Get instant support with our search!
Microsoft Report Button Integration Configuration Guide (Full Guide)
Microsoft Report Phish Button
Integration Guide
MetaCompliance Phish • Customer Setup Guide
| Setup time: 30-45 mins | No app permissions required | No disruption to real phishing workflows |
1. What This Guide Is For
This guide explains how to integrate MetaCompliance Phish simulations with the Microsoft built-in Report Phish button, using a mail flow rule in Exchange Admin Center. No app permissions, API access, or additional software installation is required.
This integration ensures:
- Users continue reporting suspicious emails using the native Microsoft experience - no behaviour change required
- MetaCompliance simulation emails are correctly identified and tracked
- Real phishing investigations remain completely unaffected
2. What This Integration Does and Does Not Touch
A common concern when setting up integrations is the level of access involved. This integration is deliberately lightweight.
| ✓ What it DOES | ✗ What it does NOT do |
|---|---|
| Routes MetaCompliance simulation emails to MC for tracking | Access your email content, headers, or attachments |
| Keep simulation reporting separate from real phishing incidents | Require any app registration or Graph API permissions |
| Preserve your existing Microsoft reporting workflow | Affect how real phishing emails are investigated or routed |
| Optionally retain a copy in your SecOps mailbox | Require Microsoft Defender Plan 2 or E5 licensing |
3. When Do I Need This?
Configure this integration if either of the following applies:
- You do not want to deploy the MetaCompliance Outlook add-in
- Your users are already reporting emails using Microsoft's built-in Report Phish button
4. How the Integration Works
The diagram below shows the end-to-end flow once the integration is configured. Understanding this flow will help you follow the setup steps and troubleshoot if anything is unexpected.
| 1. User clicks Microsoft Report Phish button |
| ▼ |
| 2. Email forwarded to your Shared Mailbox |
| ▼ |
| 3. Mail Flow Rule identifies MC simulation |
| ▼ |
| 4. Forwarded to MetaCompliance |
| ▼ |
| 5. Reported in MC Dashboard |
In plain terms: when a user reports a phishing email, Microsoft forwards it to a shared mailbox you control. A mail flow rule you create then checks whether that email is a MetaCompliance simulation — if it is, it is forwarded to MetaCompliance for tracking. Anything else (real phishing reports) continues through your normal SecOps workflow, completely unaffected.
5. Prerequisites
Already have SPF & DKIM configured? If SPF and DKIM are already correctly set up for all your sending domains, skip to Section 5.2.
5.1 Email Authentication — SPF and DKIM
To integrate with this workflow, we require SPF and DKIM to be configured for your domains. If you are unsure if this is in place, please see guidance from Microsoft below as required:
SPF:Set up SPF identify valid email sources for your Microsoft 365 domain - Microsoft Defender for Office 365 | Microsoft Learn
DKIM: How to use DKIM for email in your custom domain - Microsoft Defender for Office 365 | Microsoft Learn
5.2 Microsoft Defender Configuration
Before creating the mail flow rule, confirm all three of the following are in place:
A shared reporting mailbox exists
Microsoft recommends marking this as a SecOps mailbox. If you don't have one, create it before continuing.
Helpful guide (steps 1–2 only): MetaCompliance Defender Integration Guide
The built-in Report button is enabled in Outlook
In Microsoft 365 Defender, navigate to Settings > Email & Collaboration > User Reported Settings and confirm:
- Use the built-in Report button in Outlook is selected
- Monitor reported messages in Outlook is enabled
Reported items are directed to your mailbox
In the same settings page, under Send reported messages to, select one of:
- My reporting mailbox only — reports go to your mailbox only
- Microsoft and my reporting mailbox — reports go to both Microsoft and your mailbox. If you choose this option, also complete Section 5.3.
Exchange Admin access
You must have permission to create mail flow rules in the Exchange Admin Center: admin.exchange.microsoft.com
5.3 Advanced Delivery — Register MetaCompliance as a Phishing Simulation Provider
Do you send reported emails to Microsoft? Complete this section if you selected “Microsoft and my reporting mailbox” in Section 5.2. If you selected “My reporting mailbox only,” this step is optional but still recommended — it also protects how simulations are delivered in the first place.
When reported messages are sent to Microsoft, Defender inspects them as potential threats. Without an explicit exception, a reported simulation can be read as a genuine phishing signal: its links may be detonated by Safe Links, attachments scanned by Safe Attachments, and the sending address or URLs flagged for future filtering.
Registering MetaCompliance as a Phishing Simulation provider tells Microsoft these messages are sanctioned training, so they are exempted from filtering and threat analysis while users can still report them normally.
Where to configure
Microsoft 365 Defender → Email & collaboration → Policies & rules → Threat policies → Advanced Delivery
What to add
Add MetaCompliance as a Phishing Simulation provider, and include:
- Sending domains
- Sending IP addresses – listed in the link below.
Please note you only need to add the IP address that matches what region you have been onboarded with for use of our MetaCompliance platform. If you are unsure, please contact your Account Manager or Customer Success Manager.
Required sending IP addresses (all data centres): MetaCompliance Mail Server IP Addresses
What this achieves
- Simulation emails are explicitly trusted by Microsoft
- They are not blocked or quarantined
- They are not triggered by Safe Links or Safe Attachments
- They are not treated as real phishing signals
- Users can still report them normally for awareness training
6. Step-by-Step: Create the Mail Flow Rule
Estimated time: 15–20 minutes once prerequisites are confirmed.
Step 1: Open Mail Flow Rules
- Go to Exchange Admin Center: admin.exchange.microsoft.com
- Navigate to Mail flow → Rules
- Select Add a rule → Create a new rule
Step 2: Name the Rule
Use a clear, recognisable name. For example:
MetaCompliance Phish Simulation Reporting
Step 3: Set the Conditions
Configure both conditions.
