Microsoft 365 (Defender for Office 365)

Purpose

This guide shows Microsoft 365 admins how to configure the built-in Microsoft Defender “Report Phish” button so that reported emails are securely forwarded to CyberHoot at:

[email protected]

Messages are delivered as .eml attachments, allowing CyberHoot to:

Credit users for reporting simulated phishing
Update AttackPhish campaign results
Award HootScore points

Architecture Overview (Important)

Microsoft 365 uses two control layers:

Microsoft Defender (Outbound spam policy)
Controls whether external automatic forwarding is allowed at all
Exchange Mail Flow Rules (Transport rules)
Control where forwarded mail is allowed to go

Defender alone cannot restrict forwarding to a single address.
Transport rules are required for tight control.

Prerequisites

Microsoft Defender for Office 365
Global Admin or Security Admin role
Exchange Admin access
No transport rules that strip attachments (.eml)

PART 1 — Configure Microsoft Defender “Report Phish” Button

Step 1: Sign in to Microsoft 365 Defender

Go to: https://security.microsoft.com

Step 2: Open User Reported Settings

Navigate to:
Email & collaboration → User reported settings

Step 3: Enable Reporting

Configure the following:

Monitor reported messages in Outlook: Enabled
Send reported messages to:
- My reporting mailbox OR
- Microsoft and my reporting mailbox
Reporting mailbox address:[email protected]

Save settings.

Result:
When users click Report Phish in Outlook, the original message is forwarded as an .eml attachment to CyberHoot.

PART 2 — Allow External Forwarding (Restricted Scope)

Microsoft blocks external forwarding by default. You must allow it only for this purpose.

Step 4: Create a Custom Outbound Spam Policy

In Microsoft 365 Defender
Go to:
Email & collaboration → Policies & rules → Threat policies → Anti-spam
Open Outbound spam policies
Click Create policy

Policy Settings

Name: Allow Report Phish Forwarding
Automatic forwarding: On
Scope:
- Apply only to:
  - Users who will report phishing
    OR
  - A specific security group (recommended)

Set policy priority higher than Default.

Save.

This allows forwarding — but does not yet restrict the destination.

The post HowTo: Configure CyberHoot’s Report Phish Integration appeared first on CyberHoot.

HowTo: Configure CyberHoot’s Report Phish Integration

Purpose

Architecture Overview (Important)

Prerequisites

PART 1 — Configure Microsoft Defender “Report Phish” Button

Step 1: Sign in to Microsoft 365 Defender

Step 2: Open User Reported Settings

Step 3: Enable Reporting

PART 2 — Allow External Forwarding (Restricted Scope)

Step 4: Create a Custom Outbound Spam Policy

Oh hi there 👋
It’s nice to meet you.

Sign up to receive awesome content in your inbox, every month.

Oh hi there 👋
It’s nice to meet you.

Sign up to receive awesome content in your inbox, every month.

By rooter

Leave a Reply Cancel reply

You Missed

‘Teenage Mutant Ninja Turtles’ and ‘G.I. Joe’ Are Combining Into the Action Figures of Your ’80s Fever Dreams (Exclusive)

The Russo Brothers Say Steve Rogers Is Key to ‘Avengers: Doomsday’

I spent two days gigging at RentAHuman and didn’t make a single cent

There’s a tiny digital camera inside these retro 35mm film rolls

Purpose

Architecture Overview (Important)

Prerequisites

PART 1 — Configure Microsoft Defender “Report Phish” Button

Step 1: Sign in to Microsoft 365 Defender

Step 2: Open User Reported Settings

Step 3: Enable Reporting

PART 2 — Allow External Forwarding (Restricted Scope)

Step 4: Create a Custom Outbound Spam Policy

Oh hi there 👋It’s nice to meet you.

Sign up to receive awesome content in your inbox, every month.

Oh hi there 👋It’s nice to meet you.

Sign up to receive awesome content in your inbox, every month.

By rooter

Related Post

Leave a Reply Cancel reply

You Missed

Oh hi there 👋
It’s nice to meet you.

Oh hi there 👋
It’s nice to meet you.