Forward phishing emails from Microsoft 365
Configure Microsoft 365 to forward user-reported phishing emails to Radiant Security using the built-in Report Phishing button.
In this article, you configure Microsoft 365 to automatically forward user-reported phishing emails to Radiant Security. Radiant needs access to the original reported message for analysis, which is done by forwarding emails from your dedicated in-house phishing reporting mailbox to a Radiant-managed mailbox for triage and investigation.
This is the recommended path for Microsoft 365 customers using Microsoft's built-in Report Phishing button.

The setup has six phases. Complete them in order. When all six phases are complete, report a test email to confirm the integration is working.
Prerequisites
Create a dedicated phishing reporting mailbox
Note: If your organization already has a phishing reporting mailbox, skip to Enable the Report Phishing button.
In this phase, you create a dedicated phishing reporting mailbox for your organization.
Sign in to the Exchange admin center and go to Recipients > Mailboxes.

Click + Add a shared mailbox.
Set the following:
Display name: Phishing Mailbox
Email address: phishing
Select domain: select your domain.
Click Create to save the new mailbox.
Add Radiant Security as a remote domain
In this phase, you enable forwarding emails from your domain to Radiant's external domain.
In the Exchange admin center, go to Mail flow > Remote domains.
Click + Add a remote domain and configure:
Name: Radiant Security
Remote domain: report.radiantsecurity.ai
Click Next.
On the Email reply types page, confirm that Allow automatic forwarding is enabled.

Keep all default settings unchanged and click Next. Click Next again to skip the Message reporting and Text and character set pages, leaving them with the default settings. Click Save to add the external domain, then click Done.
Add Radiant Security as a contact
In this phase, you add Radiant Security as a contact so that Radiant receives the forwarded phishing emails to a mailbox on its side.
In the Exchange admin center, go to Recipients > Contacts.
Click Add a mail contact.
Set the following contact details:
Display name: Radiant Security Alerts
Alias: radiant-security-alerts
Email address: [email protected]
Leave the remaining fields blank and click Next. Skip the optional information page and click Create to finish the process.
Configure auto-forwarding from the phishing reporting mailbox
In this phase, you configure Microsoft 365 to automatically forward all suspected phishing emails to the Radiant Security Alerts contact created in the previous phase.
In the Exchange admin center, go to Recipients > Mailboxes. Locate the Phishing Mailbox you created in the first phase and click its row.
In the pop-out menu, click the Mailbox tab, then click Manage email forwarding.

Enable the Forward all emails sent to this mailbox option, then click Forward to an internal email address > Search email.

Search for and select the Radiant Security Alerts contact created in the previous phase, click Add, then click Save.
On the mailbox configuration menu, click Manage message size restriction and set:
Sent messages maximum size (KB): 153600
Received messages maximum size (KB): 153600
Click Save.
Allow external forwarding through the anti-spam outbound policy
In this phase, you create an outbound anti-spam policy for the phishing reporting mailbox so that messages from that mailbox can be forwarded externally.
Sign in to the Microsoft Defender portal and go to the Anti-spam policies page. You can also navigate from the left menu: Email & Collaboration > Policies & rules > Threat policies > Anti-spam policies.
Click + Create policy and select Outbound.
Set the following:
Name: Forwarding alerts to Radiant Security
Description: Policy used to forward possible phishing mails from the internal phishing@<domain> mailbox to Radiant Security
Click Next.
Under Users, groups, and domains, in the Users field, select the Phishing Mailbox you created in the first phase. Leave Groups and Domains blank.
Under Protection settings, in the Forwarding rules field, set Automatic forwarding rules to On - Forwarding is enabled. Leave all other defaults unchanged.

Click Next to review the policy, then click Create to save the forward rule. Click Done to exit the page.
Enable the Report Phishing button
In this phase, you enable the Microsoft 365 right-click action that lets users report suspected phishing emails to the dedicated phishing reporting mailbox you created in the first phase.
In the Microsoft Defender portal, go to the User reported settings page. You can also navigate from the left menu: Investigation & Response > Actions & Submissions > Submissions, then click the gear icon.

Select the Monitor reported messages in Outlook checkbox.
For Select an Outlook report button configuration, select Use the built-in Report button in Outlook.
For When a user reports an email, select both:
Ask the user to confirm before reporting
Show a success message after the message is reported

For Reported message destinations, select Microsoft and my reporting mailbox from the dropdown.

For Add an Exchange Online mailbox to send reported messages to, enter and select the mailbox you created in the Create a dedicated phishing reporting mailbox phase. It should appear as a suggested contact.
Leave all other default settings unchanged and click Save.
Manage Not Junk reports
Microsoft Defender enables the forwarding of "Not Junk" user reports by default. If your team does not want these specific reports to be triaged by Radiant, administrators can disable these notifications under Email & collaboration > Policies & rules > Alert policy in the Microsoft Defender portal.
Note: You can also control whether Radiant triages junk and spam reports alongside phishing reports using the Triage junk/spam emails toggle on the Phishing Configuration page in Radiant. See Configure phishing settings in Radiant on the overview article.
Report a test email
In this phase, you report an email to confirm that the integration is working and that your organization knows how to report phishing emails end to end.
From any mailbox in your organization, send a test message to yourself, then click on that email message.
Report the test message as phishing:
If you have configured the Report Phishing button, use it to report the test message as phishing.
If you have not configured the Report Phishing button, click the … icon and choose Other reply actions > Forward as attachment. In the To field, enter the dedicated phishing reporting mailbox address within your organization and send the email.

Sign in to Radiant Security and check the Alerts and Cases tabs for the triaged report.
If the report does not appear, confirm the following:
The remote domain report.radiantsecurity.ai has Allow automatic forwarding enabled.
The auto-forwarding rule on the phishing reporting mailbox is set to forward to the Radiant Security Alerts contact.
The anti-spam outbound policy is applied to the phishing reporting mailbox and has Automatic forwarding rules set to On.
The Report Phishing button is configured to send reports to the phishing reporting mailbox.
The reporter's domain is enabled in Radiant's Monitored Domains tab.
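The first four items in this checklist can also be read back from Exchange Online PowerShell. The following read-only script is an added example, not part of Radiant's or Microsoft's documentation; it assumes an existing Connect-ExchangeOnline session, and the mailbox address `phishing@contoso.example` is a placeholder for your own. It also flags any outbound policy that enables automatic forwarding for more than the phishing reporting mailbox.

```powershell
# Added example: read-only audit of the forwarding chain configured in this article.
$PhishMailbox  = 'phishing@contoso.example'    # placeholder: your reporting mailbox
$ContactAlias  = 'radiant-security-alerts'     # alias set in the contact phase
$RadiantDomain = 'report.radiantsecurity.ai'   # remote domain set in this article

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Ok; Detail = $Detail })
}

# 1. Remote domain exists and allows automatic forwarding
$rd = Get-RemoteDomain | Where-Object DomainName -eq $RadiantDomain
Add-Check 'Remote domain allows auto-forward' ([bool]($rd -and $rd.AutoForwardEnabled)) "$($rd.Name)"

# 2. Mailbox forwards to the mail contact, and the contact points at Radiant's domain
$mbx     = Get-Mailbox -Identity $PhishMailbox
$target  = if ($mbx.ForwardingAddress) {
    Get-Recipient -Identity $mbx.ForwardingAddress -ErrorAction SilentlyContinue
}
$contact = Get-MailContact -Identity $ContactAlias -ErrorAction SilentlyContinue
Add-Check 'Mailbox forwards to contact' ([bool]($target.Alias -eq $ContactAlias)) "$($mbx.ForwardingAddress)"
Add-Check 'Contact address in Radiant domain' `
    ([bool]("$($contact.ExternalEmailAddress)" -like "*@$RadiantDomain")) "$($contact.Alias)"

# 3. An enabled outbound anti-spam rule applies an 'On' policy to the mailbox
$onPolicies = @(Get-HostedOutboundSpamFilterPolicy |
    Where-Object { "$($_.AutoForwardingMode)" -eq 'On' })
$rules = @(Get-HostedOutboundSpamFilterRule |
    Where-Object { $onPolicies.Name -contains $_.HostedOutboundSpamFilterPolicy })
$scoped = @($rules | Where-Object { $_.State -eq 'Enabled' -and $_.From -contains $PhishMailbox })
Add-Check 'Outbound policy covers mailbox' ($scoped.Count -gt 0) ($scoped.Name -join ', ')

# Least privilege: forwarding should be on for this mailbox only, as the policy phase
# leaves Groups and Domains blank. Flag the default policy or any wider rule scope.
$broad = @($onPolicies | Where-Object IsDefault) + @($rules | Where-Object {
    $_.FromMemberOf -or $_.SenderDomainIs -or @($_.From).Count -gt 1 })
Add-Check 'Forwarding not enabled more broadly' ($broad.Count -eq 0) ($broad.Name -join ', ')

# 4. User-reported messages are delivered to the reporting mailbox
$sub = Get-ReportSubmissionRule
Add-Check 'Report button targets mailbox' ([bool]($sub.SentTo -contains $PhishMailbox)) "$($sub.SentTo)"

# The Monitored Domains item is a Radiant-side setting and is not checked here.
$results | Format-Table -AutoSize -Wrap
```

A row with Pass set to False names the phase to revisit; the Detail column shows the object that was found, or is empty when nothing matched.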