PhishAlarm

PHISHALARM
AND ANALYZER
Administrator Guide
February 2021
PROOFPOINT | PHISHALARM AND ANALYZER
ADMINISTRATOR GUIDE 1
Table of Contents
PhishAlarm Configuration................................................................................................................. 2
How It Works ................................................................................................................................................ 2
PhishAlarm Email Clients Supported and Features Supported Per Client ............................................. 3
Email Clients Supported.......................................................................................................................... 3
Features Support Per Email Client ......................................................................................................... 4
Configuring PhishAlarm .............................................................................................................................. 5
Configuring the PhishAlarm Add-in Button for Outlook, Exchange, or Gmail .................................... 5
Configuring End-user Communication .................................................................................................. 9
Configuring Reported Email Forwarding Options............................................................................... 14
Configuring Safelist Emails ................................................................................................................... 17
PhishAlarm Safelisting Requirements .................................................................................................. 20
Installing Email Clients .............................................................................................................................. 20
PhishAlarm For Outlook Installation ..................................................................................................... 20
PhishAlarm For Exchange Installation ................................................................................................. 22
PhishAlarm For Gmail Installation ........................................................................................................ 25
Analyzer Configuration ................................................................................................................... 27
How It Works .............................................................................................................................................. 28
Configuring Analyzer ................................................................................................................................. 29
Analyzer Safelisting Requirements........................................................................................................... 33
Generating the Analyzer Results Report.................................................................................................. 33
Accessing Support and Helpful Resources ..................................................................................... 35
Contacting Customer Support.................................................................................................................. 35
Viewing Documentation and Knowledgebase Articles........................................................................... 35
Asking A Community Question................................................................................................................. 35
© 2021 Proofpoint, Inc. Private and confidential.

PHISHALARM CONFIGURATION
PhishAlarm® is an Add-in for Microsoft Outlook, Microsoft Exchange, and Google Gmail that allows users to
easily report suspicious email without being encumbered to remember an ever-changing abuse box address or
the correct format (headers and email bodies) to forward suspicious emails. PhishAlarm displays a button in the
supported email client which, when clicked, will forward the email to defined email addresses. Typically, these
email addresses are either an abuse box or members of your organization’s incident response and security
team.
Based on your email client, the PhishAlarm Add-in is provided as an .exe or .msi file for Microsoft Outlook, as a
manifest URL for Microsoft Exchange, or as an application in the G Suite Marketplace for Gmail.
PhishAlarm can be configured and customized to meet the needs and branding of your company. You can
decide how you want the PhishAlarm button to look and act, which notification messages display to the user
based on the type of email reported, what you want the messages to say, and what you want done with the
email after it’s reported.
To jump to a specific section, click its link below:
• How It Works
• PhishAlarm Email Clients Supported and Features Supported Per Client
• Configuring PhishAlarm
• Installing Email Clients
How It Works
Here’s how easy PhishAlarm is to use. Let’s say Dave, one of your employees, opens an email in Outlook that
looks suspicious. All he has to do is click PhishAlarm’s Report Phish button in the Outlook ribbon. Then, Dave
receives a customizable feedback message (either a pop-up window or email) thanking him for reporting a
potential phishing email.
Depending on how you configure PhishAlarm, the suspected email can be deleted or moved to a junk folder. It
can also be forwarded to a pre-defined list of email addresses for further analysis. PhishAlarm can be
configured to recognize and route different categories of emails to the appropriate team or individual. For
example, the system can recognize emails sent from Proofpoint’s Security Education Platform and route them
to the appropriate individuals within the organization. Similarly, if any simulated mock-phishing emails are
reported, they can be forwarded to the Security Awareness team, whereas other reported emails are sent to the
Threat Response team.

Here are four categories of emails that you will be able to configure in PhishAlarm:
• Simulated phish Emails sent from a Proofpoint ThreatSim® phishing campaign.
• Potential phish Emails that are not any of the other categories (Simulated
phish, Safelist email, or Proofpoint training email).
• Safelist Emails that are designated as safe and adhere to a set of rules
configured on the Safelist tab.
• Proofpoint training Email notifications sent from the Proofpoint Platform including
Training Assignment and Reminder notifications.
PhishAlarm Email Clients Supported and Features Supported Per Client

PhishAlarm integrates with Microsoft Outlook, Microsoft Exchange, and Google Gmail. Below are details about
each email client as well as a list of feature matrix per email client.
Email Clients Supported

Listed below are the email clients currently supported by PhishAlarm.
IMPORTANT: For Outlook desktop installations, Microsoft® .NET Framework version 4.5.2 or later must be
present on every user’s machine where PhishAlarm is installed.
PhishAlarm For Exchange PhishAlarm For

PhishAlarm For Outlook Gmail
Email Client Add-in deployed via XML
Installed plug-in downloaded via G Suite Marketplace
1
Platform manifest App
Outlook 2010 for Windows 

Outlook 2013 for Windows  
Outlook 2016 and 2019 for
Mac (Exchange 2013, 2016, and

2019; Office 365)
Outlook on the Web:

• Outlook Web App (Office

365)
• Outlook Web Access
(Exchange 2013, 2016, and
2019)
Outlook for iOS and Android2 

Gmail on the Web
3

1
Internet Explorer is required when installing the PhishAlarm For Exchange add-in on Windows-based workstations due to its
Enhanced Protected Mode setting.
2
Supported only in Office 365. Mobile add-ins are not supported on the U.S. Government Community Cloud (GCC) or on-premise
Microsoft Exchange Servers.
3
PhishAlarm For Gmail add-on is only accessible when an email account is opened either within a desktop web browser window
or within the Gmail mobile app. It is not available within mobile web browsers.

Features Support Per Email Client

The following feature matrix notes the capabilities supported when PhishAlarm is installed within specific email
clients.
● = supported by the email client ○ = not supported by the email client
Feature PhishAlarm For PhishAlarm For PhishAlarm For

Outlook Exchange Gmail
Forward to specified email recipients ● ● ●
Delete email after report ● ● ○
Move email to Junk folder after report ● ● ○
Attachment detection (for ThreatSim
● ○ ○
attachment campaigns)1
Capture header ● ● ●
Capture body ● ● ●
Capture attachments ● ● ●
2
Prompt Message ● ● ●
Email Confirmation notification2 ● ○ ○
Language support for notifications ● ● ●
3
Automatic software updates ○ ● ●
Analyzer support 4
● ● ●
Safelist Emails ● ● ●
Custom Icon and Text ● ● Text only
Closed-Loop Email Analysis &
● ● ●
Response (CLEAR)
Report from Shared Inbox ● ○ ○
Report Messages from Multiple
● ○ ○
Accounts
Deployed Centrally ○ ● ●
Offline Reporting Available ● ○ ○
Preserve Original Header and Body Attached Attached/Inline Inline
1
This option is only available in PhishAlarm version 3.2.22 or later.
2
When using PhishAlarm in Office 365, Outlook on the Web, Outlook for iOS/Android, and Gmail this notification is displayed in line within
the browser window, not in a separate pop-up window.
3
Updates to business logic are automatic, but an update of the XML manifest is still required for PhishAlarm For Exchange.
4
Analyzer is an optional add-on to PhishAlarm that provides prioritization and analysis of reported emails.

