Building Phishing Reporting Button Workflow Overview A phishing reporting button empowers users to flag suspicious emails directly from their email client, creating a critical feedback loop between end users and the security operations center. Microsoft's built-in Report button is now the recommended approach, replacing the deprecated Report Message and Report Phishing add-ins. When combined with automated triage using SOAR platforms, reported emails can be classified, IOCs extracted, and remediation actions taken within minutes. Organizations with effective phishing reporting programs see 70…

, eml_content, re.MULTILINE | re.IGNORECASE)\n if subj_match:\n iocs.subject = subj_match.group(1).strip()\n\n # Extract URLs\n urls = re.findall(r'https?://[^\\s\u003c>\"\\']+', eml_content)\n iocs.urls = list(set(urls))\n\n # Extract domains from URLs\n for url in iocs.urls:\n domain_match = re.search(r'https?://([^/:\\s]+)', url)\n if domain_match:\n domain = domain_match.group(1).lower()\n if domain not in iocs.domains:\n iocs.domains.append(domain)\n\n # Extract IP addresses from headers\n ips = re.findall(r'\\b(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\b', eml_content)\n iocs.ip_addresses = list(set(ips))\n\n # Extract attachment filenames\n attachments = re.findall(\n r'filename[*]?=(?:\"([^\"]+)\"|([^\\s;]+))',\n eml_content, re.IGNORECASE\n )\n for groups in attachments:\n name = groups[0] or groups[1]\n if name and name not in iocs.attachment_names:\n iocs.attachment_names.append(name)\n\n return iocs\n\n\ndef triage_report(eml_content: str, simulation_subjects: list = None) -> TriageResult:\n \"\"\"Classify a reported email.\"\"\"\n result = TriageResult()\n iocs = extract_iocs(eml_content)\n result.iocs = asdict(iocs)\n\n score = 0\n body_lower = eml_content.lower()\n\n # Check if it's a known simulation\n if simulation_subjects:\n for sim_subj in simulation_subjects:\n if sim_subj.lower() in iocs.subject.lower():\n result.classification = \"simulation\"\n result.confidence = 0.95\n result.recommended_action = \"Credit reporter in training platform\"\n result.auto_actionable = True\n return result\n\n # Check phishing indicators\n for pattern, desc, weight in PHISHING_INDICATORS:\n if re.search(pattern, body_lower):\n result.indicators.append(desc)\n score += weight\n\n # Check for authentication failures\n auth_results = re.search(r'Authentication-Results:.*?(spf=fail|dkim=fail|dmarc=fail)',\n eml_content, re.IGNORECASE | re.DOTALL)\n if auth_results:\n result.indicators.append(f\"Authentication failure: {auth_results.group(1)}\")\n score += 20\n\n # 
Check Reply-To mismatch\n if iocs.reply_to and iocs.sender_address:\n reply_domain = re.search(r'@([\\w.-]+)', iocs.reply_to)\n sender_domain = re.search(r'@([\\w.-]+)', iocs.sender_address)\n if reply_domain and sender_domain:\n if reply_domain.group(1) != sender_domain.group(1):\n result.indicators.append(\"Reply-To domain mismatch\")\n score += 15\n\n # Check for suspicious attachment types\n risky_extensions = ['.exe', '.scr', '.bat', '.cmd', '.ps1', '.vbs',\n '.js', '.wsf', '.hta', '.iso', '.img']\n for att in iocs.attachment_names:\n if any(att.lower().endswith(ext) for ext in risky_extensions):\n result.indicators.append(f\"Risky attachment: {att}\")\n score += 25\n\n # Classify\n if score >= 50:\n result.classification = \"confirmed_phishing\"\n result.confidence = min(score / 100, 0.95)\n result.recommended_action = \"Retract from all inboxes, block sender domain\"\n result.auto_actionable = True\n elif score >= 25:\n result.classification = \"suspicious\"\n result.confidence = score / 100\n result.recommended_action = \"Escalate to SOC analyst for manual review\"\n result.auto_actionable = False\n elif score >= 10:\n result.classification = \"spam\"\n result.confidence = 0.6\n result.recommended_action = \"Move to junk for all recipients\"\n result.auto_actionable = True\n else:\n result.classification = \"clean\"\n result.confidence = 0.7\n result.recommended_action = \"Return to inbox, notify reporter\"\n result.auto_actionable = True\n\n return result\n\n\ndef calculate_metrics(reports: list) -> ReportingMetrics:\n \"\"\"Calculate phishing reporting program metrics.\"\"\"\n metrics = ReportingMetrics()\n metrics.total_reports = len(reports)\n\n reporter_counts = Counter()\n triage_times = []\n\n for report in reports:\n classification = report.get(\"classification\", \"\")\n if classification == \"confirmed_phishing\":\n metrics.confirmed_phishing += 1\n elif classification == \"spam\":\n metrics.confirmed_spam += 1\n elif classification == 
