All Collections
PHISH
Initial setup
Report phishing integration with CybSafe
Report phishing integration with CybSafe

Configure your email system to send successful reports of simulated phishing emails back to CybSafe

Ben Robinson avatar
Written by Ben Robinson
Updated over a week ago

In CybSafe's phishing report pages you will find a "reported emails" metric that can measure successful reports of simulated phishing emails.

There are some additional steps needed to configure this report to work, and will differ depending on what email system you use.


Microsoft

How does it work

Our report phishing button integration for Microsoft works by simply forwarding our simulation email to CybSafe to be included in your reporting stats.

  • It is important to note that only CybSafe's phishing simulations will be counted and tracked in your reporting. We have unique identifiers in our emails to ensure they are only counted.

  • Any emails that are not our own simulation emails will be automatically deleted and will not be counted in your reported statistics.

We do not retain or store the content of emails sent to the reportphish.cybsafe.com domain. For debugging purposes, we store the From address and Message ID for all received messages in our service logs.

CybSafe inbox details

The generic inbound email address is [email protected]. The local-part of the email address is customisable to your organisation, it does not have to be called "report".

Integration outline

CybSafe recommends a simple email forwarding approach:

General integration guidelines

  • CybSafe can be used in conjunction with other phishing simulation tools’ “Report email” feature.

  • The CybSafe inbound mailbox scans any forwarded emails for CybSafe phishing, and records the users who correctly identify our simulated phishing attempts.

  • The configuration of this feature can be tailored to suit the customer organisation’s needs.

  • The organisation is to use its native “Report email” feature (mail client dependant), which must have the capability to forward reported emails to a custom email address.

  • If the internal report phishing process relies on individuals forwarding suspect emails to a group inbox, a simple auto-forwarding rule to the CybSafe inbox can be created.

  • For more information on how CybSafe sends phishing, please see: Advanced simulated phishing information.

  • You can review our allow listing instructions here: How to add CybSafe to your allowlist.

Enable the report message or the report phishing add-ins

The first step in this integration is to enable the Report Phishing Add-In for your organisation.

The full Microsoft instructions can be found in the article, Enable the report message or the report phishing add-ins.

For this integration to work successfully CybSafe requires the report phishing add-in for your organisation to be setup.

Once installed and setup you can move onto configuring your report phish button and ensuring the emails are forwarded to the CybSafe report phish mailbox with the instructions below.

How to configure your report phish button

There are two sets of configuration that need to be done to your button to report phishing emails to CybSafe.

  1. Configure the user submissions email address.

  2. Use Mail flow rules to report the phishing emails to CybSafe.

Configure the user submission address for the Microsoft report phish button

You can find all the information from Microsoft in the following article, user reported message settings.

This article will help you to configure the button to send reported phishing emails to Microsoft for analysis and/or to an internal mailbox for analysis.

Once setup correctly you will then need to create a mail flow rule to also report the phishing emails to CybSafe.

Configure the mail flow rules to send reported phishing emails to CybSafe

How you setup the mail flow rule will depend on your settings for the user submissions address as per the instructions above.

You can create the rule to use the Microsoft address or your internal email address as the recipient or both, depending on your config.

Instructions if a button is configured to report to Microsoft.

When a user clicks on report phish using the native Microsoft button the email is sent to [email protected] if you have configured the button to report emails to Microsoft.

Using mail flow rules, you will essentially setup a forward from the button for any emails sent to the Microsoft email address to be sent to [email protected].

i.e. The Recipient is [email protected]

The following Microsoft article will provide all of the latest advice in setting up a mail flow rule in Exchange Online.

Instructions if a button is configured to not report to Microsoft, but rather deliver to an internal mailbox.

When a user clicks on report phish using the native Microsoft button the email is sent to your designated internal email address, if you have configured the button to only report emails internally and not to Microsoft.

Using mail flow rules, you will essentially setup a forward from the button for any emails sent to your designated email address to be sent to [email protected].

i.e. The recipient is your internal email address

The following Microsoft article will provide all of the latest advice in setting up a mail flow rule in Exchange Online.

SOC simulated attack triage advice

Use the following information for your SOC team to automate triage of our phishing simulation reports.

In addition to the whitelisting signatures, CybSafe emails always contain HTML with the following signature (note this is an example of a unique email ID):

The HTML shown in bold will always be present, so email triage can be automated with a body search for “cs-unique-ref”.


Google Workspace

CybSafe offers a Google Workspace App that allows successful reports of CybSafe phishing emails in Gmail to be represented in phishing reports.

The first step is to install the CybSafe Google Workspace app

Installing the CybSafe Google Workspace app

To enable CybSafe to access Google Cloud Platform behaviour-related data, domain wide authority needs to be delegated to Cybsafe’s service account. See Google’s documentation for reference here

  1. Go to Security / Access and data control / API controls → Select Manage Domain wide Delegation, and Add new. Direct link

  2. The client id for our production app is: 112617549266209094482

  3. Click Authorize

  4. Enter your GCP Admin email and Google Customer ID Account / Account settings Direct Link

  5. Send the Customer ID and Primary Admin Email to [email protected] with the subject “Activate Google Workspace Integration”. CybSafe will then finish the integration in our system.

After this is completed the app will be installed.