Configuring PhishAlarm
Before the PhishAlarm add-in can be used, you must configure four areas:
• Appearance – The look of the PhishAlarm button as it appears in the email client. Refer to Configuring
the PhishAlarm Add-in Button for Outlook, Exchange, or Gmail for more information.
• End-user notifications and email handling – The notification, or feedback, message the end user sees
after reporting a phish and what you want PhishAlarm to do with the email within the user’s email client
after it’s reported. Refer to Configuring End-user Communication for more information.
• Email forwarding – The forwarding options for each type of reported email, such as forwarding to a
security operation center (SOC). Refer to Configuring Reported Email Forwarding Options for more
information.
• Safelisted emails – The email addresses designated as safe by your organization. Refer to Configuring
Safelist Emails for more information.
Configuring the PhishAlarm Add-in Button for Outlook, Exchange, or Gmail

PhishAlarm can be configured for your organization’s environment and the email client version that you’re using
(Microsoft Outlook, Microsoft Exchange, or Google Gmail). You can choose from multiple button layouts and
customize various button label text and languages to create a look and feel that supports your corporate brand
and your global employee base.
Notes:
• For the PhishAlarm add-in button to work for a user, the individual’s email address must be uploaded
to the Security Education Platform through the User Management option. Only licensed users can
report emails using the PhishAlarm button.
• Internet Explorer is required when installing the PhishAlarm For Exchange add-in on Windows-based
workstations due to its Enhanced Protected Mode setting.
Use the steps below to configure how the PhishAlarm button will appear to your end users.
1. Sign into the Security Education Platform.
2. From the Products side menu, click PhishAlarm > Add-in Setup.
3. Click the Setup tab.
4. In the Viewing Translation section, select the language from the Translation set list for the
PhishAlarm add-in button that are going to configure. You can customize the information in multiple
languages to address the localization needs of your end users by repeating these steps below for
each language needed.
Note: If you need to add languages to the Translation set list, click +ADD TRANSLATION,
select the language from the list, and click ADD. If you want to remove a language from the list,
click +REMOVE TRANSLATION, click DELETE next to the language(s) to be removed, and click
CLOSE.

The Branding section applies to all three versions of the add-in: PhishAlarm For Outlook,
PhishAlarm For Exchange and PhishAlarm For Gmail. In this section, you will configure the text and
icon image on the PhishAlarm button itself.
Across the top of the section, you will see preview examples of how the PhishAlarm button will look
in PhishAlarm For Outlook, PhishAlarm For Exchange, and PhishAlarm For Gmail. These previews
automatically update when features and options are changed on the page so that you can see how
the buttons will look.
Note: Depending on the version, screen size, and operating system being used by each end
user, the preview examples may differ from how they actually display for each user.
5. Use the Button label field to customize the text that is displayed on the actual PhishAlarm button.
By default, this field will display the wording, “Report Phish,” in the language selected in the
previous step. You can customize the text to meet your needs or keep the default text. For
example, if you enter “It’s a Phish” in the field, the button will look like this:
IMPORTANT: If you are using PhishAlarm For Exchange, the manifest must be reloaded before
the button label change is visible in Exchange. Refer to Obtaining the Exchange Manifest URL Link
for more information.
6. Select the Icon that you want to appear on the PhishAlarm button. You can choose a standard
fishhook or bug icon, or you can upload a custom icon of your own.
Note: The PhishAlarm button icon for PhishAlarm For Gmail cannot be changed from the
fishhook icon.

Phish hook icon This option displays a fishhook hooking a closed envelope .
Bug icon This option displays a bug on an open envelope .
Fuse icon This option displays a blue fishhook hooking a blue closed
envelope . Use this icon if you want the button to remain
consistent with the Proofpoint For Outlook add-in.
Custom icon This option lets you upload an icon of your own. The graphic file
must be a .png format and 128 x 128 pixels. You can drag and
drop the file or click Browse to locate it and click Confirm to
save it. The icon displays below the option for review.
IMPORTANT: For PhishAlarm For Exchange, the manifest must
be reloaded after uploading a custom icon for the change to be
visible in Exchange. Refer to Obtaining the Exchange Manifest
URL Link for more information.
7. The PhishAlarm For Outlook section only applies if you are using PhishAlarm For Outlook so that
you can customize additional buttons and layout options for Outlook. If you are using PhishAlarm
For Exchange or PhishAlarm For Gmail, go to step 8.
a. If you are using ThreatSim for phishing emails with attachments, select the Allow ThreatSim
attachment detection option to enable PhishAlarm to detect when a user attempts to open
an attachment-based phishing campaign and to redirect the user to a web-based teachable
moment instead of opening the attachment. This option is only available in PhishAlarm
version 3.2.22 or later.
b. Toggle the Display report button to users option as follows:
• On : The PhishAlarm button will display on the Outlook ribbon for users. This setting
must be On for users to be able to use the PhishAlarm button to report phish.
• Off : The PhishAlarm button will not display on the Outlook ribbon for users.

c. For the Layout options, select how you want the PhishAlarm button to function:
1-click layout This option allows users to report a phish with a single
click of the PhishAlarm button.
2-click layout This option displays the button with a drop-down menu for
Report Phish, Help, and More Information. With this
setting, users must make two clicks to report a phish.
d. Select the Allow users to right click on an email to report option to enable users to right-
click on an email and select the PhishAlarm Report Phish option to report phish instead of
clicking the PhishAlarm button in the Outlook ribbon.
e. If you selected the 2-click layout above, the Help & tips URL option enables you to provide a
website link to resources about security awareness after the user clicks the Help option of
the PhishAlarm button, shown below. Select Default URL to direct the user to
http://www.proofpoint.com or select Custom help URL and enter your own URL address in
the text box that displays.
f. If you selected the 2-click layout above, click the Labels link to display a list of button labels
that you can customize and use the table below to enter the necessary information:
Help & Tips When clicked, the Help option redirects the user to
additional help or tips, as configured in the “Help & tips
URL” field above. Enter custom text for this label or
keep the default text displayed in the field.

