Understand your Phish Alert Report Notification

Learn what the suspected phishing email alert notifications contain.

Written by Courtney Leacock
Updated over a year ago

A Phish Alert Report email notification will be sent to your specified email addresses when a user reports a suspected phishing email outside of a simulation.

NOTE: This requires the Forward Suspected Phishing Emails setting to be enabled on your Phish Alert Button settings.

The notification will look like this:

The notification email will include (depending on your Phish Alert settings):

Summary Details

Here is what each summary component of the report email means.

  • Recipient

    • User who submitted the suspected phishing email

  • Sender

    • The sender of the phishing email

  • Subject

    • The subject of the phishing email

  • Received At

    • The date/time the email was received in UTC

  • Message ID

    • This is the unique identifier generated by the outgoing email server or client

    • It can be used in an Exchange message trace

  • Network Message ID

    • This ID is assigned by Exchange when it processes an email. This corresponds to the X-MS-Exchange-Organization-Network-Message-Id message header

    • This can be used to manually submit an email to Microsoft for analysis as a suspected phish via the Microsoft 365 Security portal

There will also be a table summarising the suspected email’s attachments if present.

EML attachment

NOTE: This requires the Include Suspected Email as EML file attachment setting to be enabled in your Phish Alert Button settings.

The report notification will include an EML file attachment containing a reproduction of the suspected phishing email.

The notification’s body will inform you of the method used to construct the EML file. We currently offer 2 message data retrieval approaches.

  • Office JavaScript API

    • This is the data provided by the Outlook Add-in. It provides enough data to give the summary in the notification and the body of the suspected email but in a sanitised form. It can’t provide message headers or attachments. The EML may appear strange when opened as a result.

  • MS Graph API

    • We use the authorisation provided at add-in install or during sideloading testing to retrieve message data, provided the Retrieve Message Data via the MS Graph API on Behalf of a User using SSO setting is enabled.

    • This will include a less sanitised version of the email body, its message headers, and its attachments if the Include Suspected Email's Attachments in EML File option is enabled.

The EML generation process takes a graceful degradation approach: if the MS Graph load fails, we fall back to the Office JavaScript API data.

IMPORTANT NOTE: You should only open the EML file in a sandboxed environment such as Windows Sandbox or a VM.
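One way to read the Message ID, Network Message ID and attachment hashes out of the EML attachment without opening it in a mail client. This is an added example, not the vendor's code; the sample message and the `triage_eml` helper are constructed for illustration.

```python
import hashlib
from datetime import timezone
from email import policy
from email.parser import BytesParser

NETWORK_ID = "X-MS-Exchange-Organization-Network-Message-Id"

# Constructed sample EML; every value below is made up for the example.
SAMPLE_EML = b"\r\n".join([
    b"From: Billing <billing@example.net>",
    b"Subject: Invoice overdue",
    b"Date: Tue, 05 Mar 2024 09:15:02 -0500",
    b"Message-ID: <constructed-0001@example.net>",
    b"X-MS-Exchange-Organization-Network-Message-Id: 00000000-1111-2222-3333-444444444444",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"", b"--b1",
    b"Content-Type: text/plain; charset=utf-8",
    b"", b"Please see the attached invoice.", b"--b1",
    b"Content-Type: application/octet-stream",
    b'Content-Disposition: attachment; filename="invoice.htm"',
    b"Content-Transfer-Encoding: base64",
    b"", b"PGh0bWw+PC9odG1sPg==", b"--b1--", b"",
])


def triage_eml(raw: bytes) -> dict:
    """Read summary headers and hash attachments without rendering the body."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    def header(name):
        value = msg[name]
        return str(value) if value is not None else None

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # decoded in memory only
        attachments.append({"filename": part.get_filename(), "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
    when = getattr(msg["Date"], "datetime", None)  # None if missing or unparsable
    return {
        "sender": header("From"), "subject": header("Subject"),
        "message_id": header("Message-ID"),
        # None when the header is missing, e.g. an EML built from Office JavaScript API data
        "network_message_id": header(NETWORK_ID),
        "date_utc": when.astimezone(timezone.utc).isoformat() if when else None,
        "attachments": attachments,
    }


if __name__ == "__main__":
    print(triage_eml(SAMPLE_EML))
```

Run it inside the same sandbox or VM used for analysis. The `Date` header it normalises to UTC is the sender-supplied date and may differ from the Received At value in the notification.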
