# Set up O365 to Forward Phishing Emails to Radiant Security

In this guide, you will configure Microsoft 365 to automatically forward suspected phishing emails to Radiant Security. Radiant needs access to the original reported message for analysis, which is done by forwarding emails from your dedicated in-house phishing mailbox to a Radiant-managed mailbox for triage and investigation.

<figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FrSz6KV5Bsatt1UBrDuyD%2FSet_Up_O365_To_Forward_Phishing_Emails_01.webp?alt=media&#x26;token=57af815a-c506-4716-939d-c1369014b320" alt=""><figcaption></figcaption></figure>

### Prerequisites

* [ ] This configuration requires that you are an administrator of the O365 account.

### Create a dedicated phishing mailbox

{% hint style="info" %}
**Note**: If your organization already has a phishing mailbox, skip to [**Enable Report Phish button**](#enable-the-report-phishing-button).
{% endhint %}

In this step, you will create a dedicated phishing mailbox for your organization.

1. Log in to the [Admin Exchange Center](https://admin.exchange.microsoft.com/) portal.
2. From the menu, navigate to **Recipients** > **Mailboxes**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FBkLmo3vSiGmjQstUJpSW%2FSet_Up_O365_To_Forward_Phishing_Emails_02.webp?alt=media&#x26;token=f8428429-125d-47d0-8e9b-8aa5f12be375" alt="" width="277"><figcaption></figcaption></figure></div>

3. Click + **Add a shared mailbox**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fod5Iubrywo1E8qZ75VSG%2FSet_Up_O365_To_Forward_Phishing_Emails_03.webp?alt=media&#x26;token=7cd09207-36ac-4caa-a3f0-f35d6da25c71" alt="" width="375"><figcaption></figcaption></figure></div>

4. Fill in the details for the mailbox:
   * **Display Name**: `Phishing Mailbox`
   * **Email address**: `phishing`
   * **Select Domain**: \<select your domain>

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FJstBHCiKQsaI7eUhKwnq%2FSet_Up_O365_To_Forward_Phishing_Emails_04.webp?alt=media&#x26;token=6566eec1-a9a4-4bae-a94b-b09322d39114" alt="" width="375"><figcaption></figcaption></figure></div>

5. Click **Create** to save the new mailbox.

### Enable auto-forwarding to Radiant Security

Next, enable auto-forwarding O365 to automatically forward emails from your new dedicated phishing mailbox to Radiant Security. You can choose to do this in O365 client or in the Outlook application. Complete the following series of steps to enable auto-forwarding.

#### **Add Radiant Security as a Trusted Domain**

In this step, you will enable forwarding emails from your domain to our external domain.

1. From the [Exchange Admin Center](https://admin.exchange.microsoft.com/#/remotedomains) menu, navigate to **Mail flow** > **Remote domains**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FGMivyi2Ifqa60Z9eawHa%2FSet_Up_O365_To_Forward_Phishing_Emails_05.webp?alt=media&#x26;token=cac610ef-dfcd-4e2b-a2dd-bfd820eb4526" alt="" width="282"><figcaption></figcaption></figure></div>

2. Click **+ Add a Remote Domain.**
3. Fill in the details for the external domain:
   * Name: `Radiant Security`
   * Remote Domain: [`report.radiantsecurity.ai`](http://report.radiantsecurity.ai/)
4. Click **Next**.
5. On the **Email reply types** page, confirm that **Allow automatic forwarding** is enabled.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F6J5qTApcctjR1VDFRDmy%2FSet_Up_O365_To_Forward_Phishing_Emails_06.webp?alt=media&#x26;token=fdd98b81-981f-4647-ac96-2343817160a9" alt="" width="271"><figcaption></figcaption></figure></div>

6. Keep all default settings unchanged and click **Next**.
7. Click **Next** to skip the **Message** **reporting** and **Text** **and character set** pages, leaving them with the default settings.
8. Click **Save** to add the external domain.
9. Click **Done**.

#### **Add “Radiant Security Alerts” as a contact**

In this step, you’ll add Radiant Security as a contact so that we receive the forwarded phishing emails to a mailbox on our side.

