Report Phishing from Outlook: The empowsec Add-In Guide

The most capable phishing defense in any organization is not a spam filter or a DNS policy - it is an employee who recognizes a suspicious email and does something about it. But recognizing a threat and reporting it are two different behaviors, and the gap between them is often a practical one: reporting feels like effort, and effort creates friction. The empowsec Outlook add-in is designed to remove that friction entirely. A single click from inside the email the employee is looking at is all it takes to submit a report - no forwarding, no copy-pasting headers, no opening a separate tool.
This article covers how the Outlook add-in works, what happens when an employee reports a simulation versus a real suspicious email, how risk credit is awarded, how the add-in is installed, and how administrators are kept informed about updates.
One Click Inside Outlook
The empowsec Outlook add-in adds a 'Report phishing' button directly inside the Outlook interface, available in both the desktop application and Outlook on the web. The button appears in the reading pane or message window when an employee is viewing any email, so the action is available at exactly the moment the employee decides they want to report something - not after they have navigated away to a different tool or tried to remember where to send a forward.
When the employee clicks the button, the add-in captures the email in full: the headers, which contain routing information, sender authentication records, and timestamps that are often critical for determining whether an email is legitimate; and the content of the message itself, including any links or attachments referenced. This full capture is what allows the security team to analyze the reported email properly, rather than receiving a forwarded copy that may have stripped or altered some of the original header data.
The submission happens immediately. From the employee's perspective, the experience is simple: they see something suspicious, they click 'Report phishing', and they receive a response. That response differs depending on what the reported email actually was.
Instant Feedback for Simulation Reports
When an employee reports an email that turns out to be an empowsec phishing simulation, the add-in provides instant positive feedback. The employee sees an in-add-in response - 'Nice catch - that was a simulation' - that confirms they identified the test correctly. This immediate feedback is important for two reasons.
First, it closes the loop on the simulation in a way that reinforces the desired behavior. Reporting a suspicious email is exactly what the security awareness program is trying to encourage, and positive confirmation at the moment of the action is the most effective way to reinforce a habit. If an employee reports a simulation and receives no response, or receives a generic acknowledgment that gives them no indication of whether they were right, the reinforcement value of the action is lost. The instant feedback transforms the report into a moment of positive recognition.
Second, it prevents confusion. Without a clear response, an employee who has just reported a simulation might be uncertain whether they did the right thing, whether the button worked, or whether they need to do anything else. The confirmation resolves all of that immediately and gives the employee confidence in the reporting workflow.
Reporting a simulation also earns the employee positive risk credit: 5 points are deducted from their risk score. This connects the reporting action directly to the risk scoring engine that tracks security behavior across the organization. Over time, employees who develop a consistent habit of reporting suspicious emails - whether simulations or real threats - build a record of positive security behavior that is reflected in a lower risk score.
Risk Credit for Reporting Real Phishing
When an employee reports an email that is not a simulation - a genuinely suspicious email from outside the organization - the report goes to the admin review queue for analysis. The security team can then examine the captured headers and content, classify the email, and determine whether it represents a real threat. If confirmed as genuine phishing, the reporting employee earns 8 points of positive risk credit, the highest single positive event in the risk scoring engine.
This higher credit value for real phishing reports reflects the real-world value of the action. An employee who identifies and reports an actual phishing email has contributed directly to the organization's threat visibility. They have potentially stopped a credential harvest or malware delivery that other colleagues might have fallen for, and they have handed the security team a sample that can be used to improve defenses. That contribution is meaningfully more valuable than reporting a controlled simulation, and the risk scoring engine reflects that distinction.
The combination of positive credit for both simulation and real reports creates a consistent incentive: reporting is always the right answer, and it is always rewarded. Employees do not need to know whether an email is real or a simulation to make the correct decision; they simply report anything that looks suspicious, and the system handles the rest.
Installation via Office Add-In Manifest
The empowsec Outlook add-in is installed through the standard Office add-in manifest system, which is the same mechanism used by all legitimate Office add-ins. This means the installation process follows a familiar, administrator-controlled workflow that most Microsoft 365 environments already have processes for.
The add-in manifest is deployed via the Microsoft 365 Admin Center or via Exchange administration, allowing centralized control over which users or groups receive the add-in. This centralized deployment means employees do not need to install anything themselves: the button simply appears in their Outlook interface after the administrator has completed the deployment. There is no end-user action required, which removes a common barrier to adoption and ensures consistent coverage across the organization.
Centralized deployment also means the add-in can be rolled out to the entire organization simultaneously rather than asking employees to install it individually. For large organizations, this matters: a reporting button that only some employees have installed is less useful than one that is available to everyone, because a threat that goes unreported by one employee might be caught by another who does have the button.
Add-In Version Notifications for Administrators
empowsec notifies administrators when a new version of the Outlook add-in is available. This ensures that the organization can stay on a current release without requiring administrators to manually check for updates. When a new version is released, the admin receives a notification, and the add-in manifest can be updated and redeployed through the same Microsoft 365 Admin Center process used for the initial installation.
Keeping the add-in current matters beyond just feature additions. Updates may include compatibility improvements for new versions of Outlook or Microsoft 365, changes to the Office add-in platform, or security-related updates to the submission handling. A notification-driven update process ensures these improvements reach the organization promptly, without requiring the security team to monitor a separate release feed.
What This Means for Your Team
- One-click reporting from inside Outlook desktop and web removes the friction that prevents employees from reporting suspicious emails even when they recognize them.
- Full email capture - headers and content - gives the security team the complete information they need for analysis, not a forwarded copy that may have lost critical header data.
- Instant positive feedback for simulation reports reinforces reporting behavior at exactly the right moment, making the habit more likely to stick.
- Risk credit of 5 points for simulation reports and 8 points for real phishing reports connects reporting directly to the risk scoring engine, making the behavior part of an employee's security record.
- Manifest-based deployment through Microsoft 365 Admin Center puts the button in front of all users without requiring individual installation, ensuring consistent coverage.


