creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-14 06:54:57 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/building-phishing-reporting-button-workflow/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

4.4 KiB
Raw Blame History

name, description, domain, subdomain, tags, mitre_attack, version, author, license, nist_csf
name description domain subdomain tags mitre_attack version author license nist_csf
building-phishing-reporting-button-workflow Implement a phishing report button in email clients with automated triage workflow that analyzes user-reported suspicious emails and provides feedback to reporters. cybersecurity phishing-defense
phishing-reporting
email-security
incident-response
security-awareness
outlook
microsoft-365
soar
T1566
T1204
T1534
1.0 mahipal Apache-2.0
PR.AT-01
DE.CM-09
RS.CO-02
DE.AE-02

Building Phishing Reporting Button Workflow

Overview

A phishing reporting button empowers users to flag suspicious emails directly from their email client, creating a critical feedback loop between end users and the security operations center. Microsoft's built-in Report button is now the recommended approach, replacing the deprecated Report Message and Report Phishing add-ins. When combined with automated triage using SOAR platforms, reported emails can be classified, IOCs extracted, and remediation actions taken within minutes. Organizations with effective phishing reporting programs see 70%+ report rates in phishing simulations.

When to Use

  • When deploying or configuring building phishing reporting button workflow capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Microsoft 365 or Google Workspace with administrative access
  • SOAR platform or automation capability (Microsoft Sentinel, Splunk SOAR, Cortex XSOAR)
  • Dedicated reporting mailbox for phishing submissions
  • Email security gateway with message retraction capability
  • Security awareness training platform for feedback loop

Workflow

Step 1: Deploy Phishing Report Button

  • Enable Microsoft built-in Report button via Security & Compliance Center
  • Configure user reported settings: route to reporting mailbox and Microsoft
  • For third-party: deploy KnowBe4 Phish Alert Button or Cofense Reporter
  • Verify button appears in Outlook desktop, web, and mobile clients
  • Configure report options: Report Phishing, Report Junk, Report Not Junk

Step 2: Build Automated Triage Pipeline

  • Configure reporting mailbox monitored by SOAR platform
  • Auto-extract IOCs from reported emails: URLs, attachments, sender info, headers
  • Submit URLs to VirusTotal, URLScan.io for reputation check
  • Submit attachments to sandbox for dynamic analysis
  • Check sender against known threat intelligence feeds
  • Auto-classify: confirmed phishing, spam, simulation, legitimate

Step 3: Implement Response Actions

  • Confirmed phishing: auto-retract from all inboxes, block sender domain
  • Confirmed spam: move to junk for all recipients
  • Simulation email: mark as correctly reported, credit user
  • Legitimate email: return to inbox, notify reporter
  • Generate IOC report for threat intelligence team

Step 4: Create Feedback Loop

  • Send automated thank-you response to reporter within 5 minutes
  • Include classification result when analysis completes
  • Track reporter accuracy and engagement metrics
  • Recognize top reporters in monthly security newsletter
  • Feed reporting metrics into security awareness training program

Step 5: Measure and Optimize

  • Track mean time to triage (target: under 10 minutes automated)
  • Monitor report volume trends and false positive rates
  • Measure user reporting rate in phishing simulations
  • Report on confirmed threats caught by user reports vs. gateway
  • Optimize automation rules based on classification accuracy

Tools & Resources

  • Microsoft Report Button: Built-in Outlook phishing reporting
  • Cofense Reporter + Triage: Enterprise phishing reporting and automated analysis
  • KnowBe4 Phish Alert Button: Integrated reporting with simulation platform
  • Microsoft Sentinel: SOAR automation for triage workflow
  • Proofpoint CLEAR: Closed-loop email analysis and response

Validation

  • Report button visible and functional across all Outlook platforms
  • Reported email arrives in dedicated mailbox within 60 seconds
  • Automated triage classifies test phishing email correctly
  • Auto-retraction removes confirmed phishing from all inboxes
  • Reporter receives feedback notification with classification
  • Metrics dashboard shows report volume and accuracy trends
Reference in New Issue View Git Blame Copy Permalink