The Phish Alert Button (PAB) add-in for Microsoft Outlook, Microsoft Exchange, Microsoft 365, and Google Workspace gives your users the ability to report suspicious emails.
In this article, you will learn how to enable and configure the PAB, choose the PAB installation guide best suited for your organization, and how to set up multiple PAB instances.
To learn how installing the PAB can benefit your organization and for best practices, see our Best Practices for Phish Alert Button (PAB) Implementation article.
What Data Is Sent to Our Servers?
The PAB communicates with our API over TLS 1.2, which is securely encrypted. The external IP address, user agent, and other standard browser information are sent to us as part of the standard HTTPS communication.
The information that is sent from the user's machine to our servers is listed below:
- License Key
- PAB version
- Operating system (OS)
- Operating system architecture
- This includes 32-bit or 64 bit.
- Microsoft Outlook version
- Windows configured language
- This is the language code. For example, EN for English, DE for German, and so on.
- Operating System ID
- This is a random GUID generated for each individual workstation.
- User's email address
- We do not store your users' email addresses unless it is already in our system.
When the user reports an email that is not a simulated phishing email, the reported email will not be sent to us unless you have the Send Us a Copy setting enabled in your Account Settings. When this setting is enabled, reported emails are forwarded to us, and to the email addresses specified in your Account Settings. For more information about this setting, see the Enable and Configure PAB section below.
Enable and Configure PAB
Before you install the PAB, you will need to enable and configure the PAB in your Account Settings. To enable and configure the PAB, follow the steps below.
- Log in to your KnowBe4 console and navigate to your Account Settings screen. This screen will look different depending on your account version.
Free Version: If you have a free account, log in to your console and click the Get Started button. When you click, you will be taken to the Phish Alert Enabled screen. Skip to Step 3 for further instructions.
Paid Version: If you have a paid account, log in to your console and click on your email address in the top-right corner of the screen. Then, select Account Settings.
- Navigate to Account Integrations > Phish Alert.
- Select the Enable Phish Alert checkbox.
- Click the green Add Phish Alert Instance button.
Note: If you have already enabled and configured one PAB instance, a pop-up window will ask you to confirm if you would like to create a new instance. For more information about setting up multiple instances, see our How to Set Up Multiple Phish Alert Button Instances article.
Configure your PAB by filling out the fields in your Account Settings. For information about these fields, see the screenshot and list below:
- Enable Phish Alert: Select this check box if you would like to enable Phish Alert Button for your account. If you deploy the PAB in your organization but you don't select this check box, your organization's PAB reports will not be recorded.
- Setting Name: Enter a name for your Phish Alert Button instance.
License Key: This field displays the license key associated with this PAB instance. Use the license key to install the Phish Alert Button on your workstations. If you are using Google Apps with the Google Workspace Chrome extension, your license key is automatically built into your config .json file.
Note: A 2-digit environment indicator is included at the beginning of the PAB license key, to specify which environment the license key is from (US, EU, CA, etc.). The environment indicator is not available for the PAB for Outlook or HCL Domino (Lotus).
- Send Non-Simulated Emails to: If a user reports a non-simulated email, you can send a copy of this email to specific users in your organization. To send these users a copy of these emails, enter the users' email addresses in this field. Email addresses must be separated by commas. Any simulated emails will not be forwarded.
Icon: Upload your own custom icon for the Phish Alert Button. If you do not upload a custom icon, the default PAB icon will be used. To learn more about the image requirements for the icon, see our article on How to Change the Phish Alert Button (PAB) Icon article.
If you have previously installed the Phish Alert Button and this is your first time adding a custom icon, you will need to reinstall the PAB for the change to occur.
