Integrating Microsoft Defender with Keepnet Phishing Reporter

This integration allows your employees to report suspicious emails using the Keepnet Phishing Reporter button, forwarding them to both your SOC team and Microsoft Defender. Additionally, reported emails are sent to Keepnet’s Incident Responder, enabling deeper analysis and enhanced tracking while maintaining your current reporting workflow.

Key Benefits:

• Dual Reporting: Emails reported via the Keepnet Phishing Reporter button are forwarded to both Microsoft Defender and Keepnet’s Incident Responder (if Incident Responder is purchased) for comprehensive threat analysis.

• SOC/IT Reporting: Reported emails are also delivered to the SOC/IT team's mailbox for manual review and internal investigation.

• Simulation Tracking: During phishing simulations, Keepnet tracks users who report simulation emails, enabling administrators to measure awareness and deliver targeted training.

Steps to Set Up the Integration

Please follow the steps below.

1. Log in using your global admin credentials and navigate to the Microsoft 365 Defender portal > Investigation & Response > Actions & Submissions > Submissions.

2. Click the User reported settings option in the right-hand panel.

3. In the 'Send reported items to:' section, please select the 'Microsoft and my reporting mailbox' option.

4. In the 'Add an Exchange Online mailbox to send reported messages to:' field, enter the email address, such as your SecOps mailbox or a Shared email address. If you don't have an email address, please create a shared mailbox.

5. Click the Save button to apply changes.

After you have configured these settings in Microsoft 365 Defender, you’ll now need to configure the rest of the settings in the Keepnet platform under the Phishing Reporter menu.

• Log in to the Keepnet platform.

• From the left menu, click Phishing Reporter, then go to Settings.

• Customize your Phishing Reporter button as needed.

• After customization, click on the Email Settings tab and follow the steps below:

  • Enable the Microsoft 365 Defender Integration option.

  • In the 'Defender Submission Email' field, enter the same address used in step 6 of the Microsoft Defender configuration.

  • Optionally, if you also want the SOC team to receive reported suspicious emails in their inboxes, please enable the 'Information Email' option and complete the required fields.

• After configuring these, click MANAGE AND DOWNLOAD.

• Click the CONNECT button to authorize Graph API access, so Keepnet Phishing Reporter can work with your Microsoft 365.

• Upon successful authorization:

  • Download the Ribbon or Page View version of the reporter button as an XML file.

  • Follow the deployment steps below to add the button to users’ Outlook apps.

You can now deploy the Keepnet Phishing Reporter button to test groups or all users using one of the following methods:

1. Deploy Microsoft Ribbon Phishing Reporter

2. Suggested: Deploy Microsoft Page View Phishing Reporter

What Happens When a User Reports a Suspicious Email?

When an employee reports a suspicious email using the Keepnet Phishing Reporter, the following workflow is triggered:

1. The reported email is sent to Microsoft Defender under the Submissions page for automated analysis.

2. The email is simultaneously forwarded to Keepnet Incident Responder (if licensed) for advanced case management, automated triage, and analysis.

3. The same reported email is also sent to SOC/IT teams (if enabled), as well as any configured CC or BCC recipients, for manual investigation and review.