More… When clicked, the More… option displays a drop-down

menu containing “Test Connection” and “Email
System” (see the corresponding rows below for
additional information on those options). Enter custom
text for this label or keep the default text displayed in
the field.
Close The Close button appears on notification pop-up
windows for the user to click to close the window. Enter
custom text for this label or keep the default text
displayed in the field.
Cancel The Cancel button appears on notification pop-up
windows for the user to click to cancel the action. Enter
custom text for this label or keep the default text
Test Connection The Test Connection option appears within the More…
menu (see the corresponding row above for additional
information). It is used to test the user’s connection to
the Proofpoint server. Enter the text for this label or
Email System The Email System option appears within the More…
menu (see the corresponding row above for additional
information). When clicked, it will email system
information and trace logs to Proofpoint Customer
Support. Enter the text for this label or keep the default
text displayed in the field.
8. Click SAVE CHANGES to keep the settings entered on the page.
9. Repeat these steps for each language that you need to configure for the PhishAlarm button.
Configuring End-user Communication

End-user communications are the feedback messages that display for users after they report an email using the
PhishAlarm button. There are multiple end-user messages that may display, all of which are customizable. You
can define:
• Which message displays depending on the type of email the user reported.
• How the notification message is delivered to the user, such as by pop-up message or an email.
• What will happen to the email after it is reported, such as deleting it from the user’s Inbox or moving it to
a junk folder.
Use the steps below to configure each type of end-user communication.
3. Click the End-user Communication tab.
4. In the Viewing Translation section, select the language from the Translation set list for the
PhishAlarm add-in button that are going to configure. You can customize the information in multiple

languages to address the localization needs of your end users by repeating these steps below for
each language needed.
Note: If you need to add languages to the Translation set list, click +ADD TRANSLATION,
select the language from the list, and click ADD. If you want to remove a language from the list,
click +REMOVE TRANSLATION, click DELETE next to the language(s) to be removed, and click
CLOSE.
5. In the Report Actions section, define the content of and way the confirmation message displays to
the end user after the person clicks the PhishAlarm button.
Prompt the user • Select the checkbox to display a “Yes or No” type
before reporting confirmation message to the end user after clicking
an email the PhishAlarm button. Then, enter customized text
in the text box or keep the default text.
• Clear the checkbox to not display a confirmation
message at all to the end user.
Notification type Select how you want the confirmation message to
display to the end user.
Note: Microsoft Exchange, Office 365, and Gmail add-in
can only use the pop up option.
• Pop up: A pop up message is displayed
immediately after the end user reports an email as a
phish. This is the most frequently used setting since
it provides the most obvious and immediate
feedback to the user.
• Email: An email is sent to the end user after a
phish email is reported. This email will have a To
and From address that is the same since

PhishAlarm is issuing the email from the user’s

mailbox.
• None: No notification message is sent or displayed
after the user reports a phish email. (This option is
rarely used.)
6. In the Simulated Phish Notification Settings section, define the message text that displays when a
user successfully reports a simulated phish sent from a ThreatSim phishing campaign and how to
handle the email after it is reported.
Notification Enter the text that will appear in the notification pop up
message message to the end user who successfully reports a
simulated phish sent from a ThreatSim phishing
campaign or keep the default text displayed in the field.
“More Information” (These options are only for PhishAlarm For Outlook users
label and URL and are not supported by PhishAlarm For Exchange or
PhishAlarm For Gmail.)
The notification message contains a button the end user
can click to access a website to learn more about the
simulated phish. Configure the button as follows:
• “More Information” label: Enter the text for this
button or keep the default text displayed in the field.
• “More Information” URL: Enter the custom URL
(often to a phishing security awareness page) when
the “More Information” button is clicked or keep the
default text displayed in the field.
Email Handling Select the Delete email after report checkbox if you
After Report want the reported email automatically moved to the end
user’s Delete folder after it is reported for deleting in
accordance with the company policies. (This option is
not supported by PhishAlarm For Gmail.)

7. In the Potential Phish Notification Settings section, define the confirmation message text that
displays when a user reports a potential malicious phishing email campaign and how to handle the
email after it is reported. These are emails that do not fall into any of these other categories:
simulated phish, Safelist email, or Proofpoint training email.
Notification Enter the text that will appear in the notification pop up
message message to the end user who reports a potential
malicious phishing email or keep the default text
label and URL and are not supported by PhishAlarm For Exchange or
PhishAlarm For Gmail).
phish. Configure the button as follows:
button or keep the default text displayed in the field.
default text displayed in the field.
Email Handling Select one of the following:
After Report • No action: The email will remain in the end user’s
Inbox.
• Delete email: The email will automatically move to
the end user’s Delete folder after reporting for
deleting in accordance with the company policies.
(This option is not supported by PhishAlarm For
Gmail.)
• Move email to junk: The email will automatically
move to the end user’s junk folder. (This option is

8. In the Safelisted Email Notification Settings section, define the confirmation message text that
displays when an end user reports an email that has been safelisted in PhishAlarm and how to
handle the email after it is reported. Refer to Configuring Safelist Emails for more information about
configuring safelisting via the PhishAlarm > Settings > Safelist tab.
Report prompt Enter the text that will appear in the pop up message or
keep the default text displayed in the field. This
message will appear when the end user attempts to
report an email that is actually a safe message from an
address/domain that was safelisted by your
organization.
Notification Enter the text that will appear in the notification to the
message end user who proceeds with reporting a safelisted email
or keep the default text.
button label and and are not supported by PhishAlarm For Exchange or
URL PhishAlarm For Gmail.)
phish. Configure the button as follows:
button or keep the default text.
default text.
Email Handling Select the Delete email after report checkbox if you want
After Report the reported email automatically moved to the end
user’s Delete folder after it is reported for deleting in
accordance with the company policies. (This option is

9. In the Training Email Notification Settings section, define the confirmation message text that
displays when a user reports an email that was sent from the Security Education Platform, such as
Training Assignment and Reminder notifications.
Notification Enter the text that will appear in the notification to the end
message user who reports a safe email that has been sent from the
Security Education Platform or keep the default text
“More Information” (These options are only for PhishAlarm For Outlook users and
label and URL are not supported by PhishAlarm For Exchange or PhishAlarm
For Gmail.)
The notification message contains a button the end user can
click to access a website to learn more about the phish.
Configure the button as follows:
• “More Information” label: Enter the text for this button or
• “More Information” URL: Enter the custom URL (often to
a phishing security awareness page) when the “More
Information” button is clicked or keep the default text
Configuring Reported Email Forwarding Options

When end users report emails using the PhishAlarm button, you can decide whether PhishAlarm should send
emails through Analyzer or Threat Response Auto-Pull (TRAP). Or, you can choose to forward those emails to a
specified email address(es) for further analysis, such as a security operation center (SOC) or computer security
incident response team (CSIRT) or choose not to forward them at all. You can configure forwarding options for
each type of email, such as simulated phish, potential phish, safelisted, or training.
Use the steps below to configure the email forwarding options for PhishAlarm.
2. From the Products side menu, click PhishAlarm > Settings.
3. Click the Admin Communications tab.

