The Phish Alert Button (PAB) add-in for Microsoft Outlook, Microsoft Exchange, Microsoft 365, and Google Workspace gives your users the ability to report suspicious emails.
In this article, you will learn how to enable and configure the PAB, choose the PAB installation guide best suited for your organization, and set up multiple PAB instances.
To learn how installing the PAB can benefit your organization and for best practices, see our Best Practices for Phish Alert Button (PAB) Implementation article.
What Data Is Sent to Our Servers?
The PAB communicates with our API over TLS 1.2, so the connection is encrypted in transit. The external IP address, user agent, and other standard browser information are sent to us as part of the standard HTTPS communication.
The information that is sent from the user's machine to our servers is listed below:
- License Key
- PAB version
- Operating system (OS)
- Operating system architecture
  - This is either 32-bit or 64-bit.
- Microsoft Outlook version
- Windows configured language
  - This is the language code. For example, EN for English, DE for German, and so on.
- Operating System ID
  - This is a random GUID generated for each individual workstation.
- User's email address
  - We do not store a user's email address unless it is already in our system.
When the user reports an email that is not a simulated phishing email, the reported email will not be sent to us unless you have the Send Us a Copy setting enabled in your Account Settings. When this setting is enabled, reported emails are forwarded to us, and to the email addresses specified in your Account Settings. For more information about this setting, see the Enable and Configure PAB section below.
Enable PAB
Before you install the PAB, you will need to enable and configure the PAB in your Account Settings. To enable the PAB, follow the steps below.
- Log in to your KnowBe4 console and navigate to your Account Settings screen. This screen will look different depending on your account version.
  - Free Version: If you have a free account, log in to your console and click the Get Started button. When you click it, you will be taken to the Phish Alert Enabled screen. Skip to Step 3 for further instructions.
  - Paid Version: If you have a paid account, log in to your console and click on your email address in the top-right corner of the screen. Then, select Account Settings.
- Navigate to Account Integrations > Phish Alert.
- Select the Enable Phish Alert checkbox.
- Click the Add Phish Alert Instance button.
Note: If you have already enabled and configured one PAB instance, a pop-up window will ask you to confirm if you would like to create a new instance. For more information about setting up multiple instances, see our Set Up Multiple Phish Alert Button Instances article.
Phish Alert Settings
Configure your PAB by filling out the fields in your Account Settings. For information about these fields, see the list below:
- Enable Phish Alert: Select this check box if you would like to enable PAB for your account. If you deploy the PAB in your organization but you don't select this check box, your organization's PAB reports will not be recorded.
- Select PAB Version: From the drop-down menu, select the version of the PAB you want to edit for this PAB instance.
  Note: Depending on the version of the PAB you select, different fields will be displayed underneath the Email Format section. For example, the Enable Microsoft 365 Defender Integration toggle will display for Microsoft PABs, and the Enable Automatic PAB Activation toggle will appear if you select the Google PAB. For additional information, you can review the corresponding PAB product manual for the selected PAB version.
- Setting Name: Enter a name for your PAB instance.
- Icon: Upload your own custom icon for the PAB. If you do not upload a custom icon, the default PAB icon will be used. To learn more about the image requirements for the icon, see our Change the Phish Alert Button (PAB) Icon article. If you have previously installed the PAB and this is your first time adding a custom icon, you will need to reinstall the PAB for the change to take effect.
- License Key: This field displays the license key associated with this PAB instance. Use the license key to install the PAB on your workstations. If you are using Google Apps with the Google Workspace Chrome extension, your license key is automatically built into your config .json file.
  Note: A two-digit environment indicator is included at the beginning of the PAB license key, to specify which environment the license key is from, such as the US, EU, CA, etc. The environment indicator is not available for the PAB for Outlook or HCL Domino (Lotus).
- Limit CRID Validation: Enable this setting to allow a reported email with any Campaign Recipient ID (CRID) header to be classified as a simulated phishing email. When this option is not selected, the PAB uses CRID validation to detect whether or not an email that is marked with a training header is a simulated phishing email. If an email has a valid CRID and is reported for the first time within the past hour from the same account where the PAB was installed, it will be treated as a simulated phishing email. A simulated phishing email will be deleted and only shown as reported in the KSAT console instead of being forwarded to PhishER. The PAB for HCL Domino (Lotus) does not use CRID validation.
  Important: Enabling this setting is not recommended. However, you can enable this setting if CRID validation is causing simulated phishing emails to be reported as non-simulated phishing emails.
- Email Format (Hybrid PAB and Microsoft Ribbon PAB Only): Select how forwarded emails from the PAB should be formatted.
