Building Phishing Reporting Button Workflow

Implement a phishing report button in email clients with automated triage workflow that analyzes user-reported

What Is This

The "Building Phishing Reporting Button Workflow" skill demonstrates how to implement a phishing report button within email clients (most notably Microsoft Outlook and Microsoft 365) together with an automated triage workflow. This workflow collects user-reported suspicious emails, analyzes them, extracts indicators of compromise (IOCs), and provides feedback to users. The purpose is to close the loop between end users and security teams, improving organizational defenses against phishing attacks. The skill leverages Microsoft's built-in Report button and modern SOAR (Security Orchestration, Automation, and Response) platforms, and integrates with incident response processes for faster detection and remediation.

The workflow aligns with key cybersecurity frameworks (such as NIST CSF and MITRE ATT&CK), specifically targeting phishing and social engineering threats. It is especially relevant for organizations seeking to increase user engagement in security reporting, comply with regulatory requirements, and automate incident response.

Why Use It

Phishing remains one of the most prevalent attack vectors, with adversaries frequently using email to deliver malicious payloads, harvest credentials, or perform social engineering. Traditional email protection technologies, while effective, are not infallible. End users are often the first line of defense and can provide early warning by reporting suspicious emails.

Implementing a phishing report button workflow offers several advantages:

  • Empowers End Users: Users can quickly report suspicious emails with a single click, reducing friction and increasing reporting rates.
  • Automated Triage: SOAR integration can automatically analyze reported emails, extract threat intelligence, and trigger containment or remediation actions.
  • Faster Incident Response: Security teams receive actionable alerts with context, reducing mean time to detection (MTTD) and mean time to response (MTTR).
  • Compliance and Auditability: Many frameworks (like NIST CSF and MITRE ATT&CK) recommend or require user-reporting and incident response capabilities.
  • Security Awareness Feedback: Users who report can receive automated feedback, reinforcing awareness and engagement.

Organizations with mature phishing reporting workflows have seen report rates above 70 percent during phishing simulations, dramatically improving their resilience.

How to Use It

1. Enable the Built-in Phishing Report Button

For Microsoft 365 environments, Microsoft recommends using the built-in Report button in Outlook, which supersedes older add-ins like "Report Message" and "Report Phishing." This button can be enabled organization-wide via the Microsoft 365 Defender portal.

Example: Enabling the Built-in Report Button via PowerShell

## Connect to Exchange Online (requires the ExchangeOnlineManagement module;
## admin@yourdomain.com is a placeholder for your own admin account)
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

## Enable the built-in phishing reporting functionality for all users.
## Parameter names for user-reported settings change between module versions;
## confirm this one against Get-Help Set-OrganizationConfig -Full before running.
Set-OrganizationConfig -ReportJunkEmailEnabled $true

2. Configure Email Routing for Reported Items

Reported emails can be automatically forwarded to a dedicated mailbox or a security operations system. Set up a rule to route these emails for further triage.

Example: Mail Flow Rule in Exchange Online

## Create a transport rule that redirects reported messages to the triage mailbox.
## The subject keyword must match what your reporting button puts in the subject,
## and phishing-reports@yourdomain.com is a placeholder for your dedicated mailbox.
New-TransportRule -Name "Phishing Report Redirect" `
    -SubjectContainsWords "Phishing report" `
    -RedirectMessageTo "phishing-reports@yourdomain.com"

3. Integrate with SOAR for Automated Triage

Leverage a SOAR platform (such as Microsoft Sentinel or Splunk SOAR) to automate the triage process. The SOAR playbook can:

  • Extract IOCs from the reported email (sender, URLs, attachments)
  • Check against threat intelligence feeds
  • Create or update incidents in the security operations platform
  • Notify security analysts or trigger automated response actions

Example: Pseudocode for SOAR Playbook

# Pseudocode: extract_iocs, check_threat_intel, auto_quarantine, notify_user and
# log_incident stand for actions supplied by the SOAR platform's playbook library.
def triage_reported_email(email):
    iocs = extract_iocs(email)               # sender, URLs, attachment hashes
    verdict = check_threat_intel(iocs)       # look the IOCs up in TI feeds
    if verdict == 'malicious':
        auto_quarantine(email)               # containment: remove from mailboxes
        notify_user(email.sender, "Malicious email detected and removed.")
    else:
        notify_user(email.sender, "No threat detected. Thank you for reporting.")
    log_incident(email, iocs, verdict)       # create/update the incident record

4. Provide Feedback to Reporters

Automate feedback to users who report emails, letting them know the outcome. This reinforces security awareness and keeps users engaged.

Example: Automated Feedback Email (PowerShell)

## $reporter holds the reporter's address taken from the triage step;
## smtp.yourdomain.com is a placeholder for your relay (Send-MailMessage needs
## -SmtpServer or $PSEmailServer to be set).
Send-MailMessage -To $reporter -From "security@yourdomain.com" `
    -SmtpServer "smtp.yourdomain.com" `
    -Subject "Phishing Report Update" `
    -Body "Thank you for reporting. Our analysis team has reviewed your submission."
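The following is an added, self-contained worked example (not code from the original page or from any SOAR vendor) that fills in the triage playbook from step 3 and the feedback text from step 4. It parses a reported message, extracts the sender, URL hosts and attachment hashes, scores them against a constructed threat-intelligence list, and returns the verdict, the actions to take and the feedback message for the reporter. It goes slightly beyond the pseudocode by adding a "suspicious" verdict for risky attachment types that have no feed hit, which is the case an analyst most often needs to look at. The sample message, the THREAT_INTEL entries and the RISKY_EXTENSIONS list are all constructed for illustration; a real playbook would replace the list with a feed lookup and the returned "actions" with the platform's quarantine and notification steps.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample of a user-reported message (not a real capture). In a real
# deployment the playbook receives this from the phishing-reports mailbox.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@example-phish.test>
To: alice@corp.example
Subject: Your password expires today
Date: Mon, 01 Jan 2024 09:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY42"

--BOUNDARY42
Content-Type: text/plain; charset="utf-8"

Your password expires today. Verify it at http://login.example-phish.test/reset?u=alice
--BOUNDARY42
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--BOUNDARY42--
"""

# Constructed threat-intelligence list standing in for a real feed lookup (assumption).
THREAT_INTEL = {
    "domains": {"example-phish.test"},
    "sha256": set(),
}

# Attachment extensions that earn a "suspicious" verdict even without a feed hit (assumption).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk")

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def extract_iocs(raw_message):
    """Parse the reported message and return sender, URL hosts and attachment hashes."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    urls, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments.append({
                "filename": part.get_filename() or "",
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))
    return {
        "sender": sender,
        "sender_domain": sender.rsplit("@", 1)[-1] if "@" in sender else "",
        "urls": urls,
        "url_hosts": sorted({urlsplit(u).hostname or "" for u in urls}),
        "attachments": attachments,
    }


def _domain_listed(host):
    """True if host is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in THREAT_INTEL["domains"])


def check_threat_intel(iocs):
    """Return 'malicious', 'suspicious' or 'clean' for the extracted indicators."""
    if _domain_listed(iocs["sender_domain"]) or any(_domain_listed(h) for h in iocs["url_hosts"]):
        return "malicious"
    if any(a["sha256"] in THREAT_INTEL["sha256"] for a in iocs["attachments"]):
        return "malicious"
    if any(a["filename"].lower().endswith(RISKY_EXTENSIONS) for a in iocs["attachments"]):
        return "suspicious"
    return "clean"


# Feedback text per verdict, mirroring the messages in the pseudocode above.
FEEDBACK = {
    "malicious": "Malicious email detected and removed. Thank you for reporting.",
    "suspicious": "Your report is under analyst review. Thank you for reporting.",
    "clean": "No threat detected. Thank you for reporting.",
}


def triage_reported_email(raw_message, reporter):
    """Playbook entry point: extract IOCs, score them, choose actions, build the incident record."""
    iocs = extract_iocs(raw_message)
    verdict = check_threat_intel(iocs)
    actions = []
    if verdict == "malicious":
        actions.append("quarantine")      # stand-in for the platform's auto_quarantine step
    if verdict != "clean":
        actions.append("open_incident")   # hand malicious and suspicious reports to an analyst
    return {
        "reporter": reporter,
        "verdict": verdict,
        "iocs": iocs,
        "actions": actions,
        "feedback": FEEDBACK[verdict],    # text for the step 4 feedback email
    }


if __name__ == "__main__":
    record = triage_reported_email(SAMPLE_EML, reporter="alice@corp.example")
    print(record["verdict"], record["actions"], record["iocs"]["url_hosts"])
    print(record["feedback"])
```

The returned record is what you would log as the incident and what the feedback email (the Send-MailMessage step above) would draw its text from; keeping the verdict, the IOCs and the actions in one structure makes the triage decision auditable, which matters when tuning the logic to reduce false positives and negatives later.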

When to Use It

Deploy this workflow when:

  • Setting up or upgrading phishing reporting capabilities in Microsoft 365 or Outlook environments
  • Designing security controls to satisfy compliance requirements (NIST CSF, MITRE ATT&CK)
  • Building or improving an automated incident response process
  • Conducting security architecture reviews or assessments
  • Rolling out security awareness programs to encourage user reporting

Important Notes

  • Ensure your organization uses the latest built-in Report button, as legacy add-ins are deprecated and may not be supported.
  • Regularly test and tune the workflow, especially the SOAR triage logic, to minimize false positives and negatives.
  • Ensure that reported messages are routed securely and that privacy of reporters is maintained.
  • Provide ongoing user education to maximize adoption and accurate reporting.
  • Monitor and measure key metrics such as report volume, triage times, and incident outcomes to improve the workflow continuously.

By implementing this skill, organizations can significantly strengthen their phishing defenses, respond faster to threats, and foster a proactive security culture.