(Beta) Phishing Report Button
We’re getting ready to release an improved version of the Phishing Report Button! If you’re part of the Beta phase, this is your go-to spot for documentation. If you’re not part of the Beta, feel free to take a look! While the installation itself has not changed, the documentation has been streamlined and you’ll be able to get an advance look at some of the changes.
Technical overview
The Phishing Report Button (PRB) is an add-in for Microsoft Outlook that lets your employees report emails they think might be malicious. These add-ins are easily installed on your organisation’s Exchange server and operate locally. This means they work directly within Outlook, in the browser for Outlook Web Access, and on the mobile Outlook app.
The Phishing Report Button add-in is built with HTML, CSS, and JavaScript; it is not an old COM+ plugin. Because it uses web technologies, the add-in can also be used in OWA (Outlook on the Web) or in the mobile Outlook apps.
The add-in is deployed to the Exchange environment via a manifest file (see Installing the Phishing Report Button). The manifest contains all configuration for the display, the access rights, and references to the add-in host. The Microsoft REST API (on-premises setups), Graph API, or EWS (Exchange Web Services) can be used as the interface to the Exchange Server.
In addition, when it starts, the button first obtains a configuration package from our SoSafe server.
Host of the add-in:
https://reporter.sosafe.de
SoSafe API URL:
https://api.sosafe.de/v1
The add-in specifically accesses the following endpoints:
API:
| To retrieve the access token |
| To retrieve the email header |
| To send the email |
| To delete the email |
| To retrieve an attachment |
EWS:
getCallbackTokenAsync
makeEwsRequestAsync
How a report works
When your users open the button, the necessary JavaScript code is downloaded behind the scenes from the SoSafe interface (the API is located at https://reporter.sosafe.de). The system first verifies your SoSafe license. Once it confirms an active license, a new dialog opens.
Users will see the header information of the email, such as the subject and sender, which is retrieved directly from the Exchange server. They will also find details about the email content and any attachments.
With this information at hand, your users can decide whether to report the email.
If they choose to report it, the add-in follows a specific protocol. The process varies depending on whether the email is a simulated phishing attempt or an actual suspicious email.
Reporting a simulated mail
When your users report an email that's part of a phishing training, they’ll get positive feedback confirming they’ve correctly identified it. Each simulated email has a unique, anonymous code that securely tags it as a SoSafe email. When they use the button to check an email, the PRB sends this code to the SoSafe Evaluation API (https://api.sosafe.de). This not only confirms the email's authenticity but also helps calculate the reporting rate in the SoSafe Manager's Analytics (learn more in our Analytics documentation). Once an email is reported, the window will close and the email will be automatically removed from the mailbox.
Reporting a suspicious mail
In cases where the reported email isn't from SoSafe, the PRB triggers a different process. It creates a new email on the Exchange server that contains the contents of the suspicious email (header, body, and attachments) as attachments. This email is then sent to your organization's security team using either the Exchange Graph API, REST API (deprecated by Microsoft), or EWS. After it’s reported, the suspicious email will be deleted from the mailbox using the chosen API.
All processing takes place on your server. The emails reported by users are never sent to SoSafe unless Threat Inbox is turned on and/or via your chosen email forwarding method, which you can read more about here.