Forward phishing emails from Outlook on the web

Use Outlook on the web inbox rules to forward user-reported phishing emails to Radiant Security from a single mailbox without changing tenant-wide forwarding policy.

In this article, you create an inbox rule in Outlook on the web that forwards messages from a single mailbox to Radiant Security based on conditions you define. Inbox rules let you forward a subset of messages (e.g., reports from a specific group of users or messages matching a subject pattern) without changing tenant-wide forwarding policy.

Prerequisites

Before you create the inbox rule, confirm the following:

Create the conditional forwarding rule

1. Open the rule manager

Sign in to Outlook on the web as the owner of the mailbox that receives phishing reports. Click Rules > Manage Rules to open the rule manager.

2. Add a new rule

Click + Add new rule.

3. Configure the rule name, condition, and action

Set the following:

  • Name: Forward to Radiant Security

  • Condition: From the Add a condition dropdown, select the condition that matches the messages you want to forward. The example below uses From to match messages from specific senders.

  • Action: From the Add an action dropdown, select Redirect, then enter [email protected].

Note: From is one of several conditions available. Choose the condition that best matches the messages you need to forward (e.g., Subject includes for messages with a specific phishing report tag, or To for messages sent to a particular alias). Adding multiple conditions combines them with AND.

4. Stop processing more rules

Select the Stop processing more rules checkbox. This prevents other rules from acting on a message after it has been redirected to Radiant.

5. Save the rule

Click Save to create the rule.

Verify the integration

After you save the rule, confirm reports are reaching Radiant:

  1. Send a message to the mailbox where you created the rule. The message must match the condition you set (e.g., if you used From, send the test message from one of the listed sender addresses).

  2. Sign in to Radiant Security and check the Alerts and Cases tabs for the triaged report.

If the report does not appear, confirm the following:

  • The rule's condition matches the test message you sent.

  • The redirect action is set to exactly [email protected].

  • The forwarding rule is positioned above any other rule that might process the message first.

  • The mailbox owner's domain is enabled in Radiant's Monitored Domains tab.
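The rule-related items in this checklist can also be checked from Exchange Online PowerShell. The script below is an added example, not code from Radiant Security or Microsoft; it only reads rules with Get-InboxRule, and the mailbox address and the Radiant address placeholder are assumptions you must replace with your own values. It goes slightly beyond the checklist by also listing any other rule in the mailbox that forwards or redirects mail.

```powershell
# Added example: read-only audit of the forwarding rule created in this article.
# Requires the ExchangeOnlineManagement module and permission to read the mailbox's rules.
$Mailbox        = 'phish-reports@example.com'           # constructed sample mailbox (assumption)
$RadiantAddress = 'RADIANT-INGEST-ADDRESS-PLACEHOLDER'  # placeholder: the address entered in step 3
$RuleName       = 'Forward to Radiant Security'         # rule name from step 3

Connect-ExchangeOnline -ShowBanner:$false

# Lower Priority values are evaluated first.
$rules = @(Get-InboxRule -Mailbox $Mailbox | Sort-Object Priority)
$rule  = $rules | Where-Object { $_.Name -eq $RuleName } | Select-Object -First 1

if (-not $rule) {
    Write-Warning "No rule named '$RuleName' found in $Mailbox."
    return
}

# Filter out nulls so an empty RedirectTo is counted as zero recipients.
$targets = @($rule.RedirectTo | Where-Object { $_ })

$checks = [ordered]@{
    'Rule is enabled'                     = [bool]$rule.Enabled
    'Exactly one redirect recipient'      = ($targets.Count -eq 1)
    'Redirect recipient matches address'  = (($targets -join ';') -like "*$RadiantAddress*")
    'Stop processing more rules selected' = [bool]$rule.StopProcessingRules
}
foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
    Write-Output "[$status] $name"
}

# Enabled rules that are evaluated before the forwarding rule and may act on the message first.
$earlier = @($rules | Where-Object { $_.Enabled -and $_.Priority -lt $rule.Priority })
if ($earlier.Count -gt 0) {
    Write-Output "[FAIL] $($earlier.Count) enabled rule(s) run before '$RuleName':"
    $earlier | Format-Table Name, Priority, StopProcessingRules -AutoSize
} else {
    Write-Output "[OK  ] No enabled rule runs before '$RuleName'"
}

# Any other rule in this mailbox that sends mail elsewhere deserves a manual review.
$rules | Where-Object {
    $_.Name -ne $RuleName -and ($_.RedirectTo -or $_.ForwardTo -or $_.ForwardAsAttachmentTo)
} | Format-Table Name, Enabled, Priority, RedirectTo, ForwardTo -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The script does not test whether the rule's condition matches your test message or whether the domain is listed under Monitored Domains; check those in Outlook on the web and in Radiant.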
