How to handle phishy emails on #PhishyFriday

#Phishing emails will continue to be a problem for some time to come. As well as training your staff to recognise a #phish when it appears, give them the ability to do something about it.


If you use Office 365 as an email solution you can add the National Cyber Security Centre (NCSC) suspicious email reporting service so that the NCSC is automatically notified when your users report a phishing email. Notifying the NCSC will enable them to analyse the suspect email and any websites it links to. They will use any additional information you’ve provided to look for and monitor the suspicious activity. If they discover activity that they believe is malicious, they may:

  • seek to block the address the email came from, so it can no longer send emails

  • work with hosting companies to remove links to malicious websites

  • raise awareness of commonly reported suspicious emails and methods used

This is a free public service which ensures that members of the public can report any phishing email from potential scammers, so that fraudulent activity can be prevented, and the public are kept safe.


The following guide will show you or your IT team how to configure Office 365 so that the Report Phishing button automatically sends a report to the Suspicious Email Reporting Service (SERS).


This guide uses the O365 Outlook add-in. You must ensure your organisation is happy to accept the terms of use of this product prior to proceeding.


** Guidance Intended for Office 365 Administrators Only **

** IT Managers / System Administrators **


It is now possible to also report phishing emails to SERS when using the Report Phishing Add-in found in Outlook 365.


Currently the “Report Phishing” add-in is only available to corporate or business versions of O365. The add-in is not currently available to users with home or student licences.


The add-in can be found by navigating to the Business Apps page and searching for “Report Phishing”. The add-in can be added using the one-click install button.


Once the add-in has been added to your organisation, you will be required to include the SERS service on reports sent via the button.

  1. Firstly, log in to the Microsoft 365 Admin Center -> Exchange Admin Center.

  2. From here navigate to Mail Flow -> Rules.

  3. Click the ‘Create New Rule’ button. A ‘New Rule’ window will be displayed. Enter a name for your rule, e.g. “Report Phishing to SERS”.

  4. Apply this rule if -> The recipient is phish@office365.microsoft.com

  5. Do the following -> Bcc the message to report@phishing.gov.uk

  6. Click the “Save” button.

The rule should appear as:

Once the rule has been added, all emails reported using the “Report Phishing” add-in will also be routed to SERS.


If you wish to see the emails that are being reported to our service, it is recommended that you add your own email address in addition to the SERS address in step 5.
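The same mail flow rule as steps 1 to 6, created from Exchange Online PowerShell instead of the Exchange Admin Center, as an added example that is not part of the original guide. It assumes the ExchangeOnlineManagement module is installed, an account with Exchange administrator rights, and uses a placeholder address for the optional internal copy described above.

```powershell
# Added example (not from the original guide): create the "Report Phishing to SERS"
# mail flow rule with the Exchange Online PowerShell module.
# Prerequisite: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$ruleName = "Report Phishing to SERS"

# Mandatory destination: the NCSC Suspicious Email Reporting Service (from the guide).
$bcc = @("report@phishing.gov.uk")

# Optional: also copy reports to an internal mailbox so you can see what staff report.
# Placeholder address; replace with your own, or set to $null to skip.
$localCopy = "phishing-reports@yourdomain.example"
if ($localCopy) { $bcc += $localCopy }

# Create the rule only if it does not already exist (re-running the script is safe).
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -Comments "Copies Report Phishing add-in submissions to NCSC SERS" `
        -SentTo "phish@office365.microsoft.com" `
        -BlindCopyTo $bcc `
        -Mode Enforce `
        -Enabled $true
}

# Check: the rule is enabled, enforced, and the condition/action match the guide.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, SentTo, BlindCopyTo

Disconnect-ExchangeOnline -Confirm:$false
```

The Format-List output should show State Enabled, Mode Enforce, SentTo phish@office365.microsoft.com and BlindCopyTo containing report@phishing.gov.uk; if not, the reports are not reaching SERS.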


If you have any questions about this guide, please refer to your IT helpdesk.


How we handle the information you send to us

  • Information provided to the NCSC is protected in the same way we protect our own confidential information: It is held securely, with strictly limited access.

  • We may share details with our Law Enforcement partners, such as the National Crime Agency and the City of London Police, to help identify investigation and mitigation opportunities.

  • The information we hold is exempt from Freedom of Information requests.

  • For further detail on how we handle information you send us, please see our Privacy Statement.

Further detail can be found here.


Guidance to provide internal staff

Once the above has been implemented, you may wish to inform staff of the changes.


Example Guidance

Changes have been made to Outlook: you will now have access to, or enhancements to, the “Report Phishing” button.


Emails reported using this button will be submitted to Microsoft and to the NCSC Suspicious Email Reporting Service. Microsoft uses these submissions to improve the effectiveness of email protection technologies. The NCSC Suspicious Email Reporting Service will analyse and take down any phishing attempts found within these emails.


If you receive any email that looks to be a phishing email, please ensure you report it by using one of the following buttons. By reporting suspicious emails, you will be doing your part to keep yourself, your colleagues, and the organisation safe.


People who have the add-in assigned to them will see the following icons:


In Outlook, the icon looks like this:


In Outlook on the web, the icon looks like this:



Upon selecting ‘Report Phishing’ the user will be prompted to confirm that the selected email is phishing before the report is sent. Pressing ‘Report’ sends the report.


If the “Report Phishing” button is not available, but you still wish to report a suspicious email to the Suspicious Email Reporting Service, you can do so by forwarding the email in question to report@phishing.gov.uk.

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the South East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the South East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the South East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the South East is not responsible for the content of external internet sites that link to this site or which are linked from it.