When phish slip through the net…
Let your Microsoft 365 users report and remove phishing messages with just two mouse clicks.
Anyone who follows Through Technology closely will know that we have done a lot of work with central government implementing technical controls to protect organisations from phishing attacks, which remain the number one route for getting malware and ransomware into your systems.
But even if you implement technical solutions like mail scanning, SPF, DMARC and DKIM, some phishing emails will inevitably reach your users, after which you are reliant on your users following any guidance or training you have given them.
One of the best measures you can implement for those phishing attempts that do get through is simple, effective reporting and removal. If you make it easy for your staff to report a phishing message, they are more likely to do so, and thus protect their colleagues and even other organisations against the threat.
NCSC and SERS
The UK National Cyber Security Centre (NCSC) runs a Suspicious Email Reporting Service (SERS), which enables any UK individual or organisation to report phishing attempts. NCSC analyses reported messages, and its takedown service attempts to have the sites and sending infrastructure behind them removed from the internet. As of January 2022, it had removed over 135,000 suspicious addresses as a result.
Any UK individual or organisation can report to this service by simply forwarding a message to firstname.lastname@example.org.
Making it easy with Office 365
However, if you are a Microsoft 365 customer you can very easily make this much quicker and simpler for your users. With minimal effort, you can deploy the Microsoft Report Phishing add-in for Outlook, which lets your staff report a phishing attempt to both NCSC and Microsoft for investigation with just two mouse clicks. The reported email is then moved out of the user's inbox (into Deleted Items), and both NCSC and Microsoft can look into blocking the source from future attacks.
1. Add the Report Phishing add-in to your Microsoft 365 tenant.
2. Configure it to also report to NCSC.
3. Customise the end-user message.
4. Let your users know.
5. Deploy it to everyone.
Add the Report Phishing Add-in to your tenant.
Open the Microsoft 365 Admin Center and select Settings – Integrated apps.
(You might need to click "Show all" before Settings appears in the left-hand bar.)
Press the Get Apps button and search for Report Phishing and click Get it Now.
Once added, click on the Report Phishing application in the list and select Edit Users. For testing, choose the Just me (email@example.com) option so the add-in is deployed only to your own mailbox while you configure and check the rest.
Click the Update button at the bottom of the page to ensure this setting is applied. You will see a message saying it may take time to deploy the add-in to your users. Once complete you will see the Report Phishing button on the Microsoft Outlook ribbon.
Configure the add-in to report to Microsoft and NCSC.
By default, pressing this button only reports the message to Microsoft (the add-in sends it, as an attachment, to Microsoft's reporting mailbox). It is easy to add a mail flow rule that copies that report to NCSC as well.
In the Microsoft 365 Admin Center, navigate to the Exchange Admin Center.
From there, navigate to Mail Flow – Rules.
Hit the + button to create a new rule.
Give the rule a meaningful title, like “NCSC Phishing Report”.
Set Apply this rule if to The recipient is firstname.lastname@example.org (the Microsoft reporting mailbox the add-in sends to).
Set Do the following to Add recipients to the Bcc box and enter the NCSC SERS address, email@example.com. If you want your own security or IT team to see what is being reported, add their shared mailbox to the same Bcc action rather than to the condition.
Click the Save button. The rule will be added and should look like this:
Customise the message to your users
When users click the Report Phishing button, the email is now sent to both Microsoft and NCSC. However, the pop-up they see only tells them that they are sharing information with Microsoft, and a reported email can contain personally identifiable information (the user's own address, names in the thread, anything quoted in the body). Users should be told plainly who will receive it, so there are a couple of simple steps to customise the notification.
Return to the Microsoft 365 Admin Center and select Security, to open Microsoft 365 Defender.
From the very bottom of the menu, select Policies and Rules and choose Threat policies from the menu.
From the Threat Policies menu, select Others – User reported message settings. A User Submissions screen will be displayed.
Enter title and message that you want users to see when they report a suspected phishing message. Here is how we have it set:
Click the Save button to apply your changes.
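The same two settings (the mail flow rule from the previous section and the pre-submission pop-up from this one) can be applied and verified from PowerShell, which is useful for repeatable builds or for checking what a tenant actually has in place. The script below is an added example written for this page; it is not from the original post, and it does not deploy the add-in itself (that stays in Integrated apps as described above). It assumes the ExchangeOnlineManagement module (v3 or later), an account with Exchange admin rights for the transport rule and Security admin rights for the report submission policy, and that the two addresses, which the post shows as placeholders, are supplied as parameters. The defaults given are the publicly documented mailboxes (Microsoft's phishing submissions mailbox and the NCSC SERS address); confirm both against current Microsoft and NCSC documentation before use. The rule name and pop-up wording are this example's choices.

```powershell
# Added example (not from the original post): build the "NCSC Phishing Report" mail
# flow rule and the user-reported pop-up text, then print what is actually in effect.
# Assumes ExchangeOnlineManagement v3+ and suitable admin roles (see lead-in).
param(
    # Mailbox the Report Phishing add-in submits to (publicly documented; verify).
    [string]$MicrosoftReportAddress = 'phish@office365.microsoft.com',
    # NCSC Suspicious Email Reporting Service address (publicly documented; verify).
    [string]$SersAddress            = 'report@phishing.gov.uk',
    # Optional: your own security team's shared mailbox, copied on every report.
    [string[]]$ExtraBcc             = @(),
    [string]$RuleName               = 'NCSC Phishing Report',
    [string]$PopupTitle             = 'Report this message as phishing?',
    [string]$PopupText              = 'The message, including any personal information in it, ' +
                                      'will be shared with Microsoft and with the NCSC Suspicious ' +
                                      'Email Reporting Service so the sender can be investigated ' +
                                      'and blocked. It will then be moved to Deleted Items.'
)

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -ShowBanner:$false

# --- 1. Mail flow rule: when a report goes to Microsoft, Bcc NCSC (and optional extras) ---
$bcc = @($SersAddress) + $ExtraBcc
$existing = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-TransportRule -Name $RuleName `
        -SentTo $MicrosoftReportAddress `
        -BlindCopyTo $bcc `
        -Mode Enforce `
        -Comments 'Copies user-reported phishing submissions to NCSC SERS.' | Out-Null
    Write-Host "Created mail flow rule '$RuleName'."
} else {
    # Re-running the script converges the recipients instead of creating a duplicate rule.
    Set-TransportRule -Identity $RuleName -SentTo $MicrosoftReportAddress -BlindCopyTo $bcc
    Write-Host "Updated mail flow rule '$RuleName'."
}

# --- 2. Pop-up shown before submission (Defender > User reported settings) ---------------
Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy `
    -EnableReportToMicrosoft $true `
    -PreSubmitMessageEnabled $true `
    -PreSubmitMessageTitle $PopupTitle `
    -PreSubmitMessage $PopupText

# --- 3. Check: read back the live configuration rather than trusting the calls above ------
$rule = Get-TransportRule -Identity $RuleName
[pscustomobject]@{
    Rule        = $rule.Name
    State       = $rule.State
    SentTo      = ($rule.SentTo -join ', ')
    BlindCopyTo = ($rule.BlindCopyTo -join ', ')
} | Format-List

Get-ReportSubmissionPolicy |
    Select-Object PreSubmitMessageEnabled, PreSubmitMessageTitle, PreSubmitMessage |
    Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

After running it, report a harmless test message from the pilot mailbox and confirm the copy actually reaches the external address (a message trace in the Exchange Admin Center, or Get-MessageTrace, will show the Bcc recipient). If the Microsoft submission arrives but the external copy does not, check whether your tenant's outbound spam policy restricts automatic external forwarding, since that can stop copies leaving the tenant; the wording of the pop-up is also the right place to state, as the section above says, that personal information in the reported message is shared with both parties.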
Tell your users about it.
Send a message out to your users notifying them of the change and telling them about the new button in Microsoft Outlook and what it does, to protect them, their colleagues, other UK organisations and other Microsoft customers from Phishing attacks.
Activate it for everyone
Return to the Report Phishing app settings that we looked at initially. (Go to Microsoft 365 Admin Center – Settings – Integrated Apps – Report Phishing).
Click the Edit Users link.
Click Specific users/groups and add the users or groups who should receive the Report Phishing button. This is useful if you want a phased rollout. Or:
Select Entire organisation to deploy it to every instance of Outlook (desktop and Outlook on the web).
Click Save to apply your changes.
It may take a short while for all users to see the Report Phishing button, but within a day everyone in your organisation will be able to report and remove a phishing email with just two mouse clicks.
First they click the Report Phishing button on the ribbon.
Then they click Report, and they're done.
And all our IT systems will be a safer place.
If your organisation would like further assistance to ensure your Microsoft 365 solution is secure and compliant with any relevant standards or legislation, please contact firstname.lastname@example.org.