Managed Security Awareness Initial Setup - Step 5

Updated Sep 15, 2023

Step 5: Configure the Report Email button for Microsoft 365

Note: This step only applies if your organization uses Microsoft 365® as your email service and you want to deploy the Report Email button to report phishing emails.

The Arctic Wolf Managed Security Awareness® (MA) Report Phishing feature enables your organization to identify, search, and analyze phishing emails after installing a Report Email button in Microsoft Office 365. The Report Phishing feature is available to all MA customers that use Microsoft 365 as their email service and includes:

If you are a standard MA customer, the Reported Phishing page includes Reported Emails and Phishing Button Settings. If you have MA+, the Reported Phishing page includes Reported Simulations, Reported Emails, and Phishing Button Settings.

Requirements

Note: If you do not meet all of these requirements, the Report Email button may not function as expected.

Before you begin

Steps

  1. Create an Azure app registration to allow Microsoft Graph API access to Arctic Wolf.
  2. Deploy the Report Email button through Microsoft 365 admin center.

Step 1: Create an Azure app registration to allow Microsoft Graph API access to Arctic Wolf

  1. If you are using:

    • Microsoft Entra ID — Sign in to the Azure AD admin center, and then click Azure Active Directory.
    • Microsoft 365 — Click Apps > Admin, and then click Show all.
  2. Register your Report Email button:

    1. In the navigation menu, under Identity, click Applications > App registrations.

    2. Click + New registration.

    3. On the Register an application page, do these actions:

      • Name — Enter the name that you want displayed for your application. We recommend naming it Arctic Wolf Report Email Button.
      • Supported account types — Select Accounts in this organizational directory only (Single tenant).

        Note: Multi-tenancy is not supported.

    4. Click Register.

      The Overview page for the newly registered application opens.

  3. Assign permissions to your Report Email button:

    1. In the navigation menu, under Manage, click API permissions.

    2. Click + Add a permission.

    3. Click Microsoft Graph.

    4. Click Application permissions.

      Note: Do not click Delegated permissions. This will not provide the API permissions required for MA setup and generates an insufficient permissions error message.

    5. In the Select permissions search box, enter Mail.ReadWrite, expand Mail, and then select the Mail.ReadWrite checkbox.

    6. Click Add permissions.

    7. In the Configured permissions section, click Grant admin consent for <company_name>.

    8. On the Grant admin consent confirmation dialog, click Yes.

      Your Microsoft Graph permissions should look like this:

  4. Generate a client secret for your Email Report button:

    1. In the navigation pane, under Manage, click Certificates & secrets.

    2. Click the Client secrets tab, and then click + New client secret.

    3. On the Add a client secret page, do these actions:

      • Description — Enter a meaningful description for the client secret. For example, Arctic Wolf Report Email Button Secret.
      • Expires — Select 730 days (24 months) from the list.
    4. Click Add. Your new client secret appears on the Client secrets tab.

    5. In the Value column, click Copy to clipboard to copy the client secret, and then save it in a safe encrypted location, such as a password manager.

      Notes:

      • The client secret Value is time-sensitive. It is only viewable during the application registration, so it must be saved now.
      • Do not share the client secret with anyone outside of authorized personnel.
      • If Arctic Wolf requires a copy of the client secret, we will provide you with a secure transfer link, such as Egnyte.
  5. Obtain the ID values for your Email Report button:

    1. In the navigation pane, click Overview.
    2. Take note of these fields and their associated values:
      • Application (client) ID
      • Directory (tenant) ID
  6. Integrate your Report Email button credentials with MA and test your connection:

    1. In a new browser tab, sign in to the MA Portal.
    2. In the menu, click Reported Phishing.
    3. On the Phishing Button Settings tab, enter these values that you copied earlier:
      • Application (Client) ID — Enter the Application (client) ID.
      • Directory (Tenant) ID — Enter the Directory (tenant) ID.
      • Client Secret Value — Enter the Value of the client secret.
      • Client Secret Value Expiration Date — Enter the Expires value.
    4. Click Test Connection, and then do one of these actions:
      • If the "Connection Successful" message appears, click Acknowledge, and then click Save Credentials.
      • If errors persist, submit a ticket in the Arctic Wolf portal.
    5. In the Grant Permissions section, turn on the Automatically move emails to junk toggle.

