The SoSafe Phishing Reporting button is an Office add-in that is installed on the customer's Exchange server.

The add-in runs locally (in Outlook, in the browser for Outlook Web Access or the mobile Outlook app). 

After the user activates the button, the add-in first downloads the preconfigured functional logic (JavaScript code) via the SoSafe interface (API at https://reporter.sosafe.de). As a first step, the SoSafe license is checked. If an active license is confirmed, a window opens in which the header information of the mail (retrieved from the Exchange server) is displayed for the user.

The user can then use the basic information displayed (subject and sender of the suspicious mail) to make a final decision on whether to report the mail. If the user continues with the reporting process, a different logic is triggered depending on whether it is a simulated SoSafe phishing mail or a "real" suspicious mail.

Option 1: If the reported e-mail is a simulated SoSafe mail, the user receives positive feedback that the e-mail has been correctly identified as such. Each simulated SoSafe phishing mail contains an anonymous association code, which allows the mail to be reliably identified as a SoSafe mail. The button transmits this anonymous association code to the SoSafe Evaluation API (https://api.sosafe.de) when checking a mail. This check is also used to calculate the "reporting rate" figure in the reporting section of the SoSafe Manager. After the report has been made, the window closes, and the reported mail is deleted from the user's mailbox.

Option 2: If the reported mail does not originate from SoSafe, the functional logic of the report button creates a new mail on the customer's mail system (Exchange server). The button downloads the individual elements (mail header, mail body and attachments) of the suspicious mail from the Exchange server and adds these elements as attachments to the new e-mail. This new e-mail is then sent to the customer's stored SOC address using the Exchange REST API. The suspicious e-mail is then deleted from the user's mailbox using the REST API.

All processing takes place on the customer's server. The e-mails reported by the user are never sent to SoSafe.

One of the following servers is required:

  • Office 365 for Business / Office 365 for Education
  • Exchange Server 2016 (only Hybrid), Version 15.1.544.27 (CU3) or later version

Furthermore, you should have received a manifest file in XML format (sosafe-manifest-o365.xml), which is needed for the installation.
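Before deploying the manifest, an administrator can check which hosts it references and which mailbox permission it requests. The following Python sketch is an added example, not SoSafe code: the sample manifest is constructed for illustration (it is not the real sosafe-manifest-o365.xml), and the expected-host list is an assumption built from the two SoSafe hosts named above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumption: the two SoSafe hosts named on this page (code download, evaluation API).
EXPECTED_HOSTS = {"reporter.sosafe.de", "api.sosafe.de"}

# Constructed sample manifest, NOT the real sosafe-manifest-o365.xml. The
# cdn.example.net domain and the http:// icon URL are deliberate findings.
SAMPLE_MANIFEST = """<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">
  <IconUrl DefaultValue="http://reporter.sosafe.de/icon.png"/>
  <AppDomains>
    <AppDomain>https://api.sosafe.de</AppDomain>
    <AppDomain>https://cdn.example.net</AppDomain>
  </AppDomains>
  <FormSettings>
    <Form xsi:type="ItemRead">
      <DesktopSettings>
        <SourceLocation DefaultValue="https://reporter.sosafe.de/index.html"/>
      </DesktopSettings>
    </Form>
  </FormSettings>
  <Permissions>ReadWriteMailbox</Permissions>
</OfficeApp>"""

def audit_manifest(xml_text, expected_hosts=EXPECTED_HOSTS):
    """Return the requested permission plus the URLs that need review."""
    root = ET.fromstring(xml_text)
    urls, permission = set(), None
    for elem in root.iter():
        # Match on the local tag name so the check is namespace-independent.
        if elem.tag.rsplit("}", 1)[-1] == "Permissions":
            permission = (elem.text or "").strip()
        # URLs occur as element text (AppDomain) and as attributes (DefaultValue).
        for value in [elem.text or "", *elem.attrib.values()]:
            value = value.strip()
            if value.lower().startswith(("http://", "https://")):
                urls.add(value)
    parsed = {u: urlsplit(u) for u in urls}
    return {
        "permission": permission,
        "hosts": sorted({p.hostname for p in parsed.values()}),
        "unexpected": sorted(u for u, p in parsed.items() if p.hostname not in expected_hosts),
        "insecure": sorted(u for u, p in parsed.items() if p.scheme.lower() != "https"),
    }

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

To audit the file you received, pass its contents to `audit_manifest()` and compare the reported hosts with the URLs your proxy or firewall allows for the mail clients.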


After the installation is completed, the button can be used in the following mail clients:

  • Office 365 Outlook Web Access (OWA)
  • Outlook for Office MSO
  • Outlook 2016 for Windows (only in Click-to-Run installation)
  • Outlook 2016 for Mac
  • Outlook for iOS
  • Outlook for Android

It must be ensured that the mail program can access the following URLs:



Determine whether centralized deployment of add-ins works for your organization: https://docs.microsoft.com/en-us/microsoft-365/admin/manage/centralized-deployment-of-add-ins?view=o365-worldwide 


Here you can access the installation manuals for the Phishing-Reporter-Button: