Integrating Microsoft Defender for Office with the PAB
You can integrate the Phish Alert Button (PAB) with Microsoft Defender for Office to send emails to Microsoft’s Submissions page for analysis. In the Microsoft 365 Defender platform, the Submissions page receives emails that users reported with Microsoft’s Report button. With this integration, you can allow your users to report suspicious emails to your organization and Microsoft with a single action. When users report KnowBe4’s simulated phishing emails with the Report button, Microsoft can mistakenly classify these emails as threats. This integration also helps Microsoft recognize KnowBe4’s simulated phishing emails and avoid false positives for users’ reported emails.
To learn more about integrating Microsoft 365 Defender with the PAB, see the sections below.
Before you configure this integration, you'll need to enable and configure the PAB in your KMSAT Account Settings. For more information, see the Enable and Configure section of our Phish Alert Button (PAB) Product Manual.
You'll also need to enable the Microsoft 365 Defender for Office service for your organization’s mail server. Then, configure a security operations (SecOps) mailbox for your Microsoft account so that emails can be sent to your Submissions page. For more information, see Microsoft's Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy article.
Configuring the Integration
To configure this integration, you’ll need to allow third-party reporting tools for your Microsoft 365 Defender platform. For more information, see Microsoft’s Options for third-party reporting tools article. To allow the third-party reporting tools, follow the steps below:
- Log in to your Microsoft 365 account using your admin credentials.
- Navigate to the Microsoft 365 Defender portal > Settings > Email & collaboration.
- Click User reported settings. Or, you can access the User reported settings page by navigating to https://security.microsoft.com/securitysettings/userSubmission.
- On the User reported settings page, select the Monitor reported messages in Outlook check box to enable the reporting options.
- Under the Select an Outlook report button configuration section, select Use a non-Microsoft add-in button.
Important: If you select this option, Microsoft's Report button will be disabled automatically.
- In the Add an exchange online mailbox to send reported messages to: field, enter the email address associated with your Microsoft account’s Submissions page and SecOps mailbox.
Note: Enter the same email address that you used to configure your SecOps mailbox. For more information, see Microsoft's Use the Microsoft 365 Defender portal to configure SecOps mailboxes in the advanced delivery policy article.
- (Optional) You can select the Allow reporting for quarantined messages. Only admins can report quarantined Teams messages. check box to allow your users to report emails from their quarantine folder.
After you have configured these settings in Microsoft 365 Defender, you’ll need to configure the integration in your KMSAT console. To configure the integration in KMSAT, follow the steps below:
- Log into your KMSAT console.
- Click your email address at the top-right corner of the page. From the drop-down menu that opens, select Account Settings.
- Navigate to Account Integrations > Phish Alert.
- Click the + icon next to the PAB instance to view your settings.
- Select the Enable Microsoft 365 Defender Integration check box.
- In the Submit Reported Emails to: field, enter the email address associated with your Microsoft account’s Submissions page and SecOps mailbox.
Important: In addition to entering the email address associated with your Microsoft account, you must select a method to provide a copy of users’ reported emails to your organization’s admins. Enter an email address in the Send Non-Simulated Emails to: field, or select the Save a copy of reported emails check box.
- (Optional) You can select the Save a copy of reported emails check box if you would like the PAB to save a copy of reported emails in the Sent folder of the user who reported them.
- Click the Save Phish Alert Settings button.
- At the bottom of the page, click the Save Changes button.
Once you've configured the integration, your users can use the PAB to report suspicious emails to both KnowBe4 and Microsoft.
When a user reports an email, they must select a disposition. By default, they can select the Phishing/Suspicious or Spam/Junk disposition. If you have enabled the User Comments and Email Disposition feature, your users can also add comments and select the Unknown disposition.
If a user selects the Unknown disposition, the reported email is initially labeled as Phishing in Microsoft’s Submissions page. For more information, see our Adding User Comments and Email Disposition to the Phish Alert Button article.
After a user reports an email, the email will be deleted from their inbox and two copies of the reported emails will be sent. The first copy will be sent to the email address entered in the Send Non-Simulated Emails to: field in your KMSAT Account Settings. The second copy will be sent to the email address in the Submit Reported Emails to: field in your KMSAT Account Settings, associated with Microsoft Defender’s Submissions page. If the Save a copy of reported emails setting is enabled, a copy of the reported email is also saved in the user’s Sent folder.
Once an email is submitted to Microsoft, it will display on the Submissions page of your Microsoft 365 Defender portal within a few minutes. Then, you can analyze the email and report it to Microsoft as a clean, spam, or phishing email.