1. From the [Exchange Admin Center](https://admin.exchange.microsoft.com/#/contacts) menu, navigate to **Recipients** > **Contacts**.
2. Click **Add a mail contact**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F2rwxFcA7DIJlJVFgQ73F%2FSet_Up_O365_To_Forward_Phishing_Emails_07.webp?alt=media&#x26;token=47d0181c-9bbc-4477-9479-6b2b775ab186" alt="" width="310"><figcaption></figcaption></figure></div>

3. Fill in the following contact details:

   <div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FVei7gFEHDW56Nba92DLY%2FSet_Up_O365_To_Forward_Phishing_Emails_08.webp?alt=media&#x26;token=3c6bf958-4fe3-4856-8ea1-8b660927bf1d" alt="" width="303"><figcaption></figcaption></figure></div>

   * Display Name: `Radiant Security Alerts`
   * Alias: `radiant-security-alerts`
   * Email address: `alerts@report.radiantsecurity.ai`
4. Leave the remaining fields blank and click **Next**.
5. Click **Next** to skip the optional information page and click **Create** to finish the process.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FS1iOTOLhVnzlmKy3j5OZ%2FSet_Up_O365_To_Forward_Phishing_Emails_09.webp?alt=media&#x26;token=7d4f2b72-7cef-4ef2-9854-70a8713a550c" alt="" width="375"><figcaption></figcaption></figure></div>

&#x20;

### **Set up Auto-Forwarding**

In this step, you’ll configure O365 to automatically forward all suspected phishing emails to the new Radiant Security Alerts contact created in the previous step.

1. From the [Exchange Admin Center](https://admin.exchange.microsoft.com/#/mailboxes) menu, navigate to **Recipients** > **Mailboxes.**
2. Locate the **Phishing Mailbox** that you created in the first step and click on its row.
3. In the pop-out menu, click the **Mailbox** tab and then click **Manage** **email** **forwarding**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FIDxBtA7VX9V5A4kFAhrw%2FSet_Up_O365_To_Forward_Phishing_Emails_10.webp?alt=media&#x26;token=48d6d355-705d-4b76-8b65-52300b6a47fd" alt="" width="375"><figcaption></figcaption></figure></div>

4. Enable the **Forward** **all** **emails sent to this mailbox** option, and then click **Forward to an internal email address > Search email**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FQWjuGZBWhRmvzIpAmIQL%2FSet_Up_O365_To_Forward_Phishing_Emails_11.webp?alt=media&#x26;token=2d63794d-8d3e-479f-82dd-7e26f04eaf15" alt="" width="375"><figcaption></figcaption></figure></div>

5. Search for and select the **Radiant Security Alerts** contact created in the previous step and click **Add**.
6. Click **Save**.
7. Back on the mailbox configuration menu, click **Manage** **message** **size** **restriction**:
   * Sent messages maximum size (KB):

     `153600`
   * Received messages maximum size (KB):

     `153600`

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FQiPUJQP4gcgmdv2fiEQd%2FSet_Up_O365_To_Forward_Phishing_Emails_12.webp?alt=media&#x26;token=8c2730d5-77c3-4c69-9e71-d739b4e8fc82" alt="" width="375"><figcaption></figcaption></figure></div>

8. Click **Save**.&#x20;

### Enable the Report Phishing button

In this step, you’ll enable the O365 right-click action which allows a user to report suspected phishing emails to the dedicated phishing mailbox you created in the previous step.

1. Log in to [Microsoft 365 Defender](https://security.microsoft.com/homepage).
2. Go to the [User reported settings](https://security.microsoft.com/securitysettings/userSubmission) page. Alternatively, from the left side menu, navigate to **Investigation & Response >** **Actions & Submissions** > **Submissions**.
3. Click the gear icon.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Fynw6Wrg9b5EsZyteoNuN%2FSet_Up_O365_To_Forward_Phishing_Emails_13.webp?alt=media&#x26;token=7e23e540-682b-4267-985e-1ae6ed5d9999" alt="" width="375"><figcaption></figcaption></figure></div>

4. Select the **Monitor reported messages in Outlook** checkbox.
5. For **Select an Outlook report button configuration**:&#x20;
   * Select **Use the built-in Report button in Outlook**.
6. For **When a user reports an email**:
   * Select the **Ask the user to confirm before reporting** and **Show a success message after the message is reported** checkboxe&#x73;**.**

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FPy4wlXEp7DTlPeukmYeD%2FSet_Up_O365_To_Forward_Phishing_Emails_14.webp?alt=media&#x26;token=765138c0-7c1f-476c-8d56-b208b77cb677" alt="" width="563"><figcaption></figcaption></figure></div>