Note: The “Company Information” section at the top of the page is read-only and contains the
Access Domains for your company. Contact Customer Support if you need to change this
information.
4. In the Potentially Malicious Email Handling section, to use Analyzer with PhishAlarm, the Send
potential phish emails through Analyzer checkbox must be selected (enabled). Once enabled,
potential phish reported from PhishAlarm will be sent to Analyzer. If you disable this option,
reported phish will no longer be analyzed.
Note: The other email handling options on this page do not rely on whether or not you enabled
Analyzer. They operate independently of Analyzer.
5. For the Potential phishing email forwarding option, select how you want PhishAlarm to handle the
emails reported by end users that are possibly malicious.
Do not forward emails Select this option if you do not want to forward
potentially malicious phishing emails to anyone.
Forward to the following Select this option to forward potentially malicious
email addresses phishing emails to the email address(es) that you
specify in the available text box. Use a comma to
separate multiple emails addresses in the text box.
There is no limit to the number of email addresses
that can be added.
6. If you are using the Closed-Loop Email Analysis and Response (CLEAR) solution, which combines
PhishAlarm, Analyzer, and Threat Response Auto-Pull (TRAP), select the desired option for TRAP
Integration.
Note: Integration with TRAP requires that Analyzer be enabled so be sure that the Send potential
phish emails through Analyzer checkbox above is selected.

Do not send emails Select this option if you do not want Analyzer to
forward potential malicious phishing emails to TRAP.
Send to the following TRAP Select this option and enter an email address in the
email address text box if you want Analyzer to send the potential
malicious phishing emails to the specified email
address of the abuse inbox monitored by TRAP.
7. In the Potentially Harmless Email Handling section, use the table below to select how you want
PhishAlarm to handle the emails reported by end users that are possibly harmless for these email
types:
• Simulated phishing emails (from ThreatSim)

• Proofpoint Security Awareness training emails
• Safelisted emails
Do not forward emails Select this option if you do not want to forward the
emails to anyone.
Forward to the following Select this option to forward the emails to the email
email addresses address(es) that you specify in the available text box.
Use a comma to separate multiple emails addresses.
There is no limit to the number of email addresses
that can be added.

8. In the File Delivery Settings section, configure how to forward reported emails with attachments
from PhishAlarm For Outlook and PhishAlarm For Exchange in the Analyzer Threat Report Overview
emails. You can select more than one option or none at all. (This option does not apply to
PhishAlarm For Gmail.)
Note: PhishAlarm For Outlook and PhishAlarm For Exchange environments include a
headers.txt attachment that contains only the headers of the reported email. In addition to the
headers being in an attachment text file (.txt), PhishAlarm For Exchange and PhishAlarm For
Gmail also include the headers in the body of the email.
Forward the included Select this option to include the email attachments
attachments in the reported when forwarding to the designated mailbox.
Phish
Attach HTML body as (.html) Select this option to forward any HTML content in an
file email as an HTML attachment.
Attach HTML body as plain Select this option to forward any HTML content in an
text (.txt) file email as a plain text attachment, which may remove
formatting of original email.
Attach text body as plain text Select this option to forward plain text email as a plain
(.txt) file text attachment.
Configuring Safelist Emails

You can create rules to safelist designated email addresses. Safelisting involves specifying IP addresses, email
addresses, or domain names that are considered trustworthy. When a user reports an email from a safelisted
address, a prompt can display with a custom message to confirm the submission.
Note: The message text for the prompt is configured on the End-user Communications tab under the
Safelisted Email Notification Settings section.
Use the steps below to configure the safelist emails.
2. From the Products side menu, click PhishAlarm > Settings.
3. Click the Safelist tab.

4. Enter a title for the safelist in the Name field.
5. Select the Condition for the safelist and its corresponding Criteria and Value as follows.
Subject Line This condition allows safelisting based on the email’s Subject line text.
If this condition is selected, enter the following fields:
• Criteria*: Select an option from the drop-down list. (See * below table
for Criteria definitions.)
• Value: Enter the text in the Subject line to be used for matching. The
query is case sensitive.
For example: If the Criteria is "Starts with" and the Value is "[INTERNAL],"
the system would match the Subject line of an email, "[INTERNAL]
Please submit your timesheet," but would not match against one with
"Submit your timesheet to your manager" in the Subject line.
Header This condition allows safelisting based on a general query against all the
information in the email header. It is the most complex of the queries.
This option is for querying against any of the header information sent
along with the body of the email. Header information is provided in
Name: Key pairs. The PhishAlarm configuration has separate fields for
each.
If this condition is selected, enter the following fields:
• Criteria* and Value for name (See * below table for Criteria
definitions.)
• Criteria* and Value for key (See * below table for Criteria
definitions.)
For example: If Value for name is DKIM and Criteria is Contains, and
Value for key is d=xyzcompany.com and Criteria is Contains, then the
header below would not match because the key is
d=email.microsoftoneline.com and not d=xyzcompany.com:
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
s=200608; d=email.microsoftonline.com;
h=From:To:Subject:Date:MIME-Version:Reply-To:List-
ID:Cc:Message-ID:Content-Type:Content-
Transfer-Encoding;
* The three Criteria options for the safelist:

• Starts with: The query is matched if the Value is at the start of the Condition
being queried against. For example, if the Value is “abc,” then it
will match against “abc123” but not “123abc”.

