Files
Anthropic-Cybersecurity-Skills/skills/building-phishing-reporting-button-workflow/SKILL.md
T
mukul975 886658219f Add MITRE Fight Fraud Framework (F3 v1.1) mappings to fraud-relevant skills
- Add mitre_f3 frontmatter block to 94 fraud-relevant skills (phishing,
  account takeover, banking malware, BEC, identity/KYC, payment/card fraud,
  money-mule/cash-out, ransomware extortion, DFIR, threat intel)
- Map each skill to F3 v1.1 tactics + precise technique IDs, including the
  two F3-specific tactics ATT&CK lacks: Positioning (FA0001) and
  Monetization (FA0002)
- All 123 F3 v1.1 technique IDs validated against the upstream STIX bundle
  (github.com/center-for-threat-informed-defense/fight-fraud-framework):
  0 invalid IDs, 0 invalid tactics, 0 name mismatches, no placeholder IDs
- mitre_f3 kept as a separate block from mitre_attack (F3 redefines several
  ATT&CK tactics for the fraud context)
- Add docs/mitre-f3-mapping.md schema reference
- Update README: F3 as the 6th framework, dedicated F3 section + badge
2026-06-20 16:06:04 +02:00

4.9 KiB

name, description, domain, subdomain, tags, mitre_attack, mitre_f3, version, author, license, nist_csf
name description domain subdomain tags mitre_attack mitre_f3 version author license nist_csf
building-phishing-reporting-button-workflow Implement a phishing report button in email clients with automated triage workflow that analyzes user-reported suspicious emails and provides feedback to reporters. cybersecurity phishing-defense
phishing-reporting
email-security
incident-response
security-awareness
outlook
microsoft-365
soar
T1566.001
T1566.002
T1598.003
T1204.001
T1534
version tactics techniques
1.1
reconnaissance
resource-development
initial-access
stealth
id name tactic source
T1598 Phishing for Information reconnaissance attack
id name tactic source
T1660 Phishing initial-access attack
id name tactic source
T1672 Email Spoofing stealth attack
id name tactic source
F1020.002 Create Fake Materials: Fake Website resource-development f3
1.0 mahipal Apache-2.0
PR.AT-01
DE.CM-09
RS.CO-02
DE.AE-02

Building Phishing Reporting Button Workflow

Overview

A phishing reporting button empowers users to flag suspicious emails directly from their email client, creating a critical feedback loop between end users and the security operations center. Microsoft's built-in Report button is now the recommended approach, replacing the deprecated Report Message and Report Phishing add-ins. When combined with automated triage using SOAR platforms, reported emails can be classified, IOCs extracted, and remediation actions taken within minutes. Organizations with effective phishing reporting programs see 70%+ report rates in phishing simulations.

When to Use

  • When deploying or configuring building phishing reporting button workflow capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Microsoft 365 or Google Workspace with administrative access
  • SOAR platform or automation capability (Microsoft Sentinel, Splunk SOAR, Cortex XSOAR)
  • Dedicated reporting mailbox for phishing submissions
  • Email security gateway with message retraction capability
  • Security awareness training platform for feedback loop

Workflow

Step 1: Deploy Phishing Report Button

  • Enable Microsoft built-in Report button via Security & Compliance Center
  • Configure user reported settings: route to reporting mailbox and Microsoft
  • For third-party: deploy KnowBe4 Phish Alert Button or Cofense Reporter
  • Verify button appears in Outlook desktop, web, and mobile clients
  • Configure report options: Report Phishing, Report Junk, Report Not Junk

Step 2: Build Automated Triage Pipeline

  • Configure reporting mailbox monitored by SOAR platform
  • Auto-extract IOCs from reported emails: URLs, attachments, sender info, headers
  • Submit URLs to VirusTotal, URLScan.io for reputation check
  • Submit attachments to sandbox for dynamic analysis
  • Check sender against known threat intelligence feeds
  • Auto-classify: confirmed phishing, spam, simulation, legitimate

Step 3: Implement Response Actions

  • Confirmed phishing: auto-retract from all inboxes, block sender domain
  • Confirmed spam: move to junk for all recipients
  • Simulation email: mark as correctly reported, credit user
  • Legitimate email: return to inbox, notify reporter
  • Generate IOC report for threat intelligence team

Step 4: Create Feedback Loop

  • Send automated thank-you response to reporter within 5 minutes
  • Include classification result when analysis completes
  • Track reporter accuracy and engagement metrics
  • Recognize top reporters in monthly security newsletter
  • Feed reporting metrics into security awareness training program

Step 5: Measure and Optimize

  • Track mean time to triage (target: under 10 minutes automated)
  • Monitor report volume trends and false positive rates
  • Measure user reporting rate in phishing simulations
  • Report on confirmed threats caught by user reports vs. gateway
  • Optimize automation rules based on classification accuracy

Tools & Resources

  • Microsoft Report Button: Built-in Outlook phishing reporting
  • Cofense Reporter + Triage: Enterprise phishing reporting and automated analysis
  • KnowBe4 Phish Alert Button: Integrated reporting with simulation platform
  • Microsoft Sentinel: SOAR automation for triage workflow
  • Proofpoint CLEAR: Closed-loop email analysis and response

Validation

  • Report button visible and functional across all Outlook platforms
  • Reported email arrives in dedicated mailbox within 60 seconds
  • Automated triage classifies test phishing email correctly
  • Auto-retraction removes confirmed phishing from all inboxes
  • Reporter receives feedback notification with classification
  • Metrics dashboard shows report volume and accuracy trends