Phishing Report Button - General information
The Phishing Report Button, an Office add-in, gets installed on your organization’s exchange server and operates locally. This means it works directly within Outlook, in the browser for Outlook Web Access, and on the mobile Outlook app. Its purpose is to enable users to make informed decisions about the safety of the emails they receive and report suspicious emails to help protect your organization.
Here's how it works:
When you open the button, the necessary JavaScript code is downloaded from the SoSafe interface (The API is located at https://reporter.sosafe.de).
The system first verifies your SoSafe license. Once it confirms you have an active license, a new dialog opens.
In this dialog, you'll see the header information of the email, such as the subject and sender, which is retrieved directly from the exchange server. You'll also find details about the email's content and any attachments.
With this information at hand, you can decide whether to report the email.
If you choose to report it, the add-in follows a specific protocol. The process varies depending on whether the email is a simulated phishing attempt or an actual suspicious email.
Simulated Mail
When you report an email that's part of a phishing training, you'll get positive feedback confirming you've correctly identified it. Each simulated email has a unique, anonymous code that securely tags it as a SoSafe email. When you use the button to check an email, it sends this code to the SoSafe Evaluation API (https://api.sosafe.de). This not only confirms the email's authenticity but also helps calculate the reporting rate in the SoSafe Manager's Analytics. Once you report it, the window will close and the email will be automatically removed from your mailbox.
Suspicious Mail
In cases where the reported email isn't from SoSafe, the report button triggers a different process. It creates a new email on the exchange server that contains the contents of the suspicious email (header, body, and attachments) as attachments. This email is then sent to your organizations security team using either the Exchange GraphAPI, REST API (deprecated by Microsoft), or EWS. After you report it, the suspicious email will be deleted from the mailbox using the chosen API.
All processing takes place on your server. The emails reported by users are never sent to SoSafe.
Further details
The supported Exchange Server and Outlook versions can be found in the compatibility matrix.
To install the button, you need a manifest file (XML format). You can download this in the SoSafe Manager.
On the left-hand side, click on “Phishing Report Button → Microsoft integrations”
Under the heading “Phishing Report Button manifest”, download the appropriate file for your environment.
If your Exchange server has a connection to the Internet, you can also download the manifest file via a URL on your server.
You will find the button installation manuals here.
It must be ensured that the email program can access the following URLs. These URLs should not be blocked by a firewall or similar:
https://sentry.sosafe.de 1
1 Recommendation: When unexpected errors occur, system information and error logs are sent to the SoSafe server. This allows errors to be detected and resolved at an early stage.