• Contains The query is matched if the Value is contained somewhere in the

string being queried against. For example, if the Value is “abc,”
then it will match against “abc123,” “1abc23”, and “123abc”, but it
will not match against “a123bc.
• Advanced The query is matched using standard regex rules (not
(Regex) recommended)
6. To provide multiple query options, you can add more conditions for this safelist entry by clicking
the Add another condition link. All conditions and criteria must match for the email to pass.
Note: In all cases of matching for Criteria, the query is case sensitive. Safelist changes will take
effect when the user reopens their email client. This functionality is only available in PhishAlarm
version 3.1.15 or later.
7. Click CREATE SAFELIST.
8. Once created, the new entry displays in the Safelists table at the bottom of the page.
9. If needed, entries can be edited or deleted by clicking the corresponding EDIT or DELETE link.

PhishAlarm Safelisting Requirements

PhishAlarm connects to the Training Platform with a secured web connection on port 443 (TLS 1.2 or higher).
Ensure that the appropriate URL for your hosted location is safelisted in your organization's firewall and proxy
server to allow PhishAlarm to communicate securely with the Training Platform.
Note: For the most current safelisting information, access Community and search for “Safelisting Guide.”
For United States https://phishalarm-us-east-1-v2.securityeducation.com/api/v1/

For European Union https://phishalarm-eu-west-1.securityeducation.com/api/v1/
For Asia Pacific https://phishalarm-ap-southeast-2.securityeducation.com/api/v1/
PhishAlarm products will also make calls to the following URLs:

• https://d2wy8f7a9ursnm.cloudfront.net/
• https://notify.bugsnag.com/
• https://code.jquery.com/
• https://appsforoffice.microsoft.com/
• https://outlook.office365.com/EWS/Exchange.asmx
• https://outlook.office.com/api/
• https://polyfill.io
Installing Email Clients

PhishAlarm can be installed for the desktop Microsoft Outlook 2010, 2013, 2016, and 2019 (32-bit and 64-bit)
clients, for Outlook 365, and for G Suite for Gmail.
IMPORTANT: Before the PhishAlarm button can be used by anyone to report suspicious emails, you must first
configure the PhishAlarm button and functionality prior to installing email clients. Refer to Configuring
PhishAlarm for the necessary steps.
PhishAlarm For Outlook Installation

To use PhishAlarm For Microsoft Outlook 2010, 2013, 2016, or 2019 (32-bit and 64-bit) clients, download the
PhishAlarm installer plug-in files before installing on individual desktops or for the entire organization. The
downloaded ZIP file contains:
• PhishAlarm Outlook Add-In.msi
• PhishAlarm.exe
• setup.json
IMPORTANT: For PhishAlarm For Microsoft Outlook desktop installations, the Microsoft® .NET Framework
version 4.5.2 or later must be present on every user’s machine where PhishAlarm is installed.
Note: When using PhishAlarm For Outlook in virtual desktop environments, follow the guidance and best
practices from your IT department on successfully supporting add-ins with Microsoft Outlook in such
environments.

Use the steps below to download and install the files needed for PhishAlarm For Outlook.
1. Sign in the Security Education Platform.
3. Click the Install tab.
4. In the PhishAlarm For Outlook section, click Download. The .zip file will automatically download.
The .zip filename will append the version number after “PhishAlarm,” such as PhishAlarm-
v#.#.#.zip.
5. You will need to extract (unzip) the contents of the .zip file to use them. Refer to the sections below
as needed to install on individual machines or to deploy it across your organization.
Individual Desktop Installation

Use the steps below to install PhishAlarm on a user’s desktop.
1. Close the user’s Outlook application.
2. If you haven’t done so already, copy and extract (unzip) the contents of the previously downloaded
PhishAlarm-v#.#.#.zip file to the user’s hard drive.
3. Open the folder containing the extracted .zip files (.msi, .exe, and .json files).
Note: Keep the setup.json file in the same directory as the PhishAlarm.exe file during the
installation process.
4. Right-click on the PhishAlarm.exe file and select Run as administrator.
5. Follow the installation instructions in the wizard.
6. Once the installation is complete, open the user’s Outlook application and confirm that the
PhishAlarm button displays in the Outlook ribbon.
Silent Installation for Deployment Across an Organization

To rollout PhishAlarm Add-in for Microsoft Outlook 2010, 2013, 2016, or 2019 to your entire organization, create
a package for distribution that includes the PhishAlarm.exe and setup.json files from the unzipped PhishAlarm-
v#.#.#.zip file. Use the following command to install the PhishAlarm Outlook add-in without user interaction:
PhishAlarm.exe /silent
The command should be run with elevated privileges. This command also uninstalls all previous PhishAlarm
installations before installing the new package.
The following flags can be passed with the PhishAlarm.exe command:
• /silent: Run silently in the background. This suppresses all notifications, including errors.
• /quiet: Run quietly in the background. This suppresses all notifications, except errors.
• /install: Install PhishAlarm (this is on by default).
• /uninstall: Only uninstall PhishAlarm and do not subsequently install it.
• /log “filename”: This will create an install log under the name “filename” in the directory from which
the command is being run. There might also be an “install-###.txt” file logged as well. These files
are useful for diagnostics and troubleshooting, if necessary.
• /norestart: Suppresses the system from forcing a restart on Outlook.

PhishAlarm For Exchange Installation

When deployed, PhishAlarm For Exchange (Exchange 2013, 2016 and 2019; Office 365) will be automatically
available through the web application as well as the following clients:
• Outlook 2013 for Windows • Outlook on the Web

• Outlook 2016 for Windows  Outlook Web App (Office 365)
• Outlook 2019 for Windows  Outlook Web Access (Exchange 2013,
• Outlook 2016 and 2019 for Mac 2016, and 2019)
(Exchange 2013, 2016, and 2019;  Outlook.com
Office 365)
• Outlook on iOS (Office 365 only)
• Outlook on Android (Office 365 only)
Notes:
• Mobile add-ins are not supported on the U.S. Government Community Cloud (GCC) or on-premise
Microsoft Exchange Servers.
• Internet Explorer is required when installing the PhishAlarm For Exchange add-in on Windows-based
workstations due to its Enhanced Protected Mode setting.
• When deploying PhishAlarm For Exchange in an Exchange 2013 environment, Exchange Web Services
(EWS) must be enabled as Exchange 2013 does not have enough support for the REST API for
PhishAlarm to function.
• When using PhishAlarm For Exchange in virtual application environments, follow the guidance and best
practices from your IT department on successfully supporting add-ins in such environments.
While it’s possible to deploy to a single account, it's not possible to install the add-in on any single client
outside of deploying to one or more accounts.
Obtaining the Exchange Manifest URL Link

Use the steps below to obtain your Exchange Manifest URL link to use in the sections that follow.

