Hybrid PAB

Share

Is this article helpful?

Last updated:

Hybrid Phish Alert Button (PAB) Product Manual

Important:Starting February 17, 2025, Microsoft deprecated legacy Exchange Online tokens. This deprecation may impact the functionality of the Hybrid Phish Alert Button. The legacy Exchange Online tokens can be reenabled until June 2025. We recommend authorizing Graph APIs and NAA-SSO in your phish alert account settings before February 17, 2025, to prevent authentication issues once these legacy tokens are deprecated. For more information, see Microsoft’s Nested app authentication and Outlook legacy tokens deprecation FAQ.
Important:On February 25, 2025, the Graph and Hybrid Phish Alert Buttons (PABs) were merged, along with their manuals, to provide a more streamlined experience. As a result, the Graph PABs guides and information will now be included here, in the Hybrid Phish Alert Button (PAB) Product Manual. We also updated the fallback mechanism for the Hybrid PAB. This updated manifest will allow the Hybrid PAB to switch from NAA-SSO to SSO-OBO whenever it is in an environment that does not support NAA-SSO. You will need to update your XML manifest to implement the improved fallback mechanism.

The Hybrid Phish Alert Button (PAB) for Microsoft 365 and Microsoft Exchange allows your users to easily report suspicious emails and help protect your organization from cyberattacks. When your users click the PAB to report an email, they can provide your IT team with an early warning about potential threats.

Tip: If you use the phishing feature in our KnowBe4 console, the Hybrid PAB will also track if your users report our simulated phishing emails. You can use this feature to see which users successfully identify potential threats.

The Hybrid PAB detects your users’ mail clients and automatically configures the best version of the PAB for each user. To learn how to install the Hybrid PAB and how your users can use the PAB in their mail clients, see the sections below.

Prerequisites and Limitations

Before you can install the Hybrid PAB for your organization, your organization will need to have one of the following mail servers:

  • Microsoft Exchange 2013 - version 15.0.847.32 (SP1), or a later version
  • Microsoft Exchange 2016 - version 15.1.225.42 (RTM), or a later version
  • Microsoft Exchange 2019
  • Microsoft 365
  • Microsoft Outlook 2016, 2019, and 2021 for Mac:
    • Exchange 2016
    • Exchange 2019
    • Microsoft 365

If you have a proxy server, a connection to the following is needed to bypass the proxy server or proxy authentication:

  • outlook.office365.com
  • outlook.office.com
  • us.pab.knowbe4.com, eu.pab.knowbe4.com, or ca.pab.knowbe4.com
    The domain used will depend on where your KnowBe4 account is located.

You will also need to enable and configure the PAB from your KnowBe4 console Account Settings before following the steps in this article. To learn how to enable and configure the PAB in your KnowBe4 account, see the Enable PAB section of our Phish Alert Button (PAB) Product Manual.

Installing the Hybrid PAB for Microsoft 365

To install the Hybrid PAB in Microsoft 365, follow the steps below: 

Accepting Required Permissions

Before installing the Hybrid PAB for Microsoft 365, follow the steps below:

  1. Log in to your KSAT console.
  2. Click on your email address in the top-right corner of the page, and select Account Settings.
  3. Navigate to Account Integrations > Phish Alert.
  4. Select the Enable Phish Alert check box.
  5. From the Select PAB Version drop-down menu, select Hybrid PAB.
  6. Click Accept Microsoft Permissions to Authorize GRAPH APIs for the PAB. You will be redirected to the Microsoft 365 login page.
  7. Log in to your Microsoft 365 account using your admin credentials.
  8. Once you log in, the Permissions requested pop-up window will display. Read the permissions, then click Accept.
  9. Once you accept the permissions, the GRAPH Authorization Successful window will display. Click Back to PAB Configuration to return to the Phish Alert settings.
  10. Click Authorize NAA-SSO for GRAPH APIs and repeat steps 6 through 9.

