Updated: Using the ‘Report Message’ add-in as phishing button in Outlook

Update to Add Phishing Button to Outlook: ‘Report Message’

A few years ago, I blogged about a way for enterprises to report phishing messages by adding an Outlook phishing button.  The message would forward to their IT or Security department quickly and easily without having to pay for a service.  Using that approach , with the click of a button employees can report phishing or suspicious emails and send the full message (with headers) to a mailbox monitored by your IT staff.   Here is a link to the article ‘Add a Report Phishing button in Outlook’.

Since then, Microsoft has made some changes to their junk reporting tools as the collective world is moving toward cloud services, specifically Office 365.  While I don’t have much of an opinion on email platforms, I have noticed that Microsoft’s spam and phishing filtering service has not kept up with the filtering that is happening with Gmail- this may be by design, or just part of Microsoft’s marketing strategy…who knows.   What I do know is that enterprise employees using Outlook and Office 365 have been struggling with Business Email Compromise (BEC), phishing, spam for years, and it’s not getting any better.

Visibility into how spam and phishing make it into our mailboxes is a critical need for any security program.  It increases awareness and allows defenders to rally and protect employees from insidious and crafty emails that occasionally make it to executive and VIP inboxes–the very places they can do the most damage. The world is a dangerous place when it comes to email and digital security.  Worst of all,  IT staff often has no idea about phishing campaign attack trends, and what the bad guys are up to.  Let’s change that.

What’s changed since the Outlook Phishing button?

The Outlook phishing button that I blogged about in a previous article uses Microsoft’s junk email reporting app. For years Microsoft has accepted reported junk emails and used the statistics to fine tune their filters (as long as end users and companies allow that information to leave their network).  While not serving the exact same purpose as the Junk Email Reporter, Microsoft’s ‘Report Message’ add-in is even easier to use and configure; for example, with a simple email rule in Office 365 you can send the full message, headers and all, directly to your IT or Information Security group, or a shared mailbox that is monitored by your enterprise defenders (makes the sound like heros doesn’t it).  It’s a little different spin on the ‘Phishing Button’ in Outlook, but can be configured to do essentially the same thing–serve as an early warning sign for your IT staff when used by security aware employees.  The Report Message add-in also has the added benefit of protecting you in Outlook Web too, something the simple Outlook Phish Button could never do.

Outlook Report Message

Outlook’s New Report Message Button

How to Report phishing messages to your IT department

The following instructions will work for Outlook and/or Outlook web users who use the Office 365 cloud service, personal or enterprise!

Here’s what you need to do:

1. Install the Report Message add-in from Microsoft’s AppSource

Here is a link for download.  https://appsource.microsoft.com/en-us/product/office/wa104381180

There are ways to push this out globally and I have more information below, but for now just download to your personal Outlook instance so you can test in your environment.  Once you go through all the steps defined here and determine it is working, roll it out to the rest of the company.

2. Create Online Exchange rule to blind-copy (Bcc) your internal phishing report mailbox.  

You must be an Exchange Online Administrator for your organization to complete this task.   If you are not, contact your IT department and show them this article, they will be impressed that you care enough to send them something that will help them, instead of just clicking the phishing email and going on with life… You will be the hero of the day!

  1. In the Exchange Admin Center, choose ‘mail flow > rules’
  2. Choose + > Create a new rule
  3. In the name box, type a descriptive name, such as ‘Phish report rule’, or as Microsoft suggests, ‘Submissions’…huh?   Anyway, you make the call….
  4. In the Apply this rule if list, choose ‘the recipient includes…’
  5. In the specify words or phrases screen, add ‘junk@office365.microsoft.com’ and ‘phish@office365.microsoft.com’ and choose ‘ok’

  6. In the ‘Do the following…’ list, choose Bcc the message to…

7. Add whoever you want to get the phishing messages in your organization then choose ‘OK’

  • It can be a person, email group or shared mailbox.  

8. Choose Audit this rule with severity level, and choose Medium

9. Under Choose a mode for this rule, choose Enforce.

10. Click ‘Save’

  (The configuration may take a few hours to sync across Office servers, have patience).

 3. Test your anti-phishing Report Message button!

Now, when you are ready to test, open a spam or phishing email and click the Report Message button!!  If it is working correctly, the email will be moved to your Junk E-mail folder, and a full copy of the entire email message, including headers will be sent to the mailbox of your you chose in step 7 above.  Woohoo!


What if I don’t want to send junk reports to Microsoft?

If you are the cynical  type and are suspicious of sending any information from your network, (including junk mail to Microsoft), just create a new Exchange Online rule that blocks any message sent to ‘junk@office365.microsoft.com’ and ‘phish@office365.microsoft.com’ from leaving your Exchange service.   If the rule is run after the bcc rule it should  still work to Bcc the mail to your internal staff.

Here’s a guide to create the rule that blocks reporting spam to Microsoft:


I personally haven’t tried this, but seems like it should work.  If you have, let us know your results or post back if you find a better way.


Additional reading–Next Step toward hero status: Enterprise Install

Yep, sometimes Microsoft stuff works great, this is one of those times.  They make this super-easy,  the following instructions were copied from


Get and enable the Report Message add-in for your organization


You must be an Office 365 global administrator or an Exchange Online Administrator to complete this task. In addition, Exchange must be configured to use OAuth authentication To learn more, see Exchange requirements (Centralized Deployment of add-ins).

1 Go to the Services & add-ins page in the Microsoft 365 admin center.

Report Message enterprise install

2. Choose + Deploy Add-in.

report message

3. In the New Add-In screen, review the information, and then choose Next.

message reporter phishing button add-in

4. Select I want to add an Add-In from the Office Store, and then choose Next.

message reporter phish button add-in

5. Search for Report Message, and in the list of results, next to the Report Message Add-In, choose Add.

phish button enterprise install

6. On the Report Message screen, review the information, If it looks good, choose Next

phishing button enterprise install

7. Specify the user default settings for Outlook  Here you can decide whether you want your end users to have a mandatory install, or make it optional.  I personally like the Mandatory setting 🙂    Choose Next.

Phish button message reporter options

8. Specify user or group to get the Report Message Add-in, and then choose Save.

Report Message phish options

Now in Outlook your users will have an icon that looks like this:

Outlook Report Message 'phishing' button

In Outlook web, you should see something like this:


If you followed the directions carefully, you should now have a enterprise-wide tool to report phishing to your internal team.  You did it! now get on to reporting those bad emails!

Post a reply and let me know if it helped you and your organization, I’d love to hear any success stories!


Additional information:

Using the Report Message Add-in (Microsoft)




  1. Pingback: Add a Report Phishing Button in Outlook -

  2. Matt - Reply

    Unfortunately this is limited use, as this is not enterprise ready for Mobile App, currently the add-in even though installed and enabel dwill not work on iPhone, Some Android and Sumsung models ? The repot Phsihing option does not exist it will show on some legacy Samsung devices still.

    So in current state its pointless as most email viewed on phone, basicaly now removeing MS Add-In and looking for a solution that will work on mobile. Shame EOP is pointless to respond without ability to report ?.

  3. Gael - Reply

    Report Message will be tested in our organization.

    Suggest for the chapter “What if I don’t want to send junk reports to Microsoft?”, it will be certainly most important for suspicious ones to also block mail to “not_junk@office365.microsoft.com” 🙂

  4. Paul Jadlowski - Reply

    Thank you very much for this! We have been targeted recently and the Microsoft instructions are not nearly as easy to follow as yours! Keep up the good work!

Leave Comment

Your email address will not be published. Required fields are marked *