Set up Report Phishing as a way for your organizations' employees to report suspicious emails. This provides insight into the suspicious emails sent to your users and creates an incident in OneView for the Admin to track and review. Receiving this information is helpful for pointing out attacks occurring within the organization and for better training your employees.
Go to Manage > Email Security, then click on Settings > Report Phishing. First check the requirements below, then follow the instructions for the appropriate email provider.
Mailbox guidelines
To set up report phishing, an admin must enter an email address to designate as the report phishing mailbox. Make sure the mailbox meets the following guidelines:
- For Microsoft 365, the mailbox should be created as a shared mailbox and does not need to be a licensed mailbox.
- For Google Workspace, the mailbox needs to be a licensed mailbox.
- The mailbox cannot belong to any user or group (e.g., distribution lists, shared inbox groups, or security groups).
- The mailbox must have a First Name property set in your email system (e.g., "Phishing").
- Use a dedicated email address like phishing@yourdomain.com. This mailbox is meant only for reports and should not be tied to an individual's primary inbox.
- The mailbox should not be a helpdesk email address, as every email forwarded to the Report Phishing Mailbox will create an incident.
- The user reporting the suspicious email needs to have their email address enabled as a protected mailbox on the Mailboxes tab.
NOTICE - After checking that the mailbox meets the guidelines, go to the Configurations > Mailboxes tab and click the refresh button. The mailbox does not appear on this tab, but this step is crucial to prevent errors with setup. Afterwards, come back to this page to continue set up.
Microsoft 365
If you're using Microsoft 365, enter an email address to assign as the mailbox that receives suspicious emails.
Set up report phishing mailbox
- Enter the email address to use for reporting phishing. See the guidelines above.
- Click Save.
- Once complete, inform your users to forward suspicious emails to the configured email address.
Set up report phishing add-on button
You can also add a button to Outlook to make forwarding suspicious emails simpler.
- Click Download XML.
- Log in to Microsoft 365 Admin Center as an Administrator.
- Go to Admin > Settings > Integrated apps > Add-ins.
- Select Deploy Add-in > Next > Upload custom apps > Choose file.
- Select the downloaded XML file and click Upload.
- Select which users to distribute the Report Phishing button to and a deployment method.
- Click Deploy.
- The button displays immediately for Outlook Web but may take up to 24 hours on Outlook Desktop.
- Once it's been deployed, inform your end-users to use the report Phishing button in Outlook to forward suspicious emails.
Note: Shared mailboxes cannot use the Report Phishing button. Have them directly forward suspicious emails to the email address instead.
Integrate with KnowBe4 Phish Alert button
If the organization uses KnowBe4, you can set up KnowBe4's Phish Alert button to additionally forward emails to the report phishing mailbox, which sends the information to your OneView console.
- Configure the KnowBe4 "Phish Alert" button to forward reported emails to the report phishing mailbox set up in OneView previously. For more information, see Phish Alert Button (PAB) Product Manual.
- Contact ThreatDown Support.
- Ensure KnowBe4 is set up with the following:
- Office Add-in Format: EML.
- Enable Email Forwarding: Checkbox is checked.
Notes
- Using this integration disables direct email forwarding to the report phishing mailbox.
- If your organization uses KnowBe4 for security awareness campaigns, inform ThreatDown Support in order to whitelist the KnowBe4 campaign emails.
Google Workspace
If you're using Google Workspace, enter an email address to designate as the mailbox that receives suspicious emails.
Set up report phishing mailbox
- Enter the email address to use for reporting phishing. See the guidelines above.
- Click Save.
- Once complete, inform your users to forward suspicious emails to the configured email address.
Return to Email Security guide.