Phishing Report Plugins

Installation and Usage Guide

Purpose

With the help of the plugins for E-Mail client software provided by TUD-CERT, fraudulent and malicious E-Mails can be reported quickly and easily. This particularly includes so-called phishing E-Mails, which are used by attackers to obtain critical information such as access data and personal data. E-Mails with potentially malicious attachments such as unknown executable files or malicious Office macros can also be reported using the plugin. TUD-CERT analyzes these reports and takes countermeasures if necessary.

Phishing report plugins are currently available for the following E-Mail client software:

The plugins are NOT designed to report junk mail and other spam. As a rule of thumb for differentiation, E-Mails from unknown senders with questionable urgent requests for action (e.g. “click here to unlock your account”) are worthy of reporting.

Microsoft Outlook

Installation

If your computer is a member of an AD domain, the plugin can be installed by a centralized software distribution system. In that case, you do not need to perform the following steps. Instead, contact your responsible administrator.

The plugin is offered on our website as a 64-bit installation package in two variants:

  • TUD-CERT-Melde-Plugin_VERSION_user.zip: This variant installs the Outlook plugin only for the local user; no administrator rights are required.
  • TUD-CERT-Melde-Plugin_VERSION_system.zip: This package installs the plugin system-wide and makes it available to all local users. Administrator privileges are required for installation. If you maintain an AD domain, this package should be used for distribution to users.

Download the desired installation package and navigate to the folder it has been downloaded to in Windows Explorer.

Screenshot of the installer package in Windows Explorer

Open the installation package with a double click, whereupon the actual installation program becomes visible:

Screenshot of the plugin installer in Windows Explorer

Now close any Outlook instance that may still be running and then double-click the installation program to start it. Windows may display a security warning for executable files downloaded from the Internet. Since in this specific case there is no danger from the plugin installer, this warning can be ignored by clicking “Run”.

Screenshot of Windows warning about the downloaded executable

After clicking “Next”, the installer suggests an installation directory. The default value can usually be kept and the dialog confirmed with another click on “Next”.

Screenshot of installation directory selection

After the installation routine has finished, Outlook can be restarted. The plugin is then activated automatically.

Reporting suspicious E-Mails

To report suspicious E-Mails to TUD-CERT, select the E-Mail in question with one click and then click on the report button at the top of the window.

Screenshot showing how to select a suspicious E-Mail in Outlook

Answer the dialog box asking whether the E-Mail should really be forwarded to the security team. The questionable E-Mail will then be forwarded to TUD-CERT and moved to your spam directory.

Screenshot of Outlook asking for confirmation

If you would like to provide us with additional information about the E-Mail, you can answer the following dialog with “Yes” and enter your message in the free text field below. Otherwise, simply click on “No” here.

Screenshot of Outlook asking for an optional report comment

If the report was successful, another confirmation dialog will appear which you can close by clicking “OK”.

Screenshot of the successful report confirmation

Mozilla Thunderbird

Installation

The plugin for Mozilla Thunderbird requires at least Thunderbird version 78.0 and is compatible with newer versions. It is available for download from the official Mozilla Thunderbird Add-On website and can thus be installed directly from within Thunderbird on Windows, macOS and Linux. The following instructions show the installation process under Windows, but the steps under other operating systems are quite similar.

Start Mozilla Thunderbird, select the E-Mail tab and click the menu icon on the right edge of the window. Then click the “Add-ons and Themes” entry in the menu that appears:

Screenshot of navigating to Add-on management

The tab “Add-ons management” will be shown. In the “Find more add-ons” field, search for ‘TUD-CERT’ and confirm the search request with the Enter key:

Screenshot of searching for the Add-on

In the list of results, look for the plugin named “TUD-CERT Phishing Report” and click the button “Add to Thunderbird”.

Screenshot of adding the Add-on to Thunderbird

The next dialog requires your final confirmation to install the plugin.

Note: According to the text in the dialog box, the plugin requires “full access to your computer”. Due to limitations in Thunderbird, it is currently not possible to restrict these permissions. The plugin sends reports in the background as E-Mails, for which Thunderbird requires such overarching permissions. Mozilla describes the underlying cause on their support pages. To ensure that the permissions are not abused, our reporting plugin goes through Mozilla’s manual review process before each release. Additionally, we have published the source code under a free license.

Confirm the installation with a click on “Add”.

Screenshot of the Add-on installation process

After that the plugin is active and can be used immediately.

Optional: Some aspects of the plugin’s behaviour can be adjusted to your needs. To do so, click the wrench icon next to “TUD-CERT Phishing Report” in the “Add-ons management” view, which will reveal some plugin settings. Specifically, you can choose whether a reported E-Mail should automatically be moved to the junk folder, moved to the trash or, alternatively, be kept in the inbox. If you made changes to these settings, confirm them with a click on the “Save” button.

Screenshot of the Add-on settings

Reporting suspicious E-Mails

To report suspicious E-Mails to TUD-CERT, view the E-Mail in question, then click the button labeled “Report” in the preview window of the E-Mail (next to the buttons “Reply”, “Reply to all”, etc.).

Screenshot of reporting E-Mails in Thunderbird

In the dialog box that appears, you can add an optional comment to help TUD-CERT when analysing the report later. With a final click on the button “Submit report”, the selected E-Mail will be reported to TUD-CERT, which may take a few seconds. If the message could not be sent successfully (the text “Reporting failed, please try again later” appears in the dialog box), first make sure that there is a working Internet connection and then try again. If the report fails after multiple attempts, please notify us by sending an E-Mail to cert@tu-dresden.de.