HailBytes SAT

Outlook Phish Reporter Add-In

One-click employee phish reporting from Outlook — Microsoft 365, Outlook desktop, Outlook on the Web, and Outlook mobile. Reported messages land in the SAT analyst Reported Inbox with the original .eml preserved.

How it works

1. Report from the ribbon

Employees see a HailBytes · Report Phish button on the Outlook ribbon (and the mobile message-action sheet). One click opens the task pane and posts the raw .eml to your SAT instance.

2. Triage in the Reported Inbox

Reports queue in the SAT admin UI. Analysts can mark each item as simulation, real phish, or benign; bulk-action by domain or sender; and link real phish to a follow-up campaign.

3. Reward the reporter

Reporting a simulated phish counts as a positive engagement event. It feeds the resilience score, the department leaderboard, and the per-user training-vs-click view.

Where it runs

Surfaces

  • Outlook on the Web (Microsoft 365)
  • Outlook for Windows (new and classic)
  • Outlook for Mac
  • Outlook Mobile (iOS, Android)

Built on the Microsoft Office Add-in platform, so the same manifest covers desktop, web, and mobile.

Deployment

  • Centralized via the Microsoft 365 admin center (Integrated apps), pushed to all users or a selected group
  • Sideload from manifest for pilot users
  • AppSource listing planned — will replace sideload for self-serve installs

A signed manifest bundle is provided with the platform; no additional license cost.

What gets sent

The add-in posts the raw .eml (full headers, body, and attachments) to the configured SAT instance over HTTPS. Authentication uses an hsat_* API token scoped to the report endpoint; tokens never leave the user's mailbox profile.

  • Endpoint: POST /api/v1/reports/phish
  • Auth: Authorization: Bearer hsat_*
  • Body: multipart/form-data with the .eml attachment

Idempotent: re-clicking the button on the same message returns the same row id, so duplicate reports collapse cleanly in the queue.

Edge cases the add-in handles

Oversized messages

Messages above the SAT instance limit (default 25 MiB) get a clear "Report failed: HTTP 413" in the task pane — no silent drops.

Invalid token

If the token is rotated or revoked, the user sees "Report failed: HTTP 401". Admins rotate tokens centrally; users don't have to fix anything locally.

Cross-tenant safety

A user in tenant A reporting a message generated by tenant B's campaign never links to the foreign campaign. Tested in controllers/api/reported_email_test.go.
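
An in-memory stand-in for the report endpoint, added here as an example for testing a client against the behaviour described under "What gets sent" and the edge cases above (Bearer hsat_* auth, HTTP 401, HTTP 413, same row id on a repeat report); it is not HailBytes code. The dedup key (reporter token plus Message-ID), the token set and the { status, id } result shape are assumptions.

```javascript
// Added example: in-memory stand-in for POST /api/v1/reports/phish.
// Assumptions, not from the page: the dedup key (reporter token + Message-ID,
// falling back to the raw text), the token set, and the { status, id } result.
const DEFAULT_MAX_BYTES = 25 * 1024 * 1024; // page: default limit is 25 MiB

// Return the Message-ID from the header block only, honouring folded lines.
function messageId(rawEml) {
  const headerBlock = rawEml.split(/\r?\n\r?\n/, 1)[0];
  const unfolded = headerBlock.replace(/\r?\n[ \t]+/g, " ");
  const m = /^message-id:[ \t]*(.*)$/im.exec(unfolded);
  return m && m[1].trim() ? m[1].trim() : null;
}

function createReportEndpoint(validTokens, maxBytes = DEFAULT_MAX_BYTES) {
  const rows = new Map(); // dedup key -> row id
  let nextId = 1;
  // `authorization` is the Authorization header value sent by the client.
  return function handle(authorization, rawEml) {
    const auth = /^Bearer (hsat_\S+)$/.exec(authorization || "");
    if (!auth || !validTokens.has(auth[1])) return { status: 401 };
    if (Buffer.byteLength(rawEml, "utf8") > maxBytes) return { status: 413 };
    const key = auth[1] + "\n" + (messageId(rawEml) || rawEml);
    if (!rows.has(key)) rows.set(key, nextId++); // repeat report: same row id
    return { status: 200, id: rows.get(key) };
  };
}

// Task-pane text, using the strings quoted on this page.
function taskPaneMessage(result) {
  return result.status === 200
    ? "Reported. Thanks!"
    : "Report failed: HTTP " + result.status;
}

// Constructed sample message (not real mail); Message-ID is folded on purpose,
// and the body carries a decoy line that must not be read as a header.
const SAMPLE_EML = [
  "From: billing@example.test",
  "Message-ID:",
  " <constructed-0001@example.test>",
  "Subject: Invoice overdue",
  "",
  "Message-ID: <decoy-in-body@example.test>",
].join("\r\n");
```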

Why employees actually use it

One click, no forwarding rules

Most "report phish" programs ask employees to forward to a mailbox, attach as .eml, or paste headers. Compliance dies on the first step. The ribbon button removes the workflow entirely.

Visible feedback

The task pane confirms "Reported. Thanks!" the moment the analyst queue accepts the message. Reporters get credit toward their resilience score automatically.

Ready to roll it out?

Deploy HailBytes SAT from Azure or AWS Marketplace, then push the add-in to your tenant from the Microsoft 365 admin center. Most teams are reporting from the ribbon within a single afternoon.
