Log in to Microsoft 365 Admin Center and go to Add-ins.
Click +Deploy Add-in and click Next. Under Deploy a custom add-in, click Download custom apps.
Select I have the manifest.xml file.
Click Upload.
Now proceed to Configure Add-in.
Assign the users who will have access to the add-in. Choose one of the following:
Everyone: The add-in will be installed on every user under the Microsoft 365 tenant (recommended).
Specific Users/Groups: The add-in will be installed on the selected group or user.
Just me: The add-in will be installed only on your mail account.
Now proceed to the Deployment Method.
Select a Deployment Method.
Fixed (Default, Recommended)
Available
Optional
Click Deploy.
You will receive an email notification confirming your successful deployment. It may take up to 24 hours for the add-in to be displayed on the users' email applications. Users may need to relaunch email applications.
Once you have received notification that the deployment was successful, click on Next, and then Finish to complete the process.
To uninstall the Phishing Reporter add-in from Microsoft 365 user accounts, follow these steps:
Log in to and go to .
Select the add-in you want to uninstall.
Click Remove add-in and then Remove to complete the process.
It may take up to 24 hours for the add-in to be uninstalled. Users may need to relaunch email applications.
The Phishing Reporter Page View feature fails because Microsoft deprecated legacy Exchange Online tokens earlier than the expected date of June 2025.
Microsoft 365 users utilizing the Phishing Reporter Page View feature.
If you are using the Phishing Reporter Page View version, it may fail with the following empty message:
Microsoft has deprecated legacy Exchange Online tokens, which the Phishing Reporter previously relied upon for authentication and access.
Customers can turn on legacy Exchange Online tokens by following the documentation below.
It can take up to 24 hours before all requests from Outlook add-ins for legacy tokens are allowed.
As a more permanent solution, we highly recommend using the Microsoft Ribbon Phishing Reporter, which uses the Graph API and has no dependency on Exchange Online tokens.
A: Legacy tokens turned off for all tenants before the scheduled date before June.
Feb 17th, 2025 | Legacy tokens turned off for all tenants. Admins can reenable legacy tokens via PowerShell.
Jun 2025 | Legacy tokens turned off for all tenants. Admins can no longer reenable legacy tokens via PowerShell and must contact Microsoft for any exception.
Oct 2025 | Legacy tokens turned off for all tenants. Exceptions are no longer allowed.


Use this chart to determine which Phishing Reporter add-in is best suited for your Microsoft 365 environment. The right choice depends on how your employees access Outlook—whether through desktop apps, web browsers, or mobile devices.
Outlook on Windows (Classic) | ✅ Supported (only version 2404 build 17530.15000) | ✅ Supported | ✅ Supported
Outlook on Windows (New) | ✅ Supported | ✅ Supported | ❌ Not Supported
Outlook Classic 2016+ on Windows (Exchange) | ❌ Not Supported | ✅ Supported | ✅ Supported
Outlook on MacOS (Microsoft 365) | ✅ Supported (Version 16.81 (23121700) or later) | ✅ Supported | ❌ Not Supported
Outlook on MacOS (Exchange) | ❌ Not Supported | ❌ Not Supported | ❌ Not Supported
Outlook on Web MacOS (Exchange) | ❌ Not Supported | ✅ Supported | ❌ Not Supported
Outlook on the Web (Microsoft 365) | ✅ Supported | ✅ Supported | ❌ Not Supported
Outlook on the Web (Exchange) | ❌ Not Supported | ✅ Supported | ❌ Not Supported
Outlook on iOS (Microsoft 365) | ❌ Not Supported | ✅ Supported | ❌ Not Supported
Outlook on Android (Microsoft 365) | ❌ Not Supported | ✅ Supported | ❌ Not Supported
Outlook on iOS (Exchange) | ❌ Not Supported | ❌ Not Supported | ❌ Not Supported
Outlook on Android (Exchange) | ❌ Not Supported | ❌ Not Supported | ❌ Not Supported
Shared Mailboxes (Outlook Desktop) | ❌ Not Supported | ❌ Not Supported | ✅ Supported (only within Classic Outlook)
Shared Mailboxes (Microsoft 365) | ❌ Not Supported | ❌ Not Supported | ❌ Not Supported
Mobile Browser (OWA) | ❌ Not Supported | ❌ Not Supported | ❌ Not Supported
Installation Method | Deploy via Microsoft 365 Admin Center (Manifest XML) | Deploy via Microsoft 365 Admin Center (Manifest XML) | Manual deployment via GPO or SCCM Tools
User Experience | Ribbon button | Side panel in reading view | Ribbon button (Classic Outlook interface only)
A: You can try to re-deploy the add-in. If it still does not appear, you should contact the support team of the email service provider.
A: The platform uses “Code Signing with Microsoft Authenticode” to protect tools against hacking attempts. For more information, please click here.
A: Yes, it is. Many institutions manage the add-in (install, uninstall, enable, disable) with central administration tools, such as Microsoft SCCM, IBM Bigfix.
A: Yes, if you distribute the Phishing Reporter Add-In as an XML package (Microsoft 365), it will be available in both OWA/Outlook applications and will also function within the Outlook application on iOS.
A: The add-in works in shared mailboxes in the Outlook Desktop Application. However, it is not supported in shared mailboxes in OWA (Outlook Web Access).
A: No, the new Outlook application on Windows 11 does not support MSI-based add-ins. It is designed to work primarily with web-based add-ins such as the XML add-in of Keepnet Phishing Reporter. If you need MSI-based add-ins, we recommend using the classic Outlook for Windows desktop application. For more information, please find information under the "Extensibility" section in this document.
A: No, you can't use the add-in if you open OWA in a mobile browser. Microsoft 365 does not support third-party add-ins in mobile browsers for OWA. Please use the Outlook app instead.
In order to use the Phishing Reporter add-in in the Exchange environment, your platform must meet the following requirements.
Exchange 2013 - version (15.0.847.32) or above
Exchange 2016 - version (15.1.225.42) or above
Exchange 2019
To deploy the Phishing Reporter add-in, follow the steps below.
Log in to the Microsoft 365 Admin interface.
Go to Microsoft 365 Admin Center > Settings > Integrated Apps > Add-ins.
If you have Exchange 2013 or a different Exchange Admin interface, you can try Exchange Admin Center > Organization > Apps. You can also search for 'add-ins' to find the relevant page.
It may take up to 12 hours for the add-in to be displayed on users' email applications. Users may need to relaunch their email applications.
To uninstall the Phishing Reporter add-in from Exchange Admin Center user accounts, follow these steps:
Log in to the Microsoft 365 Admin Center.
Go to Microsoft 365 Admin Center > Settings > Integrated Apps > Add-ins.
If you have Exchange 2013 or a different Exchange Admin interface, you can try Exchange Admin Center > Organization > Apps. You can also search for 'add-ins' to find the relevant page.
It may take up to 12 hours for the add-in to be uninstalled. Users may need to relaunch email applications.
Click the (+) button and select Add from file. Install the Phishing Reporter .xml file that you previously downloaded and click Next.
Make sure that these options are selected:
Make this add-in available to users in your organization
Mandatory is always enabled
Users can't disable this add-in.
Click Save to complete the process.
Click the add-in you want to uninstall.
Click the trash bin icon and then click Yes to complete the process.
This text has been prepared for customers to use who want to inform their users about the Phishing Reporter add-in.
Dear …. Team,
We are happy to announce a new email function: “Suspicious (Phishing) E-mail Reporter”. This add-in will help you easily and instantly report suspicious emails to the Information Security Team for analysis.
Please read the instructions below to understand how to use this add-in.
What is the Phishing Reporter add-in?
The Phishing Reporter add-in is a button placed on your email menu bar. This button will enable you to report suspicious emails to us. It will also give us the opportunity to identify email-borne cyber threats in time and take action before any damage occurs.
What will the add-in bring?
You can report email attacks with a single click.
Timely notifications of "Phishing" attacks will help the information security team be more proactive and reinforce our company’s cybersecurity posture.
The add-in will help you be more aware of cyber risks.
A Sample Usage
The user clicks the “Report Phishing” button to report the suspicious email and is then asked whether to delete the original email.
At the end of this process, the result of the analysis of the suspicious email you reported will be sent to you via email.
The user is then thanked for his/her attentive action.
The Microsoft Ribbon Phishing Reporter allows your users to easily report suspicious emails and help protect your organization from cyberattacks. When you integrate the Phishing Reporter with Microsoft's integrated spam-reporting feature, the Phishing Reporter will appear in the Outlook ribbon.
When your users click the Phishing Reporter to report an email, they can provide your IT team with an early warning about potential threats. You can receive reported emails in the Microsoft 365 Defender platform and the Keepnet Incident Responder page.
To learn how to install the Microsoft Ribbon Phishing Reporter and how your users can use the Phishing Reporter in their mail clients, see the sections below.
If you use the phishing feature in the Keepnet Incident Responder menu, the Microsoft Ribbon Phishing Reporter will also track if your users report our simulated phishing emails. You can use this feature to see which users successfully identify potential threats.
Here is an example view of the ribbon phishing reporter on Outlook.
When using the new Outlook Ribbon, clicking the Phishing Report button opens a pop-up window instead of a side panel.
The pop-up provides the same reporting options but appears as a temporary dialog in the center of the screen.
This is the default experience for some Outlook versions, including Outlook on Windows with the new Ribbon UI.
The following table identifies which Outlook clients support the integrated spam-reporting feature. See the .
* In Outlook on the web and the new Outlook on Windows, the integrated spam-reporting feature isn't supported for . Microsoft 365 Consumer accounts (, Hotmail, ) are for personal use and don’t support the integrated spam-reporting feature in Outlook on the web or the new Outlook on Windows.
Before you can install the Microsoft Ribbon Phishing Reporter for your organization, your organization will need to have a Microsoft 365 mail server and license. The Phishing Reporter is compatible with the above email clients and requirements.
The Microsoft Ribbon Phishing Reporter supports installation for . This feature requires that Graph API and Nested App Authentication single sign-on (NAA-SSO) permissions are authorized in your Microsoft 365 tenant. See installation steps 5 through 9 below for how to authorize these permissions.
Customize for your organization's needs
Go to Phishing Reporter, scroll down to the bottom and click the Manage and Download button.
Click 'Authorize' for Delegated Access permissions.
We suggest authorizing Application-Level Access only for organizations using Conditional Access or Advanced Identity Policies, since managed device or policy restrictions may cause token acquisition to fail when using delegated permissions. Please click for more information.
Log in to your Microsoft 365 account using your admin credentials.
Once you log in, the Permissions requested pop-up window will display. Read the permissions, then click Accept.
Once you accept the permissions, the GRAPH APIs Authorization Successful window will display.
Click the Download icon below the Microsoft Ribbon Phishing Reporter option to download the PhishingReporterRibbon.xml file.
In a new tab of your browser, log in to your Microsoft 365 admin center.
From the menu on the left side of the page, click Settings.
From the Settings drop-down menu, select Integrated apps.
Click Add-ins at the top-right corner of the page. The Add-ins page will open.
On the Add-ins page, click Deploy Add-In. The Deploy a new add-in pop-up window will open.
In the pop-up window, click Next.
Click Upload custom apps.
Select the I have the manifest file (.xml) on this device option. Then, click Choose File and select the PhishingReporterRibbon.xml file that you downloaded in step 6.
Click Upload to install the Phishing Reporter. The Configure add-in pop-up window will open.
From the pop-up window, select which users will have access to the Phishing Reporter and which method you would like to use to deploy the Phishing Reporter.
Click Next, and additional app permissions will display.
Once you have read the permissions, click Save. The Deploy Phishing Reporter pop-up window will open.
The expected timeframe for the Phishing Reporter to deploy is 24 hours, but timeframes can vary. For more information about deploying add-ins, see Microsoft's article.
Once the pop-up window displays a confirmation that the add-in successfully deployed, click Next. The Announce add-in pop-up window will open and display a message about announcement recommendations from Microsoft.
Click Close to close the pop-up window.
"We were unable to process this item. Please try again later." message in the Ribbon Phishing Reporter in Outlook.
The suggested solution is to ""
It is recommended because:
Compatibility Issues with Classic Outlook
The Microsoft Ribbon Phishing Reporter add-in might not be fully supported or optimized in the classic (legacy) Outlook for Windows except Version 2404 (Build 17530.15000). See
Microsoft is shifting support toward New Outlook, which has improved integration with cloud-based services and add-ins.
Performance & Connectivity Fixes in New Outlook
New Outlook is built on a web-based architecture, offering better compatibility with Microsoft 365 cloud services, including phishing reporting.
It resolves time-out errors caused by outdated local add-in frameworks.
Bug Fixes & Updates
Microsoft frequently updates the New Outlook, while the classic version may have outdated code that affects add-in performance.
Cloud Integration & Service Connectivity
The Phishing Reporter add-in relies on Microsoft 365 cloud APIs to submit reports.
If the classic Outlook version struggles with these connections, switching to the New Outlook can ensure a more stable connection.
Try Enabling "New Outlook" as suggested.
The following issue occurs because Microsoft Conditional Access requires devices or sessions to be compliant before granting access to protected resources. When the Keepnet Phishing Reporter add-in attempts to connect via Delegated Access (i.e., on behalf of a signed-in user), the organization’s Conditional Access policies may block the request if it does not originate from a compliant or trusted device.
This is common when:
The organization enforces device compliance via Intune or Azure AD.
The user accessing the Phishing Reporter add-in is considered an external identity.
Application-level permissions allow the Keepnet Phishing Reporter add-in to access Microsoft 365 mailboxes and perform phishing reporting tasks without requiring a signed-in user. The add-in authenticates using its own identity instead of a user’s.
When enabled, the Phishing Reporter add-in acts as a trusted service with organization-wide permissions granted by an administrator. This ensures that Keepnet can operate under Conditional Access, perform automated operations, and maintain consistent behavior even when users are not logged in.
If your organization enforces Conditional Access, device compliance, or automated identity checks, Delegated Access will fail because it depends on the user’s compliance state.
Application-Level Access ensures:
Uninterrupted operation of the Phishing Reporter add-in across all mailboxes.
Centralized and consistent access across departments and tenants.
Secure authentication compatible with Conditional Access requirements.
Use Application-Level Access if:
You require organization-wide authentication for all users.
Conditional Access or advanced identity enforcement is active.
Consistency across departments/regions is needed.
Admin Consent Required: Only global administrators can grant Application-Level permissions.
Least Privilege Principle: Assign only the permissions needed for the Phishing Reporter add-in to operate.
Governance: Regularly audit app-only permissions to ensure compliance.
Use Application-Level Access for:
Reliable, organization-wide authentication and identity mapping.
Compatibility with Conditional Access and advanced identity controls.
Keep Delegated Access for:
End-user actions like phishing report submission from the Outlook ribbon.
This error (AADSTS530004) indicates that your Microsoft 365 tenant blocks delegated access under Conditional Access rules.
To resolve it, configure Application-Level Access (App-only) for the Keepnet Phishing Reporter add-in and reauthorize the application with admin consent.
Microsoft Ribbon Phishing Reporter helps users report suspicious emails quickly and easily across multiple email platforms. This section shows how the Phishing Reporter button appears in different environments: Outlook Desktop (New/Classic), Outlook Web (OWA), Outlook on Mac, and Mobile (iOS/Android).
In the redesigned New Outlook interface, the Phishing Reporter button is placed conveniently in the top toolbar when viewing an email.
Open your Inbox.
Select the suspicious email.
Click the Phishing Reporter button in the toolbar at the top.
In Classic Outlook, the reporter button is accessible directly from the ribbon while reading or previewing an email.
Click Inbox from your folder list.
Open the email you want to report.
Click the Phishing Reporter button on the ribbon toolbar.
If you’re using Outlook on the web, the reporter button is clearly visible in the action toolbar when viewing a message.
Go to your Inbox.
Open the suspicious email.
Click the Phishing Reporter icon in the top menu.
For Outlook on macOS, the reporter button is available under the Report dropdown.
Select the email in your Inbox.
Click the Report dropdown from the top toolbar.
Choose Phishing Reporter.
The mobile version of Outlook provides access to the reporter through the contextual options menu:
While viewing a suspicious email, tap the three dots (•••) in the upper-right.
Tap on the Suspicious Email Reporter icon.
A: No, Microsoft Ribbon Phishing Reporter automatically deletes the reported email and does not provide an option to prompt employees for confirmation before deletion.
A: As of March 2025, Microsoft does not support Outlook Mobile. Please refer to the supported clients list for updates:
A: No, Microsoft does not allow modifications to the pop-up box. Its size is automatically adjusted.
A: No, Microsoft does not support adding a language selection option within the pop-up. The language is automatically set based on the user’s Outlook language settings.
A: Microsoft currently provides the Ribbon Phishing Reporter for preview purposes only on Outlook Desktop for Mac. While it may be visible, it is not fully functional. Please refer to the supported clients list for details:
A: Yes, after an email is reported, Microsoft displays a message confirming its deletion. This message includes an "Undo" option, allowing employees to recover the reported email if needed.
A: Yes, you can deploy both of them, and your employees can use either the Ribbon Add-in or the Page View Add-in based on their preference.
A: In classic Outlook on Windows, the Phishing Reporter processes one reported message at a time. If you attempt to report another email while the first one is still being processed, a notification dialog will appear, informing you that the previous report is still in progress.
To report multiple emails, please wait for the current report to complete before submitting the next one. This limitation ensures that each report is properly processed without conflicts.
A: The Microsoft Ribbon Phishing Reporter requires specific Microsoft Graph API permissions to function effectively within an organization’s Microsoft 365 environment. These permissions allow the application to interact with users’ emails, retrieve necessary details for reporting phishing attempts, and ensure smooth integration with the email infrastructure.
Below is a breakdown of the permissions required and their purpose:
1. Mail Permissions
Mail.Read: Allows the Phishing Reporter to read the user’s email to retrieve necessary email details such as headers, attachments, and content.
Mail.Read.Shared: Extends read access to shared mailboxes, ensuring that the application can retrieve phishing emails reported from shared accounts.
Mail.ReadWrite: Provides both read and write access to the user’s mailbox, enabling modifications or tagging of emails as needed.
Mail.Send: Enables the application to send emails, which may be necessary when forwarding reported phishing emails.
Mail.Send.Shared: Allows the application to send emails from shared mailboxes when the user has the appropriate permissions.
2. User Profile Permissions
profile: Allows the Microsoft Ribbon Phishing Reporter to retrieve basic user profile information, ensuring accurate reporting and tracking.
This video tutorial shows the documentation steps for deploying Microsoft Ribbon Phishing Reporter add-in on M365.
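The least-privilege and audit advice given earlier can be checked against this permission list. The following is an added example, not Keepnet's or Microsoft's code: it compares what a tenant has actually granted to an add-in's service principal with an allowlist. The input mirrors the shape of Microsoft Graph `oauth2PermissionGrants`, `appRoleAssignments` and `appRoles` objects; all IDs, the sample grants and the application-permission allowlist are constructed assumptions.

```python
"""Compare Graph permissions granted to an add-in with an allowlist."""

# Delegated scopes this page lists for the Ribbon Phishing Reporter.
ALLOWED_DELEGATED = {
    "Mail.Read", "Mail.Read.Shared", "Mail.ReadWrite",
    "Mail.Send", "Mail.Send.Shared", "profile",
}
# Assumption: the page gives no separate app-only list. Replace this set with
# the application permissions shown in your own admin-consent prompt.
ALLOWED_APPLICATION = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}

# Constructed sample data (placeholder IDs, not real tenant or Graph values).
SP_ID = "11111111-1111-1111-1111-111111111111"     # add-in service principal
GRAPH_ID = "22222222-2222-2222-2222-222222222222"  # Microsoft Graph service principal
SAMPLE = {
    # appRoles of the resource (Microsoft Graph) service principal
    "graphAppRoles": [
        {"id": "00000000-0000-0000-0000-0000000000a1", "value": "Mail.Read"},
        {"id": "00000000-0000-0000-0000-0000000000a2", "value": "Directory.Read.All"},
    ],
    # delegated grants where clientId is the add-in
    "oauth2PermissionGrants": [
        {"clientId": SP_ID, "consentType": "AllPrincipals", "principalId": None,
         "resourceId": GRAPH_ID,
         "scope": "Mail.Read Mail.ReadWrite Mail.Send profile Files.Read.All"},
    ],
    # app-only (application) permissions assigned to the add-in
    "appRoleAssignments": [
        {"principalId": SP_ID, "resourceId": GRAPH_ID,
         "appRoleId": "00000000-0000-0000-0000-0000000000a1"},
        {"principalId": SP_ID, "resourceId": GRAPH_ID,
         "appRoleId": "00000000-0000-0000-0000-0000000000a2"},
        {"principalId": SP_ID, "resourceId": GRAPH_ID,
         "appRoleId": "00000000-0000-0000-0000-0000000000ff"},
    ],
}


def audit_grants(oauth2_grants, app_role_assignments, resource_app_roles,
                 allowed_delegated=ALLOWED_DELEGATED,
                 allowed_application=ALLOWED_APPLICATION):
    """Return (kind, permission, granted_to) for every grant outside the allowlist."""
    role_names = {role["id"]: role["value"] for role in resource_app_roles}
    findings = []

    # Delegated grants: 'scope' is a space-separated list of scope names.
    for grant in oauth2_grants:
        if grant.get("consentType") == "AllPrincipals":
            granted_to = "all users"
        else:
            granted_to = f"user {grant.get('principalId')}"
        granted = set((grant.get("scope") or "").split())
        for scope in sorted(granted - allowed_delegated):
            findings.append(("delegated", scope, granted_to))

    # App-only grants reference the role by GUID, so resolve it to a name first.
    for assignment in app_role_assignments:
        role_id = assignment["appRoleId"]
        name = role_names.get(role_id)
        if name is None:
            # Unknown GUID: the role belongs to another API or the export is
            # incomplete. Report it instead of silently skipping it.
            findings.append(("application", f"unresolved:{role_id}", "tenant-wide"))
        elif name not in allowed_application:
            findings.append(("application", name, "tenant-wide"))
    return findings


if __name__ == "__main__":
    for kind, permission, granted_to in audit_grants(
            SAMPLE["oauth2PermissionGrants"],
            SAMPLE["appRoleAssignments"],
            SAMPLE["graphAppRoles"]):
        print(f"REVIEW {kind:<11} {permission} ({granted_to})")
```

Standard sign-in scopes that a consent prompt may add are not on the page's list, so they show up as findings to review; add them to the allowlist once confirmed.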
Outlook on the web
Supported*
Supported*
Classic Outlook on Windows
Version 2404 (Build 17530.15000)
Supported
Outlook on Mac
Version 16.81 (23121700) or later
Only in Preview, Not Fully Functional (see Preview the integrated spam-reporting feature in Outlook on Mac)
Outlook on Android
Not available
Outlook on iOS
Not available
Delegated Access | Add-in acts on behalf of a user, limited by that user’s permissions. | User-based | When a user reports a phishing email from Outlook.
Application-Level Access | Add-in acts as itself, using admin-granted permissions. | Tenant-wide | When the Phishing Reporter add-in performs identity mapping, mailbox scans, or Conditional Access operations.
The Microsoft Page View Phishing Reporter is a Microsoft Outlook add-in developed by Keepnet that enables your users to quickly and securely report suspicious emails with a single click—directly from their email view pane. This helps your organization detect threats early and respond to phishing attempts more effectively.
The Microsoft Page View Phishing Reporter is built using the Microsoft Graph API and is designed to provide a seamless, modern experience across all major Outlook platforms. Unlike the traditional Microsoft Ribbon Phishing Reporter that appears in the toolbar, the Page View version is embedded directly within the email view pane, providing a more integrated user interface.
to view the list of compatible Outlook platforms that support the Microsoft Page View Phishing Reporter.
This cross-platform and cross-browser support ensures that your users can report suspicious emails consistently and securely on Outlook platforms, regardless of the device or environment they’re using.
When a user clicks the Phishing Reporter button, the reported suspicious email is sent to one or more destinations, depending on your organization's needs:
📌 Microsoft 365 Defender portal Emails can be submitted directly to Microsoft for further analysis and contribution to spam/phishing intelligence (optional setup). Please refer to for setup.
📌 SOC or IT team's inbox The reported email can be forwarded to your designated inbox for internal analysis and response (optional setup). Please for more information.
📌 Keepnet Incident Responder (if licensed) If your organization uses , the reported email is also logged in the portal for case management, automated response, and automated analysis.
This flexible approach allows your organization to respond quickly to threats using your preferred tools and workflows.
If you are running simulated phishing campaigns such as , , through Keepnet, the Phishing Reporter can automatically detect and log when a user reports a simulated phishing email.
This allows you to:
Track individual user performance,
Identify who successfully recognized phishing simulation campaign emails, and
Generate behavior-based metrics for awareness training.
This feature helps improve your organization’s overall security posture by providing real-time insight into user vigilance. Please see the following hint for the 'real-time insights into user vigilance' explanation.
When an employee uses the Page View Phishing Reporter Add-in to report a suspicious email, the reported email will be sent with a detailed report directly to your designated SOC or IT email address.
The email that is sent to the SOC/IT team inbox includes:
The attached original email as an .eml or .msg file
The attached full message header of the original reported email as a headers.txt file
The reporting reason selected by the employee (e.g., spam, phishing, unsure)
This structured report helps your security team quickly understand the context and take action, without needing to follow up with the reporting user.
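A first-pass triage of such a report can be automated in the SOC mailbox. The following is an added example, not Keepnet's code: it opens the report, parses the attached .eml, and pulls out the reporting reason, SPF/DKIM/DMARC results, a Reply-To mismatch, URL hosts, and whether headers.txt matches the attached message. The attachment names, the "Reporting reason:" body line and all sample addresses are constructed assumptions; .msg attachments are not handled.

```python
"""First-pass triage of a Phishing Reporter notification in a SOC mailbox."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser, Parser
from email.utils import parseaddr


def _domain(header_value):
    """Lower-cased domain of the first address in a header, or ''."""
    address = parseaddr(str(header_value or ""))[1]
    return address.rpartition("@")[2].lower()


def triage_report(raw_report: bytes) -> dict:
    report = BytesParser(policy=policy.default).parsebytes(raw_report)
    original = headers_txt = reason = None
    # iter_parts() stays at the top level, so parts inside the reported
    # message are never mistaken for parts of the report itself.
    for part in report.iter_parts():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            original = part.get_content()
        elif name.endswith(".eml"):
            original = BytesParser(policy=policy.default).parsebytes(
                part.get_payload(decode=True))
        elif name == "headers.txt":
            headers_txt = part.get_content()
        elif ctype == "text/plain" and not part.is_attachment():
            match = re.search(r"reason:\s*(\w+)", part.get_content(), re.I)
            reason = match.group(1).lower() if match else None
    if original is None:
        raise ValueError("no .eml attachment found (.msg needs a separate parser)")

    # The topmost Authentication-Results header is the one added last, so its
    # verdict wins. Only trust headers stamped by your own mail gateway.
    auth = {}
    for value in original.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value), re.I):
            auth.setdefault(mech.lower(), result.lower())
    flags = [f"{m}={r}" for m, r in auth.items() if r not in ("pass", "none")]

    from_domain = _domain(original["From"])
    reply_domain = _domain(original["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to domain differs from From")

    body = original.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    url_hosts = sorted({h.lower() for h in re.findall(r"https?://([^/\s\"'<>]+)", text)})

    # headers.txt and the .eml should describe the same message.
    headers_match = None
    if headers_txt is not None:
        hdrs = Parser(policy=policy.default).parsestr(headers_txt, headersonly=True)
        headers_match = (str(hdrs["Message-ID"]).strip()
                         == str(original["Message-ID"]).strip())
        if not headers_match:
            flags.append("headers.txt does not match attached message")

    return {"reason": reason, "from_domain": from_domain,
            "reply_to_domain": reply_domain, "auth": auth,
            "url_hosts": url_hosts, "headers_match": headers_match,
            "flags": flags}


def build_sample_report() -> bytes:
    """Constructed report for offline testing; every value here is made up."""
    original = EmailMessage()
    original["From"] = "IT Helpdesk <helpdesk@example.net>"
    original["Reply-To"] = "collector@example.org"
    original["To"] = "user@example.com"
    original["Subject"] = "Password expires today"
    original["Message-ID"] = "<constructed-1@example.net>"
    original["Authentication-Results"] = (
        "mx.example.com; spf=fail smtp.mailfrom=example.net; "
        "dkim=none; dmarc=fail header.from=example.net")
    original.set_content("Sign in at https://login.example.org/reset to keep access.")

    report = EmailMessage()
    report["From"] = "user@example.com"
    report["To"] = "soc@example.com"
    report["Subject"] = "Reported email"
    report.set_content("Reporting reason: phishing")
    report.add_attachment(original.as_bytes(), maintype="application",
                          subtype="octet-stream", filename="original.eml")
    header_block = original.as_string().split("\n\n", 1)[0]
    report.add_attachment(header_block, subtype="plain", filename="headers.txt")
    return report.as_bytes()


if __name__ == "__main__":
    for key, value in triage_report(build_sample_report()).items():
        print(f"{key}: {value}")
```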
Here is an example view of the Microsoft Page View Phishing Reporter button on the New Outlook Desktop.
When using the Phishing Reporter button, clicking the report button opens a side panel instead of the pop-up window.
Before deploying the button, we recommend customizing it. This can be done in the Add-In Settings tab under the menu on the Keepnet platform.
Once customization is complete, stay on the Settings tab. Scroll down to the bottom and click Manage and Download. A pop-up will appear — select Authorize for Delegated Access to proceed.
We suggest authorizing Application-Level Access only for organizations using Conditional Access or Advanced Identity Policies, since managed device or policy restrictions may cause token acquisition to fail when using delegated permissions. Please click for more information.
Log in to your account using your global admin credentials.
Once you log in, the Permissions requested pop-up window will display. Read the permissions, then click Accept.
The Microsoft Page View Phishing Reporter requires specific Microsoft Graph API permissions to function effectively within an organization’s Microsoft 365 environment. These permissions allow the application to interact with users’ emails, retrieve necessary details for reporting phishing attempts, and ensure smooth integration with the email infrastructure.
Below is a breakdown of the permissions required and their purpose:
1. Mail Permissions
Mail.Read: Allows the Phishing Reporter to read the user’s email to retrieve necessary email details such as headers, attachments, and content.
Mail.Read.Shared: Extends read access to shared mailboxes, ensuring that the application can retrieve phishing emails reported from shared accounts.
Mail.ReadWrite: Provides both read and write access to the user’s mailbox, enabling modifications or tagging of emails as needed.
2. User Profile Permissions
profile: Allows the Microsoft Page View Phishing Reporter to retrieve basic user profile information, ensuring accurate reporting and tracking.
Once you accept the permissions, the GRAPH Authorization Successful window will display.
Click the Download button for the Page View button under Microsoft 365 to download the Microsoft365PhishingReporterAddin.xml file.
In a new tab of your browser, log in to your .
From the menu on the left side of the page, click Settings.
From the Settings drop-down menu, select Integrated apps.
Click Add-ins at the top-right corner of the page.
On the add-ins page, click Deploy Add-In.
In the pop-up window, click Next.
Click the Upload custom apps button.
Select the 'I have the manifest file (.xml) on this device' option. Then, click Choose File and select the Microsoft365PhishingReporterAddin.xml file that you downloaded in step 6.
Click Upload to install the Microsoft Page View Phishing Reporter add-in.
From the pop-up window, select which users will have access to the Microsoft Page View Phishing Reporter and which method you would like to use to deploy the Phishing Reporter.
Click Next, and additional app permissions will display.
Once you have read the permissions, click Save.
The expected timeframe for the Phishing Reporter to deploy is 12 hours, but timeframes can vary. For more information about deploying add-ins, see Microsoft's article.
Once the pop-up window displays a confirmation that the add-in has been successfully deployed, click Next. The Announce add-in pop-up window will open and display a message about announcement recommendations from Microsoft.
Click Close to close the pop-up window.
The following issue occurs because Microsoft Conditional Access requires devices or sessions to be compliant before granting access to protected resources. When the Keepnet Phishing Reporter add-in attempts to connect via Delegated Access (i.e., on behalf of a signed-in user), the organization’s Conditional Access policies may block the request if it does not originate from a compliant or trusted device.
This is common when:
The organization enforces device compliance via Intune or Azure AD.
The user accessing the Phishing Reporter add-in is considered an external identity.
Application-level permissions allow the Keepnet Phishing Reporter add-in to access Microsoft 365 mailboxes and perform phishing reporting tasks without requiring a signed-in user. The add-in authenticates using its own identity instead of a user’s.
When enabled, the Phishing Reporter add-in acts as a trusted service with organization-wide permissions granted by an administrator. This ensures that Keepnet can operate under Conditional Access, perform automated operations, and maintain consistent behavior even when users are not logged in.
If your organization enforces Conditional Access, device compliance, or automated identity checks, Delegated Access will fail because it depends on the user’s compliance state.
Application-Level Access ensures:
Uninterrupted operation of the Phishing Reporter add-in across all mailboxes.
Centralized and consistent access across departments and tenants.
Secure authentication compatible with Conditional Access requirements.
Use Application-Level Access if:
You require organization-wide authentication for all users.
Conditional Access or advanced identity enforcement is active.
Consistency across departments/regions is needed.
Admin Consent Required: Only global administrators can grant Application-Level permissions.
Least Privilege Principle: Assign only the permissions needed for the Phishing Reporter add-in to operate.
Governance: Regularly audit app-only permissions to ensure compliance.
Use Application-Level Access for:
Reliable, organization-wide authentication and identity mapping.
Compatibility with Conditional Access and advanced identity controls.
Keep Delegated Access for:
End-user actions like phishing report submission from the Outlook ribbon.
This error (AADSTS530004) indicates that your Microsoft 365 tenant blocks delegated access under Conditional Access rules.
To resolve it, configure Application-Level Access (App-only) for the Keepnet Phishing Reporter add-in and reauthorize the application with admin consent.
The following issue occurs because Microsoft Conditional Access or another security policy now requires multi-factor authentication (MFA) to access Microsoft Graph. When the Keepnet Phishing Reporter add-in attempts to authenticate using the On-Behalf-Of (OBO) flow, the request fails with the following error:
Unknown error: {"data":{},"status":"FAILED", "message":"OnBehalfOfCredential authentication failed: || AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'. Trace ID: Correlation ID: Timestamp: . The returned error contains a claims challenge."}
This is common when:
The organization has recently enabled or updated Conditional Access policies that enforce MFA for Microsoft Graph or specific applications.
The signed-in user has not yet completed MFA on the current device/session.
The claims challenge returned by Azure AD is not handled by the application during the On-Behalf-Of flow.
Ask your Azure AD / M365 administrator to:
Confirm MFA and Conditional Access requirements
Review the Conditional Access policies that apply to the Keepnet Phishing Reporter add-in and Microsoft Graph.
Ensure the user satisfies MFA
Have the affected user sign in to Microsoft 365 or Outlook and complete the required multi-factor authentication (e.g., Authenticator app, SMS, FIDO key).
If the error persists after the user has completed MFA and policies have been verified, share the Trace ID, Correlation ID, and Timestamp from the error message with your Azure AD administrator for further investigation.
The Microsoft Page View Phishing Reporter button enables users to report suspicious emails quickly and efficiently across various Outlook environments. This guide visually demonstrates how the Phishing Reporter button appears and can be accessed in different Outlook platforms: New Outlook, Classic Outlook, Outlook Web App (OWA), Outlook for Mac, and Outlook Mobile (iOS/Android).
In the redesigned New Outlook interface, the Phishing Reporter button is located in the right-hand apps panel while viewing an email.
Go to your Inbox.
Select the suspicious email.
Click the Apps icon (grid icon) on the right-hand side panel.
Choose Phishing Reporter from the list.
In the Classic Outlook interface, the button is integrated into the ribbon toolbar at the top.
Navigate to your Inbox.
Open the email you want to report.
Click the Phishing Reporter button on the ribbon at the top of the message window.
For users accessing Outlook via a web browser:
Open your Inbox in Outlook on the web.
Select the suspicious email.
Click the Apps icon (grid icon) located in the message view panel.
Click on Phishing Reporter.
In macOS versions of Outlook, the button is accessible through the top toolbar options.
Go to your Inbox and select the suspicious email.
Click the three-dot icon (•••) in the top-right corner.
Select Phishing Reporter from the dropdown menu.
On mobile devices, the reporting option is available via the message action menu:
While viewing the suspicious email, tap the three-dot menu (•••) in the top-right corner.
Tap on the Phishing Reporter icon from the list of options.
When using Keepnet’s Phishing Reporter, most users can report phishing emails with a single click — seamlessly and silently. However, some users may occasionally see a popup window or get redirected briefly to Microsoft’s login screen.
This behavior is expected, safe, and part of Microsoft’s secure authentication process.
Keepnet’s Phishing Reporter is designed to authenticate users automatically in the background. In most cases, if the user is already signed into Microsoft 365, the system can confirm their identity silently without any additional steps.
A small number of users may see a sign-in prompt because:
They haven’t used the add-in before, and the system needs their permission
Their Microsoft 365 session has expired, and reauthentication is required
Their browser or security settings block silent sign-in, which is common in private/incognito mode or stricter corporate environments
Microsoft requires additional verification, such as multi-factor authentication
In any of these cases, the system must briefly show a popup or redirect them to sign in securely before proceeding.
No. Once a user has signed in and given the necessary permissions, their session is remembered. They typically won’t be asked to sign in again unless:
Their session expires (after days or weeks)
Company policy or security tools clear their session
New permissions are requested
Popups or redirections are not errors — they’re part of Microsoft’s secure identity verification process. They ensure that only authorized users can access sensitive data and perform actions like reporting emails.
Keepnet follows Microsoft’s best practices to provide the most seamless experience possible, while maintaining strict security and compliance.
A: Yes. To enable a confirmation prompt, go to the Phishing Reporter menu and select the Settings tab. Within the tab, scroll down to the Dialog Box Settings section. Locate the Delete Reported Emails option, and select With Confirmation from the dropdown menu.
A: Yes, it works. Please visit to view the supported Outlook environments.
A: No, Microsoft does not allow customization of the size of the side panel. Its size is automatically adjusted.
A: Yes, you can add multiple languages from the . When an employee reports an email, the reporting side panel will appear, and they will be able to select their preferred language from the available language options before proceeding with the reporting.
A: Yes, if you set the 'Delete reported emails' option to 'Automatically', the reported email will be deleted automatically. The email is moved to the Trash folder, from which you can restore it.
A: No, it is not supported.
This video tutorial shows the documentation steps for deploying the Microsoft Page View Phishing Reporter add-in on M365.
Any additional comments the employee entered in the message box
Mail.Send: Enables the application to send emails, which may be necessary when forwarding reported phishing emails.
Mail.Send.Shared: Allows the application to send emails from shared mailboxes when the user has the appropriate permissions.
After successfully completing MFA, retry using the Phishing Reporter add-in.
Review claims challenge handling (for advanced configurations)
If you are using custom integration or the Microsoft Authentication Library (MSAL) with the OBO flow, make sure that claims challenges are correctly handled as described in Microsoft’s documentation:
Handling MFA and Conditional Access claims: https://aka.ms/msal-conditional-access-claims
Handling claims in On-Behalf-Of flow: https://aka.ms/msal-conditional-access-claims-obo
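The claims-challenge relay that the two Microsoft links describe, as an added example (not Keepnet's or Microsoft's code): the middle tier detects the `interaction_required` OBO error and returns it to the client as a 401 `insufficient_claims` challenge, and the client decodes it for its next token request. The function names and the sample error body are constructed for illustration, and the IDs are placeholders.

```javascript
// Constructed sample of the token-endpoint error body behind AADSTS50076.
// Trace/correlation IDs and the policy ID are placeholders, not real values.
const SAMPLE_OBO_ERROR = {
  error: "interaction_required",
  error_description: "AADSTS50076: ... you must use multi-factor authentication to access '00000003-0000-0000-c000-000000000000'.",
  error_codes: [50076],
  trace_id: "<trace-id>",
  correlation_id: "<correlation-id>",
  claims: JSON.stringify({
    access_token: { polids: { essential: true, values: ["<policy-id>"] } },
  }),
};

// Middle tier (hypothetical helper): turn the OBO failure into a 401 that
// the client can act on, instead of surfacing "Unknown error".
function buildClaimsChallengeResponse(oboError) {
  const isChallenge =
    oboError.error === "interaction_required" &&
    typeof oboError.claims === "string";
  if (!isChallenge) return null; // not a claims challenge: treat as a normal failure
  JSON.parse(oboError.claims); // throws on a malformed challenge rather than relaying it
  const encoded = Buffer.from(oboError.claims, "utf8").toString("base64");
  return {
    status: 401,
    headers: {
      "WWW-Authenticate":
        `Bearer realm="", error="insufficient_claims", claims="${encoded}"`,
    },
    // Values an administrator needs for investigation; log these, never tokens.
    diagnostics: {
      codes: oboError.error_codes,
      traceId: oboError.trace_id,
      correlationId: oboError.correlation_id,
    },
  };
}

// Client (hypothetical helper): recover the claims string from the 401 so it
// can be sent as the `claims` parameter of the next interactive token request.
function extractClaimsFromChallenge(wwwAuthenticate) {
  const params = {};
  for (const m of wwwAuthenticate.matchAll(/(\w+)="([^"]*)"/g)) {
    params[m[1]] = m[2];
  }
  if (params.error !== "insufficient_claims" || !params.claims) return null;
  return Buffer.from(params.claims, "base64").toString("utf8"); // atob() in a browser
}
```

The user then completes MFA interactively, and the new token satisfies the Conditional Access policy on the retried OBO call.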
They’re on a new device or browser that Microsoft doesn’t recognize
Delegated Access | Add-in acts on behalf of a user, limited by that user’s permissions. | User-based | When a user reports a phishing email from Outlook.
Application-Level Access | Add-in acts as itself, using admin-granted permissions. | Tenant-wide | When the Phishing Reporter add-in performs identity mapping, mailbox scans, or Conditional Access operations.
Go to script.google.com and click on the New Project button.
The new script file that is opened is saved with a project name.
In the Code.gs, paste the script code provided by the platform and save it.
Go to the settings icon and click Project Settings.
In the project settings, click: Show "appsscript.json" manifest file in editor.
Save the appsscript.json file. Copy and save the manifest code.
Go to console.cloud.google.com and create a new project.
Name your project and select the location. Then click on Create to start your project.
Go to the API & Services page. Open the OAuth consent screen page from the left menu and select your project.
Make sure the User type option selected is Internal.
Click Create.
On the OAuth consent screen, fill in the App Name, User Support Email, App Logo and Developers Contact Email Address. Then click Save and Continue.
After that, click the Save and Continue button again on the Scope screen without making any changes. Then click Back to Dashboard.
Go to API & Services, open the Library page to search Gmail API, and then enable it.
Go to Project Settings and copy the Project Number.
Go to Project Settings, find the "Cloud Platform Project" title, and click on the Change Project button on script.google.com.
Paste the Project Number in the designated field and click Set Project.
Confirm the project change.
The change is enabled once the project change is confirmed.
If you don't want to test the add-in in your Gmail account, please go to the "Enable Google Workspace Marketplace SDK" part to distribute the add-in to the organization.
If you want to test and see the add-in functionality, logos, add-in name, description, and more information, you can deploy the add-in to your Gmail account for test purposes and remove it anytime.
Go to script.google.com
Select the add-in project.
Click on Deploy > Test Deployments > Install button.
Click Done.
The add-in will appear on your Gmail account shortly.
From the Library page, search for the Google Workspace Marketplace SDK and click on it.
Click the Enable button and activate Google Workspace Marketplace SDK.
Go back to script.google.com and click on the Deploy > New Deployment button.
Enter information in the Description field, click the Deploy button, and copy the Deployment ID.
Go back to the Console Cloud. Go to the API & Services page, find “Google Workspace Marketplace SDK” and click on it.
Go to the App Configuration tab and enable the Google Workspace add-on option and check Deploy using Apps Script Deployment ID.
Then paste the Deployment ID to the deployment field on the page and then fill in the following fields.
Fill in the Developer Name with Keepnet Labs.
Fill in the Developer Website URL with https://keepnetlabs.com
Before saving, do not forget to select the Private option and then click Save.
Go to the Google Workspace Marketplace SDK page and click the Manage button to see the Store Listing menu.
Select the Category as "Web Project".
Select the Language as "English".
Fill in the Terms of Service URL, Privacy Policy URL, and Support URL with https://keepnetlabs.com for the add-in.
Under Distribution, select the Region that you will be deploying the add-in to and click Publish.
Follow the steps below to deploy the add-in to your target users.
To deploy the add-in, go to mail.google.com and click on the Google Apps icon in the top right-hand corner of the screen.
Scroll down to More from Google Workspace Marketplace and click on it.
Click Internal Apps and find the add-in.
Click the Admin Install button to start the deployment process.
Click Continue to start the distribution of the extension.
Accept the required permissions to complete the deployment.
It may take up to 24 hours for this app to be installed for your entire Google Workspace domain or organizational unit.
Go to Google Admin > Apps > Google Workspace Marketplace apps > App list on the left menu.
Click on the Phishing Reporter add-in you want to uninstall.
Click Delete App to complete the process.
It may take up to 24 hours for this app to be uninstalled for your entire Google Workspace domain or organizational unit.
A: No, there is no charge by Google.
A: Yes, you can use the Phishing Reporter add-in in the Gmail App on Android or iOS.
Upload your company logos. If you prefer, you can use the default logos below.