Phishing Reporter

Phishing Reporter helps users to report the suspicious email for analysis and start an incident investigation with Incident Responder.

To run phishing reporter add-in, make sure you have all pre-requisites of Visual Studio 2010 Tools for Office Runtime.

The main function of Phishing Reporter is to make users easily report suspicious emails to their incident responder. When a user detects a suspicious email by clicking on the Suspicious Email Reporter button, he/she reports it to the incident responder module for analysis. Then, the platform investigates this suspicious email either by its own engine or with third-party integrated services. Click to see “ How does an investigation mechanism work?”

Benefits to the security operation centre (SOC)

  • It gives the ability to conduct an incident investigation and response without violating the privacy of users.

  • It strengthens the last line of defence by transforming users into “proactive agents” that detect and report attacks.[1]

Benefits to an email user

  • Users report suspicious an email with a single click.

  • It allows a user to send a suspicious email to analysis services and get a risk score.

  • Users receive immediate feedback.

[1] It is a way of proactively involving users to protect the institution’s security by getting employees to report suspicious emails.


This outlook add-in compatible with the below version of Outlook




Microsoft Windows


Outlook 2010


Outlook 2013


Outlook 2016


Microsoft Exchange & OWA


Microsoft Outlook on iPhone


Microsoft Outlook on Android


Microsoft Outlook on Mac


Google G-Suite


How Does the Add-in Work?

In Outlook, where the add-in is installed, the working principle works as follows:

  1. When add-in opened:

    a. Sends a heartbeat to server

    b. Get order from the server, if there was an investigation or action

  2. When add-in runs:

    a. Sends the heartbeat to the server in periodic time [1]

    b. If any order comes from the server, then start to do this investigation or action [2]

    c. If an error occurred then it logs it to the client-side then send it to our server

  3. When outlook closes itself, then add-in close:

[1] The add-in optimizes this process according to network and machine performance by itself.

[2] When conducting the investigation, the add-in optimizes this process according to the computer and the network situation.

Logging Mechanism

The platform's Add-in logs all problems and reports both of user’s computer (C:\Users\Public\KeepnetLabs\Log) and keepnet server.

In order to resolve the problem, please check the logs.

Outlook add-in log directory
  • Older Logs: Add-in compresses and archives older logs in .zip format bigger than 8MB

  • Installer: Add-in keeps the logs that appeared during the installation.

  • Keepnet Outlook Add-in Log: The log file that keeps the logs created when add-in functions.

Minimum Computer Specifications

  • Outlook Versions: Outlook 2007/2010/2013/2016

  • CPU Usage: 0% to 5% of CPU

  • RAM Usage: 120~ MB of RAM

  • Disk Usage: 3MB disk space

  • Network Traffic: payload size + http requests size = Approx. 230kbps

Generating Add-in

To get the most up-to-date version of the plugin, you can access the Incident Response> Outlook Plugin page from the Keepnet cloud interface. You can create an add-in as you like in the following criteria.


When you have logged in to the Platform, the Outlook Add-in menu helps you prepare custom plugins.



Add-In Name

The name you would like to give your Add-in

Brand Name

Brand name of the Add-in you would like to give

Send Suspicious Emails To

The email address suspicious email will be delivered

Suspicious Subject and Content

Notification message about Suspicious Subject and Content

Thank You Message

Thank You Message content

Delete Message

Delete Message content

Warning Label

Warning Label content

Add-In Logo

Put a logo for your Add-In

Other Optional Features


Report the suspicious email to the server (it’s activated by default)

Move it to the spam box

Move the suspicious email to the spam box

Delete original email

Delete the original email content

Track user actions

Log user’s actions (beta)

Investigate email from user’s inbox

Action to analyse suspicious content from user inbox

Send a copy of the email to us

Bend the copy of suspicious content to Keepnet Labs

Proxy Settings

The feature to be used if the proxy server support is desired

On-Premise Settings

The values to create their own custom plugin need to be defined by firms that use on-premise.

Phishing Reporter Announcement Email Template

To inform your users about the Phishing Reporter Outlook add-in, you can use the following text.

Dear …. Team,

We are happy to announce to you the new outlook function: “Suspicious (Phishing) E-mail Reporter”.

This Outlook add-in will help you to easily and instantly report suspicious emails to Information Security Team for analysis.

Please read the instructions below to understand how to use this add-on.

What is Phishing Reporter add-in?

Phishing Reporter add-on is a button placed on Microsoft Outlook’s menu bar under the “Home” tab. This button will enable you to report suspicious email to us.

It will also give us the opportunity to timely identify email-borne cyber-threats and take certain actions at the system level before any damage occurs.

What will the add-on bring?

  • You can report attacks with a single click.

  • Timely notifications of "Phishing" attacks will help the information security team to be more proactive and will reinforce our company’s cybersecurity posture.

  • The add-in will help you to be more aware of cyber risks.

A Sample Usage

  1. The user clicks on the “ Report Phishing” button to report the suspicious email, then he/she is asked whether to delete the original email or not.

  2. The user is then appreciated by his/her attentive action.

  3. At the end of this process, the result of the analysis of the suspicious email you reported will be sent to you via email.