Condition 1 — Recipient
- The recipient is → select your reporting mailbox
Condition 2 — Identify MetaCompliance Simulations
- The subject or body includes → enter the value for your region (see table below, this will be supplied by your Customer Success Manager / Support if not known. Please note: This must match the region of your platform access.):
| Region | Value to enter |
|---|---|
| IRE / NL | marlin.metacompliance.com |
| UK | bubbles-admin.metacompliance.com |
| US | dory.metacompliance.com |
| CA | hank.metacompliance.com |
| DACH | bruce-admin.metacompliance.com |
Step 4: Choose Your Action
This is an important decision. Choose the option that matches your SecOps team's needs:
| Option | Best when... | Action to select in Exchange |
|---|---|---|
| Redirect message | Your SecOps team does not need to review or log simulation reports — you want a clean separation between simulations and real incidents | Redirect the message to → MetaCompliance mailbox (see table below) |
| Send a copy (Add recipients) | Your SecOps team still wants visibility of reported simulation emails alongside real reports, for audit or monitoring purposes | Add recipients → include the MetaCompliance mailbox (see table below) |
MetaCompliance mailbox for your region:
| Region | MetaCompliance Mailbox |
|---|---|
| IRE | report@phish.ire.metacompliance.com |
| NL | report@phish.nl.metacompliance.com |
| UK | report@phish.uk.metacompliance.com |
| US | report@phish.us.metacompliance.com |
| CA | report@phish.ca.metacompliance.com |
| DACH | report@phish.dach.metacompliance.com |
Step 5: Save and Enable
- Review the rule conditions and action
- Save the rule
- Confirm the rule is enabled — a saved but disabled rule will not function
7. Testing the Integration
Before rolling this out broadly, validate that the end-to-end flow is working correctly. This typically takes less than 30 minutes.
Why test first? It is much easier to diagnose issues with one controlled simulation than to investigate reports of missing data after a live campaign has run.
How to Test
- Send a MetaCompliance phishing simulation to a test user in your organisation
- Have that user report the simulation email using the Microsoft Report Phish button in Outlook
- Wait up to 5 minutes
- Log in to the MetaCompliance dashboard and confirm the report appears in the Reported Emails audit page, with the correct user, date, and timestamp
What Success Looks Like
| Check | Expected result |
|---|---|
| Report appears in MC dashboard | Within approximately 5 minutes of the user reporting |
| Correct user attributed | The reporting user's email address is shown |
| Date and timestamp recorded | Matches the time of reporting |
| Real phishing workflow | Unaffected — real reports still route through your standard SecOps process |
| No false clicks or opens | The simulation email should not show as opened or clicked as a result of reporting |
If the Test Does Not Pass
Work through the checklist below before contacting support:
- Confirm the mail flow rule is enabled (not just saved)
- Verify the correct regional domain identifier is used in the rule condition
- Check that the rule recipient matches your exact reporting mailbox address
- Ensure the built-in Report Phish button is being used (not a third-party add-in)
- Allow sufficient DNS propagation time if SPF/DKIM were recently configured — up to 48 hours
8. Configuration Summary
Once complete, the following components will be configured across your environment:
| Component | Scope |
|---|---|
| SPF | Per domain (DNS TXT record) |
| DKIM | Per domain (DNS CNAME records + enabled in M365) |
| Mail flow rule | Per tenant (one rule covers all users) |
| Microsoft Defender settings | Per tenant (User Reported Settings) |
9. After Setup
Once setup and testing are complete, no further admin action is needed. Users continue using the Microsoft Report Phish button as normal, and MetaCompliance simulation reports will be captured automatically.
- Users continue using Microsoft's Report Phish button — no change to their experience
- Simulation emails are reported and tracked correctly in the MetaCompliance dashboard
- Real phishing investigations are completely unaffected
10. Troubleshooting & Common Misconfigurations
The issues below account for the majority of failed delivery or incorrect reporting cases. Work through them systematically before contacting support.
SPF Issues
- Multiple SPF records on the same domain — only one TXT record is permitted per domain
- Missing the Microsoft 365 include directive — ensure include:spf.protection.outlook.com is present
- Exceeding the 10 DNS lookup limit
- Soft fail (~all) used instead of strict fail (-all)
DKIM Issues
- DKIM not enabled in Microsoft 365 — DNS records alone are insufficient, it must be actively enabled
- Incorrect or incomplete CNAME records
- Only one selector configured — both selector1 and selector2 are required
- DKIM not configured for newly added domains
Domain Alignment Issues
- Mismatch between the visible From domain and the DKIM/SPF authenticated domain
- Third-party senders not properly authenticated
Mail Flow / Reporting Issues
- Mail flow rule targeting the wrong mailbox address — verify it exactly matches the Defender User Reported Settings destination
- Incorrect regional identifier used — double-check your region in the table in Section 6
- Rule not enabled — saved rules are disabled by default until manually enabled
- Rule incorrectly prioritised — if other rules run first and modify or redirect messages, the MC rule may not fire
General Setup Gaps
- New domains added to your environment without corresponding SPF/DKIM configuration
- DNS changes tested before propagation is complete — allow up to 48 hours
- Message headers not validated after setup — use a test simulation to confirm
11. Need Further Help?
If you have worked through the troubleshooting steps and the integration is still not functioning as expected, contact MetaCompliance Support with the following details:
- Your region
- The exact mail flow rule conditions and action you have configured
- Whether SPF and DKIM are confirmed as enabled for all sending domains
- The results of your test simulation (what appeared — or did not appear — in the MC dashboard)
MetaCompliance Support: support.metacompliance.com
MetaCompliance • Phish Integration Guide • Confidential