- Send Non-Simulated Emails to: If a user reports a non-simulated email, you can send a copy of this email to specific users in your organization. To send these users a copy of these emails, enter the users' email addresses in this field. Email addresses must be separated by commas. Any simulated emails will not be forwarded.
- Add PhishER Email Address: Click this button to add the first reporting email address from your PhishER account in the Send Non-Simulated Emails to: field.
  Note: If you set up an account with PhishER already enabled, the reporting email address will be automatically entered in the field. If you would like to remove this email address from the list, click the Remove PhishER Email Addresses button.
- Send Us a Copy: Enable this setting to send a copy of reported non-simulated phishing emails to KnowBe4 for analysis. This email will include the original email header. We can use these emails to create phishing templates to use in future simulated phishing attacks. To learn more about sharing emails with us, see our Share Reported Phishing Emails with KnowBe4 Using the Phish Alert Button (PAB) article.
PAB Specific Settings
The settings below will allow you to customize the PAB and will vary based on the PAB version you select.
- Enable Microsoft 365 Defender Integration: Select this check box if you would like to send a copy of reported emails to Microsoft's Submissions page. For more information, see our Integrate Microsoft Defender for Office 365 with the Phish Alert Button (PAB) article.
  Note: If you enable this setting but don't enable the Allow users to leave comments and disposition setting, your users can only select the Phishing or Suspicious or Spam or Junk disposition for reported emails.
- Submit Reported Emails to: Enter the email address associated with your Microsoft account’s Submissions page and SecOps mailbox.
- Save a copy of reported emails: Select this check box if you would like the PAB to save a copy of reported emails in the Sent folder of the user who reported them.
- Autofill Phishing Languages with PAB Locale (Hybrid PAB and Microsoft Ribbon PAB Only): If you enable this setting, the PAB will autofill your users' profiles with their preferred phishing languages if that field is blank. For more information on how to set individual user languages, see our Localization Guide.
- Enable Email Forwarding (Hybrid PAB and Microsoft Ribbon PAB Only): If you enable this setting, you will be able to forward emails to services that require email forwarding, such as Proofpoint. Enter any additional forwarding email addresses in the Send Non-Simulated Emails to: field, and change the Email Format setting to MSG.
- Exclude original body text from reported emails (Hybrid PAB, Gmail Add-on PAB, Microsoft Ribbon PAB, and PAB for Outlook Only): Select this check box to exclude the body text in the copy of reported emails. The original body text will only be included in the attached EML or MSG file.
- Send email headers as TXT attachments: Select this check box if you would like to include the headers of the reported message in a text (.TXT) file attachment.
- Add the reported message's headers to the forwarded message's body: When your users report a non-simulated email, the message headers will be added to the forwarded message's body. This requires that you have a forwarding address in the Send Non-Simulated Emails to: section of your PAB settings.
- Allow users to leave comments and disposition: Enable this setting to allow your users to add comments and decide the disposition of an email when they use the PAB. For more information, see our Phish Alert Button (PAB) User Comments and Email Disposition Guide.
- Disable Unknown Email Disposition: Select this check box if you would like to exclude the Unknown disposition from options your users can choose when they use the PAB.
- Default Disposition: Select a disposition option to set as the default disposition for your PAB instance. The default disposition is the option that will be displayed as selected when users click the PAB.
- Send Dispositioned Emails to: Enter the additional forwarding email addresses based on the reported email's disposition in the disposition fields below. For more information, see our Phish Alert Button (PAB) User Comments and Email Disposition Guide article.
Language Settings
This section of the settings will allow you to modify the language settings and messages displayed to your PAB users.
- Add Language: Click this button to add additional languages to your PAB instances. This feature is only compatible with specific versions of the PAB. To see if your version of the PAB is compatible with the additional languages feature, see our Phish Alert Button (PAB) Language Aware Feature Guide.
- Language drop-down menu: From the drop-down menu, select a language you would like to use for the PAB instance.
- Make Default: Select this check box to set this language as the default language for your PAB instance.
- Forwarded Email Prefix: This prefix will be added before the original subject line when a non-simulated phishing email is forwarded to the recipients you set in the Send Non-Simulated Emails to: field.
- Confirmation Message: This message will be displayed to users after they click the PAB. By default, this message asks the user to confirm whether or not they want to report the email. This field has a maximum of 255 characters.
- Show a response when the user reports a non-simulated phishing email: If you enable this setting, the user will see this message when they report a non-simulated phishing email. This field has a maximum of 469 characters for the Client PAB and 500 characters for the Server PAB.
