Microsoft Page View Phishing Reporter
Last updated
Was this helpful?
Last updated
Was this helpful?
The Microsoft Page View Phishing Reporter is a Microsoft Outlook add-in developed by Keepnet that enables your users to quickly and securely report suspicious emails with a single click—directly from their email view pane. This helps your organization detect threats early and respond to phishing attempts more effectively.
The Microsoft Page View Phishing Reporter is built using the Microsoft Graph API and is designed to provide a seamless, modern experience across all major Outlook platforms. Unlike the traditional that appears in the toolbar, the Page View version is embedded directly within the email view pane, providing a more integrated user interface.
Outlook Web App (OWA)
Outlook Classic Desktop (Windows)
Outlook New Desktop (Windows)
Outlook Desktop App (macOS)
Outlook Mobile App (iOS and Android)
Google Chrome
Microsoft Edge
Mozilla Firefox
Safari
Opera
This cross-platform and cross-browser support ensures that your users can report suspicious emails consistently and securely on Outlook platforms, regardless of the device or environment they’re using.
When a user clicks the Phishing Reporter button, the reported suspicious email is sent to one or more destinations, depending on your organization's needs:
📌 Microsoft 365 Defender portal Emails can be submitted directly to Microsoft for further analysis and contribution to spam/phishing intelligence (optional setup).
This flexible approach allows your organization to respond quickly to threats using your preferred tools and workflows.
This allows you to:
Track individual user performance,
Identify who successfully recognized phishing simulation campaign emails, and
Generate behavior-based metrics for awareness training.
This feature helps improve your organization’s overall security posture by providing real-time insight into user vigilance. Please see the following hint for the 'real-time insights into user vigilance' explanation.
When an employee uses the Page View Phishing Reporter Add-in to report a suspicious email, the reported email will be sent with a detailed report directly to your designated SOC or IT email address.
The email that is sent to the SOC/IT team inbox includes:
The attached original email as an .eml or .msg file
The attached full message header of the original reported email as a headers.txt file
The reporting reason selected by the employee (e.g., spam, phishing, unsure)
Any additional comments the employee entered in the message box
This structured report helps your security team quickly understand the context and take action, without needing to follow up with the reporting user.
Here is an example view of the Microsoft Page View Phishing Reporter button on the New Outlook Desktop.
When using the Phishing Reporter button, clicking the report button opens a side panel instead of the pop-up window.
Once customization is complete, stay on the Settings tab. Scroll down to the bottom and click Manage and Download. A pop-up will appear—select Connect Account to proceed.
Once you log in, the Permissions requested pop-up window will display. Read the permissions, then click Accept.
The Microsoft Page View Phishing Reporter requires specific Microsoft Graph API permissions to function effectively within an organization’s Microsoft 365 environment. These permissions allow the application to interact with users’ emails, retrieve necessary details for reporting phishing attempts, and ensure smooth integration with the email infrastructure.
Below is a breakdown of the permissions required and their purpose:
1. Mail Permissions
Mail.Read: Allows the Phishing Reporter to read the user’s email to retrieve necessary email details such as headers, attachments, and content.
Mail.Read.Shared: Extends read access to shared mailboxes, ensuring that the application can retrieve phishing emails reported from shared accounts.
Mail.ReadWrite: Provides both read and write access to the user’s mailbox, enabling modifications or tagging of emails as needed.
Mail.ReadWrite.Shared: Extends read and write permissions to shared mailboxes for better handling of phishing reports.
Mail.Send: Enables the application to send emails, which may be necessary when forwarding reported phishing emails.
Mail.Send.Shared: Allows the application to send emails from shared mailboxes when the user has the appropriate permissions.
Mail.ReadBasic.All: Grants the application basic read-only access to all users’ mailboxes, allowing it to retrieve minimal message details (such as subject and sender address, attachment, body of the email) across the organization for lightweight analysis in Incident Responder or display the infomation of the reported email when it sent to SOC/IT email address.
Application.ReadWrite.All: Allows the application to read and write all applications in the directory. This is typically required when managing or registering applications programmatically to ensure integration with security tools like phishing reporters.
2. User Profile Permissions
openid: Grants access to the user's unique ID, helping in authentication and identity verification.
profile: Allows the Microsoft Page View Phishing Reporter to retrieve basic user profile information, ensuring accurate reporting and tracking.
User.Read.All: Provides the application with read access to the full set of user profiles in the directory, allowing it to collect necessary user metadata such as the userid for report association.
Once you accept the permissions, the GRAPH Authorization Successful window will display.
Click the Download button for the Page View button under the Microsoft 365 to download the Microsoft365PhishingReporterAddin.xml file.
From the menu on the left side of the page, click Settings.
From the Settings drop-down menu, select Integrated apps.
Click Add-ins at the top-right corner of the page.
On the add-ins page, click Deploy Add-In.
In the pop-up window, click Next.
Click the Upload custom apps button.
Select the 'I have the manifest file (.xml) on this device' option. Then, click Choose File and select the Microsoft365PhishingReporterAddin.xml file that you downloaded in step 6.
Click Upload to install the Microsoft Page View Phishing Reporter add-in.
From the pop-up window, select which users will have access to the Microsoft Page View Phishing Reporter and which method you would like to use to deploy the Phishing Reporter.
Click Next, and additional app permissions will display.
Once you have read the permissions, click Save.
Once the pop-up window displays a confirmation that the add-in has been successfully deployed, click Next. The Announce add-in pop-up window will open and display a message about announcement recommendations from Microsoft.
Click Close to close the pop-up window.
A: Yes. To enable a confirmation prompt, go to the Phishing Reporter menu and select the Settings tab. Within the tab, scroll down to the Dialog Box Settings section. Locate the Delete Reported Emails option, and select With Confirmation from the dropdown menu.
A: No, Microsoft does not allow customization of the size of the side panel. Its size is automatically adjusted.
A: Yes, if you use the 'Delete reported emails' option with 'Automatically', the reported email will be deleted automatically. The email will be sent to the Trash folder, where you can visit the folder and restore the deleted email.
📌 SOC or IT team's inbox The reported email can be forwarded to your designated inbox for internal analysis and response (optional setup). Please for more information.
📌 Keepnet Incident Responder (if licensed) If your organization uses , the reported email is also logged in the portal for case management, automated response, and automated analysis.
If you are running simulated phishing campaigns such as , , or sending training enrollments on the through Keepnet, the Phishing Reporter can automatically detect and log when a user reports a simulated phishing emails or training enrollment email.
If the "Turn off email forwarding for reported Phishing Simulation Emails" option is enabled by the admin while customizing the phishing reporter button, a pop-up message will appear thanking the user for their awareness each time they report simulation emails or training enrollment emails, reinforcing positive behavior. Please for more information about this option.
If you purchased the product, the email will also be sent for automated analysis, automated response, and case management.
Before deploying the button, we recommend customizing it. This can be done in the Add-In Settings tab under the menu on the Keepnet platform.
Log in to your account using your global admin credentials.
In a new tab of your browser, log in to your .
The expected timeframe for the Phishing Reporter to deploy is 12 hours, but timeframes can vary. For more information about deploying add-ins, see Microsoft's article.
A: Yes, it works. Please visit to view the supported Outlook environments.
A: Yes, you can add multiple languages from the . When an employee reports an email, the reporting side panel will appear, and they will be able to select their preferred language from the available language options before proceeding with the reporting.
