Understand your Phish Alert Report Notification

Learn what the suspected phishing email alert notifications contain.


A Phish Alert Report email notification will be sent to your specified email addresses when a user reports a suspected phishing email outside of a simulation.


NOTE: This requires the Forward Suspected Phishing Emails setting to be enabled on your Phish Alert Button settings.


The notification will look like this:


The notification email will include (depending on your Phish Alert settings):

  • Summary details
  • EML attachment

Summary Details

Here is what each summary component of the report email means.

  • Recipient
    • User who submitted the suspected phishing email
  • Sender
    • The sender of the phishing email
  • Subject
    • The subject of the phishing email
  • Received At
    • The date/time the email was received in UTC
  • Message ID
    • This is the unique identifier generated by the outgoing email server or client
    • It can be used in an Exchange message trace
  • Network Message ID
    • This ID is assigned by Exchange when it processes an email. This corresponds to the X-MS-Exchange-Organization-Network-Message-Id message header
    • This can be used to manually submit an email to Microsoft for analysis as a suspected phish via the Microsoft 365 Security portal

There will also be a table summarising the suspected email’s attachments if present.


EML attachment

NOTE: This requires the Include Suspected Email as EML file attachment setting to be enabled in your Phish Alert Button settings.


The report notification will include an EML file attachment containing a reproduction of the suspected phishing email.


The notification’s body will inform you of the method used to construct the EML file. We currently offer 2 message data retrieval approaches.

  • Office JavaScript API
    • This is the data provided by the Outlook Add-in. It provides enough data to give the summary in the notification and the body of the suspected email, but in a sanitized form. It can’t provide message headers or attachments. The EML may appear strange when opened as a result.
  • MS Graph API
    • We use the authorisation provided at add-in install or during sideloading testing to retrieve message data, provided the Retrieve Message Data via the MS Graph API on Behalf of a User using SSO setting is enabled.
    • This will include a less sanitized version of the email body, its message headers, and its attachments if the Include Suspected Email's Attachments in EML File option is enabled.

The EML generation process takes a graceful degradation approach so that if the MS Graph load fails we fall back to the Office JavaScript API data.

IMPORTANT NOTE: You should only open the EML file in a sandboxed environment such as Windows Sandbox or a VM.
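
The summary fields described above can also be read straight from the EML without rendering it in a mail client, which is useful for triage inside the sandbox. The following Python sketch is an added example and not part of the product: the function name, the sample message and the rule that missing transport headers indicate the Office JavaScript API fallback are assumptions made for illustration.

```python
import hashlib
from email import message_from_bytes, policy

NETWORK_ID = "X-MS-Exchange-Organization-Network-Message-Id"

# Constructed sample standing in for a reported EML (not real mail).
SAMPLE_EML = (
    b"Received: from mail.example.test by mx.example.test; Mon, 01 Jan 2024 10:00:00 +0000\n"
    b"From: Billing <billing@example.test>\n"
    b"Subject: Invoice overdue\n"
    b"Message-ID: <constructed-0001@example.test>\n"
    b"X-MS-Exchange-Organization-Network-Message-Id: 00000000-0000-0000-0000-000000000001\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n\n'
    b"--b1\nContent-Type: text/plain\n\nPlease see attached.\n"
    b"--b1\nContent-Type: application/octet-stream\n"
    b'Content-Disposition: attachment; filename="invoice.bin"\n'
    b"Content-Transfer-Encoding: base64\n\naGVsbG8=\n--b1--\n"
)

def triage_eml(raw: bytes) -> dict:
    """Read a reported EML as inert data; nothing is rendered or executed."""
    msg = message_from_bytes(raw, policy=policy.default)

    def header(name):
        value = msg[name]
        return None if value is None else str(value).strip()

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # decoded in memory only
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    hops = msg.get_all("Received", [])
    return {
        "sender": header("From"),
        "subject": header("Subject"),
        "message_id": header("Message-ID"),        # for an Exchange message trace
        "network_message_id": header(NETWORK_ID),  # for a Microsoft 365 submission
        "received_hops": len(hops),
        # Assumption: no transport headers means the EML was rebuilt from
        # Office JavaScript API data (the fallback path), so expect gaps.
        "has_transport_headers": bool(hops) or header(NETWORK_ID) is not None,
        "attachments": attachments,
    }
```

When has_transport_headers is false, rely on the Message ID and Network Message ID shown in the notification summary rather than on the EML.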