Limit CRID Validation: Enable this setting to allow a reported email with any Campaign Recipient ID (CRID) header to be classified as a simulated phishing email. When this option is not selected, the PAB uses CRID validation to detect whether or not an email that is marked with a training header is a simulated phishing email. If an email has a valid CRID and is reported for the first time within the past hour from the same account where the PAB was installed, it will be treated as a simulated phishing email. A simulated phishing email will be deleted and only shown as reported in the KMSAT console instead of being forwarded to PhishER. The PAB for HCL Domino (Lotus) does not use CRID validation.
Note: Enabling this setting is not recommended. However, you can enable this setting if CRID validation is causing simulated phishing emails to be reported as non-simulated phishing emails.
Add PhishER Email Address: Click this button to add the first reporting email address from your PhishER account in the Send Non-Simulated Emails to: field.
Note: If you set up an account with PhishER already enabled, the reporting email address will be automatically entered in the field. If you would like to remove this email address from the list, click the Remove PhishER Email Addresses button.
- Send Us a Copy: Enable this setting to send a copy of reported non-simulated phishing emails to KnowBe4 analysis. This email will include the original email header. We can use these emails to create phishing templates to use in future simulated phishing attacks. To learn more about sharing emails with us, see our Sharing Reported Phishing Emails with KnowBe4 with the Phish Alert Button (PAB) article.
- Email Format (Hybrid PAB Only): Select how forwarded emails from the PAB should be formatted.
Enable Microsoft 365 Defender Integration: Select this check box if you would like to send a copy of reported emails to Microsoft's Submissions page. For more information, see our How to Integrate Microsoft Defender for Office 365 with the Phish Alert Button (PAB)
Note: If you enable this setting but don’t enable the Allow users to leave comments and disposition setting, your users can only select the Phishing/Suspicious or Spam/Junk disposition for reported emails.
- Submit Reported Emails to: Enter the email address associated with your Microsoft account’s Submissions page and SecOps mailbox.
- Save a copy of reported emails: Select this check box if you would like the PAB to save a copy of reported emails in the Sent folder of the user who reported them.
- Autofill Phishing Languages with PAB Locale (Hybrid PAB Only): If you enable this setting, the PAB will autofill your users' profiles with their preferred phishing languages if that field is blank. For more information on how to set individual user languages, see our Localization Guide.
- Enable Email Forwarding (Hybrid PAB Only): If you enable this setting, you will be able to forward emails to services that require email forwarding, such as Proofpoint. Enter the additional forwarding email address(es) in the Send Non-Simulated Emails to: field, and change the Email Format setting to .MSG.
- Exclude original body text from reported emails (Hybrid PAB and Gmail Add-on PAB Only): Select this check box to exclude the body text in the copy of reported emails. The original body text will only be included in the attached EML or MSG file.
- Enable Automatic PAB Activation (Gmail Add-on PAB Only): Select this check box to enable automatic activation for the Gmail Add-on PAB. For more information, see our Using Automatic Activation for the Gmail Add-on Phish Alert Button (PAB) article.
- Add the reported message's headers to the forwarded message's body (Exchange version of the Office Add-in PAB only): Select this check box to include the headers of the reported message in the body of the forwarded message.
- Allow users to leave comments and disposition: Enable this setting to allow your users to add comments and decide the disposition of an email when they use the PAB. For more information, see our Adding User Comments and Email Disposition to the Phish Alert Button article.
- Disable Unknown Email Disposition: Select this check box if you would like to exclude the Unknown disposition from options your users can choose when they use the PAB.
- Send Dispositioned Emails to: Enter the additional forwarding email addresses based on the reported email's disposition in the disposition fields below. For more information, see our Adding User Comments and Email Disposition to the Phish Alert Button article.
- Please Select A Language (Language drop-down menu): From the drop-down menu, select a language you would like to use for the PAB instance.
- Make Default: Select this check box to set this language as the default language for your PAB instance.
- Forwarded Email Prefix: This prefix will be added before the original subject line when a non-simulated phishing email is forwarded to the recipients you set in the Send Non-Simulated Emails to: field.