Step 2: Deploy the Report Email button through Microsoft 365 admin center

  1. Download the Arctic Wolf Report Email Button Manifest file:

    1. In the MA Portal, click Settings > Administrator Toolkit.
    2. In the Search field, enter Arctic Wolf Report Email Button Manifest File, and then click Download.
    3. (Optional) To validate the checksum value for the Arctic Wolf Report Email Button Manifest File you can download a checksum file for SHA-256 or MD5:
      • In the Search field enter Checksums, and then download the file corresponding to the checksum value generator you use.
      • Generate the hash value for the manifest file. The value should match the checksum file.

        Note: If the checksum value does not match, consider the file corrupt, delete it from your computer, and re-download the manifest file from the Administrator Toolkit. If the issue persists, submit a ticket in the Arctic Wolf Portal.

  2. In a separate browser tab, sign in to the Microsoft 365 admin center.

  3. Click Settings > Integrated apps.

  4. Click the Upload custom apps tab.

  5. On the Upload Apps to deploy page, in the App Type list, select Office Add-in, and then select the Upload manifest file (.xml) from device option.

  6. Click Choose File, and then upload the manifest file you downloaded from the Administrator Toolkit.

    The Manifest file validated confirmation message appears.

  7. Click Next.

  8. On the Add users page, in the Assign users section, do these steps:

    1. Select the Specific users/groups option.
    2. In the Specific users/groups field, enter the names of users or a user group to receive the Report Email button.

      Note: Arctic Wolf recommends that you:

      • Use the same MA User group you used when you enrolled users into MA.

        See Enroll users to your MA program for more information. Be aware that you may experience unexpected results if you use a nested group because Outlook Add-ins do not always support nested groups. If the Report Email button does not appear within 48 hours, add individual groups or users.

      • Add a group with limited users if you want a phased approach for rolling out the Report Email button. For example, add your IT team only.

        See Get started with Integrated apps for more information.

      • Only select Entire organization if all users in the tenant are MA users. If non-MA users exist in the tenant, they will experience errors when reporting an email.

    3. Click Next.
  9. On the Accept permissions requests page, read the App Permissions and Capabilities, and then click Next.

    Note: These permissions are different than the permissions set in the Azure app.

  10. On the Review and finish deployment page, review your settings, and then click Finish deployment.

    Note: The deployment may take a few minutes to complete. Do not refresh or close the page.

  11. When the deployment is finished running, on the Deployment completed page, click View this deployment to see details of the completed add-in.

    Note: It may take up to 24 hours for the Report Email button to appear in Outlook desktop app.

  12. After the Report Email button is visible in Outlook, create a test email with these values. You will use this email later to make sure the Report Email button works as expected:

    • To — Your email address.

      Tip: Arctic Wolf recommends only sending the test email to yourself.

    • Subject — Test Report Email Button for Managed Security Awareness.

    • Body — Testing the Report Email button for Managed Security Awareness.

    • (Optional) If you have an email signature, remove it from the body of the email to avoid any issues that could occur from filtering.

  13. Click Send.

    The test email is sent to your email address.

  14. Verify that the deployment of the Report Email button works as expected:

    1. Go to your email, click the test email, and then click Report Email.
    2. In the MA Portal menu, click Reported Phishing.
    3. Click the Reported Emails tab.
    4. Find your test email in the Reported Emails table. If you are:
      • Successful — The Report Email button was successfully installed.
      • Not successful — Submit a ticket from your Arctic Wolf Portal.

Next steps