7. On the section **Reported message destinations**, from the drop-down, select **Microsoft and my reporting mailbox**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FfPyDAfYRXWJKOSzIQIxM%2FSet_Up_O365_To_Forward_Phishing_Emails_15.webp?alt=media&#x26;token=4b7166da-f18b-4e90-82d8-5135a0d2790a" alt="" width="375"><figcaption></figcaption></figure></div>

8. For **Add an exchange online mailbox to send reported messages to**, enter and select the mailbox that you created in the [Create a dedicated phishing mailbox](#create-a-dedicated-phishing-mailbox) step. It should appear as a suggested contact.
9. Leave all other default settings unchanged and click **Save**.&#x20;

### Allow forwarding to an external email

1. Still on Microsoft 365 Defender, go to the [Anti-spam policies](https://security.microsoft.com/antispam) page. Alternatively, navigate to **Email & Collaboration** > **Policies & rules** > **Threat policies** > **Anti-spam policies**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F0Lb00XEibDgcuStDKYA1%2FSet_Up_O365_To_Forward_Phishing_Emails_16.webp?alt=media&#x26;token=a415f95f-9b91-4202-89bf-ca0d55d3b223" alt="" width="375"><figcaption></figcaption></figure></div>

2. Click **+ Create Policy** and select **Outbound**.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F0nGoA0lgSS8f8lBmqX4B%2FSet_Up_O365_To_Forward_Phishing_Emails_17.webp?alt=media&#x26;token=aae013fa-9bb4-4647-ad38-1de2c1a2071a" alt="" width="363"><figcaption></figcaption></figure></div>

3. Fill in the details for **Name your policy**:
   * Name: `Forwarding alerts to Radiant Security`
   * Description: `Policy used to forward possible phishing mails from the internal phishing@<domain> mail box to Radiant Security`

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2Furq3nL2LTmRtGfs5bTjL%2FSet_Up_O365_To_Forward_Phishing_Emails_18.webp?alt=media&#x26;token=31278fdc-87f6-4d5b-a8e8-3349ed256d7b" alt="" width="375"><figcaption></figcaption></figure></div>

4. Click **Next**.
5. Under **Users, groups, and domains**, for **Users** select the mail box created previously  `Phishing Mailbox`.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2FmsospEqglH6aNEO1BWSk%2FSet_Up_O365_To_Forward_Phishing_Emails_19.webp?alt=media&#x26;token=286b6ce7-7657-40c5-a678-6f0336a8f18b" alt="" width="375"><figcaption></figcaption></figure></div>

6. Leave **Groups** and **Domains** blank.
7. Under **Protection settings**, for **Forwarding** **rules** set **Automatic forwarding Rules** to **On - Forwarding is enabled**. Leave all default settings unchanged.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F3oJ2E9l2RjpwGoPwMllh%2FSet_Up_O365_To_Forward_Phishing_Emails_20.webp?alt=media&#x26;token=84adb87b-a770-4ebe-9c5f-b4dc5d9d468d" alt="" width="375"><figcaption></figcaption></figure></div>

8. Click **Next** to review and then click **Create** to save the forward rule.
9. Click **Done** to exit the page.

### Report a test email

In this step, you’ll report an email in order to make sure the integration is working and also that there is organizational knowledge on how to report phishing emails end-to-end.

1. Log into a mailbox within your organization, generate a test message by sending an email to yourself, and then click on that email message.
2. Report the test message as phishing.
   * In case you’ve configured the Report Phishing button, use it to easily report the test message as phishing
   * In case you haven’t configured the Report Phishing button, click the `…` and choose **Other reply actions** and then click **Forward as attachment**. In the  `To` field, enter the dedicated phishing mailbox address within your organization and send the email.

<div align="left"><figure><img src="https://2439665791-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPsFulb2ZOtSPcRSc2rXE%2Fuploads%2F9gZ2HjYoK6JZ2JmqMJ0z%2FSet_Up_O365_To_Forward_Phishing_Emails_21.webp?alt=media&#x26;token=5fb19353-c0ba-4e39-962e-6367aac794e7" alt="" width="375"><figcaption></figcaption></figure></div>

3. The email will take a couple of minutes to show up on Radiant.

### Managing "Not Junk" alerts

Microsoft Defender enables the forwarding of "Not Junk" user reports by default. If your team does not want these specific reports to be triaged by Radiant, administrators can disable these notifications under **Email & collaboration > Policies & rules > Alert policy** in the [Microsoft Defender Portal](https://security.microsoft.com/alertpoliciesv2).