- Confirmation Message: This message will be displayed to users after they click the Phish Alert Button. By default, this message asks the user to confirm whether or not they want to report the email. This field has a maximum of 255 characters.
- Show a response when the user reports a non-simulated phishing email: If you enable this setting, the user will see this message when they report a non-simulated phishing email. This field has a maximum of 469 characters for the Client PAB and 500 characters for the Server PAB.
- Show a response when the user reports a phishing security test email (Paid Only): If you enable this setting, the user will see this message when they report a simulated phishing email. This field has a maximum of 469 characters for the Client PAB and 500 characters for the Server PAB.
- Response Duration __ seconds: Set the length of time the email response messages appear on the screen. The maximum duration is 60 seconds.
- Button Text: This is the text that will appear on the Phish Alert Button in the user's email client.
Button Group Text: This is the text will appear under the Phish Alert Button in the user's email client.
- Add Language: Click this button to add additional languages to your Phish Alert Button instances. This feature is only compatible with specific versions of the PAB. To see if your version of the PAB is compatible with the additional languages feature, see our Adding Languages to the Phish Alert Button article.
- Save Phish Alert Settings: Click this button to save any changes made to your Phish Alert Button settings.
- Outlook PAB installer for Windows: Download this PhishAlertButtonSetup.exe installation file to download the latest version of the PAB for Microsoft Outlook.
- PAB manifest for Microsoft products: Download this manifest file to install the PAB for Microsoft 365 or Microsoft Exchange.
- Chrome Extension PAB config file: Download this is the config file to install the PAB for Google Workspace.
Send Gmail PAB Add-on Magic Mail: Click this button to send activation emails to your users using Magic Mail. For more information, see the Sending Activation Emails Using Magic Mail section of our Gmail Phish Alert Button (PAB) Add-on Product Manual.
Note: All settings, except Enable Phish Alert and Send Non-Simulated Emails to:, will be applied to the mail client once it has restarted. The updated settings for the Send Non-Simulated Emails to: option will be applied once a user clicks the PAB to report an email.
PAB Installation Guides
Installation of the PAB depends on the mail environment in your organization. Our PAB installation guides are listed below:
Hybrid Phish Alert Button Product Manual
- This product manual is for the hybrid PAB for Microsoft 365 and Microsoft Exchange
- Gmail Add-On Product Manual
- Outlook (EXE Version) Product Manual
- Google Workspace (Chrome) Product Manual
In addition to our installation guides, you can watch review our Phish Alert Button Installations and User Experiences video tutorial and review our PAB Compatibility Matrix to determine which PAB is right for your organization.
Multiple PAB Instances
You can set up multiple instances of the PAB for your organization. Setting up multiple instances allows you to define unique settings for specific users, such as prompt messages or additional languages. When you add a PAB instance, you will receive an additional license key and you can customize the instance's settings.
To set up multiple PAB instances, see the articles below:
- How to Set Up Multiple Phish Alert Button Instances
If you have a paid account, your Dashboard will display a graph that tracks how many phishing emails your users have reported. You can download a CSV file that includes the following data: the date, the number of times the PAB was used, and whether the emails were simulated or non-simulated.
You can see which phishing emails a user reported in their user profile area, as well as on the Users tab of any phishing campaign in the console.
PAB User Activity
You can see which of your users are reporting messages with the PAB by navigating to Account Integrations > Phish Alert > See PAB User Activity.
From your Account Settings, you can view the PAB User Activity page. This page includes data such as when your users last used the PAB and how many times they've used the PAB. To see the PAB User Activity page, follow the steps below:
- In your KMSAT console, click your email address at the top-right corner of the page and select Account Settings.
- Navigate to Account Integrations > Phish Alert.
- Click See PAB User Activity. Once you click this link, the page will open.
The PAB User Activity page displays each user's email address along with their PAB instance, activity, and the globally unique identifier (GUID) for their workstation. The Latest Activity column displays the date and time when the user last used the PAB. The Activity Count column displays the total number of times the user has used the PAB.