Configure Malicious Message Reporting

One of the ways that Phishing Response receives information about email threats is by reporting from within the organization. Many email products and add-ons enable individuals within an organization to report malicious messages, usually from within the email client software. Such software is sometimes framed as only for phish reporting, but it can be used to report any suspicious email messages.

Some examples include:

  • Report Message add-in for Microsoft Office 365
  • KnowBe4 Phish Alert Button
  • Wombat PhishAlarm
  • Cofense Reporter

The configuration of malicious message reporting is done in those products, and configuring them so that Phishing Response receives the reports is fundamentally a matter of one thing: Reported messages must be directed to the <symbolicname>@phish.air.agari.com email address, where <symbolicname> is the unique name identifying the organization.

TIP: An organization's <symbolicname>, which is determined by Agari when an organization's account is first created, can be found in the URL in the browser's address bar after logging in, and it is the first part of that URL. For example, an organization called Sashimi Bank might have the <symbolicname> of sashimibank, which you can see in it's URL: https://sashimibank.air.agari.com.

For example, the Microsoft Office 365 documentation has the section "Use the EAC to create a mail flow rule to receive copies of reported messages" in the Use mail flow rules topic for Office 365 administrators. Follow these instructions and use the email address as described below:

Use the EAC to create a mail flow rule to receive copies of reported messages :

  1. In the EAC, go to Mail flow > Rules.

  2. Click Add and then select Create a new rule.

  3. In the New rule page that opens, configure the following settings:

    • Name: Enter a unique, descriptive name for the rule. For example, Bcc Messages Reported to Microsoft.

    • Click More Options.

    • Apply this rule if: Select The recipient > address includes any of these words: In the Specify words or phrases dialog that appears, enter one of the following values, click Add, and repeat until you've entered all the Microsoft email values below:

      • Required:

        • phish@office365.microsoft.com

      • Optional:

        • junk@office365.microsoft.com

        • abuse@messaging.microsoft.com

      • To edit an entry, select it and click Edit. To remove an entry, select it and click Remove.

      • When you're finished, click OK.

    • Do the following: Select Add recipients > to the Bcc box. In the dialog that appears, find and input the recipient: <symbolicname>@phish.air.agari.com

      • NOTE:

      Reported messages must be directed to the <symbolicname>@phish.air.agari.com email address, where <symbolicname> is the unique name identifying the organization.

    • When you're finished, click OK.

  4. You can make additional selections to audit the rule, test the rule, activate the rule during a specific time period, and other settings. We recommend testing the rule before you enforce it.

  5. When you're finished, click Save.

TIP:

Other products are configured similarly; check the documentation for those products for details.