Skip to main content
Skip table of contents

Phishing Report Button - General information

Read this article in: Deutsch, Français, Dutch

The Phishing Report Button, an Office add-in, gets installed on your organization’s exchange server and operates locally. This means it works directly within Outlook, in the browser for Outlook Web Access, and on the mobile Outlook app. Its purpose is to enable users to make informed decisions about the safety of the emails they receive and report suspicious emails to help protect your organization.

Here's how it works:

  1. When you open the button, the necessary JavaScript code is downloaded from the SoSafe interface (The API is located at

  2. The system first verifies your SoSafe license. Once it confirms you have an active license, a new dialog opens.

  3. In this dialog, you'll see the header information of the email, such as the subject and sender, which is retrieved directly from the exchange server. You'll also find details about the email's content and any attachments.

  4. With this information at hand, you can decide whether to report the email.

  5. If you choose to report it, the add-in follows a specific protocol. The process varies depending on whether the email is a simulated phishing attempt or an actual suspicious email.

Simulated Mail

When you report an email that's part of a phishing training, you'll get positive feedback confirming you've correctly identified it. Each simulated email has a unique, anonymous code that securely tags it as a SoSafe email. When you use the button to check an email, it sends this code to the SoSafe Evaluation API ( This not only confirms the email's authenticity but also helps calculate the reporting rate in the SoSafe Manager's Analytics. Once you report it, the window will close and the email will be automatically removed from your mailbox.

Suspicious Mail

In cases where the reported email isn't from SoSafe, the report button triggers a different process. It creates a new email on the exchange server that contains the contents of the suspicious email (header, body, and attachments) as attachments. This email is then sent to your organizations security team using either the Exchange GraphAPI, REST API (deprecated by Microsoft), or EWS. After you report it, the suspicious email will be deleted from the mailbox using the chosen API.

All processing takes place on your server. The emails reported by users are never sent to SoSafe.

Further details

All processing takes place on your servers. The emails reported by the user are never sent to SoSafe.

The following solutions are supported:

  • Microsoft 365 for Business / Microsoft 365 for Education

  • Exchange Server 2016, Version 15.1.544.27 (CU3) or later version

Furthermore, you should have received a manifest file in XML format (sosafe-manifest.xml), which is needed for the installation. 

The Phishing Report Button can be used with the following email clients: 

  • Microsoft 365 Outlook Web Access (OWA)

  • Outlook for Office MSO

  • Outlook 2016 for Windows

  • Outlook 2016 for Mac

  • Outlook for iOS

  • Outlook for Android

It must be ensured that the email program can access the following URLs:  

Phishing Report Button - Installation Manuals

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.