Exchange rule to notify user that they reported a phishing simulation email


We send phishing simulation emails to users' Outlook clients with a 3rd party SaaS. I've also globally enrolled the 'Report Message' add-in for all our users, which they're actively using. (Add-in from Microsoft themselves)

I've seen in the Defender 365 Admin portal that Microsoft automatically detects these simulation emails and puts them under "Phishing simulations".

Now, I want to make some sort of Exchange rule that 'rewards' the user after they've successfully reported a simulation email from us. This could either be a notification that pops up, or an email.

The whole point of making this is to let users see that they've successfully reported a simulation email, and to minimize the labor of manually replying to these simulation emails in the 365 Defender portal.

Can someone guide me in the right direction to make such a rule?

I've already looked at numerous Exchange rules, but I don't see an option anywhere to detect if a user has reported an email. On the other hand, detecting a phishing simulation of ours is quite easy since there's always a unique value in the email header that we can detect.

I was thinking about something like this:

User reports email > system checks if certain header value matches that of our phishing simulations > send notification/email to user who reported the email.

Thanks!

(Please go easy on me, since I'm quite new to this stuff!)


There is 1 best solution below


If there is a mail header added, did you look at MessageHeaderField in a Transport Rule (https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions)? Another way of doing it would be to write your own Outlook Add-in to detect the action, but that is a lot more work to do.

The other thing you could do, as it's not time critical, is demand-based reporting, e.g. run a script that scans the user's mailbox to see if they took action on the phishing email. E.g. if the email is sitting in the Inbox and marked as read you would call it a fail, if the reporting email is in the Sent Items or the phishing email is deleted, etc. This would allow a greater level of customization in the response, e.g. next time do blah, etc.
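
The mailbox-scan heuristics from the answer above, sketched as an added example (not part of the original answer or any vendor's code). The header name `X-PhishSim-Campaign`, the `(folder, is_read, raw_headers)` item shape, the "pending" outcome for unread mail, and the assumption that the report in Sent Items still exposes the simulation header are all hypothetical; fetching the items from Exchange is left out.

```python
from email import message_from_string

# Assumption: hypothetical header name; use the one your simulation vendor stamps.
SIM_HEADER = "X-PhishSim-Campaign"

# Higher rank wins when the same campaign shows up in several folders.
RANK = {"pending": 0, "failed": 1, "deleted": 2, "reported": 3}

def campaign_id(raw_headers):
    """Return the simulation campaign id from a raw header block, or None."""
    value = message_from_string(raw_headers).get(SIM_HEADER)  # case-insensitive lookup
    return value.strip() if value else None

def outcome(folder, is_read):
    """Map one mailbox item to an outcome using the heuristics in the answer."""
    if folder == "Sent Items":       # the report the user sent
        return "reported"
    if folder == "Deleted Items":    # user removed the message
        return "deleted"
    if folder == "Inbox" and is_read:
        return "failed"              # opened and left in place
    return "pending"                 # assumption: unread, no action taken yet

def classify(items):
    """items: iterable of (folder, is_read, raw_headers); returns {campaign: outcome}."""
    results = {}
    for folder, is_read, raw in items:
        cid = campaign_id(raw)
        if cid is None:
            continue                 # ordinary mail, not a simulation
        new = outcome(folder, is_read)
        if RANK[new] > RANK.get(results.get(cid), -1):
            results[cid] = new
    return results

# Constructed sample scan of one mailbox (not real data).
SAMPLE = [
    ("Inbox", True, "Subject: Invoice overdue\nX-PhishSim-Campaign: c-101\n\n"),
    ("Inbox", True, "Subject: Password expiry\nX-PhishSim-Campaign: c-102\n\n"),
    ("Sent Items", True, "Subject: Report\nX-PhishSim-Campaign: c-102\n\n"),
    ("Deleted Items", False, "Subject: Gift card\nx-phishsim-campaign: c-103\n\n"),
    ("Inbox", True, "Subject: Lunch?\n\n"),
]

if __name__ == "__main__":
    for cid, result in sorted(classify(SAMPLE).items()):
        print(cid, result)
```

The per-campaign outcome can then drive the follow-up message: a "reported" result triggers the congratulation, a "failed" one the coaching note.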