Microsoft Ribbon Phishing Reporter
PreviousHow to Deploy the Add-in in Microsoft 365NextHow to Deploy the Add-in in Exchange Admin Center
Last updated
Was this helpful?
Last updated
Was this helpful?
The Microsoft Ribbon Phishing Reporter allows your users to easily report suspicious emails and help protect your organization from cyberattacks. When you integrate the Phishing Reporter with Microsoft's integrated spam-reporting feature, the Phishing Reporter will appear in the Outlook ribbon.
When your users click the Phishing Reporter to report an email, they can provide your IT team with an early warning about potential threats. You can receive reported emails in the Microsoft 365 Defender platform and the Keepnet Incident Responder page.
To learn how to install the Microsoft Ribbon Phishing Reporter and how your users can use the Phishing Reporter in their mail clients, see the sections below.
If you use the phishing feature in the Keepnet Incident Responder menu, the Microsoft Ribbon Phishing Reporter will also track if your users report our simulated phishing emails. You can use this feature to see which users successfully identify potential threats.
Here is an example view of the ribbon phishing reporter on Outlook.
When using the new Outlook Ribbon, clicking the Phishing Report button opens a pop-up window instead of a side panel.
The pop-up provides the same reporting options but appears as a temporary dialog in the center of the screen.
This is the default experience for some Outlook versions, including Outlook on Windows with the new Ribbon UI.
The following table identifies which Outlook clients support the integrated spam-reporting feature. See the full list here from Microsoft official documentation.
Outlook on the web
Supported*
Supported*
Classic Outlook on Windows
Version 2404 (Build 17530.15000)
Supported
Outlook on Mac
Version 16.81 (23121700) or later
Outlook on Android
Not available
Outlook on iOS
Not available
* In Outlook on the web and the new Outlook on Windows, the integrated spam-reporting feature isn't supported for Microsoft 365 consumer accounts. Microsoft 365 Consumer accounts (Outlook.com, Hotmail, Live.com) are for personal use and don’t support the integrated spam-reporting feature in Outlook on the web or the new Outlook on Windows.
Before you can install the Microsoft Ribbon Phishing Reporter for your organization, your organization will need to have a Microsoft 365 mail server and license. The Phishing Reporter is compatible with the following email clients and requirements.
The Microsoft Ribbon Phishing Reporter supports installation for shared mailboxes. This feature requires that Graph API and Nested App Authentication single sign-on (NAA-SSO) permissions are authorized in your Microsoft 365 tenant. See installation steps 5 through 9 below for how to authorize these permissions.
Customize Phishing Reporter for your organization's needs
Go to Phishing Reporter > Manage and Download section and click “Connect Account”
Log in to your Microsoft 365 account using your admin credentials.
Once you log in, the Permissions requested pop-up window will display. Read the permissions, then click Accept.
Once you accept the permissions, the GRAPH Authorization Successful window will display.
Click the Download icon below the Microsoft Ribbon Phishing Reporter option to download the PhishingReporterRibbon.xml file.
In a new tab of your browser, log in to your Microsoft 365 admin center.
From the menu on the left side of the page, click Settings.
From the Settings drop-down menu, select Integrated apps.
Click Add-ins at the top-right corner of the page. The Add-ins page will open
On the Add-ins page, click Deploy Add-In. The Deploy a new add-in pop-up window will open.
In the pop-up window, click Next.
Click Upload custom apps.
Select the I have the manifest file (.xml) on this device option. Then, click Choose File and select the PhishingReporterRibbon.xml file that you downloaded in step 6.
Click Upload to install the Phishing Reporter. The Configure add-in pop-up window will open.
From the pop-up window, select which users will have access to the Phishing Reporter and which method you would like to use to deploy the Phishing Reporter.
We recommend that you allow all users to access the Phishing Reporter. We also recommend that you use the Fixed deployment method.
Click Next, and additional app permissions will display.
Once you have read the permissions, click Save. The Deploy Phishing Reporter pop-up window will open.
The expected timeframe for the Phishing Reporter to deploy is 24 hours, but timeframes can vary. For more information about deploying add-ins, see Microsoft's Deploy add-ins in the Microsoft 365 admin center article.