Using report phishing in Gmail

Once the app has been installed users that successfully report a CybSafe phishing email will have that report come through on our reporting pages.

All a user needs to do is use the native report phishing functionality below:


Proofpoint

How does it work

Our report phishing button integration for Proofpoint works by simply forwarding our simulation email to CybSafe to be included in your reporting stats.

  • It is important to note that only CybSafe's phishing simulations will be counted and tracked in your reporting. We have unique identifiers in our emails to ensure they are only counted.

  • Any emails that are not our own simulation emails will be automatically deleted and will not be counted in your reported statistics.

We do not retain or store the content of emails sent to the reportphish.cybsafe.com domain. For debugging purposes, we store the From address and Message ID for all received messages in our service logs.

CybSafe inbox details

The generic inbound email address is [email protected]. The local-part of the email address is customisable to your organisation, it does not have to be called "report".

Outline

CybSafe recommends a simple email forwarding approach:

General guidelines

  • CybSafe can be used in conjunction with other phishing simulation tools’ “Report email” feature.

  • The CybSafe inbound mailbox scans any forwarded emails for CybSafe phishing, and records the users who correctly identify our simulated phishing attempts.

  • The configuration of this feature can be tailored to suit the customer organisation’s needs.

  • The organisation is to use its native “Report email” feature (mail client dependant), which must have the capability to forward reported emails to a custom email address.

  • If the internal report phishing process relies on individuals forwarding suspect emails to a group inbox, a simple auto-forwarding rule to the CybSafe inbox can be created.

  • For more information on how CybSafe sends phishing, please see: Advanced simulated phishing information.

  • You can review our allow listing instructions here: How to add CybSafe to your allowlist.

How to configure your Proofpoint report button

You can identify CybSafe emails reported via the Proofpoint PhishAlarm button by using our forwarding rules.

First, you will need to set a forwarding rule for the PhishAlarm button to forward all emails to an internal SecOps/suspicious email inbox (or email address).

i.e. The recipient is your internal email address

From this internal inbox, you will setup a forwarding rule for any reported phishing emails sent to your designated email address to be sent to [email protected]. (Note: The local-part of the email address is customisable to your organisation, it does not have to be called "report").

This means that you will be able to see when your users have reported a CybSafe phishing email via the Proofpoint PhishAlarm button.

Note: This process also circumvents the limitations of Proofpoint TAP/TRAP with simulated phishing emails.

Instructions if you only want CybSafe to receive CybSafe simulated phishing emails reported via the Proofpoint button (i.e. not actual phishing emails)

We are able to process both simulated and non-simulated phishing emails. However, if you would like to limit the emails forwarded to CybSafe to only CybSafe phishing emails, you can use our unique identifiers to do so.

In addition our standard whitelisting signatures, CybSafe emails always contain HTML with the following signature:

The HTML shown in bold will always be present, so can be identified with a body search for “cs-unique-ref”.


Cofense

How does it work

Our report phishing button integration for Cofense works by simply forwarding our simulation email to CybSafe to be included in your reporting stats.

  • It is important to note that only CybSafe's phishing simulations will be counted and tracked in your reporting. We have unique identifiers in our emails to ensure they are only counted.

  • Any emails that are not our own simulation emails will be automatically deleted and will not be counted in your reported statistics.

We do not retain or store the content of emails sent to the reportphish.cybsafe.com domain. For debugging purposes, we store the From address and Message ID for all received messages in our service logs.

CybSafe inbox details

The generic inbound email address is [email protected]. The local-part of the email address is customisable to your organisation, it does not have to be called "report".

Outline

CybSafe recommends a simple email forwarding approach:

General guidelines

  • CybSafe can be used in conjunction with other phishing simulation tools’ “Report email” feature.

  • The CybSafe inbound mailbox scans any forwarded emails for CybSafe phishing, and records the users who correctly identify our simulated phishing attempts.

  • The configuration of this feature can be tailored to suit the customer organisation’s needs.

  • The organisation is to use its native “Report email” feature (mail client dependant), which must have the capability to forward reported emails to a custom email address.

  • If the internal report phishing process relies on individuals forwarding suspect emails to a group inbox, a simple auto-forwarding rule to the CybSafe inbox can be created.

  • For more information on how CybSafe sends phishing, please see: Advanced simulated phishing information.

  • You can review our allow listing instructions here: How to add CybSafe to your allowlist.

How to configure your Cofense report button

You can identify CybSafe emails reported via the Cofense button by using our forwarding rules.

First, you will need to set a forwarding rule for the Cofense button to forward all emails to an internal SecOps/suspicious email inbox (or email address).

i.e. The recipient is your internal email address

From this internal inbox, you will setup a forwarding rule for any reported phishing emails sent to your designated email address to be sent to [email protected]. (Note: The local-part of the email address is customisable to your organisation, it does not have to be called "report").

This means that you will be able to see when your users have reported a CybSafe phishing email via the Cofense button.

Instructions if you want to identify CybSafe phishing emails

In addition our standard whitelisting signatures, CybSafe emails always contain HTML with the following signature:

The HTML shown in bold will always be present, so can be identified with a body search for “cs-unique-ref”.

You can add automatic labels and classifications to CybSafe emails in Cofense, to identify them to your team (see below):

Did this answer your question?