Outlook Report-a-Phish Button Changes

Microsoft recently announced some security-related changes to its Outlook add-ins and spam reporting functionality, which impacts the Beauceron Report-a-Phish button for Outlook users. This blog will highlight how we are addressing these changes.

Current Outlook Users (M365 or Exchange Online)

Starting in November 2024, Beauceron Security will roll out updates to all versions of our Report-a-Phish button for Outlook users.

Why make this change?

For security purposes, Microsoft will deprecate the use of its Exchange tokens, which the Beauceron Report-a-Phish button uses (in all formats).

These updates will be pushed out to your button automatically; however, due to these changes, there are steps below to allow the new authentication system to take place more easily.

This will require Beauceron Security to update our button to use the Microsoft Graph API.

Note: Beauceron Security’s platform already uses the Microsoft Graph API for other functionality, including our O365 User Sync and Analyst integrations.

What you will need to do:

Log in to your Beauceron tenant with an Administrator account.
Grant access to the application on behalf of your organization (pictured here) from the System Configuration:

Once you have granted this permission, the impacts will be different for end-users of the button:

For Outlook (2021 + M365) organizations, Microsoft will be launching a product called Nested App Authentication. This is expected to be released in October, at which time the authentication process to the button will be much simpler and safer. Until it is ready to be launched within our button, an authentication modal will launch each time the report-a-phish button is launched.

For legacy Outlook organizations (pre-2021 and non-M365) that do not support Nested App Authentication, an authentication modal will launch each time the report-a-phish button is launched.

What happens if I don’t make this change?

Each individual user would need to approve the connection the first time they report a phish.

Before January 2025, nothing.

After January 2025, an Exchange or M365 administrator will need to manually re-enable Exchange Online Tokens for the Report-a-Phish button add-in.

After June 2025, an Exchange or M365 administrator will need to contact Microsoft directly re-enable Exchange Online Tokens for the Report-a-Phish button add-in.

NEW Integrated Spam Reporting Add-in (M365 or Exchange Online)

For M365 and Exchange Online Outlook users, Microsoft recently launched a new integrated spam reporting add-in functionality for integrations like the Beauceron Report-a-Phish button.

Some of the upsides of using this version of our button:

More prominently featured in the ribbon so that you can report phish-y emails more easily.

Current reporting add-ins like the Beauceron Report-a-Phish button are often moved to the end of the Outlook ribbon, which is harder to find when you need to report something suspicious. This button version will be prominently displayed in old Outlook:

New Outlook users, in particular, will also have a much easier time finding this button, as all add-ins are currently hidden by default until the employee/user elects to pin them. This add-in will address that:

Some of the limitations of this version:

Microsoft currently does not support mobile (Android or iOS) versions of Outlook.

Microsoft currently does not support Outlook on Mac.

Less configurable if you want to change any of the text in the button.

Cannot host multiple questions about the user’s intent to report, as our standard button does.

Does not support the Beauceron Verified Sender feature.

While we have not yet launched this version, we will soon launch our Beta Version to select customers. If you would like to participate in the trial, please contact your Customer Success representative or our support team to learn more.

FAQs

Do these changes affect On-Prem Exchange users of the button?

No, however, because Microsoft now only officially supports Outlook LTSC 2021 or the subscription Microsoft 365 versions for connecting to Office365 services (https://learn.microsoft.com/en-us/microsoft-365-apps/end-of-support/microsoft-365-services-connectivity), any customers using legacy versions of Outlook 2016 and 2019 may want to consider updating their services if possible as these are end-of-life and are only receiving security updates. Microsoft has announced that all updates will cease in October 2025.

I am using Microsoft NEW Outlook which version of the Report A Phish Button should I install? The Standard Beauceron Report A Phish button or the Integrated Spam Report A Phish Button.

We recommend using our standard button to take advantage of Beauceron’s additional features, including the use of Verified Senders and the ability to report on mobile devices using the Outlook application for iOS or Android.

If you are looking to continue having a report button in the ribbon, the Integrated Spam Button may be best for your organization; however, we still recommend including our standard button as well to give your employees the ability to use the mobile Outlook application and the ability to report should you have MAC users

The only noticeable impact when installing both will be to have two versions in the ribbon on Desktop (Old Outlook) or Web: