How to set up a rule to send phishing attack alerts in Microsoft Exchange

Empower your employees to easily notify IT security personnel of a phishing attack with a simple Exchange rule. Learn how to set one up below.

When it comes to enterprise phishing emails, the most effective defence is a well-trained and educated workforce. While technologies like artificial intelligence and machine learning may stop many phishing emails from getting through to user inboxes, those tech solutions cannot overcome the careless click of a malicious link when the technology fails.

A 2018 report from Comodo Security shows that about 50% of an enterprise’s computer-using employees will click on a link sent via email from an unknown user without first thinking of the potential consequences. To overcome this lack of urgency, IT professionals should task the entire workforce with the responsibility of immediately reporting phishing emails when they are uncovered.

The Office 365 add-in, Report Message, allows Outlook users to report a phishing or other suspicious email with the click of a single icon on the standard Office Ribbon interface. However, by adding a new rule to Microsoft Exchange, your organisation’s IT security team can also receive a copy of the report and be notified – with no additional effort on the employee’s part.

Set up the Rule

Creating or modifying rules using the following technique requires Exchange Online administrator privileges. This tutorial also assumes you have installed and enabled the Report Message add-in for Outlook.

Open the online portal to Office 365 and log on with administrator credentials. Navigate to the Admin Center and then open the Exchange Admin Center submenu. Click the Mail Flow link in the left navigation bar. You should see a screen similar to the screenshot below. (Please note this example has no rules yet.)

Click on the Plus button to create a new rule. Name your new rule (Phishing Submission) and then open the Apply this rule if dropdown box. Choose the entry: The recipient address includes. Add these two email addresses to the list as shown in the below screenshot.

  • junk@office365.microsoft.com
  • phish@office365.microsoft.com

In the Do the following box, choose the Bcc the message to entry and add the appropriate security administrator or team as designated by your intrusion detection policy. Set the Audit this rule with severity level to medium, as shown in the below screenshot, and click Save.

Once this rule is established, whenever an employee reports an email using the Report Message add-in, the appropriate security personnel will receive a copy of the message automatically. This will allow your security teams to act swiftly and decisively to mitigate and counteract phishing attacks in accordance with your organisation’s policies.
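
The same rule can be created from Exchange Online PowerShell, which makes it repeatable and easy to verify. The script below is an added example, not part of the original tutorial. It assumes the ExchangeOnlineManagement module is installed, that the "recipient address includes" condition maps to the RecipientAddressContainsWords parameter, and that security-team@example.com is a placeholder for your own security mailbox.

```powershell
# Added example: scripted equivalent of the Exchange Admin Center steps above.
# Requires the ExchangeOnlineManagement module and Exchange administrator rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$RuleName        = 'Phishing Submission'
$SecurityMailbox = 'security-team@example.com'   # placeholder, replace with your own
$ReportAddresses = @(
    'junk@office365.microsoft.com',
    'phish@office365.microsoft.com'
)

# Settings shared by the create and update paths.
$RuleSettings = @{
    RecipientAddressContainsWords = $ReportAddresses   # "The recipient address includes"
    BlindCopyTo                   = $SecurityMailbox   # "Bcc the message to"
    SetAuditSeverity              = 'Medium'           # "Audit this rule with severity level"
}

# Create the rule, or bring an existing rule of the same name back in line.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
if ($existing) {
    Set-TransportRule -Identity $RuleName @RuleSettings
} else {
    New-TransportRule -Name $RuleName @RuleSettings
}

# Read the rule back and check what was actually stored.
$rule = Get-TransportRule -Identity $RuleName
$rule | Format-List Name, State, RecipientAddressContainsWords, BlindCopyTo, SetAuditSeverity

$missing = $ReportAddresses | Where-Object { $_ -notin $rule.RecipientAddressContainsWords }
if ($missing) {
    Write-Warning "Rule is missing report addresses: $($missing -join ', ')"
}
if ($rule.BlindCopyTo -notcontains $SecurityMailbox) {
    Write-Warning "Rule does not Bcc $SecurityMailbox"
}
if ($rule.State -ne 'Enabled') {
    Write-Warning "Rule '$RuleName' exists but is not enabled"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Running the script a second time updates the existing rule instead of creating a duplicate, so it can also be used to detect and correct drift in the Bcc recipient.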