Installing the Hybrid PAB for Microsoft 365

Follow the steps below to install the Hybrid PAB for Microsoft 365:

  1. Click the download icon next to the PAB manifest for Microsoft products option to download the PhishAlertManifest.xml file.
    Note:Each Phish Alert Button (PAB) XML manifest file is unique to the KSAT console based on where it's downloaded. So, if you manage multiple KSAT consoles, you'll need to download and install the correct manifest file for each console separately.
  2. In a new tab of your browser, log in to your Microsoft 365 admin center.
  3. From the menu on the left side of the page, click Settings.
  4. From the Settings drop-down menu, select Integrated apps.
  5. Click Add-ins at the top-right corner of the page. The Add-ins page will open.
  6. On the Add-ins screen, click Deploy Add-In. The Deploy a new add-in pop-up window will open.
  7. In the pop-up window, click Next.
  8. Click Upload custom apps.
  9. Select the I have the manifest file(.xml) on this device option. Then, click Choose File and select the PhishAlertManifest.xml file.
  10. Click Upload to install the PAB. The Configure add-in pop-up window will open.
  11. From the pop-up window, select which users will have access to the PAB and which method you would like to use to deploy the PAB.
    Important:We recommend allowing all users to access the PAB and using the Fixed deployment method.
  12. Click Next, and additional app permissions will display.
  13. Once you have read the permissions, click Save. The Deploy Phish Alert pop-up window will open.
  14. Once the pop-up window displays a confirmation that the add-in has successfully deployed, click Next. The Announce add-in pop-up window will open and display a message about Microsoft’s announcement recommendations.
    Note:After you install and deploy the PAB, you might receive an email from your mail service provider that contains information you can use to help you announce the PAB add-in to your users. KnowBe4 does not send the email about the PAB's intended usage and benefits.
  15. Click Close.

Installing the PAB in the Microsoft Exchange Admin Center

To install the PAB in the Microsoft Exchange Admin Center, follow the steps below: 

Accepting Required Permissions

Before installing the Hybrid PAB for Microsoft 365, follow the steps below:

  1. Log in to your KnowBe4 console.
  2. Click on your email address in the top-right corner of the page, and select Account Settings
  3. Navigate to Account Integrations > Phish Alert.
  4. Select the Enable Phish Alert check box.
  5. From the Select PAB Version drop-down menu, select Hybrid PAB.
  6. Click Accept Microsoft Permissions to Authorize GRAPH APIs for the PAB. You will be redirected to the Microsoft 365 login page.
  7. Log in to your Microsoft 365 account using your admin credentials.
  8. Once you log in, the Permissions requested pop-up window will display. Read the permissions, then click Accept.
  9. Once you accept the permissions, the GRAPH Authorization Successful window will display. Click Back to PAB Configuration to return to the Phish Alert settings.
  10. Click Authorize NAA-SSO for GRAPH APIs and repeat steps 6 through 9.

Installing the Hybrid PAB in the Microsoft Exchange Admin Center

Follow the steps below to install the Hybrid PAB in the Microsoft Exchange Admin Center: 

  1. Click the download icon next to the PAB manifest for Microsoft products option to download the PhishAlertManifest.xml file.
    Note:Each Phish Alert Button (PAB) XML manifest file is unique to the KSAT console based on where it's downloaded. So, if you manage multiple KSAT consoles, you'll need to download and install the correct manifest file for each console separately.
  2. In a new tab in your browser, log in to your Microsoft Exchange Admin Center account.
  3. Navigate to Exchange Admin Center > organization > add-ins.
    Important:If you are using Microsoft Exchange 2013 and you have a different Admin Center view, you will need to navigate to Exchange admin center > organization > apps.
  4. From the add-ins page, click the plus icon (+) and select Add from file.
  5. Click Choose File and select the PhishAlertManifest.xml file.
  6. Click Next.
  7. Make sure that the Make this add-in available to users in your organization check box and the Mandatory, always enabled. Users can't disable this add-in. check box are selected.
  8. Click Save to finish the installation.
Note:The expected timeframe for the PAB to deploy is 24 hours, but timeframes can vary. For more information about deploying add-ins, see Microsoft's Deploy add-ins in the Microsoft 365 admin center article.

Installing to Shared Mailboxes

The Hybrid PAB supports installation for shared mailboxes. This feature requires that Graph API and Nested App Authentication single sign-on (NAA-SSO) permissions are authorized in your Microsoft 365 tenant. See steps 6 through 10 in the Accepting Required Permissions section above for instructions on how to authorize these permissions.

Important: Microsoft Outlook for iOS and Android does not currently support add-ins for shared mailboxes.

Prerequisites for Shared Mailbox Installation

Make sure you meet the requirements below to install the PAB for a shared mailbox:

  • Your mail environment must support the Outlook add-in API requirement set 1.8.
  • The PAB XML manifest you are using must have the following line: <SupportsSharedFolders>true</SupportsSharedFolders>

    Don't worry I'm from tech support

Important:If you installed the PhishAlertManifest.xml file before February 11, 2025, you will need to uninstall your current Phish Alert instance in Microsoft 365. Then, download and deploy a new PhishAlertManifest.xml file from your KSAT console. See this article's Uninstalling the Hybrid PAB and Installing the Hybrid PAB for Microsoft 365 sections for additional information.

