PAB Enhancement: Outlook Report Message add-in
Answered
As a company that is making heavy use of Microsoft's outlook and ATP features, we'd like to include the legitimate junk and phishing messages that our users report with the PAB in our reporting. By having the PAB report the non simulated phishing emails to Microsoft, we would have better reporting metrics on incoming spam and junk, and this would also theoretically improve our company's ability to filter malicious email coming in before it reaches our users.
Patrick B.also shared the same idea in a comment: https://support.knowbe4.com/hc/en-us/community/posts/360020785033/comments/360005099754
Report Message Add-in: https://docs.microsoft.com/en-us/office365/securitycompliance/enable-the-report-message-add-in
-
Official comment
Hi Jacob,
Thanks for the great suggestion and for including links to a previous community board post as well as that Microsoft article. I've submitted a feature request on your behalf which is sent to our development team for their review.
Maddy
KnowBe4Comment actions -
Laura,
Thanks for reaching out! At this time the feedback provided by our community is still being reviewed and considered by our development teams. As such, there isn't an available timeline or estimate on if this will be developed. However, it would make a great feature!
Please let us know if you have more feedback or suggestions for our team. The more feedback we get, the more our development team sees an interest in certain products and content!
Kaiser
KnowBe4
-
We would love this feature as well, though I think there might be a novel workaround here. All Microsoft's Report Message Add-In does when an email is reported is forward an attachment of the email in question to either junk@office365.microsoft.com or phish@office365.microsoft.com. Per this setup article for Microsoft's add-in, it may be possible to intercept these messages when reporting and do something with them. On the KnowBe4 side, it doesn't look like emails are reported this way.
You choose which email addresses the emails get reported to in the PAB configuration. It may be possible to add phish@office365.microsoft.com to that list so that these get reported, assuming the email is formatted properly to enable this. On the flip side, if the PAB functionality could be replicated using an inbound email address (like Office 365 does), you could use Microsoft's add-in and set up transport rules to also forward messages to KnowBe4 when reporting, excluding messages which have the Phish testing email header. This could be problematic because the phish test header is in the attached email header, not the header of the email itself. Another transport rule could intercept phish test emails (based on header) and not allow them to be reported to Microsoft. You could also make this rule send the user an email saying they successfully identified a phish testing email.
I think adding Microsoft's phish reporting address to the "also send to" in the PAB setup might work. Setting things up the other way around probably won't (at least for now), though it is feasible. Just some food for thought. -
This is something I need to find a solution with too. We've used the Microsoft "report message" add-in for 365 for over 2 years. Getting my user base to do something different is going to be a challenge for us. Users have a hard enough time with change as it is and getting them to change a routine we ingrained into them (and screamed when they didn't) is difficult.
Moreover, what KB4's phishing tool does NOT do is send the email to Microsoft for analysis - this is more of a bigger problem for org's that rely strictly on Microsoft to handle threats and classify / quarantine email (for those sys admins like myself that pay extra for 365 ATP, this is a big deal).
Also, just leaving the Report Message button in place could also skew your security phishing campaign's results in that once the email is reported, there is a likelihood that through Microsoft's analysis of emails being reported, the links in emails will be marked as clicked with data entered as MS determines the weight/value of the messages being reported within the tool. With no way to have it report back to Knowbe4, the results of campaigns must be recalculated manually only after a detailed report from the MS plugin can be produced and timestamps correlated with Knowbe4’s results to then manually rule out false results. We are also discovering that using only KB4's phishing button, our security and compliance reports are going to need a revamp in how we analyze our organization's security posture.
I hope this is something Knowbe4 will fix and resolve soon as I'm stuck here on what to do and the reason I paid top dollar for KB4 is for automating these processes – this issue hinders one of the key selling points for me.
-
Hey Matt,
Thank you for that information this is something that we are increasingly seeing with our customer base and I've spoken to the Phish Alert Button Product manager on the issue personally.
I am going to send over another feature request on the item to give it more exposure and to let our development team know that this is something that it would be a great idea to implement for companies that are going to be using Microsoft's reporting tool exclusively.
In addition, an integration would more than likely help KnowBe4 stay off of Microsoft's blacklists as well.
Thank you for letting us know about this challenge you're facing with our platform. I'm hoping that we can quickly find a resolution for you on this one!
-
Hi Jean-Luc,
Thanks for sharing on this one! I've included your details to our dev team for further consideration on this request.
Please let us know if you have more feedback or suggestions for our team. The more feedback we get, the more our development team sees an interest in certain products and content!
-
With Microsoft addition of Automated Investigation and Response, it is more important now that there become a working solution.
I have tried utilizing Microsofts monitored mailbox that you can set up to receive copies of the emails from KnowB4's phish Alert, however KnowB4 must be stripping vital information when packaging it into an .eml file, as Microsoft is unable to grab the required headers for its analysis.
I also tried adding phish@office365.microsoft.com to the Phish Alert, this produced similar behavior. Microsoft claims they are compatible with both .eml and .msg, which is true, but when I directly send the .eml file that KnowB4 generates it is not.
They have passed blame to your side. Please look into this. Or at least send the email as .msg format as this seems to be the less problematic -
Hello Corey,
Thank you for contributing to our community board! To my understanding. The Phish Alert Button does not have the permissions to modify headers when packing a .eml. So I'm not sure that is what is occurring there. I'd be glad to open a ticket for you on this item for further investigation if you would like. Our team would love to investigate the matter more closely so we can work with Microsoft to get you a working solution!
Let me know if you'd like me to open a support ticket on your behalf I'd be glad to do so.
-
Just and FYI for KnowBe4 - As we roll out Microsoft's "Report Message" add-in across our organization, were going to be retiring KnowBe4's phish alert report button. We like the phish alert report button and it works well, but the benefits of Microsoft's Report Message add-in outweigh those of KnowBe4's and we don't want to confuse our users with redundant functionality. This means we get less value out of the KnowBe4 package as a whole, which is a shame.
If integration between Microsoft's solution and KnowBe4's solution is enhanced in the future, we will gladly revisit this choice.
-
Hello Alex,
I'm sorry that you're not finding what you need with our Phish Alert Button. I'll get that information over to our development team so that we can do our best to find a solution that works for you. I've also notified your CSM of this so when we do have a solution that meets your needs they can reach out to you so you can revisit this item.
We appreciate the feedback!
-
I'm really sad to see all these posts and this integration can't be setup. All things considered, KnowBe4 is awesome but this is an essential part of the subscription - there are so many o365-based clients that are requesting this, It's hard to believe this can't be worked around. I, too, have had to pull the plug on phish alert because we use Report Message too and nothing is getting done to resolve this! We keep getting told this would be sent to development but this has been said for almost a year and nothing done to fix it.
-
Hey Matt,
I apologize for the delay in responding on this one. I wanted to personally make sure that the product manager of the Phish Alert Button was aware of this request. While we don't have any additional movement on the item we absolutely understand your frustration and all of the correct people to make the decision on this are aware!
I thank you for your continued contributions and I'm hoping that we can have a solution for you that allows you to use the product in tandem with O365.
-
We are also at a crossroads, as we've switched to rely on O365 for mail filtering, we'd like to leverage their message marking capacities which need the functionality of their Report Message add on. We've had the phish alert button for a number of years, but are looking to solve this issue or switch out the button for our end users.
Please sign in to leave a comment.
Comments
17 comments