- Show a response when the user reports a phishing security test email (Paid Only): If you enable this setting, the user will see this message when they report a simulated phishing email. This field has a maximum of 469 characters for the Client PAB and 500 characters for the Server PAB.
- Response Duration __ seconds: Set the length of time the email response messages appear on the screen. The maximum duration is 60 seconds.
- Button Text: This is the text that will appear on the PAB in the user's email client.
- Button Group Text: This is the text that will appear under the PAB in the user's email client.
- Comments and Disposition Settings: Enter your own text to customize the labels and descriptions for the PAB dispositions. If you do not customize the dispositions, the default text will be used. To display the disposition descriptions to your users, turn on the toggles next to the disposition label fields. For more information, see our Phish Alert Button (PAB) User Comments and Email Disposition Guide.
Download and Permissions
The settings below allow you to view documentation, download the PAB manifest file, and authorize permissions.
- Save Phish Alert Settings: Click this button to save any changes made to your PAB settings.
- View Guide: Click this button to open the product manual for the selected version of the PAB.
- Download: Click this button to download the installation, manifest, or configuration file for the selected version of the PAB. One of the following files will be downloaded:
  - PhishAlertButtonSetup.exe (PAB for Outlook)
  - PhishAlertManifest.xml (PAB manifest for Microsoft products)
  - PhishAlertManifestMSR.xml (Microsoft Ribbon Phish Alert Button)
  - Phish_alert_configuration.json (Chrome Extension PAB config file)
- Accept Microsoft Permissions to Authorize GRAPH APIs for the PAB: Click this button to open the Microsoft 365 page. Then, review and accept the permissions to authorize the PAB to use Microsoft's Graph APIs.
- Authorize NAA-SSO for GRAPH APIs: Click this button to open the Microsoft 365 page. Then, review and accept the permissions to authorize the PAB to use Microsoft's Nested App Authentication (NAA-SSO).
  Note: If you select the Gmail PAB add-on version, the following button will be displayed.
- Send Gmail PAB Add-on Magic Mail: Click this button to send activation emails to your users using Magic Mail. For more information, see the Sending Activation Emails Using Magic Mail section of our Gmail Phish Alert Button (PAB) Add-on Product Manual.
Note: All settings, except Enable Phish Alert and Send Non-Simulated Emails to:, will be applied to the mail client once it has restarted. The updated settings for the Send Non-Simulated Emails to: option will be applied once a user clicks the PAB to report an email.
PAB Installation Guides
Installation of the PAB depends on the mail environment in your organization. Our PAB installation guides are listed below:
- Hybrid Phish Alert Button Product Manual
  - This product manual is for the hybrid PAB for Microsoft 365 and Microsoft Exchange.
- Gmail Phish Alert Button Add-On Product Manual
- Microsoft Outlook (EXE Version) Phish Alert Button Product Manual
- Google Workspace (Chrome) Phish Alert Button Product Manual
- Microsoft Ribbon Phish Alert Button Product Manual
In addition to our installation guides, you can review our PAB Compatibility Matrix to determine which PAB is right for your organization.
Multiple PAB Instances
You can set up multiple instances of the PAB for your organization. Setting up multiple instances allows you to define unique settings for specific users, such as prompt messages or additional languages. When you add a PAB instance, you will receive an additional license key and you can customize the instance's settings.
To set up multiple PAB instances, see the articles below:
PAB Reporting
The PAB is available for both free and paid KnowBe4 accounts. The PAB offers additional information about your users' clicks based on your account type.
- If you have a free account, your console Dashboard will display a graph that tracks how many phishing emails your users have reported. You can download a CSV file of this data, which will include the date and number of times your users clicked the PAB.
- If you have a paid account, your Dashboard will display a graph that tracks how many phishing emails your users have reported. You can download a CSV file that includes the following data: the date, the number of times the PAB was used, and whether the emails were simulated or non-simulated.
You can see which phishing emails a user reported in their user profile area, as well as on the Users tab of any phishing campaign in the console.
PAB User Activity
You can see which of your users are reporting messages with the PAB by navigating to Account Integrations > Phish Alert > See PAB User Activity.
From your Account Settings, you can view the PAB User Activity page. This page includes data such as when your users last used the PAB and how many times they've used the PAB. To see the PAB User Activity page, follow the steps below:
- In your KSAT console, click your email address at the top-right corner of the page and select Account Settings.
- Navigate to Account Integrations > Phish Alert.
- Click See PAB User Activity. Once you click this link, the page will open.
The PAB User Activity page displays each user's email address along with their PAB instance, activity, and the globally unique identifier (GUID) for their workstation. The Latest Activity column displays the date and time when the user last used the PAB. The Activity Count column displays the total number of times the user has used the PAB.