How to Configure Microsoft Outlook 365's 'Report Phishing' Add-in for NCSC's SERS

In the ever-evolving landscape of cybersecurity, phishing attacks remain one of the most pervasive threats to organizations worldwide. To combat this, Microsoft has introduced the ‘Report Phishing’ add-in for Outlook 365, enabling users to report suspicious emails directly to the National Cyber Security Centre’s (NCSC) Suspicious Email Reporting Service (SERS). This article delves into the technical steps required to configure this add-in, its relevance to security teams, and how it integrates into broader email protection strategies.

TL;DR: Key Takeaways

What: The ‘Report Phishing’ add-in for Outlook 365 allows users to report phishing emails to NCSC’s SERS.
Why: Enhances email security by enabling rapid reporting and analysis of phishing attempts.
How: Configure the add-in via Microsoft 365 Admin Center and integrate it with SERS using Exchange Online rules.
Who: Essential for SOC Analysts, System Administrators, and Threat Intel Researchers.
Relevance: Strengthens organizational defenses by leveraging user-reported data to improve anti-phishing policies.

High-Level Overview for CISOs

The ‘Report Phishing’ add-in is a critical tool for organizations aiming to bolster their email security posture. By enabling users to report phishing attempts directly from their Outlook interface, the add-in streamlines the process of identifying and mitigating phishing threats. This integration with NCSC’s SERS ensures that reported emails are analyzed and acted upon swiftly, reducing the risk of successful phishing campaigns.

Technical Deep Dive: Configuring the ‘Report Phishing’ Add-in

Step 1: Install the ‘Report Phishing’ Add-in

Access Microsoft 365 Admin Center: Navigate to the Integrated Apps section under Settings.
Search for the Add-in: Use the search bar to locate the ‘Report Phishing’ add-in.
Deploy the Add-in: Select ‘Get it now’ and deploy it to your organization. Ensure the deployment scope is set to ‘Entire Organization’ for full coverage^[1].

Step 2: Configure User-Reported Settings

Access Microsoft Defender Portal: Go to Settings > Email & Collaboration > User Reported Settings.
Enable Monitoring: Ensure ‘Monitor reported messages in Outlook’ is selected.
Set Reporting Destination: Configure the ‘Send reported messages to’ field to include both Microsoft and your organization’s reporting mailbox^[2].

Step 3: Integrate with NCSC’s SERS

Create a Shared Mailbox: Set up a shared mailbox (e.g., [email protected]) to receive reported emails.
Configure Exchange Online Rules:
- Navigate to Exchange Admin Center > Mail Flow > Rules.
- Create a new rule named ‘Report Phishing to SERS’.
- Set the condition to ‘The recipient is [email protected]’.
- Add an action to Bcc the message to [email protected]^[3].

Step 4: Test the Integration

Send a Test Email: Use a test phishing email to verify the reporting process.
Check Reporting Mailbox: Ensure the email is forwarded to both Microsoft and SERS.
Validate Deletion: Confirm that reported emails are moved to the Deleted Items folder as configured^[4].

Relevance to Target Audience

For SOC Analysts and Threat Intel Researchers

Enhanced Visibility: User-reported phishing emails provide valuable data for threat intelligence and incident response.
Improved Detection: Leverage reported emails to refine anti-phishing policies and improve detection rates.

For System Administrators

Streamlined Deployment: Centralized deployment via Microsoft 365 Admin Center simplifies management.
Customizable Settings: Tailor reporting destinations and actions to meet organizational needs.

For Red Teamers

Phishing Simulation Testing: Use the add-in to test user awareness and response to phishing attempts.
Feedback Loop: Analyze reported emails to identify gaps in phishing defenses.

Remediation and Best Practices

Educate Users: Train employees on how to use the ‘Report Phishing’ add-in effectively.
Monitor Reports: Regularly review reported emails to identify trends and improve defenses.
Update Policies: Use insights from reported emails to update anti-phishing policies and configurations.

Conclusion

The ‘Report Phishing’ add-in for Outlook 365 is a powerful tool for enhancing email security. By enabling users to report phishing attempts directly to NCSC’s SERS, organizations can improve their defenses against phishing attacks. For security teams, this integration provides valuable data for threat intelligence and incident response, making it an essential component of any email security strategy.