Phishing Report Plugins

Installation and Usage Guide

Purpose

With the help of extensions for e-mail client software provided by TUD-CERT, fraudulent and malicious e-mails can be reported quickly and easily. This includes, in particular, so-called phishing e-mails, which attackers use to obtain critical information such as credentials and personal data. In addition, e-mails with potentially malicious attachments such as unknown executable files or malicious Office macros are also worth reporting. TUD-CERT analyzes incoming reports and takes countermeasures as necessary.

Phishing report plugins are currently available for the following E-Mail client software:

The plugins are NOT designed to report junk mail and other spam. E-mails that have already been correctly identified by the spam filter and automatically sorted into the spam/junk folder are also of no interest. As a rule of thumb, e-mails from unknown senders that contain questionable urgent requests for action (e.g. “click here to unlock your account”) or suspicious links are worth reporting.

Microsoft Outlook

Plugin activation

The reporting plugin is activated by default for all mailboxes at TU Dresden and is automatically downloaded when using Outlook. No separate installation is required.

Reporting suspicious e-mails

To report suspicious e-mails to TUD-CERT using Microsoft Outlook, select the e-mail in question and then click on the Report E-Mail button that appears on the far right of the ribbon:

Screenshot of the report button in the Outlook ribbon

There are three options to choose from:

  • Report as phishing/fraud...: Select this option to report potentially malicious e-mails that you suspect to be fraudulent. You can also use this function if you are unsure about the legitimacy of an e-mail and would like feedback from TUD-CERT.
  • Report as spam: E-mails reported with this option are classified internally as advertising/spam and used to train the spam filter. No further inquiry is made and the e-mail is automatically moved to your junk folder.
  • Configure...: Allows you to adjust the behavior of the Add-In. In the current version, you can choose whether and to which folder e-mails reported as potentially malicious should be moved automatically after the report.

When using the Add-In for the first time, a prompt like the one shown below may appear:

Screenshot of the confirmation dialog for the permissions requested by the Add-In

This is a notification from Outlook that the Add-In can access contents of your mailbox, which is essential for reporting emails. To be able to use the Add-In, you must confirm the request by clicking OK. It should not appear again afterwards.

If you report an e-mail as potentially malicious via the first option, a report form will appear in the sidebar. Here you can add an optional comment to the report, which will be visible to TUD-CERT employees:

Screenshot of the phishing report form under Outlook

Clicking Send report automatically sends an e-mail with your message to TUD-CERT in the background, concluding the reporting process. If the report could not be sent successfully, first make sure that you have a working internet connection and then try again. If it is still not possible to send a message after several attempts, please send us an e-mail together with the error message to cert@tu-dresden.de.

By default, the reported E-Mail is also moved to your junk folder. If you want to change this behavior, open the Add-In menu again by clicking the Report E-Mail button and select Configure..., whereupon the following configuration dialog appears.

Screenshot of the Add-In configuration dialog

Reported e-mails can be moved to the junk folder, the recycle bin or not moved at all.

Disabling the plugin

To deactivate the Outlook plugin, follow the steps for deactivating the plugin in the webmail portal.

Webmail portal

Plugin activation

The reporting plugin is activated by default for all mailboxes at TU Dresden and is automatically downloaded when using the webmail portal. No separate installation is required.

Reporting suspicious e-mails

The reporting process in the TU Dresden webmail portal is similar to the reporting process via Outlook; the dialogs and forms are identical. Only the report button itself is in a different place. If you have opened an e-mail that you want to report, a small blue TUD-CERT logo will appear to the left of the Reply all button. If you click on it, the same menu as in Microsoft Outlook appears with the options already described above:

Screenshot of the Add-In button in the TU Dresden webmail portal

Disabling the plugin

The reporting plugin for Outlook and the webmail portal can only be deactivated (or reactivated) via the TU Dresden webmail portal. Log in and click on Manage add-ins in the settings menu in the top right-hand corner of the browser window:

Screenshot of the 'Manage Add-Ins' option in the webmail portal

A list of available Add-Ins appears. Use the checkbox in the Turned on column of the Phishing Report add-in from the provider TUD-CERT to enable or disable the reporting plugin:

Screenshot of the Add-In list in the webmail portal

It may be necessary to restart Outlook to apply these changes.

Mozilla Thunderbird ESR

Installation

The plugin for Mozilla Thunderbird requires at least Thunderbird version 115.0 and is compatible with newer versions.

Note: Mozilla Thunderbird is released in two channels - either monthly or as an annual ESR (Extended Support Release) version, which receives updates over a longer period of time. We keep our plugin compatible exclusively with the ESR versions, as the additional effort required to keep up with the monthly releases currently exceeds our resources.

