PAB User Comments and Email Disposition Guide
The User Comments and Email Disposition feature for the Phish Alert Button (PAB) allows your users to add comments and decide the disposition of an email when they use the PAB. This new feature can provide your IT security team with the reported email’s disposition as an early warning of possible phishing attacks or malicious emails. Your IT security team can then take effective action to prevent security or network compromise.
Note: The User Comments and Email Disposition feature is available for the Hybrid Phish Alert Button, Microsoft 365 (Outlook 2016 or above, Outlook Web Access), Microsoft Exchange (2013 or above), and for the Gmail Phish Alert Button (PAB) Add-on. This feature supports localized text entries.
Click the links below to learn how to enable this feature, how this feature works, and how your users can use this feature in their inboxes.
Enabling User Comments and Email Disposition
To allow your users to send comments and decide the email’s disposition, follow the steps below:
- Log in to your KnowBe4 console and navigate to your Account Settings screen. This screen will look different depending on your account version. For more information, see the Enable and Configure section of our Phish Alert Button (PAB) Product Manual.
- Navigate to Account Integrations > Phish Alert.
- Select the Enable Phish Alert check box.
- If a Phish Alert instance does not exist, click the green Add Phish Alert Instance button.
- Select the Allow users to leave comments and disposition check box.
When your users click the PAB to report an email, the sidebar will include options to suggest the disposition of the email. The possible dispositions are Phish/Suspicious, Spam/Junk, and Unknown. For more information about each of these dispositions, see the list below:
- Phish/Suspicious: These emails are sent by cybercriminals to entice you to click on a link or to give up personal or sensitive information.
- Spam/Junk: These emails are typically sent from companies trying to sell your users a product or service.
- Unknown: Your users can select this option if they are unsure whether an email is a phish or spam. This is the default setting.
You can set different email addresses as recipients based on the disposition that your users select. For example, you can specify one email address to receive spam emails and another email address to receive emails that your users suspect are malicious. To set a recipient, enter email addresses in the fields under Send Dispositioned Email to:.
Users are not required to suggest a disposition when using the Phish Alert Button. For more information on the difference between phishing and spam emails, see our How to Use the Phish Alert Button (PAB) Downloadable PDF File.
Your users can use the Add a comment section to tell your security team why they chose to classify the email as Phish/Suspicious, Spam/Junk, or Unknown. This text box can be used to explain any potential red flags that your users noticed in the email. These comments can help your security team get a better understanding of what indicators they should look out for when reviewing the reported emails. Users are not required to add a comment when using the Phish Alert Button.
When your users submit user comments, you can view the comments either in PhishER or in the PAB notification emails. In the PAB notification emails, the user comments will be attached as a .json file and displayed in the User Comments section.
For information about viewing user comments in PhishER, see the PhishER Integration section below.
You can also view your users' suggested dispositions and comments in your PhishER platform. Using PhishER, you can further categorize suspicious emails and determine if these emails are legitimate.
In PhishER, the Phish/Suspicious and Spam/Junk dispositions will appear as tags on individual emails. You can use these tags to separate your users' suggested dispositions from other tags in PhishER. The word User: will appear in front of the Phish/Suspicious and Spam/Junk tags. No tag will appear for an email that is reported as Unknown.
You can view all user comments in the Discussions tab on the right side of the Message Details page. Each user comment will appear in the corresponding email, along with the user's name.
If your organization uses Microsoft Defender for Office 365, you can send reported emails to Microsoft. If you enable both the User Comments and Email Disposition feature and the Enable Microsoft 365 Defender Integration feature, you can specify an email address for your Microsoft account’s Submissions page to receive reported emails with your users' suggested dispositions. For more information about this integration, see our How to Integrate Microsoft Defender for Office 365 with the Phish Alert Button (PAB).
The User Comments and Email Disposition feature is compatible with the Hybrid PAB, Microsoft 365 (Outlook 2016 or above, Outlook Web Access), Microsoft Exchange (2013 or above), and with the Gmail PAB Add-on. When a user clicks on the Phish Alert Button to report an email, the Phish Alert sidebar will appear. Once your users select the email's disposition and add comments, they will click on the Phish Alert button to report the email.