Organizations usually have a mailbox that receives emails reported as phishing by users so that they can be investigated. Defend monitors the specified abuse mailbox to see what end users are reporting and automatically remediates malicious and persistent phishing threats. Event notifications can also be configured to notify admins when specific actions occur in the abuse mailbox and to provide a feedback loop to users, so they understand they are helping keep your organization secure.
Reported emails can be attached as EML files and sent to the abuse mailbox through a variety of methods:
- Emails reported using reporting buttons on the email summary page
- Phish alert buttons such as:
  - KnowBe4's Phish Alert Button (PAB)
  - Microsoft's report phish button
- Emails forwarded as an attachment
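The following added example, which is not KnowBe4 code, shows how a report forwarded as an attachment carries the original message as an EML part, so the original headers survive for triage. The addresses, the sample report and the function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Headers an analyst usually checks first; they survive only because the
# original message travels intact inside the report as an EML attachment.
TRIAGE_HEADERS = ("From", "Reply-To", "Subject", "Message-ID", "Authentication-Results")

def build_sample_report() -> bytes:
    """Constructed sample: a user report with the suspicious email attached."""
    original = EmailMessage()
    original["From"] = "IT Support <support@lookalike.example>"
    original["Reply-To"] = "collector@other.example"
    original["To"] = "user@corp.example"
    original["Subject"] = "Password expires today"
    original["Message-ID"] = "<constructed-1@lookalike.example>"
    original["Authentication-Results"] = "mx.corp.example; spf=fail; dkim=none; dmarc=fail"
    original.set_content("Your password expires today. Sign in to keep access.")

    report = EmailMessage()
    report["From"] = "user@corp.example"
    report["To"] = "abuse@corp.example"  # assumed abuse mailbox address
    report["Subject"] = "FW: Password expires today"
    report.set_content("Reporting this as phishing.")
    report.add_attachment(original, filename="reported.eml")  # message/rfc822 part
    return report.as_bytes()

def extract_reported(raw: bytes) -> list:
    """Return every reported message attached to a report email."""
    report = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in report.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "message/rfc822":
            found.append(part.get_content())  # already parsed as a message
        elif part.get_content_maintype() == "application" and name.endswith(".eml"):
            # Some clients attach the EML as a generic binary file.
            found.append(message_from_bytes(part.get_content(), policy=policy.default))
    return found

def triage_summary(msg) -> dict:
    """Collect the triage headers that are present on the reported message."""
    return {h: str(msg[h]) for h in TRIAGE_HEADERS if msg[h] is not None}

if __name__ == "__main__":
    for reported in extract_reported(build_sample_report()):
        for header, value in triage_summary(reported).items():
            print(f"{header}: {value}")
```
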
To configure the abuse mailbox, follow the steps below:
- Log in to your Defend console.
- Navigate to Settings > Abuse Mailbox Automation.
- Enter the address of your abuse mailbox.
- Use the Automatic Remediation drop-down menu to select whether emails classified as dangerous after reanalysis are all automatically remediated.
- Select which notifications are sent to users. The notifications can be sent for the following scenarios:
  - On submission
  - Benign reanalysis
  - Dangerous reanalysis
  - Phish text reanalysis
- Specify the email signature to be displayed at the bottom of the user notification emails.
- Select Save Changes at the top of the page.
- The Disabled status will change to Active when Abuse Mailbox is successfully configured.
Note: To allow KnowBe4 to send these notification emails on behalf of your organization, you may need to re-authenticate to Microsoft 365 on the Settings page. The specified Phishing Mailbox address is used to send the notification emails.
Admins can monitor emails reported to the abuse mailbox in the Defend console. The Abuse Mailbox page displays the reported emails. Emails are grouped at a campaign level to aid efficient investigation and remediation.
At the top of the page, the following statistics are displayed:
- Number of submissions analyzed
- Number waiting to be analyzed
- Number of dangerous campaigns reported
- Number of benign campaigns reported
- The accuracy of the users sending emails to the abuse mailbox
- Number of campaigns remediated
There is also a filtering option to help you triage the data. You can filter by status or reanalysis results. You can export the data to a CSV file.
The Abuse Mailbox Automation table has details on campaigns submitted with status tags attached that update dynamically as the investigation progresses. Clicking on a line entry will open a right-hand panel displaying further campaign details. You can also view the emails for investigation purposes.
If you don't have Auto-Remediation enabled, the right-hand panel will allow you to remediate the emails in the campaign. All further instances of the campaign will be auto-remediated.
Note: If you have added a phishing test entry to your Allow List, and a user submits the test email to the abuse mailbox, the email will display as Dangerous. This happens because entries on the Allow List bypass the phishing test scanning algorithms.
The following tags may appear on your abuse mailbox page.
Reanalysis tag descriptions:
- The email has been reanalyzed and is benign. These are usually spam or graymail emails submitted by users who believe them to be phishing emails.
- The email has been reanalyzed and is dangerous. If you have auto-remediate enabled, it will be remediated according to your settings. If auto-remediation is disabled, an Action Required status is displayed so that you can review and remediate manually if required.
- Displayed when the abuse mailbox submission is awaiting reanalysis.
- The email has been reanalyzed and found to be benign with some suspicious elements, but not enough to be marked as dangerous. You can view the email to investigate further.
- Emails marked as a phishing test will help you ascertain who understands the risk to your organization.

Status tag descriptions:
- The emails in this campaign have been auto-remediated according to your specified settings.
- The emails in this campaign have been remediated by you or another admin according to your settings.
- Displayed when auto-remediation is disabled, allowing you to investigate and remediate emails that have been found to be dangerous on reanalysis.
- The email submitted to the abuse mailbox is benign. No action is required by admins.
Admin notifications can be configured for the following abuse mailbox triggers:
- New submission to Abuse Mailbox email address
- Abuse Mailbox Reanalysis updated to Dangerous
- Abuse Mailbox Reanalysis updated to Benign
- Abuse Mailbox Reanalysis updated to Inconclusive
For full details, see the Defend - Event Notifications article.
You can configure notifications to be sent to users in the following scenarios:
- On submission
- Benign reanalysis
- Dangerous reanalysis
- Phish text reanalysis
The abuse mailbox address needs to be added to Microsoft Defender to integrate the Microsoft phish button with Defend. Follow the steps below to configure this feature:
- Log in to Microsoft Defender.
- Navigate to Security Center > Settings > Email and Collaboration > User Reported Settings > Reported Message > Destinations.
- Enter the abuse mailbox address in the Add an exchange online mailbox to send reported messages to text box.
- Select Microsoft and reporting Mailbox if you want to also report the email to Microsoft.
- Select Save.