Flow Chart Overview
Compatibility with Microsoft Tools
We are fully compatible with the built-in Microsoft report button.
Additionally, we can connect to the "Report Message" add-on for enhanced reporting capabilities.
Configuration Steps
Dedicated Mailbox Creation
Customers should create a dedicated mailbox, e.g., report@domain.TLD. For better management, it is recommended that they use a shared mailbox with delegation assigned to at least one user.
Admin Configuration for Reporting
Admins configure Microsoft reports to be sent to the dedicated mailbox. These reports are sent on behalf of the user who reported the issue.
Transport Rule Setup
Implement a transport rule to send a copy of these reports to our reports mailbox for further analysis and action.
To limit the number of users reporting emails to the Incident Response (IR) system for testing purposes, follow these steps:
1. Add a condition in the report submission rule: Apply this rule if > The sender.. is this person
2. You can also use group: Apply this rule if > The sender.. is a member of this group
Report Details Extraction
Report Analysis Code
We have developed a code that extracts details from the received reports, such as the user's action (Phishing, Junk, Not Junk).
When a user clicks on "Phishing":
We receive a scan report with the comment: "I think this email is malicious."
When a user clicks on "Junk":
We receive a scan report with the comment: "I think this email is spam."
When a user clicks on "Not Junk":
We receive a scan report with the comment: "I think this email is clean."
Options
- We can configure feedback emails (handling alerts). For more information, refer to: Enabling Investigation Handling Report
- The alerts can be customized. See alerts examples here: Reports&Alerts Samples (Feb 2024) under “Handling Alerts.”
- The customer can configure Microsfot to send reports to the Incident Response (IR) team only when a user clicks 'Phishing.'
- Add the following condition to the submission transport rule:
Apply this rule if > The message headers… > include any of these words >
- specify header name: Message-ID
- specify words or phrases: Phish
Note: Microsoft 365 Specific
This configuration and reporting mechanism is tailored explicitly for Microsoft 365 environments, leveraging its built-in reporting functionalities and customizations.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article