\"simulation\":\n metrics.simulation_reports += 1\n elif classification == \"clean\":\n metrics.false_positives += 1\n\n reporter = report.get(\"reporter\", \"\")\n if reporter:\n reporter_counts[reporter] += 1\n\n triage_time = report.get(\"triage_time_minutes\", 0)\n if triage_time > 0:\n triage_times.append(triage_time)\n\n if triage_times:\n metrics.mean_triage_time_min = sum(triage_times) / len(triage_times)\n\n metrics.top_reporters = [\n {\"reporter\": r, \"count\": c}\n for r, c in reporter_counts.most_common(10)\n ]\n\n if metrics.total_reports > 0:\n metrics.report_rate = (\n (metrics.confirmed_phishing + metrics.simulation_reports) /\n metrics.total_reports * 100\n )\n\n return metrics\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"Phishing Report Triage Engine\")\n subparsers = parser.add_subparsers(dest=\"command\")\n\n triage_parser = subparsers.add_parser(\"triage\", help=\"Triage reported email\")\n triage_parser.add_argument(\"--eml-file\", required=True)\n triage_parser.add_argument(\"--sim-subjects\", nargs=\"*\", default=[])\n\n metrics_parser = subparsers.add_parser(\"metrics\", help=\"Calculate reporting metrics\")\n metrics_parser.add_argument(\"--reports-file\", required=True)\n\n ioc_parser = subparsers.add_parser(\"extract-iocs\", help=\"Extract IOCs from email\")\n ioc_parser.add_argument(\"--eml-file\", required=True)\n\n parser.add_argument(\"--json\", action=\"store_true\")\n args = parser.parse_args()\n\n if args.command == \"triage\":\n with open(args.eml_file, 'r', errors='replace') as f:\n content = f.read()\n result = triage_report(content, args.sim_subjects)\n if args.json:\n print(json.dumps(asdict(result), indent=2))\n else:\n print(f\"Classification: {result.classification}\")\n print(f\"Confidence: {result.confidence:.0%}\")\n print(f\"Action: {result.recommended_action}\")\n print(f\"Auto-actionable: {'Yes' if result.auto_actionable else 'No'}\")\n if result.indicators:\n print(f\"Indicators:\")\n for ind 
in result.indicators:\n print(f\" - {ind}\")\n\n elif args.command == \"metrics\":\n with open(args.reports_file) as f:\n reports = json.load(f)\n result = calculate_metrics(reports)\n if args.json:\n print(json.dumps(asdict(result), indent=2))\n else:\n print(f\"Total reports: {result.total_reports}\")\n print(f\"Confirmed phishing: {result.confirmed_phishing}\")\n print(f\"Spam: {result.confirmed_spam}\")\n print(f\"Simulations reported: {result.simulation_reports}\")\n print(f\"False positives: {result.false_positives}\")\n print(f\"Mean triage time: {result.mean_triage_time_min:.1f} min\")\n\n elif args.command == \"extract-iocs\":\n with open(args.eml_file, 'r', errors='replace') as f:\n content = f.read()\n iocs = extract_iocs(content)\n print(json.dumps(asdict(iocs), indent=2))\n\n else:\n parser.print_help()\n\n\nif __name__ == \"__main__\":\n main()\n","content_type":"text/x-python; charset=utf-8","language":"python","size":10765,"content_sha256":"d4debce2fed19d07fd706d4e9643313cf2a19bbecf48e1025562eadb4c6fb313"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Building Phishing Reporting Button Workflow","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"A phishing reporting button empowers users to flag suspicious emails directly from their email client, creating a critical feedback loop between end users and the security operations center. Microsoft's built-in Report button is now the recommended approach, replacing the deprecated Report Message and Report Phishing add-ins. When combined with automated triage using SOAR platforms, reported emails can be classified, IOCs extracted, and remediation actions taken within minutes. 
