Threat Defense phishing templates simulate real-life phishing attacks and are used to accurately gauge how your organization handles phishing attacks. Part of “handling” a phishing attack may include reporting the email via the Report Message add-in for Outlook. QuickHelp recommends this configuration as its best practice.
This document outlines how to configure Exchange to allow QuickHelp to track these reported emails.
To track phishing reporting, you will need to do all of the following:
- Enable the Report Message Outlook add-in
- Designate an existing email account or create a new mailbox (to receive a copy of all reported emails)
- Add the BrainStorm Threat Defense contact email
Enable the Report Message Outlook add-in
The Report Message add-in for Outlook and Outlook on the web allows end users to easily report phishing emails. BrainStorm Threat Defense can track these reported emails and provide the data to you in a QuickHelp Admin Portal Campaign dashboard. If you have not enabled this add-in for your organization, please find instructions here.
Designate an email account (to receive a copy of all reported emails)
When an end user reports an email as phishing, a message is sent to Microsoft, but you also need to send a copy of this email to a user in your M365 tenant. While you can use an existing user, we strongly recommend creating a new user expressly for this purpose. This user's email address is used in the email forwarding, Bcc rule, and forward-to-Threat-Defense steps below.
Enable forwarding
- Click here to access the Microsoft Security Settings page.
- Select the designated internal user in the 'Add an exchange online mailbox to send reported messages to' field.
- Log in to the Office 365 Security & Compliance Admin Center
- Click Threat Management > Policy > Anti-Spam
- Click Create policy > Outbound
- Enter a name in the Name field (e.g. Forwarding for Threat Defense)
- Enter a description in the Description field (optional)
- Click Next
- Enter the email address of the designated internal user (see above) in the Users field and select that user
- Click Next
- Enter 1000 in the Set an external message limit field
- Enter 1000 in the Set an internal message limit field
- Enter 10000 in the Set a daily message limit field
- Select No action, alert only from the Restriction placed on users who reach the message limit pulldown menu
- Select On - Forwarding is enabled from the Automatic Forwarding rules pulldown menu
- Click Next
- Review the configuration
- Click Create
NOTE: Make sure that this policy is on and has the appropriate Priority
Create a Bcc Rule
This allows the reported email to be Bcc'ed to the designated internal user (see above).
- Log in to the Exchange admin center
- Click Mail flow > Rules
- Click the + icon
- Click Create a new rule…
- Enter a name in the Name field
- Click More options…
NOTE: You must click More options… at this point in order to have the correct options in the *Apply this rule if… pulldown menu for the next step.
- Select The recipient … > address includes any of these words from the *Apply this rule if… pulldown menu
- Enter phish@office365.microsoft.com in the specify words or phrases dialog
- Click the + icon
- Click OK
- Click add condition
- Select Any attachment … > content includes any of these words from the new *Apply this rule if… pulldown menu
- Enter bs-phishing-email-reporting in the specify words or phrases dialog
- Click the + icon
- Click OK
- Select Add recipients… > to the Bcc box from the *Do the following… pulldown menu
- Find and select the designated internal user from above
- Click Add
- Click OK
- Click Save
Add the BrainStorm Threat Defense Contact
For QuickHelp to track Reported emails, these emails need to be forwarded to a BrainStorm Threat Defense email which should exist as an external contact in your M365 tenant.
- Log in to the Exchange admin center
- Click Recipients > Contacts
- Click Add a contact
- Choose Mail user from the Contact type pulldown menu
- Enter BrainStorm in the First name field
- Enter Reporting in the Last name field
- Enter BrainStorm Reporting in the Display name field
- Enter brainstormreporting@brainstorminc.com in the Email field
NOTE: While the First, Last, and Display name fields can contain other information (we recommend using our suggestions), the Email field must contain this exact email.
- Enter bsireporting in the Alias field
- Enter bsireporting as the User ID
- Select an organizational domain from the Domain pulldown menu
- Enter a password in the New password field. You can set up any password.
- Enter the same password in the Confirm password field
- Click Add
Configure forwarding
These steps enable automatic forwarding of any email sent to your designated internal user (above) to the BrainStorm Threat Defense Reporting email contact.
- Log in to the Exchange admin center
- Click Recipients > Mailboxes
- Search for the designated internal user (not the BrainStorm Threat Defense contact you just created)
- Click on the User Display Name
- Click Manage mail flow settings under Mail flow settings
- Click Email forwarding > Edit
- Enable Forward all emails sent to this mailbox
- Find and select brainstormreporting@brainstorminc.com as the Forwarding address
- Enable Keep a copy of forwarded email in this mailbox
- Click Save
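A read-only check of the finished configuration, added here as an example (it is not a BrainStorm or Microsoft script). It confirms that the forwarding exception covers only the designated mailbox, that the Bcc rule carries both conditions, and that the mailbox forwards to the Threat Defense contact. It assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session; the mailbox address phish-reports@contoso.example and the function name Test-ReportTracking are hypothetical.

```powershell
# Added example: read-only audit of the settings configured on this page.
# Assumes an active Connect-ExchangeOnline session (ExchangeOnlineManagement module).
$ReportMailbox = 'phish-reports@contoso.example'          # hypothetical designated internal user
$VendorAddress = 'brainstormreporting@brainstorminc.com'  # address given on this page

function Test-ReportTracking {
    param([Parameter(Mandatory)][string]$Mailbox,
          [Parameter(Mandatory)][string]$Vendor)

    $mbx  = Get-Mailbox -Identity $Mailbox
    $smtp = [regex]::Escape("$($mbx.PrimarySmtpAddress)")

    # Outbound anti-spam rule that names the mailbox as a sender, and its policy
    $rule = @(Get-HostedOutboundSpamFilterRule | Where-Object { "$($_.From)" -match $smtp })
    $policy = if ($rule.Count -eq 1) {
        Get-HostedOutboundSpamFilterPolicy -Identity $rule[0].HostedOutboundSpamFilterPolicy
    }

    # Mail flow rule matching both conditions from the Bcc rule section
    $bcc = @(Get-TransportRule | Where-Object {
        "$($_.RecipientAddressContainsWords)" -match 'phish@office365\.microsoft\.com' -and
        "$($_.AttachmentContainsWords)" -match 'bs-phishing-email-reporting'
    })

    # Forwarding target: resolved recipient (ForwardingAddress) or raw SMTP address
    $target = if ($mbx.ForwardingAddress) { Get-Recipient -Identity "$($mbx.ForwardingAddress)" }
    $fwd    = "$($target.ExternalEmailAddress) $($mbx.ForwardingSmtpAddress)"

    $checks = [ordered]@{
        'Exactly one outbound rule names the mailbox' = $rule.Count -eq 1
        'Outbound rule is enabled'           = $rule.Count -eq 1 -and "$($rule[0].State)" -eq 'Enabled'
        'Outbound rule covers only this mailbox' = $rule.Count -eq 1 -and @($rule[0].From).Count -eq 1 -and
                                               -not $rule[0].FromMemberOf -and -not $rule[0].SenderDomainIs
        'Policy allows automatic forwarding' = "$($policy.AutoForwardingMode)" -eq 'On'
        'Bcc rule exists and is enabled'     = $bcc.Count -eq 1 -and "$($bcc[0].State)" -eq 'Enabled'
        'Bcc rule copies to the mailbox'     = $bcc.Count -eq 1 -and "$($bcc[0].BlindCopyTo)" -match $smtp
        'Mailbox forwards to the Threat Defense contact' = $fwd -match [regex]::Escape($Vendor)
        'Mailbox keeps a copy'               = [bool]$mbx.DeliverToMailboxAndForward
    }
    $checks.GetEnumerator() | ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value } }
}

Test-ReportTracking -Mailbox $ReportMailbox -Vendor $VendorAddress | Format-Table -AutoSize
```

A row with Pass set to False points to the section of this document to revisit; the script changes nothing in the tenant.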
With tracking enabled, you will be able to see reported emails either by individual within a campaign or as an aggregated count by campaign on the main Simulated Phishing Dashboard.
By User
By Campaign