account is used in the email forwarding, Bcc rule, and forward-to-Threat-Defense steps below.

Enable forwarding

  1. Log in to the Office 365 Security & Compliance Admin Center
  2. Click Threat Management > Policy > Anti-Spam
  3. Click Create policy > Outbound
  4. Enter a name in the Name field (e.g. Forwarding for Threat Defense)
  5. Enter a description in the Description field (optional)
  6. Click Next
  7. Enter the email of the designated internal user (see above) in the Users field and select that user
  8. Click Next
  9. Enter 1000 in the Set an external message limit field
  10. Enter 1000 in the Set an internal message limit field
  11. Enter 10000 in the Set a daily message limit field
  12. Select No action, alert only from the Restriction placed on users who reach the message limit pulldown menu
  13. Select On - Forwarding is enabled from the Automatic Forwarding rules pulldown menu
  14. Click Next
  15. Review the configuration
  16. Click Create

    NOTE: Make sure that this policy is on and has the appropriate Priority

Create a Bcc Rule

This allows the reported email to be Bcc'ed to the designated internal user (see above).

  1. Log in to the Exchange admin center
  2. Click Mail flow > Rules
  3. Click the + icon
  4. Click Create a new rule…
  5. Enter a name in the Name field
  6. Click More options…

    NOTE: You must click More options… at this point in order to have the correct options in the *Apply this rule if… pulldown menu for the next step.

  7. Select The recipient … > address includes any of these words from the *Apply this rule if… pulldown menu

  8. Enter in the specify words or phrases dialog

  9. Click the + icon

  10. Click OK

  11. Select Add recipients… > to the Bcc box from the *Do the following… pulldown menu

  12. Find and select the designated internal user from above

  13. Click Add

  14. Click OK

  15. Click Save

Add the BrainStorm Threat Defense Contact

For BrainStorm to track reported emails, they need to be forwarded to a BrainStorm Threat Defense email address, which should exist as an external contact in your M365 tenant.

  1. Log in to the Exchange admin center
  2. Click Recipients > Contacts
  3. Click Add a contact
  4. Choose Mail user from the Contact type pulldown menu
  5. Enter BrainStorm in the First name field
  6. Enter Reporting in the Last name field
  7. Enter BrainStorm Reporting in the Display name field
  8. Enter in the Email field

    NOTE: While the First, Last, and Display name fields can contain other information (we recommend using our suggestions), the Email field must contain this exact email.

  9. Enter bsireporting in the Alias field

  10. Enter bsireporting as the User ID

  11. Select an organizational domain from the Domain pulldown menu

  12. Enter a password in the New password field
    You can set up any password.

  13. Enter the same password in the Confirm password field

  14. Click Add

Configure forwarding

These steps enable automatic forwarding of any email sent to your designated internal mailbox (above) to the BrainStorm Reporting email contact.

  1. Log in to the Exchange admin center
  2. Click Recipients > Mailboxes
  3. Search for the designated internal user (not the BrainStorm contact you just created)
  4. Click on the User Display Name
  5. Click Manage mail flow settings under Mail flow settings
  6. Click Email forwarding > Edit
  7. Enable Forward all emails sent to this mailbox
  8. Find and select as the Forwarding address
  9. Enable Keep a copy of forwarded email in this mailbox
  10. Click Save
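
Once all of the steps above are complete, the result can be checked from Exchange Online PowerShell. The following read-only script is an added example, not BrainStorm's or Microsoft's own code; it assumes an existing `Connect-ExchangeOnline` session, and the mailbox address and Bcc rule name are placeholders to replace with your own values.

```powershell
# Added example: read-only check of the settings configured in the steps above.
$ErrorActionPreference = 'Stop'
$ReportMailbox = 'phish-reports@contoso.example'  # placeholder: designated internal user
$PolicyName    = 'Forwarding for Threat Defense'  # example name from the Enable forwarding steps
$BccRuleName   = 'Bcc reported phishing'          # hypothetical: the name you gave the Bcc rule
$ContactAlias  = 'bsireporting'                   # alias from the contact steps
$findings = [System.Collections.Generic.List[string]]::new()

# Outbound spam policy: automatic forwarding on, alert-only restriction.
$policy = Get-HostedOutboundSpamFilterPolicy -Identity $PolicyName
if ($policy.AutoForwardingMode -ne 'On') { $findings.Add("Policy: AutoForwardingMode is '$($policy.AutoForwardingMode)', expected 'On'") }
if ($policy.ActionWhenThresholdReached -ne 'Alert') { $findings.Add("Policy: restriction is '$($policy.ActionWhenThresholdReached)', expected 'Alert'") }

# The rule that applies the policy should be enabled and cover the designated mailbox only.
$rule = Get-HostedOutboundSpamFilterRule | Where-Object { $_.HostedOutboundSpamFilterPolicy -eq $PolicyName }
if (-not $rule) { $findings.Add('Policy: no rule applies it to any sender') }
else {
    if ($rule.State -ne 'Enabled') { $findings.Add("Policy rule: state is '$($rule.State)'") }
    $from = @($rule.From)
    if ($rule.FromMemberOf -or $rule.SenderDomainIs -or $from.Count -ne 1 -or $from[0] -ne $ReportMailbox) {
        $findings.Add('Policy rule: covers senders other than the designated mailbox')
    }
}

# Bcc mail flow rule: enabled and copying to the designated mailbox.
$bcc = Get-TransportRule -Identity $BccRuleName
if ($bcc.State -ne 'Enabled') { $findings.Add("Bcc rule: state is '$($bcc.State)'") }
if (@($bcc.BlindCopyTo) -notcontains $ReportMailbox) { $findings.Add('Bcc rule: designated mailbox is not a Bcc recipient') }

# Mailbox forwarding: target is the BrainStorm contact and a local copy is kept.
$mbx = Get-Mailbox -Identity $ReportMailbox
if ($mbx.ForwardingAddress) {
    $target = Get-Recipient -Identity $mbx.ForwardingAddress
    if ($target.Alias -ne $ContactAlias) { $findings.Add("Mailbox: forwards to '$($target.Alias)', expected '$ContactAlias'") }
} elseif ($mbx.ForwardingSmtpAddress) {
    $findings.Add("Mailbox: forwards to $($mbx.ForwardingSmtpAddress); compare it with the BrainStorm address by hand")
} else { $findings.Add('Mailbox: no forwarding configured') }
if (-not $mbx.DeliverToMailboxAndForward) { $findings.Add('Mailbox: no copy of forwarded email is kept') }

# Informational: other outbound policies that also allow automatic external forwarding.
$others = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.AutoForwardingMode -eq 'On' -and $_.Name -ne $PolicyName }
foreach ($p in $others) { $findings.Add("Info: policy '$($p.Name)' also has automatic forwarding on") }

if ($findings.Count) { $findings } else { 'All checks passed' }
```

The script only calls `Get-` cmdlets, so it changes nothing in the tenant. The scope check matters because the outbound policy enables automatic external forwarding, which should apply to the one designated mailbox and no other sender.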

With tracking enabled, you will be able to see reported emails either by individual within a campaign or as an aggregated count by campaign on the main Simulated Phishing Dashboard.

By User

By Campaign