Starting May 10, 2021, the ExchangeManifest and M365Manifest files will be combined into a single file, PhishAlertManifest, for an easier installation process. For more information on this new process, please see our Hybrid Phish Alert Button Product Manual.
The Phish Alert Button (PAB) add-in for Exchange 2013/2016/2019 gives your end-users the ability to report suspicious emails and empowers your employees to take an active role in managing the problem of phishing and other types of malicious emails. The tool can also provide your IT or risk management team with early warning of possible phishing attacks or malicious emails so they may take timely and effective actions to prevent security breaches or network compromise.
Paid Integration: If you are using our full-featured Phishing and Training console, the PAB will also track if your users report our simulated phishing emails, so you can see which users are successfully identifying potentially malicious emails.
We encourage you to inform all of your users of this tool before making it accessible. Below are helpful resources that you can use to assist with your implementation of the PAB:
- Best Practices for PAB Implementation (For admins)
- How do I Use the Phish Alert Button for Exchange? (For end-users)
For instructions on how to enable and configure your PAB in the admin portal, visit our main PAB article.
For more information on PAB's compatibility with different mail clients and servers, see our PAB Compatibility Matrix.
This installation requires one of the following mail servers:
- Exchange 2013 - version 15.0.847.32 (SP1) or newer
- Exchange 2016 - version 188.8.131.52 (RTM) or newer
- Exchange 2019
- Microsoft 365 (formerly Office 365)
- Please note: If your user is using Outlook Online the Exchange version of PAB will not display.
- If you're using OSX High Sierra versions of 10.13.3 or newer, PAB is supported by Mac Outlook 2016.
You must enable and configure your PAB in the admin portal and download the following file to begin installation:
- ExchangeManifest.xml file (download)
If you are using Internet Explorer, please click here to follow the necessary steps to run PAB on your PCs.
How to Install in the Exchange Admin Center
To deploy the PAB on your Exchange server, please:
- Log in to your mail server Admin portal. Then navigate to Exchange Admin Center > Organization > Add-ins. If you are using Exchange 2013 and have a different Admin Center view, please use these steps to access the Apps screen.
- Then click the (+) to add a new add-in and select the Add from file option.
- Click the Browse button and add the ExchangeManifest.xml file from your Account Settings and click Next.
- Make sure the Make this add-in available to users in your organization and the Mandatory, always enabled. Users can't disable this add-in options are checked.
- Click the Save button to finish the installation.
How to Install on Microsoft 365
The images below display the following installation steps performed in the Microsoft 365 admin portal. The Exchange interfaces will be slightly different but the instructions can still be performed.
In order to use the PAB, you must enable the Connected Experiences option in your Outlook. To do so, please follow the instructions below:
- Go to File > Options > Trust Center > Trust Center Settings.
- From Trust Center Settings, go to Privacy Options then Privacy.
- Enable Optional Connected Experiences.
Once you've enabled Connected Experiences, follow the steps below to install the PAB.
If the steps below do not match your current view, click here to view an alternate way to reach the Add-ins page.
- Log in to your mail server Admin portal. Under the Settings menu, click Integrated Apps and then Add-ins at the top of the page.
- From the Add-ins screen, click Deploy Add-In. This will open a wizard, click Next to continue.
- From the Deploy a new add-in window, click the Upload custom apps option.
- Click Deploy Add-In.
- Click Next to advance through the wizard.
- Select Upload custom apps.
- From the Deploy, a new add-in screen, select I have a manifest file (.xlml) on this device then click Choose File.
- The Add From File pop-up window will open. Click the Choose File button. Then, locate and add the ExchangeManifest.xml file from your Account Settings and click the Upload button to install.
- Under Assign Users, select the Everyone option. We recommend that you select the Fixed option under Deployment Method, but you can choose any of the other deployment methods.
- Then click Deploy to finish the installation.
- This is how the add-in will look once configured in the Services & add-ins area. Please note, if you are using Microsoft 365, it can take up to an hour for the PAB add-in to be visible.
How to Uninstall
- Log in to your mail server Admin portal. Then, navigate to Admin centers > Exchange > dashboard > Services & add-ins.
- Select the Phish Alert add-in. Then, click Remove add-in.
The image below is only for the OWA version of PAB as it also works with the Outlook client.
Once installed, the PAB add-in will appear as clickable Phish Alert text on any open email.
A user can report any email as a phishing email. The reported email will be in the user's Sent Items as a forwarded message and will be deleted from the user's Inbox. If the user incorrectly reported the email, they can retrieve it from their Deleted items/Trash.
To instruct your users on how to use the PAB, you can provide our How do I use the Phish Alert Button for Exchange? article.
Note: The PAB uses Campaign Recipient ID (CRID) validation to detect whether or not an email that is marked with a training header is a simulated phishing email. If a message has a valid CRID and is reported for the first time (within the past hour) from the same account where the PAB was installed, it will be treated as simulated. A simulated message will be deleted and only shown as reported in the console instead of forwarded to PhishER.
New Outlook User Experience
The New Outlook experience is not compatible with the Exchange Server PAB through the Outlook Web App. This new experience is exclusive only to Microsoft 365 customers.
However, if you are using Exchange as your server and are not a Microsoft 365 customer, the Phish Alert Button will be supported by the Outlook Web App.
- Video: PAB Installation and User Experience
- How Do I Change the Phish Alert Text for Server-Based PAB (Exchange & Microsoft 365)
- Multiple Phish Alert Button Instances (Multi-PAB): Microsoft 365/Exchange
- PAB Compatibility Matrix
- FAQ: Phish Alert Button (PAB)