A Phish Alert Report email notification will be sent to your specified email addresses when a user reports a suspected phishing email outside of a simulation.

NOTE: This requires the Forward Suspected Phishing Emails setting to be enabled on your Phish Alert Button settings.

The notification will look like this:

The notification email will include (depending on your Phish Alert settings):

Summary Details

Here is what each summary component of the report email means.

  • Recipient

    • User who submitted the suspected phishing email

  • Sender

    • The sender of the phishing email

  • Subject

    • The subject of the phishing email

  • Received At

    • The date/time the email was received in UTC

  • Message ID

    • This is the unique identifier generated by the outgoing email server or client

    • It can be used in an Exchange message trace

  • Network Message ID

    • This ID is assigned by Exchange when it processes an email. This corresponds to the X-MS-Exchange-Organization-Network-Message-Id message header

    • This can be used to manually submit an email to Microsoft for analysis as a suspected phish via the Microsoft 365 Security portal

There will also be a table summarising the suspected email’s attachments if present.

EML attachment

NOTE: This requires the Include Suspected Email as EML file attachment setting to be enabled in your Phish Alert Button settings.

The report notification will include an EML file attachment containing a reproduction of the suspected phishing email.

The notification’s body will inform you of the method used to construct the EML file. We currently offer 2 message data retrieval approaches.

  • Office JavaScript API

    • This is the data provided by the Outlook Add-in. It provides enough data to give the summary in the notification and the body of the suspected email but in a sanitised form. It can’t provide message headers or attachments. The EML may appear strange when opened as a result.

  • MS Graph API

    • We use the authorisation provided at add-in install or during sideloading testing to retrieve message data, provided the Retrieve Message Data via the MS Graph API on Behalf of a User using SSO setting is enabled.

    • This will include a less sanitised version of the email body, its message headers, and its attachments if the Include Suspected Email's Attachments in EML File option is enabled.

The EML generation process takes a graceful degradation approach, so that if the MS Graph load fails we fall back to the Office JavaScript API data.

IMPORTANT NOTE: You should only open the EML file in a sandboxed environment such as Windows Sandbox or a VM.
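Inside the sandbox, the EML can be parsed statically instead of being opened in a mail client. The following is an added example, not part of the product or the original article: it uses Python's standard `email` module on a constructed sample to extract the Message ID, the Network Message ID header and attachment hashes. The `triage_eml` name, the sample message and the `headers_missing` heuristic are assumptions.

```python
import hashlib
from datetime import timezone
from email import policy
from email.parser import BytesParser

NETWORK_ID_HEADER = "X-MS-Exchange-Organization-Network-Message-Id"

# Constructed sample standing in for a report's EML attachment (not real mail).
SAMPLE_EML = b"\r\n".join([
    b"From: Billing <billing@example.net>",
    b"Subject: Invoice overdue",
    b"Date: Tue, 05 Mar 2024 10:15:00 +0100",
    b"Message-ID: <abc123@mail.example.net>",
    b"X-MS-Exchange-Organization-Network-Message-Id: 11111111-2222-3333-4444-555555555555",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain; charset=utf-8",
    b"",
    b"Please see the attached invoice.",
    b"--b1",
    b'Content-Disposition: attachment; filename="invoice.html"',
    b"Content-Type: application/octet-stream",
    b"Content-Transfer-Encoding: base64",
    b"",
    b"PGh0bWw+PC9odG1sPg==",
    b"--b1--",
])

def triage_eml(raw: bytes) -> dict:
    # Parse only: the body is never rendered and attachments are never written to disk.
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hdr = lambda n: str(msg[n]).strip() if msg[n] is not None else None
    sent = getattr(msg["Date"], "datetime", None)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"filename": part.get_filename(), "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
    return {
        "sender": hdr("From"), "subject": hdr("Subject"),
        "message_id": hdr("Message-ID"),
        "network_message_id": hdr(NETWORK_ID_HEADER),
        "date_utc": sent.astimezone(timezone.utc).isoformat() if sent and sent.tzinfo else None,
        # Assumption: no transport headers suggests the Office JavaScript API fallback.
        "headers_missing": msg["Received"] is None and msg[NETWORK_ID_HEADER] is None,
        "attachments": attachments,
    }
```

The `Date` header is the sender-supplied timestamp, so compare it with the Received At value in the notification rather than treating the two as the same field.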

Microsoft Threat Assessment Submission

NOTE: This requires the Submit Suspected Phishing Emails to Microsoft for Analysis setting to be enabled in your Phish Alert Button settings.

Suspected emails will be submitted to Microsoft via the MS Graph API. The report notification will include the ID of the submission if successful. You can view the submissions in the Microsoft 365 Security portal under Emails & Collaboration > Submissions.

If the submission to Microsoft is not successful, this will be reported in the report notification email. You may then report the email to Microsoft manually.

NOTE: At time of writing we are experiencing issues with the Threat Assessment functionality in the MS Graph API. The matter has been raised with Microsoft in the hopes of finding a solution.