4. Scroll down to the PhishAlarm For Exchange section and click the Copy link next to the Manifest
Link.
5. Depending on how you are installing the PhishAlarm add-in, proceed to either Installing the
PhishAlarm Add-In for a Single User or Installing the PhishAlarm Add-In for Your Entire Organization
where the manifest URL will be needed.
Installing the PhishAlarm Add-In for a Single User

Use the steps below to install PhishAlarm For a single user.
1. Log into your account at https://outlook.office.com/owa/.
2. Select the Settings gear, and then select Manage add-ins.
3. Select My add-ins from the left menu, and then select + Add a custom add-in at the bottom.
4. Select Add from URL from the drop-down menu.
5. Paste the URL for the manifest file and click OK. Refer to Obtaining the Exchange Manifest URL Link
to get a copy of the URL to paste here.

6. Once the add-in is installed, you will see it added to your list of Custom add-ins.
Installing the PhishAlarm Add-In for Your Entire Organization

Use the steps below to install PhishAlarm For your entire organization.
1. Log into the office portal at https://portal.office.com/ or into your local Exchange 2013, 2016 or
2019 server.
2. On the left menu, expand Admin centers and select Exchange.
3. Select add-ins from the dashboard.
4. Click the Services and Add-ins link.
5. Click the Deploy Add-in button.

6. If you have not deployed an Add-In with Centralized Deployment, click Next.
7. Paste the URL for the manifest file and click Next. Refer to Obtaining the Exchange Manifest URL
Link to get a copy of the URL to paste here.
8. Specify who has access to the PhishAlarm Add-In (Everyone, Specific users/groups, or Just me)
and click Deploy now.
9. Click Next to finalize the deployment.
PhishAlarm For Gmail Installation

PhishAlarm For Gmail is installed from the G Suites Marketplace by a domain administrator. The marketplace
app, a Google contextual gadget, can be installed for an entire organization or for a Google sub-organization.
Note: When using PhishAlarm For Gmail in virtual application environments, follow the guidance and best
practices from your IT department on successfully supporting Gmail add-ons in such environments.
Authorizing a Service User (optional but recommended)

If you do not wish your users to authorize their own application, the solution is to authorize a service user to
retrieve this data. The PhishAlarm For Gmail add-in has a default service user which can perform this operation.
Completing the following steps will prevent users from seeing an authorization pop-up the first time they use
PhishAlarm For Gmail. This mitigates the risk that it is blocked by a pop-up blocker or a user accidentally
revoked access.

Use the following steps to authorize a service user.
1. Log into Google Admin (https://admin.google.com).
2. Navigate to Security (display More Controls if needed) Dropdown Show more > Advanced
settings.
3. Click on Advanced settings.
4. Select Manage API client access.
5. Under Client Name, enter one of the following numbers:
For U.S. 102081803474226333632
For European Union 100175315055344366109
For Asia Pacific 113147822389174193516
6. Under One or More API Scopes, copy and paste all URLs below (separate each with a comma).
Note: These are the same scopes authorized by PhishAlarm For Gmail.
• https://mail.google.com/
• https://www.googleapis.com/auth/gmail.readonly
• https://www.googleapis.com/auth/gmail.compose
• https://www.googleapis.com/auth/gmail.send
• https://www.googleapis.com/auth/userinfo.email
• https://www.googleapis.com/auth/userinfo.profile
7. Click Authorize.
Creating a Sub-organization to Use as a Test Group (optional)

If you do not wish to enable PhishAlarm For Gmail for your entire organization at this time, you can create a
sub-organization instead.
Use the steps below to create a sub-organization.
1. Log into Google Admin (https://admin.google.com).
2. Navigate to the Main Menu, which is in the upper left of the screen and is 3 horizontal bars.
3. Under Directory, click on Organizational units.
4. Click the + (Plus) symbol to add another Organizational Unit.
5. Enter a Name for the sub-organization and click Create.
6. You can now add new users to the sub-organization or move existing users to add them to the sub-
organization.

Installing PhishAlarm For Gmail

Use the steps below to install PhishAlarm For Gmail.
4. Scroll down to the PhishAlarm For Gmail section and click the G Suite Marketplace link.
5. Click Domain Install.
6. Click Continue to grant permission to the application.
7. From the Turn ON for drop-down list, choose the organization or sub-organization. This can be
changed at any time from the Google Admin console.
8. Select the I agree checkbox to grant PhishAlarm For Gmail access to the domain data listed and
click Accept.
9. Click Done. PhishAlarm For Gmail is now installed.
10. After the installation is complete, verify that data access is granted by navigating to Apps >
Marketplace Apps > PhishAlarm.
11. Click EDIT SERVICE to list the Organizational units.
12. Select the Organizational unit that you would like to deploy PhishAlarm.
13. Click the On for everyone radio button.
ANALYZER CONFIGURATION
Analyzer is an email analysis tool that employs Proofpoint Threat Intelligence to prioritize reported emails and
automate the collection of e-mail security data. This enables InfoSec officers and security response teams to
quickly identify, isolate, and remediate suspected phishing messages, including zero-hour attacks. It is an
excellent complement to existing email security defenses as it adds an additional layer of protection against
phishing and spear phishing.
Real-time ranking of threat potential
As a companion to the PhishAlarm® email reporting button, Analyzer provides security teams with a real-time
ranking of suspicious emails that have been reported via the PhishAlarm button — alerts that may indicate that
a phishing email slipped through existing email gateways. By ranking emails in order of threat potential,
Analyzer enables your response team to effectively allocate their time and attention to the most imminent and
dangerous attacks to your network. Automating the assembly of email-based threat information saves InfoSec
teams valuable time and enables them to focus on remediation, rather than data collection. Analyzer leverages
the industry leading Proofpoint Threat Intelligence stack to perform live scanning and detonation of URLs and
attachments, as well as file hash comparison and Proofpoint TAP (Targeted Attack Protection) campaign
correlation.
To jump to a specific section, click its link below:
• How It Works

• Configuring Analyzer
• Analyzer Safelisting Requirements
• Generating the Analyzer Results Report
How It Works
The PhishAlarm email reporting button is configured to report and forward suspicious email from PhishAlarm to
Analyzer. Figure 1 illustrates the flow of potential phish when reported using PhishAlarm configured with
Analyzer.
Figure 1- The flow of potential phish
1. An employee receives a suspicious looking email and reports it via the PhishAlarm Report Phish
button.
2. If this email is categorized by PhishAlarm as a “Potential Phish,” the email and, optionally, any
attachments or URLs it may contain are packaged in a specially formatted email and sent to the
corporate email server from the PhishAlarm For Outlook and the PhishAlarm For Gmail to be
forwarded to the Analyzer.
3. Analyzer receives the email and engages with Proofpoint’s Threat Intelligence to score and assess
whether the potential phish should be considered “Malicious,” “Suspicious,” “Unlikely a Threat,” “Low
Risk,” “Bulk,” or “Spam.” It will deliver a Threat Report Overview (TRO) of its analysis.
4. The potential phish email, its attachments, and TRO report are sent to the email address(es)
configured as recipients for each kind of analysis result.
Note: The Analyzer email server will use Transport Layer Security (TLS) encryption for receiving and
sending the email if the corporate email server is using TLS encryption. TLS is a cryptographic protocol
designed to provide email security over a corporate computer network.

