The SoSafe Phishing Report Button is an Office add-in that is installed on the customer's Exchange server.

The add-in runs locally: in Outlook, in the browser for Outlook Web Access, or in the mobile Outlook app.

After the user activates the button, the add-in first downloads the preconfigured functional logic (JavaScript code) via the SoSafe interface (API at https://reporter.sosafe.de). As a first step, the SoSafe license is checked. If an active license is confirmed, a window opens that shows the user the header information of the email (retrieved from the Exchange server).

The user can then use the basic information displayed (subject and sender of the suspicious email) to make a final decision on whether to report the email. If the user continues with the reporting process, a different logic is triggered depending on whether it is a simulated phishing email or a "real" suspicious email.


Option 1: If the reported email is a simulated phishing email, the user will receive positive feedback that the email has been correctly identified as such. Each simulated phishing email contains an anonymous association code, which allows the email to be safely identified as a SoSafe email. The button transmits this anonymous mapping code to the SoSafe Evaluation API (https://api.sosafe.de) when checking an email. This check also serves to calculate the "reporting rate" figure in the reporting section of the SoSafe Manager. After the report has been made, the window closes, and the reported email is deleted from the user's mailbox.


Option 2: If the reported email does not originate from SoSafe, the functional logic of the report button creates a new email in the customer's mail system (Exchange server). The button downloads the individual elements (email header, email body and attachments) of the suspicious email from the Exchange server and adds these elements as attachments to the new email. This new email is then sent to the customer's stored SOC address using the Exchange REST API. The suspicious email is then deleted from the user's mailbox using the REST API.



All processing takes place on the customer's server. The emails reported by the user are never sent to SoSafe.



One of the following servers is required:

  • Microsoft 365 for Business / Microsoft 365 for Education
  • Exchange Server 2016, Version 15.1.544.27 (CU3) or later

Furthermore, you should have received a manifest file in XML format (sosafe-manifest.xml), which is needed for the installation. 
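
Before deploying the manifest, an administrator can check which URLs and mailbox permission it declares. The following is an added example, not SoSafe code: the sample manifest is constructed in the general Office add-in manifest layout (it is not the real sosafe-manifest.xml), and the allow-list contains only the two hosts named on this page, which is an assumption to adjust.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts named on this page; treating them as the complete allow-list is an assumption.
ALLOWED_HOSTS = {"reporter.sosafe.de", "api.sosafe.de"}

# Constructed, trimmed sample in Office add-in manifest layout; NOT the real sosafe-manifest.xml.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
           xmlns:bt="http://schemas.microsoft.com/office/officeappbasictypes/1.0">
  <IconUrl DefaultValue="https://reporter.sosafe.de/icon-64.png"/>
  <AppDomains><AppDomain>https://cdn.example.net</AppDomain></AppDomains>
  <FormSettings><Form><DesktopSettings>
    <SourceLocation DefaultValue="https://reporter.sosafe.de/index.html"/>
  </DesktopSettings></Form></FormSettings>
  <Permissions>ReadWriteMailbox</Permissions>
  <Resources><bt:Urls>
    <bt:Url id="fn" DefaultValue="http://reporter.sosafe.de/fn.html"/>
  </bt:Urls></Resources>
</OfficeApp>"""


def audit_manifest(xml_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (permissions, findings) for an Office add-in manifest."""
    root = ET.fromstring(xml_text)
    urls, permissions = [], []
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if name == "Permissions" and el.text:
            permissions.append(el.text.strip())
        elif name == "AppDomain" and el.text:
            urls.append((name, el.text.strip()))
        elif "://" in el.attrib.get("DefaultValue", ""):
            urls.append((name, el.attrib["DefaultValue"]))
    findings = []
    for name, url in urls:
        parts = urlparse(url)
        if parts.scheme != "https":
            findings.append(f"{name}: not HTTPS: {url}")
        if parts.hostname not in allowed_hosts:
            findings.append(f"{name}: unexpected host: {url}")
    return permissions, findings


if __name__ == "__main__":
    perms, issues = audit_manifest(SAMPLE_MANIFEST)
    print("Requested permissions:", perms)
    print("\n".join(issues) or "No findings")
```

Run it against the manifest you received by passing the file's contents to `audit_manifest`, and extend the allow-list with the hosts from your copy of the required-URL list.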


After the installation is completed, the button can be used in the following email clients:

  • Microsoft 365 Outlook Web Access (OWA)
  • Outlook for Office MSO
  • Outlook 2016 for Windows (only in Click-to-Run installation)
  • Outlook 2016 for Mac
  • Outlook for iOS
  • Outlook for Android

It must be ensured that the email program can access the following URLs:



Determine whether centralized deployment of add-ins works for your organization: https://docs.microsoft.com/en-us/microsoft-365/admin/manage/centralized-deployment-of-add-ins?view=o365-worldwide 


Here you can access the installation manuals for the Phishing Report Button:



1 Recommended: When unexpected errors occur, system information and error logs are sent to SoSafe servers. This allows errors to be detected and corrected at an early stage.