Add a ‘report phishing’ button in Outlook; forward spam and phishing emails to your internal security team the right way!
- NOTE: This article has been updated with an additional easier option for building an enterprise-wide phishing button. Check it out here.
PhishMe offers a great solution for the enterprise with its anti-phishing training and phishing simulations. The service also provides an easy way for end-users to report the messages to their IT department and use for statistical tracking. Their solution for end-user reporting is an add-in in Outlook, providing a simple way for the end-user to click a button to report messages. I wanted the same thing for my security program, but we didn’t contract with PhishMe, so I needed another solution. I didn’t want to enlist a developer to create an Outlook add-in button, so I came up with a relatively easy solution. If you are good at scripting or have some workstation management tools this should be no problem to implement across the enterprise. Below are the steps you can use to reproduce a ‘report phish’ button in Outlook that automatically sends your security or IT department a full copy of the phishing emails. It also does much more that forwards the email, it sends the junk mail as an attachement in an email, preserving the message headers that will be needed for forensics.
- Install the Microsoft Junk Email reporter add-in for Outlook 2010 or 2013. The download can be retrieved at https://www.microsoft.com/en-us/download/details.aspx?id=18275
- Open Outlook and verify you now see the junk options in the ribbon.
- Right click a blank space in the ribbon and choose ‘Customize Ribbon’. On the right side, under “Customize the Ribbon” select Main Tabs, and expand the Home (Mail) tab. Click the ‘New Group’ button and rename it to be something useful “report junk” or “report phish”.
4. Next, select the ‘report junk’ button on the left side, and add it to the ‘report phish’ group you just created by clicking the ‘add>>’ button. Rename it and give it an icon of your choice. Now you should have a new icon in your main mailbox view that you can use to report junk. By default, the add-in will only report the junk to Microsoft, however with a registry hack you can blind-copy (bcc) an email address of your choice. the full junk mail message will be sent as an attachment, with all the header information that is missing from a forwarded message. This works great for sending to an IT department or a security operations center (SOC).
Your Outlook ribbon should now look similar to this:
How to report phishing to your IT department across the enterprise. If you want the junk email reporter to forward to your IT department, add the destination email address to the registry using the following registry key. (Typical registry hack warning here, don’t do this if you don’t know what you are doing…) You can also copy the following lines and create your own .reg file, I’ll leave that up to you. Replace the email address in the code with the address that will get a copy of the message.
“Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Junk E-mail Reporting\Addins]”BccEmailAddress”=”firstname.lastname@example.org”
- (Optional) Open up an email in outlook. Since Outlook uses a new ribbon for this view, you have the option of putting the new button in the mail-read view too. Now repeat steps 3-6 to create a button in the mail-read view if you choose.
- Now that you have created the new buttons, test them to make sure they work using an email address of your choice.
- If you want to apply this to multiple computers across the enterprise, there are several ways you can do it. Use a script, SCCM or a workstation admin tool of your choice. Make sure the following three requirements are met on your PC’s and you should be good to go:
- Verify that the junk email reporting add-in is installed.
- Copy the .reg key from step 7 to all computers, or manually edit the registry with the email address you want the junk email to be forwarded to.
- From your working, test computer, find the files called olkexplorer.officeUI and olkmailread.officeUI in C:\Users\%username%\AppData\Local\Microsoft\Office\ These files contain the ribbon info that you just created. You can copy them to the user’s profiles, overwriting the files that are currently there. *note, this may delete previously created custom ribbons if they exist. It may be a good idea to rename the old files first.
- Restart outlook
I’ve noticed that this does not work in 64bit Office installs, I assume this has something to do with the junk email reporting add-in. These instructions will work with Windows 7 and office 2010, and 2013. It takes a little effort to get this working enterprise-wide, but when combined with security training and phishing simulations it gives you some great information on how end-users react to phishing emails. It also empowers the end-user. They are now becoming part of the solution, instead of part of the problem.
I really like to hear from you! Let me know if you try this, or if you have any other solutions to make life a little better while fighting spam and phish attacks!
If you want to better understand the adversary, Brian Krebs has a great book called Spam Nation. I highly recommend a read through. The book is available through Amazon and the affiliate link is below.
NOTE: This article has been updated with an additional easier option for building an enterprise-wide phishing button. Check it out here.