Once the pop-up window displays a confirmation that the add-in successfully deployed, click Next. The Announce add-in pop-up window will open and display a message about announcement recommendations from Microsoft.
After you install and deploy the Phishing Reporter, you might receive an email from your mail service provider that contains information you can use to help you announce the Phishing Reporter add-in to your users. Keepnet does not send the email about the Phishing Reporter’s intended usage and benefits.
Click Close to close the pop-up window.
"We were unable to process this item. Please try again later." message in the Ribbon Phishing Reporter in Outlook.
The suggested solution is to "Toggling on New Outlook"
It is recommended because:
Compatibility Issues with Classic Outlook
The Microsoft Ribbon Phishing Reporter add-in might not be fully supported or optimized in the classic (legacy) Outlook for Windows except Version 2404 (Build 17530.15000). See Supported Clients
Microsoft is shifting support toward New Outlook, which has improved integration with cloud-based services and add-ins.
Performance & Connectivity Fixes in New Outlook
New Outlook is built on a web-based architecture, offering better compatibility with Microsoft 365 cloud services, including phishing reporting.
It resolves time-out errors caused by outdated local add-in frameworks.
Bug Fixes & Updates
Microsoft frequently updates the New Outlook, while the classic version may have outdated code that affects add-in performance.
Cloud Integration & Service Connectivity
The Phishing Reporter add-in relies on Microsoft 365 cloud APIs to submit reports.
If the classic Outlook version struggles with these connections, switching to the New Outlook can ensure a more stable connection.
Try Enabling "New Outlook" as suggested.
A: No, Microsoft Ribbon Phishing Reporter automatically deletes the reported email and does not provide an option to prompt employees for confirmation before deletion.
A: As of March 2025, Microsoft does not support Outlook Mobile. Please refer to the supported clients list for updates: Supported Clients
A: No, Microsoft does not allow modifications to the pop-up box. Its size is automatically adjusted.
A: No, Microsoft does not support adding a language selection option within the pop-up. The language is automatically set based on the user’s Outlook language settings.
A: Microsoft currently provides the Ribbon Phishing Reporter for preview purposes only on Outlook Desktop for Mac. While it may be visible, it is not fully functional. Please refer to the supported clients list for details: Supported Clients
A: Yes, after an email is reported, Microsoft displays a message confirming its deletion. This message includes an "Undo" option, allowing employees to recover the reported email if needed.
A: Yes, you can deploy both of them, and your employees can use either the Ribbon Add-in or the Page View Add-in based on their preference.
A: In classic Outlook on Windows, the Phishing Reporter processes one reported message at a time. If you attempt to report another email while the first one is still being processed, a notification dialog will appear, informing you that the previous report is still in progress.
To report multiple emails, please wait for the current report to complete before submitting the next one. This limitation ensures that each report is properly processed without conflicts.
A: The Microsoft Ribbon Phishing Reporter requires specific Microsoft Graph API permissions to function effectively within an organization’s Microsoft 365 environment. These permissions allow the application to interact with users’ emails, retrieve necessary details for reporting phishing attempts, and ensure smooth integration with the email infrastructure.
Below is a breakdown of the permissions required and their purpose:
1. Mail Permissions
Mail.Read: Allows the Phishing Reporter to read the user’s email to retrieve necessary email details such as headers, attachments, and content.
Mail.Read.Shared: Extends read access to shared mailboxes, ensuring that the application can retrieve phishing emails reported from shared accounts.
Mail.ReadWrite: Provides both read and write access to the user’s mailbox, enabling modifications or tagging of emails as needed.
Mail.ReadWrite.Shared: Extends read and write permissions to shared mailboxes for better handling of phishing reports.
Mail.Send: Enables the application to send emails, which may be necessary when forwarding reported phishing emails.
Mail.Send.Shared: Allows the application to send emails from shared mailboxes when the user has the appropriate permissions.
2. User Profile Permissions
openid: Grants access to the user's unique ID, helping in authentication and identity verification.
profile: Allows the Microsoft Ribbon Phishing Reporter to retrieve basic user profile information, ensuring accurate reporting and tracking.
Only in Preview, Not Fully Functional (see )