Organizations with effective phishing reporting programs see 70%+ report rates in phishing simulations.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"When to Use","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When deploying or configuring phishing reporting button workflow capabilities in your environment","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When establishing security controls aligned to compliance requirements","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When building or improving security architecture for this domain","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When conducting security assessments that require this implementation","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Prerequisites","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Microsoft 365 or Google Workspace with administrative access","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SOAR platform or automation capability (Microsoft Sentinel, Splunk SOAR, Cortex XSOAR)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Dedicated reporting mailbox for phishing submissions","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Email security gateway with message retraction capability","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Security awareness training platform for feedback loop","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Workflow","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 1: Deploy Phishing Report 
Button","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Enable Microsoft built-in Report button via Security & Compliance Center","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure user reported settings: route to reporting mailbox and Microsoft","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"For third-party: deploy KnowBe4 Phish Alert Button or Cofense Reporter","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Verify button appears in Outlook desktop, web, and mobile clients","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure report options: Report Phishing, Report Junk, Report Not Junk","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 2: Build Automated Triage Pipeline","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Configure reporting mailbox monitored by SOAR platform","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Auto-extract IOCs from reported emails: URLs, attachments, sender info, headers","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Submit URLs to VirusTotal, URLScan.io for reputation check","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Submit attachments to sandbox for dynamic analysis","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Check sender against known threat intelligence feeds","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Auto-classify: confirmed phishing, spam, simulation, legitimate","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 3: 
Implement Response Actions","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Confirmed phishing: auto-retract from all inboxes, block sender domain","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Confirmed spam: move to junk for all recipients","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Simulation email: mark as correctly reported, credit user","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Legitimate email: return to inbox, notify reporter","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Generate IOC report for threat intelligence team","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 4: Create Feedback Loop","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Send automated thank-you response to reporter within 5 minutes","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Include classification result when analysis completes","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Track reporter accuracy and engagement metrics","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Recognize top reporters in monthly security newsletter","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Feed reporting metrics into security awareness training program","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 5: Measure and Optimize","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Track mean time to triage (target: under 10 minutes 
