Phishing Report Button - General information
The Phishing Report Button, an Office add-in, gets installed on your organization’s exchange server and operates locally. This means it works directly within Outlook, in the browser for Outlook Web Access, and on the mobile Outlook app. Its purpose is to enable users to make informed decisions about the safety of the emails they receive and report suspicious emails to help protect your organization.
Here's how it works:
When you open the button, the necessary JavaScript code is downloaded from the SoSafe interface (The API is located at https://reporter.sosafe.de).
The system first verifies your SoSafe license. Once it confirms you have an active license, a new dialog opens.
In this dialog, you'll see the header information of the email, such as the subject and sender, which is retrieved directly from the exchange server. You'll also find details about the email's content and any attachments.
With this information at hand, you can decide whether to report the email.
If you choose to report it, the add-in follows a specific protocol. The process varies depending on whether the email is a simulated phishing attempt or an actual suspicious email.
Simulated Mail
When you report an email that's part of a phishing training, you'll get positive feedback confirming you've correctly identified it. Each simulated email has a unique, anonymous code that securely tags it as a SoSafe email. When you use the button to check an email, it sends this code to the SoSafe Evaluation API (https://api.sosafe.de). This not only confirms the email's authenticity but also helps calculate the reporting rate in the SoSafe Manager's Analytics. Once you report it, the window will close and the email will be automatically removed from your mailbox.
Suspicious Mail
In cases where the reported email isn't from SoSafe, the report button triggers a different process. It creates a new email on the exchange server that contains the contents of the suspicious email (header, body, and attachments) as attachments. This email is then sent to your organizations security team using either the Exchange GraphAPI, REST API (deprecated by Microsoft), or EWS. After you report it, the suspicious email will be deleted from the mailbox using the chosen API.
All processing takes place on your server. The emails reported by users are never sent to SoSafe.
Further details
All processing takes place on your servers. The emails reported by the user are never sent to SoSafe.
The following solutions are supported:
Microsoft 365 for Business / Microsoft 365 for Education
Exchange Server 2016, Version 15.1.544.27 (CU3) or later version
Furthermore, you should have received a manifest file in XML format (sosafe-manifest.xml), which is needed for the installation.
The Phishing Report Button can be used with the following email clients:
Microsoft 365 Outlook Web Access (OWA)
Outlook for Office MSO
Outlook 2016 for Windows
Outlook 2016 for Mac
Outlook for iOS
Outlook for Android
It must be ensured that the email program can access the following URLs:
https://sentry.sosafe.de 1
1 Recommendation: When unexpected errors occur, system information and error logs are sent to the SoSafe server. This allows errors to be detected and resolved at an early stage.