The Analyzer classifies the emails as:
Malicious Recommended to be sent to the Incident Response email address.
Suspicious Recommended to be sent to the Security Team email address for further
analysis and potential remediation.
Unlikely a Threat
Recommended to be sent to an Abuse Box email address for further
Low Risk
review or correlation with other potential phishing email.
Bulk
Spam
In Analyzer, you have the option to suppress reporting on similar potential phish that have been submitted
multiple times. Under the Analyzer Settings, there are configuration options pertaining to duplicate emails
where you can set the thresholds for their similarity, how long to keep duplicate information, and the email
address(es) to forward them (see the Configuring Analyzer section for the options under “Advanced Settings”).
Configuring Analyzer
When Analyzer is enabled, PhishAlarm will automatically send reported potential phish emails to Analyzer for
analysis. Use the steps below to configure Analyzer, such as adding the forwarding email address for
potentially malicious and harmless emails, such as Spam and Low Risk emails. You are also able to configure
duplicate email thresholds, how long to keep duplicate information, and the email address(es) for forwarding.
Notes:
• If you are using the Closed-Loop Email Analysis and Response (CLEAR) solution, which combines
PhishAlarm, Analyzer, and Threat Response Auto-Pull (TRAP), you can skip the process of configuring
Analyzer because the TRAP email address is entered in the TRAP Integration field on the Admin
Communications tab of PhishAlarm > Settings. Refer to Configuring Reported Email Forwarding
Options for more information.
• For information on enabling or disabling Analyzer, refer to Configuring Reported Email Forwarding
Options for the Analyzer Configuration option (Send potential phish emails through Analyzer) under
the Potentially Malicious Email Handling section.
Use the steps below to configure Analyzer.
2. From the Products side menu, click PhishAlarm > Analyzer.
3. Click the Settings tab.
4. In the Administrator Communication for Potentially Malicious Email section, enter the corresponding
email addresses where you want analyzed Malicious and Suspicious emails to be sent.

Note: Multiple email addresses may be added by separating each one with a comma.
Forward emails scored Proofpoint recommends Malicious phish be sent

as Malicious to: to the Incident Response email address(es).
Forward emails scored Proofpoint recommends Suspicious phish be
as Suspicious to: sent to Security Team email address(es) for
further analysis and potential remediation.
5. For the Administrator Communication for Potentially Harmless Malicious Email section, enter the
corresponding email addresses where you want analyzed Threat, Low Risk, Bulk, and Spam emails
to be sent

Forward emails scored

as Unlikely a Threat to:
Proofpoint recommends Unlikely a Threat, Low
Forward emails scored Risk, Bulk, and Spam phish emails be sent to an
as Low Risk to: Abuse Box email address(es) for further review or
Forward emails scored correlation with other potential phishing email.
as Bulk to: Or, you can choose the option to not forward
these types of emails at all.
Forward emails scored
as Spam to:
6. In the Advanced Settings section, use the table below to set the parameters for how to handle
possible duplicate emails that are reported by your users, such as the duplicate threshold limit,
cutoff limit, and other information.
Duplicate email threshold Enter the percentage for how closely at or above
limit the percentage the duplicate emails should match
for the email to be considered a duplicate email.
Note: Analyzer uses a Similarity Hash of the
address, subject line, and body text to help
determine which reported emails are duplicates.
The Similarity Hash is a one-way encrypted hash
that cannot be decrypted to its original data. It is
used for comparing emails to one another to see
how similar they are. If the similarity percentage is
at or above the percentage listed, then the emails
are categorized as duplicates.
Duplicate email cutoff limit For Between # and # fields, enter numeric values
for the low and high end of the duplicate threshold
limit. If the email is considered a duplicate, the
system checks this threshold limit against how
many times this email has been repeated.

If the resulting value is between the threshold limit

values indicated (inclusively on both ends), then the
email will be sent to the address specified in the
Duplicate email forwarding text box.
If it is above the upper limit, then the email will be
classified as “Malicious” and will be sent to the
email address previously entered above in the
Forward emails scored as Malicious to: field.
Keep duplicate information Enter the number of days the similarity hash for this
for email will be retained in the system for comparison
to other emails.
Note: Analyzer uses a Similarity Hash of the
address, subject line, and body text to help
determine which reported emails are duplicates. The
Similarity Hash is a one-way encrypted hash that
cannot be decrypted to its original data. It is used for
comparing emails to one another to see how similar
they are. If the similarity percentage is at or above the
percentage listed, then the emails are categorized as
duplicates.
Duplicate email forwarding Select one of the following:

• Do not forward these emails to not forward
duplicate emails at all.
• Forward to the following email address and
enter the email address where the duplicated
email will be sent if it is within the Duplicate
email cutoff limit range configured above.
Multiple email addresses can be added by
separating each one with a comma.
Forward using original end- The Do Not Forward as the original end-user
user email address option is disabled by default. When this option is
disabled, the forwarding address will be from
Analyzer.
Enable this option if you want to receive reported
phish email details from the original end user’s
email address. When this option is enabled, all
reported emails will be forwarded to Analyzer as if
they were coming from the original end user’s email
address. Although the email address of the end
user submitting the potential phish is always
available and is included at the top of the analysis,
enabling this option will allow Analyzer to see
exactly who reported the phish via the PhishAlarm
button.

