Add a Report Phishing Button in Outlook

Add a ‘report phishing’ button in Outlook; forward spam and phishing emails to your internal security team the right way!


PhishMe offers a great solution for the enterprise with its anti-phishing training and phishing simulations. The service also provides an easy way for end-users to report messages to their IT department, which can then be used for statistical tracking. Their solution for end-user reporting is an Outlook add-in that gives the end-user a simple button to click to report a message. I wanted the same thing for my security program, but we didn’t contract with PhishMe, so I needed another solution. I didn’t want to enlist a developer to create an Outlook add-in button, so I came up with a relatively easy alternative. If you are good at scripting or have some workstation management tools, this should be no problem to implement across the enterprise. Below are the steps you can use to reproduce a ‘report phish’ button in Outlook that automatically sends your security or IT department a full copy of the phishing email. It does more than forward the email: it sends the junk mail as an attachment, preserving the message headers that will be needed for forensics.


  1. Install the Microsoft Junk Email Reporter add-in for Outlook 2010 or 2013. The download can be retrieved at https://www.microsoft.com/en-us/download/details.aspx?id=18275


  2. Open Outlook and verify you now see the junk options in the ribbon.



  3. Right-click a blank space in the ribbon and choose ‘Customize Ribbon’. On the right side, under “Customize the Ribbon”, select Main Tabs and expand the Home (Mail) tab. Click the ‘New Group’ button and rename it to something useful such as “report junk” or “report phish”.


4. Next, select the ‘report junk’ button on the left side and add it to the ‘report phish’ group you just created by clicking the ‘add>>’ button. Rename it and give it an icon of your choice. You should now have a new icon in your main mailbox view that you can use to report junk. By default, the add-in only reports the junk to Microsoft; however, with a registry change you can blind-copy (bcc) an email address of your choice. The full junk mail message is sent as an attachment, with all the header information that a forwarded message loses. This works great for sending to an IT department or a security operations center (SOC).



Your Outlook ribbon should now look similar to this:

(Screenshot: Outlook phish button toolbar)


How to report phishing to your IT department across the enterprise: if you want the junk email reporter to forward to your IT department, add the destination email address to the registry using the following registry key. (Typical registry hack warning here: don’t do this if you don’t know what you are doing.) You can also copy the following lines and create your own .reg file; I’ll leave that up to you. Replace the email address in the code with the address that will get a copy of the message.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Junk E-mail Reporting\Addins]
"BccEmailAddress"="phishy@yourdomainhere.com"


  5. (Optional) Open an email in Outlook. Since Outlook uses a separate ribbon for this view, you can put the new button in the mail-read view too. Repeat steps 3-6 to create a button in the mail-read view if you choose.


  6. Now that you have created the new buttons, test them to make sure they work, using an email address of your choice.


  7. If you want to apply this to multiple computers across the enterprise, there are several ways to do it: use a script, SCCM or a workstation admin tool of your choice. Make sure the following requirements are met on your PCs and you should be good to go:
    1. Verify that the junk email reporting add-in is installed.
    2. Copy the .reg key from step 7 to all computers, or manually edit the registry with the email address you want the junk email to be forwarded to.
    3. From your working test computer, find the files called olkexplorer.officeUI and olkmailread.officeUI in C:\Users\%username%\AppData\Local\Microsoft\Office\. These files contain the ribbon info you just created. You can copy them to the users’ profiles, overwriting the files that are currently there. Note: this may delete previously created custom ribbons if they exist, so it may be a good idea to rename the old files first.
    4. Restart Outlook.
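Here is an added PowerShell example (my own, not part of the original post) that scripts the registry change and the four deployment requirements above in one pass, so it can be pushed with SCCM or run remotely. It assumes an elevated session on 64-bit Windows 7 with 32-bit Office 2010/2013, that the add-in installer creates the “Junk E-mail Reporting” key used above, and that the two .officeUI files exported from your test machine sit on a share; the share path and the profile-folder exclusions are placeholders of mine.

```powershell
# Added example, not the post's own code. Deploys the report-phish button
# per machine: checks the add-in footprint, sets the BCC address, installs
# the customised ribbon into each user profile, then closes Outlook.
param(
    [string]$BccAddress  = 'phishy@yourdomainhere.com',       # your SOC mailbox
    [string]$SourceShare = '\\fileserver\deploy\phishbutton'  # placeholder share
)

$addinKey    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Junk E-mail Reporting\Addins'
$ribbonFiles = 'olkexplorer.officeUI', 'olkmailread.officeUI'
$skipProfiles = 'Public', 'Default', 'Default User', 'All Users'

# 1. Add-in present? Assumption: the installer creates the key referenced
#    above; if it is missing, the button cannot work (or Office is 64-bit).
if (-not (Test-Path $addinKey)) {
    Write-Error "Junk E-mail Reporting key not found: install the add-in first (32-bit Office only)."
    exit 1
}

# 2. Same effect as the .reg file above, then read it back to confirm.
Set-ItemProperty -Path $addinKey -Name 'BccEmailAddress' -Value $BccAddress
$written = (Get-ItemProperty -Path $addinKey).BccEmailAddress
if ($written -ne $BccAddress) {
    Write-Error "BccEmailAddress was not written."
    exit 1
}

# 3. Copy the ribbon files into every real user profile. Existing ribbon
#    files are renamed with a timestamp instead of being overwritten, so a
#    user's own customisations can be recovered.
$stamp = Get-Date -Format 'yyyyMMddHHmmss'
Get-ChildItem 'C:\Users' |
    Where-Object { $_.PSIsContainer -and ($skipProfiles -notcontains $_.Name) } |
    ForEach-Object {
        $officeDir = Join-Path $_.FullName 'AppData\Local\Microsoft\Office'
        if (-not (Test-Path $officeDir)) { return }   # user never ran Office here
        foreach ($f in $ribbonFiles) {
            $dest = Join-Path $officeDir $f
            if (Test-Path $dest) { Rename-Item $dest "$f.$stamp.bak" }
            Copy-Item (Join-Path $SourceShare $f) $dest
        }
    }

# 4. Outlook reads .officeUI only at startup, so a running instance must be
#    closed; the user relaunches it and sees the new button.
Get-Process OUTLOOK -ErrorAction SilentlyContinue | Stop-Process -Force
```

Run it once per workstation; step 4 is disruptive, so schedule it outside working hours or drop that line and let users restart Outlook themselves.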

I’ve noticed that this does not work with 64-bit Office installs; I assume this has something to do with the junk email reporting add-in. These instructions work with Windows 7 and Office 2010 and 2013. It takes a little effort to get this working enterprise-wide, but when combined with security training and phishing simulations it gives you great information on how end-users react to phishing emails. It also empowers the end-user: they become part of the solution instead of part of the problem.

I’d really like to hear from you! Let me know if you try this, or if you have any other solutions to make life a little better while fighting spam and phishing attacks!


11 comments for “Add a Report Phishing Button in Outlook”

  1. Lewis
    March 16, 2016 at 11:29 am

    all worked up until the BCC field.. I never receive the email

    • Spencer Alessi
      August 8, 2016 at 2:25 pm

      If your office install is 64 bit It WILL NOT work.

  2. Rocky
    August 8, 2016 at 7:14 am

    Seeing as it was a function implemented to send phishing mails to Microsoft, is the mail also actually bcc’d to them? Or is it limited to the mail account configured in the registry key?

    Great work btw,

    Rocky

    • Spencer
      August 8, 2016 at 2:26 pm

      I believe it IS actually sending to some “abuse@microsoft” account AND to who ever you specified in the BCC registry key..

      • Rocky
        August 11, 2016 at 9:13 am

        That’s a shame, anyone know a way to turn that off ?

        • Jef
          September 2, 2016 at 5:11 am

          If you have a mail gateway capable of blocking outgoing mail based on mail address and subject, you can have your gateway drop these mails to MS. (Probably best AND condition: to: abuse@microsoft.com AND subject [Contains: “Whatever notification generated”])

        • Steven
          December 5, 2016 at 8:02 pm

          you could capture it with a transport rule in Exchange

        • Nstr10
          March 13, 2017 at 2:41 pm

          It sends to abuse@messaging.microsoft.com
          Armed with that knowledge, you can create a rule in whatever mail server software you use to simply not send there, or redirect mail to that address to one of your choosing!

  3. deepak Bhatia
    November 30, 2016 at 2:45 pm

    Hello. What are the prereqs for installation for Office 2016 x32?
    DJ Bhatia
