SaaS Security - Office 365 Email - User Reported Phishing

Email users are key in fighting against phishing. Users can help to detect missed attacks, and let the security admins to block the detected attacks as well as future similar attacks.
Microsoft offers a built-in Mark as Phishing buttons in Outlook. When clicking on the buttons Microsoft gets notified on the suspected missed phishing, and many organizations encourage their users to report any suspicious email.
Avanan can integrate into this 'missed phishing' mechanism, present the reports in the portal, and allow the admins to investigate and take actions as needed. When enabled, SmartPhish will capture emails sent to This is the default behavior when phishing is reported on both the web and desktop clients.


  • Present potentially missed attacks in the Avanan console.

  • Integrated solution for the security admins to investigate and take actions.

  • Simple, powerful way to increase end-users involvement and interact with them.

Enable User Reported Phishing

  1. To enable this integration:

  2. Navigate to User Interaction > Configuration

    Find the Import Office365 emails reported by users. Select which type of event to generate - Alert or Phishing.

  3. Click Ok.


Enable Report Phishing in Outlook

The ability user reported on phishing is enabled by default in Outlook.

Office365 administrators can add the Report Message add-in to their users’ desktop clients if it is not already enabled. In order to do so, refer to this documentation from Microsoft.

Report email as phishing from Outlook

Web Client













Desktop Client















User Reported Phishing Screen

The user reported phishing screen allows to view the phishing reports made by the end users. Whenever a user marks an email as a suspected phishing, a new entry is created in the screen, and the administrator can review it and perform the relevant actions.

Available actions:

  1. Quarantine: move the reported email to the quarantine.

  2. Create blocklist rule: create a blocklist rule to block future similar attacks. Emails matching to the criteria can be quarantined as well.

  3. Decline: ignore the report. The corresponding event is also dismissed.
    Note that dismissing the event does not dismiss the corresponding entry in the reported phishing screen.