automated)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Monitor report volume trends and false positive rates","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Measure user reporting rate in phishing simulations","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Report on confirmed threats caught by user reports vs. gateway","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Optimize automation rules based on classification accuracy","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Tools & Resources","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Microsoft Report Button","type":"text","marks":[{"type":"strong"}]},{"text":": Built-in Outlook phishing reporting","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Cofense Reporter + Triage","type":"text","marks":[{"type":"strong"}]},{"text":": Enterprise phishing reporting and automated analysis","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"KnowBe4 Phish Alert Button","type":"text","marks":[{"type":"strong"}]},{"text":": Integrated reporting with simulation platform","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Microsoft Sentinel","type":"text","marks":[{"type":"strong"}]},{"text":": SOAR automation for triage workflow","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Proofpoint CLEAR","type":"text","marks":[{"type":"strong"}]},{"text":": Closed-loop email analysis and 
response","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Validation","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Report button visible and functional across all Outlook platforms","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Reported email arrives in dedicated mailbox within 60 seconds","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Automated triage classifies test phishing email correctly","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Auto-retraction removes confirmed phishing from all inboxes","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Reporter receives feedback notification with classification","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Metrics dashboard shows report volume and accuracy 
trends","type":"text"}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"building-phishing-reporting-button-workflow","tags":["phishing-reporting","email-security","incident-response","security-awareness","outlook","microsoft-365","soar"],"author":"@skillopedia","domain":"cybersecurity","source":{"stars":13207,"repo_name":"anthropic-cybersecurity-skills","origin_url":"https://github.com/mukul975/anthropic-cybersecurity-skills/blob/HEAD/skills/building-phishing-reporting-button-workflow/SKILL.md","repo_owner":"mukul975","body_sha256":"7ef204ca6abe409d97b9fae5a4766cfa83ba45b20aae759e5b8f1886f35f92a0","cluster_key":"ede5cc020e6164ec83ea6824da132a60941846429c6843cbd54bab589c7af757","clean_bundle":{"format":"clean-skill-bundle-v1","source":"mukul975/anthropic-cybersecurity-skills/skills/building-phishing-reporting-button-workflow/SKILL.md","attachments":[{"id":"5be7f8f8-d334-5b4c-b45c-e55c95902596","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/5be7f8f8-d334-5b4c-b45c-e55c95902596/attachment.md","path":"assets/template.md","size":945,"sha256":"aef6420376efb1392d4942e2c6837f67e972f32b39fe0036ee119435eeb24645","contentType":"text/markdown; charset=utf-8"},{"id":"bd01cd53-4c87-5397-a459-1762df158d5d","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/bd01cd53-4c87-5397-a459-1762df158d5d/attachment.md","path":"references/api-reference.md","size":1835,"sha256":"b563e4e874cd55fd23e2d0736707c52814d39e2162c461651cab4f0d69ff3e82","contentType":"text/markdown; charset=utf-8"},{"id":"01e21238-c22f-586b-bee6-e02eb54aad83","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/01e21238-c22f-586b-bee6-e02eb54aad83/attachment.md","path":"references/standards.md","size":1333,"sha256":"909b07e976d17c884d7ab0c3aef70667adc4a0babe6dc0f6ff4090dd84154a5a","contentType":"text/markdown; 
charset=utf-8"},{"id":"b02ba306-971b-5afe-bc93-56658fca6b55","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/b02ba306-971b-5afe-bc93-56658fca6b55/attachment.md","path":"references/workflows.md","size":1878,"sha256":"3c92f02df2f38fbd2c4f45c498d4ea27b2cf8ef5fa8a9536de8288f7e89f149c","contentType":"text/markdown; charset=utf-8"},{"id":"e4785d0e-a9c4-5671-b82e-eb01ddf7090c","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/e4785d0e-a9c4-5671-b82e-eb01ddf7090c/attachment.py","path":"scripts/agent.py","size":7320,"sha256":"0c27f9932263c6a89e7e0222b6bb2ed2ed6853a24678bfc92eec6c6c6f9c6cd7","contentType":"text/x-python; charset=utf-8"},{"id":"800482a0-8bed-5dc4-aad1-7515fd6e7935","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/800482a0-8bed-5dc4-aad1-7515fd6e7935/attachment.py","path":"scripts/process.py","size":10765,"sha256":"d4debce2fed19d07fd706d4e9643313cf2a19bbecf48e1025562eadb4c6fb313","contentType":"text/x-python; charset=utf-8"}],"bundle_sha256":"ce7e027c3e1f4b3d094a986df7e700edb938a8b6313766bd095cdbda2bf13baa","attachment_count":6,"text_attachments":6,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/building-phishing-reporting-button-workflow/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"license":"Apache-2.0","version":"v1","category":"security","nist_csf":["PR.AT-01","DE.CM-09","RS.CO-02","DE.AE-02"],"subdomain":"phishing-defense","import_tag":"clean-skills-v1","description":"Implement a phishing report button in email clients with automated triage workflow that analyzes user-reported suspicious emails and provides feedback to reporters.","mitre_attack":["T1566","T1204","T1534"]}},"renderedAt":1782980644651}
