The 2LRN4 Phishing Reporter adds a "Report Phishing" button to the Outlook toolbar. Employees can use it to report suspicious emails with a single click. The add-in automatically detects whether the email is a 2LRN4 phishing simulation or a real phishing attempt.
Download: manifest.xml — upload this file in the M365 Admin Center to install the add-in.
Table of contents
- What does the add-in do?
- Installation via the M365 Admin Center
- Configuration per customer
- End-user guide
- How does detection work?
- What is sent?
- Viewing reports
- Troubleshooting
1. What does the add-in do?
The add-in routes the report to the correct destination based on the email being reported:
- 2LRN4 simulation → report sent to the 2LRN4 training platform (visible in the dashboard)
- Real phishing → report sent to the customer's SOC/CERT (via email or API endpoint)
What the add-in does NOT do:
- Store or forward the content (text or attachments) of the email
- Collect personal data outside the configured destinations
- Automatically delete emails (moving a reported email to Deleted Items is an optional setting)
2. Installation via the M365 Admin Center
Required role: Global administrator or Exchange administrator
Step 1 — Sign in to the Admin Center
- Go to admin.microsoft.com
- Sign in with an administrator account
Step 2 — Go to Integrated apps
- Click Settings in the left menu
- Click Integrated apps
Step 3 — Upload the add-in
- Click Upload custom apps in the top right
- Choose Office Add-in
- Choose Upload manifest file (.xml)
- Select the file manifest.xml (received from 2LRN4)
- Click Next
Step 4 — Assign users
| Option | When to use |
|---|---|
| Just me | Testing before rolling out |
| Entire organization | Final rollout for all employees |
| Specific users/groups | Phased rollout per department |
Step 5 — Wait for activation
After deployment it can take up to 24 hours for the button to appear for all users. On average this takes 1–3 hours.
Tip for faster testing: Fully close Outlook and reopen it.
Step 6 — Verify
Open an email in Outlook. The "Report Phishing" button appears in the toolbar at the top (under the Home tab or More actions).
3. Configuration per customer
Each customer can configure the add-in without involving 2LRN4.
Method A — Via the settings panel in Outlook (easiest)
- Open an email in Outlook
- Click Report Phishing
- Click the ⚙ gear icon at the bottom right of the side panel
- Fill in the fields (see table below) and click Save
| Field | Description | Example |
|---|---|---|
| Organisation name | Displayed at the top of the panel | Acme Ltd |
| Reporting email | Phishing reports are forwarded to this address | phishing@acmeltd.com |
| API Endpoint | Alternative to email: HTTPS address that receives reports | https://soc.acmeltd.com/api/report |
| API Key | Optional, sent as Authorization: Bearer header | |
| Logo URL | Link to your organisation logo (PNG, max 120×40 px) | |
| Delete email after report | Check to move the reported email to Deleted Items | |
Settings are stored in your Exchange account and apply across all devices.
Method B — Request a custom manifest
Want a manifest with your organisation name, reporting email address and logo pre-configured? Contact support@2lrn4.com. Support will create a personal link so you can download a ready-to-use manifest.xml yourself — no technical knowledge required.
4. End-user guide
This section can be copied to your internal knowledge base or sent to employees as instructions.
How do I report a phishing email?
- Step 1 — Open the suspicious email in Outlook
- Step 2 — Click the "Report Phishing" button in the toolbar (Home tab → Security group; on mobile via More actions ⋯)
- Step 3 — Review the analysis in the side panel: yellow frame = 2LRN4 exercise, red frame = real phishing attempt
- Step 4 — Click Report Email to confirm, or Cancel to abort
- Step 5 — You receive a confirmation: for a simulation your response is recorded in the training dashboard; for real phishing your security team has been notified
When should I report an email?
Report an email whenever you are unsure about its legitimacy. Look out for:
- An unexpected request to log in or enter personal data
- A sender you don't recognise or that looks suspicious
- Links that lead to an unknown address
- Unexpected attachments
- Urgent language ("immediate action required", "your account will be suspended")
Frequently asked questions
Will my email be automatically deleted?
No, unless your organisation has configured this. The email stays in your inbox.
What happens if I accidentally click "Report Phishing"?
Click Cancel before confirming. If you already clicked "Report Email", that is fine — your security team will ignore false reports.
I can't see the button in Outlook. What now?
Fully close Outlook and reopen it. Make sure you are using Microsoft 365 (not standalone Outlook 2016/2019). Otherwise contact your IT department.
Can I also report emails in the mobile app?
Yes. Tap More actions (⋯) in the email and choose Report Phishing.
5. How does detection work?
The add-in automatically assesses whether an email is a 2LRN4 simulation using a scoring system:
| Signal | Points | Explanation |
|---|---|---|
| Simulation header present (X-2LRN4-SimID) | +3 | Added by GoPhish to every simulation email |
| Sender domain is on the simulation list | +3 | E.g. @2lrn4.com or @2learn4.nl |
| GoPhish tracking ID (?rid=) found | +2 | Unique ID in the link inside the email |
| Subject matches a pattern | +1 | Optionally configurable per customer |
Result: Score ≥ 2 = simulation. Lower = real phishing. The detection level is shown as high, medium, or low confidence.
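The scoring table above written out as a function, as an added example that is not 2LRN4's implementation. The message shape, function names and sample messages are assumptions made for illustration; the weights, threshold and domains are the ones given in the table.

```javascript
// Scoring table from section 5 as code (added example, not 2LRN4's implementation).
const SIMULATION_DOMAINS = ['2lrn4.com', '2learn4.nl']; // examples named on the page
const THRESHOLD = 2; // "Score >= 2 = simulation"

// Domain part of a From header such as "Name <user@example.com>".
function senderDomain(from) {
  const m = /@([^>\s]+)>?\s*$/.exec(from || '');
  return m ? m[1].toLowerCase() : '';
}

// True if any link carries a non-empty rid query parameter.
function hasTrackingId(links) {
  return links.some((link) => {
    try {
      return Boolean(new URL(link).searchParams.get('rid'));
    } catch {
      return false; // not a parseable absolute URL
    }
  });
}

// msg: { headers: {name: value}, links: [url], subject: string } (assumed shape)
function scoreEmail(msg, subjectPattern = null) {
  const headers = {};
  for (const [k, v] of Object.entries(msg.headers || {})) headers[k.toLowerCase()] = v;
  const signals = [];
  if (headers['x-2lrn4-simid']) signals.push(['simulation header', 3]);
  if (SIMULATION_DOMAINS.includes(senderDomain(headers['from']))) signals.push(['sender domain', 3]);
  if (hasTrackingId(msg.links || [])) signals.push(['tracking id', 2]);
  if (subjectPattern && subjectPattern.test(msg.subject || '')) signals.push(['subject pattern', 1]);
  const score = signals.reduce((sum, [, pts]) => sum + pts, 0);
  return { score, simulation: score >= THRESHOLD, signals: signals.map(([n]) => n) };
}

// Constructed sample messages.
const simulated = {
  headers: { From: 'IT Helpdesk <it@2lrn4.com>', 'X-2LRN4-SimID': 'constructed-sim-id' },
  links: ['https://training.example/login?rid=abc123'],
  subject: 'Password expiry notice',
};
const unknown = {
  headers: { From: 'Billing <billing@vendor.example>' },
  links: ['https://vendor.example/invoice?id=42'],
  subject: 'Password expiry notice',
};
console.log(scoreEmail(simulated, /password expiry/i));
console.log(scoreEmail(unknown, /password expiry/i));
```

The second message matches only the subject pattern (+1), which stays below the threshold, so it is routed as a real phishing report.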
6. What is sent?
The add-in sends metadata only — never the full content of the email. Never included: email body text, attachments, images or replies.
Headers included: Message-ID, From, To, Date, Authentication-Results (SPF/DKIM/DMARC), DKIM-Signature, Received-SPF, X-Originating-IP, X-Mailer, X-2LRN4-SimID.
7. Viewing reports
Simulation reports — in the 2LRN4 dashboard
Go to your 2LRN4 campaign dashboard. Users who clicked the button appear with the status "Reported" in the campaign results.
Real phishing reports — in your email or SIEM
If you have configured a reporting email address, you receive an email with the subject:
[Phishing Report]
If you have configured an API endpoint, you receive a POST request with a JSON payload.
8. Troubleshooting
The "Report Phishing" button is not visible
| Cause | Solution |
|---|---|
| Rollout not yet completed | Wait up to 24 hours after installation; restart Outlook |
| Outlook version not supported | Requires Microsoft 365 (not standalone Outlook 2016/2019) |
| Add-in not assigned to the user | Check in M365 Admin Center → Integrated apps |
| Outlook cache is stale | Fully close Outlook → reopen |
"No reporting destination configured"
Click Report Phishing → ⚙ gear icon → enter a Reporting email → click Save.
Report fails with a network error
If you are using an API endpoint, check that:
- The endpoint is reachable via HTTPS
- The endpoint returns the correct CORS header: Access-Control-Allow-Origin: https://mailcheck.2lrn4.com
- The API key is entered correctly
Alternative: Use a reporting email address. Email is sent via Exchange and has no CORS restrictions.
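The request handling a customer-side API endpoint needs for the endpoint checks listed above, as an added example that is not 2LRN4 code. It assumes an API key is configured; the function names, request shape and sample key are constructed, and the report JSON is parsed without assuming any field names.

```javascript
// Added example: request checks for a customer-side report endpoint (not 2LRN4 code).
const ADDIN_ORIGIN = 'https://mailcheck.2lrn4.com'; // origin named on this page
const CORS = {
  'Access-Control-Allow-Origin': ADDIN_ORIGIN,
  'Access-Control-Allow-Methods': 'POST, OPTIONS',
  // Authorization is not a CORS-safelisted header, so the browser sends an
  // OPTIONS preflight and expects it to be allowed here.
  'Access-Control-Allow-Headers': 'Authorization, Content-Type',
};

// Compares every position so a mismatch does not exit early.
// On Node.js, crypto.timingSafeEqual is the library call for this.
function sameSecret(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// req: { method, headers (lower-cased names), body (string) } (assumed shape)
// Returns { status, headers, report } for the caller to write to the response.
function handleReport(req, apiKey) {
  if (req.method === 'OPTIONS') return { status: 204, headers: CORS }; // preflight
  if (req.method !== 'POST') return { status: 405, headers: CORS };
  const auth = req.headers['authorization'] || '';
  const token = auth.startsWith('Bearer ') ? auth.slice(7) : '';
  if (!token || !sameSecret(token, apiKey)) return { status: 401, headers: CORS };
  let report;
  try {
    report = JSON.parse(req.body);
  } catch {
    return { status: 400, headers: CORS }; // body is not JSON
  }
  if (report === null || typeof report !== 'object') return { status: 400, headers: CORS };
  return { status: 200, headers: CORS, report };
}

// Constructed sample request and key.
const SAMPLE_KEY = 'constructed-api-key';
const accepted = handleReport(
  { method: 'POST', headers: { authorization: 'Bearer ' + SAMPLE_KEY }, body: '{"constructed":true}' },
  SAMPLE_KEY,
);
console.log(accepted.status, handleReport({ method: 'OPTIONS', headers: {} }, SAMPLE_KEY).status);
```

Every response, including the error responses, carries the CORS headers; without them the browser hides the status code from the add-in and the failure surfaces only as a network error.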
Simulation not recognised
Check: was the email sent from a 2LRN4 domain? Does the email contain a link with ?rid=? Is the X-2LRN4-SimID header present? If in doubt, contact 2LRN4 at support@2lrn4.com.
Updating the add-in after a new release
- Download the latest release from 2LRN4
- Generate a new manifest: node scripts/generate-manifest.js
- Go to M365 Admin Center → Integrated apps → select 2LRN4 Phishing Reporter → Update
- Upload the new manifest.xml
Technical details
| Detail | Value |
|---|---|
| Add-in host | https://mailcheck.2lrn4.com/addin/ |
| Report API | https://mailcheck.2lrn4.com/addin/api/report |
| Required Outlook version | Microsoft 365 (Mailbox API 1.5+) |
| Required M365 role for installation | Global administrator or Exchange administrator |
| Required permission | ReadWriteMailbox |
| Data storage | None — only forwarded to configured destination |