Hybrid PAB User Experience

Once installed, the Hybrid PAB will automatically detect your users’ mail clients and configure the best PAB for each user. The user experience will be different for each user depending on their specific mail client.

Tip:You can also add languages to the Hybrid PAB using our language-aware feature. To learn more about our language-aware feature, see our Adding Languages to the Phish Alert Button article.

In the new version of Microsoft Outlook for Windows, you can pin the PAB add-in to the toolbar at the top of an open email. To pin the add-in, click the ellipsis icon (...) and select Customize actions. Or, you can also navigate to Settings > Mail > Customize actions. Then, select the Phish Alert add-in and click Save. When you open an email, you can click the PAB icon that displays on the toolbar. For more information about managing add-ins, visit Microsoft's Get an Office Add-in for Outlook article.

Important:Microsoft does not currently allow admins to pin the PAB add-in for all users in their organization. Each user must pin the add-in by customizing the actions for their account.

In the new version of Microsoft Outlook on the web, you can click the Phish Alert button that displays in the Apps launcher on an open email. To access the Apps launcher, click the Apps icon in the top-right corner of an open email. If the PAB does not display in the Apps launcher, you can click Add apps to open the Apps Store. From the Apps drop-down menu, click the Built for your org subtab to view the optional add-ins that your organization has approved. If the PAB add-in is available, you can select Phish Alert and click Add. Then, the PAB will display in the Apps launcher.

In the classic version of Microsoft Outlook for Windows, you can click the Phish Alert button in the Home tab of the toolbar at the top of an open email. Then, the PAB will display in the toolbar on the right side of the email.

Important:To use the PAB in Microsoft Outlook, you must enable the Reading Pane. For more information about enabling the Reading Pane, see Microsoft's Use and configure the Reading Pane to preview messages article.

In Microsoft Outlook for Mac, you can click the PAB add-in that displays in the toolbar on the right side of the page. You can also find the PAB by clicking the ellipsis icon (...) in the toolbar at the top of an open email. To pin the PAB add-in to the toolbar, click the Customize Toolbar… button.

Your users can click the PAB in any of these mail clients to report suspicious emails. When a user clicks the PAB, the reported email will be removed from their inbox and moved to their Sent Items folder as a forwarded email. If a user incorrectly reports an email, they can retrieve the email from their Deleted Items folder or Trash folder.

Updating and Uninstalling the Hybrid PAB

The method that you will use to uninstall the Hybrid PAB for your organization will differ depending on whether you use Microsoft 365 or the Microsoft Exchange Admin Center. If you need to redeploy the PAB XML manifest file, we recommend first removing your existing PAB installation.

Updating the Hybrid PAB for Microsoft 365

To update the Hybrid PAB for Microsoft 365, follow these steps:

  1. Log in to your KSAT console.
  2. Click on your email address in the top-right corner of the page, and select Account Settings.
  3. Navigate to Account Integrations > Phish Alert.
  4. From the Select PAB Version drop-down menu, select Hybrid PAB.
  5. Click the download icon next to the PAB manifest for Microsoft products option to download the PhishAlertManifest.xml file.
  6. Go to Settings > Integrated Apps > Add-ins in your Microsoft 365 admin center.
  7. Find your PAB add-in in the list.
  8. Select the add-in and click Update add-in.
  9. Upload your updated PhishAlertManifest.xml file.

Uninstalling the Hybrid PAB for Microsoft 365

To uninstall the Hybrid PAB for Microsoft 365, follow these steps:

  1. Go to Settings > Integrated Apps > Add-ins in your Microsoft 365 admin center.
  2. Find your PAB add-in in the list.
  3. Select the add-in and click Remove app.

Uninstalling the Hybrid PAB for the Exchange Admin Center

If you need to redeploy the PAB XML manifest file, we recommend first removing your existing PAB installation. To uninstall the Hybrid PAB, follow these steps:

  1. Go to Organization > Add-ins in your Exchange admin center.
  2. Find your PAB add-in in the list.
  3. Select the add-in and click Remove app.

Was this article helpful?

5 out of 6 found this helpful

Can't find what you're looking for?

Contact Support