Analyzer Safelisting Requirements

Some email servers will conclude that Analyzer is an unreliable source of email and block it due to the high
percentage of spam and malicious emails coming from the Analyzer. To ensure that you can receive email from
Analyzer, be sure to safelist the following IP addresses in your organization's mail filter or firewall.
Select the information below for your specific hosted location. Refer to Configuring Safelist Emails for
instructions on configuring safelisting.
Note: For the most current safelisting information, please access Community and search for “Safelisting
Guide.”
United States Mail Sender Name: outgoing.analyzer.securityeducation.com

Mail Sender IP: 34.192.109.34; 52.207.139.168
Sender Email Address*: analyzer@analyzer.securityeducation.com
European Union Mail Sender Name: outgoing.analyzer.eu.securityeducation.com
Mail Sender IP: 34.252.12.130; 52.30.8.165
Sender Email Address*: analyzer@analyzer.eu.securityeducation.com
Asia Pacific Mail Sender Name: outgoing.analyzer.ap.securityeducation.com
Mail Sender IP: 13.210.197.63; 13.55.113.235
Sender Email Address*: analyzer@analyzer.ap.securityeducation.com
*When the Analyzer Setting for “Forward using original end-user email address” is disabled, then the TRO reports are
sent with these Sender Email Addresses. If the option is enabled, then the Sender Email Address will be that of the end-
user who reported the email with the PhishAlarm button.
Generating the Analyzer Results Report

The Analyzer Results Report shows how many emails for each abuse disposition (Malicious, Suspicious,
Unlikely a Threat, Low Risk, Bulk and Spam) have been processed by Analyzer for a specific day or date range.
Use the steps below to enter the criteria for the Analyzer Results Report.
2. From the Products side menu, click PhishAlarm > Analyzer.
3. Click the Results tab.

4. Click in the Select a Data Range field to display the calendar and, then, select the date range by
clicking the start and end dates.
5. The Total Potential Phish chart displays at the top for the date or range selected and the summary
of emails for each abuse disposition (Malicious, Suspicious, Unlikely a Threat, Low Risk, Bulk and
Spam) displays at the bottom. Click the Download button in each section to download the data to a
.CSV file.

ACCESSING SUPPORT AND HELPFUL RESOURCES

You can contact Customer Support for assistance from within the Wisdom Community, by telephone, or by
email. Within the Wisdom Community, you can live chat with a Support Representative, create a new support
case, ask a question of the entire user community forum, and view support documentation and Knowledgebase
articles for immediate answers to your questions.
Contacting Customer Support

Through Wisdom Community
From within the Wisdom Community, you can live chat with a Support Representative or create a new
support case.
2. Click the Community link in the upper right corner of the platform.
3. From the Wisdom Community home page, click the Chat and Support link, or click your username
in the upper right corner of the page and select Contact Support from the drop-down menu. Use
any of the following options on the Help Finder page.
Chat Now Connect with our support team on Live Chat from 2 a.m. to
9 p.m. ET Monday through Friday. Click the Chat Now button, fill out
the form, and click the Request a Chat button.
Create A New Fill out the fields under Create A New Support Case, add an
Support Case attachment (optional), and click Submit.
By Telephone or Email
You can contact Customer Support by telephone and email as follows:
Phone United States: 1-866-714-4042

EMEA: +44 (0) 20 3478 5602
Email wst-support@proofpoint.com
Viewing Documentation and Knowledgebase Articles

Before contacting Customer Support, you can access the Wisdom Community to view support documentation
and Knowledgebase articles, which may be a more immediate resource for the answer to your question.
3. Click on any of the tabs or links or enter criteria into the Search textbox to locate helpful
information.
Asking A Community Question

You can post a question for others in the Community to answer.
3. Scroll down to the bottom of the Home page and click the Ask A Community Question button.
4. Fill out the online form and click Ask.

PhishAlarm - PhishAlarm Analyzer Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PhishAlarm - PhishAlarm Analyzer Guide

Uploaded by

Copyright:

Available Formats

© 2021 Proofpoint, Inc. Private and confidential.

© 2021 Proofpoint, Inc. Private and confidential.

PhishAlarm Email Clients Supported and Features Supported Per Client

Email Clients Supported

PhishAlarm For Exchange PhishAlarm For

Outlook 2010 for Windows 

Outlook on the Web:

Outlook for iOS and Android2 

© 2021 Proofpoint, Inc. Private and confidential.

Features Support Per Email Client

Feature PhishAlarm For PhishAlarm For PhishAlarm For

© 2021 Proofpoint, Inc. Private and confidential.

Configuring the PhishAlarm Add-in Button for Outlook, Exchange, or Gmail

1. Sign into the Security Education Platform.

3. Click the Setup tab.

© 2021 Proofpoint, Inc. Private and confidential.

© 2021 Proofpoint, Inc. Private and confidential.

© 2021 Proofpoint, Inc. Private and confidential.

© 2021 Proofpoint, Inc. Private and confidential.

More… When clicked, the More… option displays a drop-down

8. Click SAVE CHANGES to keep the settings entered on the page.

Configuring End-user Communication

1. Sign into the Security Education Platform.

3. Click the End-user Communication tab.

© 2021 Proofpoint, Inc. Private and confidential.

© 2021 Proofpoint, Inc. Private and confidential.

PhishAlarm is issuing the email from the user’s

© 2021 Proofpoint, Inc. Private and confidential.

© 2021 Proofpoint, Inc. Private and confidential.

© 2021 Proofpoint, Inc. Private and confidential.

Configuring Reported Email Forwarding Options

1. Sign into the Security Education Platform.

2. From the Products side menu, click PhishAlarm > Settings.

3. Click the Admin Communications tab.

© 2021 Proofpoint, Inc. Private and confidential.

© 2021 Proofpoint, Inc. Private and confidential.

• Simulated phishing emails (from ThreatSim)

© 2021 Proofpoint, Inc. Private and confidential.

9. Click SAVE CHANGES to keep the settings entered on the page.

Configuring Safelist Emails

Use the steps below to configure the safelist emails.

1. Sign into the Security Education Platform.

2. From the Products side menu, click PhishAlarm > Settings.

3. Click the Safelist tab.

© 2021 Proofpoint, Inc. Private and confidential.

4. Enter a title for the safelist in the Name field.

* The three Criteria options for the safelist:

© 2021 Proofpoint, Inc. Private and confidential.

• Contains The query is matched if the Value is contained somewhere in the

7. Click CREATE SAFELIST.

© 2021 Proofpoint, Inc. Private and confidential.

PhishAlarm Safelisting Requirements

For United States https://phishalarm-us-east-1-v2.securityeducation.com/api/v1/

PhishAlarm products will also make calls to the following URLs:

Installing Email Clients

PhishAlarm For Outlook Installation

© 2021 Proofpoint, Inc. Private and confidential.

1. Sign in the Security Education Platform.

3. Click the Install tab.

Individual Desktop Installation

1. Close the user’s Outlook application.

4. Right-click on the PhishAlarm.exe file and select Run as administrator.