The plugin is available for download from the official Mozilla Thunderbird Add-On website and can thus be installed directly from within Thunderbird on Windows, macOS and Linux. The following instructions show the installation process under Windows, but the steps under other operating systems are quite similar.

Start Mozilla Thunderbird, select the E-Mail tab and click the menu icon on the right edge of the window. In the menu, select the entry Add-ons and Themes:

Screenshot of navigating to Add-on management

The tab Add-ons Manager will be shown. In the “Find more add-ons” field search for TUD-CERT and confirm the search request with the Enter key:

Screenshot of searching for the Add-on

In the list of results, look for the plugin named TUD-CERT Phishing Report and click the button Add to Thunderbird.

Screenshot of adding the Add-on to Thunderbird

The next dialog requires your final confirmation to install the plugin.

Note: According to the text in the dialog box, the plugin requires “full access to your computer”. Due to limitations in Thunderbird, these permissions currently cannot be restricted. The plugin sends reports in the background as e-mails, for which Thunderbird requires such overarching permissions. Mozilla describes the underlying cause on their support pages. To ensure that the permissions are not abused, our reporting plugin goes through Mozilla’s manual review process before each release. Additionally, we have published the source code under a free license.

Confirm the installation with a click on Add.

Screenshot of the Add-on installation process

After that the plugin is active and can be used immediately.

Optional: Some aspects of the plugin’s behaviour can be adjusted to your needs. To do so, click the wrench icon next to the TUD-CERT Phishing Report plugin in the Add-ons management view, which will reveal the plugin settings. Specifically, you can choose whether a reported E-Mail should automatically be moved to the junk folder, the trash or - alternatively - be kept in its current folder. If you made changes to these settings, confirm those with a click on the Save button.

Screenshot of the Add-on settings

Reporting suspicious E-Mails

To report suspicious e-mails to TUD-CERT, view the e-mail in question, then click the button labeled Report in the preview window of the e-mail, as shown in the following screenshot:

Screenshot of the report dropdown for an E-Mail in Thunderbird

The following actions are available:

  • Report as phishing/fraud...: Select this option to report potentially malicious e-mails that you suspect to be fraudulent. You can also use this function if you are unsure about the legitimacy of an e-mail and would like feedback from TUD-CERT.
  • Report as spam: E-mails reported with this option are classified internally as advertising/spam and used to train the spam filter. No further inquiry is made and the e-mail is automatically moved to your junk folder.

If you report an e-mail as potentially malicious via the first option, a report popup appears. Here you can add an optional comment to the report, which will be visible to TUD-CERT employees:

Screenshot of the report popup for a phishing E-Mail in Thunderbird

With a final click on the Send report button, the selected e-mail will be reported to TUD-CERT, which may take a few seconds. If the message could not be sent successfully (an error message appears in the popup), first make sure that there is a working internet connection and then try again. If reports fail even after multiple attempts, please notify us by sending an e-mail to cert@tu-dresden.de.

FAQ

Why does the report Add-In button not appear even though the Add-In is activated?

Microsoft Outlook periodically asks the server for a list of activated Add-Ins, which is why it may take some time after the Add-In has been activated until it actually appears in the ribbon. Sometimes restarting Outlook helps; otherwise, just be patient. Please also note that, for technical reasons, digitally signed or encrypted e-mails cannot be reported at all via the webmail portal and can only be reported with newer Outlook versions (see also the following entry).

Can digitally signed or encrypted e-mails be reported?

This depends on the e-mail client used. For technical reasons, it is not possible to report digitally signed or encrypted e-mails in the webmail portal or under Outlook 2016. Outlook 2021 and 2024, however, support the reporting of digitally signed e-mails.

I’m still using the legacy phishing reporting plugin for Outlook. Should I switch?

Our legacy phishing reporting plugin, which was only available for Office on Windows, is no longer being developed by its manufacturer. It will remain functional for the time being, but we recommend uninstalling it and using the plugin described on this website, which requires no installation and also works in the webmail portal and on macOS.

Screenshot of the legacy reporting plugin for Outlook

To uninstall the legacy Windows plugin, open the Apps and Features section in System Settings. The product is called Lucy Report Addon. Alternatively, contact your administrators.

Screenshot of the legacy reporting plugin's uninstall routine

Why are reported e-mails sometimes not moved immediately when using the webmail portal?

If you report e-mails with the Add-In from the webmail portal shortly after logging in (typically within the first 30 seconds), they may appear not to have been moved to the junk folder or the trash (depending on your configuration). This is an error in the webmail portal: the e-mail has actually already been moved server-side, but the webmail portal displays this state incorrectly. In this case, it helps to refresh the page once, e.g. by pressing the F5 key.

Where can I turn with feedback or problems?

Please send any questions, problems or suggestions for improvement via e-mail to cert@tu-dresden.de.