Set up phishing reporting
Let employees report suspicious messages from Gmail or Outlook and review non-simulation reports in elba.
Overview
The Report Phishing add-on gives employees a report action in Gmail or Outlook. Reporting is initiated by the employee and applies to the message they currently have open.
When a message is reported, elba determines whether it is part of an elba phishing simulation:
- A reported simulation is associated with the employee's campaign result.
- A message that is not an elba simulation is stored in the Email Reports inbox for administrators to review.
The presence of a message in Email Reports does not determine whether it is malicious. Your security team should review it according to your incident-response process.
Before you install the add-on
Confirm:
- Whether your organization uses Google Workspace or Microsoft 365 for email
- Who is permitted to install or approve add-ons for your tenant
- Which employees or organizational groups should receive the add-on
- Who will monitor the Email Reports inbox
If administrators should receive notifications for newly reported non-simulation messages, configure Slack, Microsoft Teams, or Google Chat as the relevant organization channel. Email is not used as a fallback for this administrator alert.
Install from the current product link
Use the installation link displayed in elba rather than a saved marketplace URL. This ensures that you open the listing currently associated with your workspace and email provider.
- Open Phishing in the elba admin portal.
- During activation, open the Add-on step. If phishing is already active, open Email Reports and select Configure add-on.
- Select the install action shown for your email provider.
- Review the listing, requested permissions, and publisher details.
- Complete your provider's approval and assignment flow for the intended users.
- Confirm that the report action appears for a pilot user before assigning it more broadly.
The exact approval options are controlled by your Google Workspace or Microsoft 365 tenant policies.
Data sent when an employee reports a message
When an employee chooses Report Phishing, the add-on sends information from the selected message to elba so the report can be processed. Depending on the email provider and message, this can include:
- Subject
- Sender and recipient information
- Message body
- Message identifier
- Attachment information or content available to the add-on
Reporting is scoped to the message the employee has selected. Employees should follow your organization's data-handling policy when reporting messages that may contain sensitive information.
Employee experience
To report a message, the employee:
- Opens the suspicious message in Gmail or Outlook.
- Opens the elba Report Phishing add-on or action.
- Selects Report.
- Waits for the confirmation shown by the add-on.
Employees should avoid interacting further with a suspicious message after reporting it and follow any additional incident-response guidance from your organization.
Review reported messages
Open Phishing > Email Reports in the elba admin portal.
- Unread contains newly reported non-simulation messages.
- Read contains reports that an administrator has marked as reviewed.
Open a report to inspect its available details. Mark it as read after your team has triaged it according to your security process.
When configured, elba can notify administrators of a new non-simulation report through Slack, Microsoft Teams, or Google Chat. The notification is a prompt to review the report; it is not a classification of the message.
Validate the setup
Use a small pilot group before a broad rollout.
- Confirm that the add-on is visible in the supported mail client.
- Report an elba simulation and verify that the campaign result records the report.
- Using a benign internal test message, confirm that a non-simulation report appears under Unread.
- Mark the test report as read and confirm that it moves to Read.
- If administrator alerts are configured, confirm delivery in the selected chat channel.
Do not use a message containing real credentials, regulated data, or other sensitive content for this test.
Troubleshooting
The installation page is unavailable
Return to the Add-on or Email Reports view in elba and open the current link again. Also check whether your email administrator restricts marketplace applications or requires an approval request.
The report action does not appear
Confirm that the add-on was assigned to the affected user and that deployment has completed in the email provider. Then restart or refresh the mail client.
Administrators receive no alert
Check that Slack, Microsoft Teams, or Google Chat is connected and selected for the organization. Reported messages can still appear in Email Reports even when an administrator chat alert is not delivered.
AI scenario builder
Create and edit phishing training scenarios with AI-assisted generation, previews, translations, and supported personalization variables.
User management
Synchronize employees from your identity provider, control enrollment, manage groups and roles, and review communication settings.