Plugin Settings
Navigate to Settings -> Submitted Email Settings -> Plugin Settings
Introduction
LUCY includes a "Phish Alert" plugin for various mail clients and browsers, enabling users to safely report suspicious emails with one click. The reported emails are analyzed by LUCY’s Threat Analyzer, enhancing the organization’s security by involving employees in proactive threat reporting.
The plugin has two main purposes:
Forwarding Suspicious Emails:
Users can forward emails to a predefined address (e.g., security team).
A custom message appears to the user post-reporting.
Reporting to LUCY:
Suspicious emails can be sent back to LUCY for analysis.
LUCY-generated emails are processed in campaign statistics.
Technical Details
The plugin is an unsigned MSI file programmed as a C++/COM object and bundled with Microsoft Visual C++ 2015 Redistributable. Loading time is around 10ms.
The Office 365 version always uses the system's built-in web browser to send data to LUCY.
Both the XML (Office 365) and MSI (Outlook) versions can utilize system proxy settings (if present) without additional setup.
Supported clients
Office 365 (Desktop, Web, Mobile)
Outlook 2016, 2019
Outlook for Mac (2016, 2019)
Gmail
Features
UI
Default Language
Set the plugin's default language.
This setting defines the email address where suspected phishing emails are forwarded. Multiple email addresses can be used, separated by a semicolon symbol (;).
Inline Message Forwarding
If enabled, the plugin will clear the body of the email before forwarding.
Deeper Analysis Request
If enabled, the plugin will ask the reporter if they'd like the security team to analyze the email.
Deeper Analysis Comment
If enabled, the plugin will add a comment field to the report UI.
Attachment Format
Reported message will be forwarded in .eml format (instead of .msg).
Disable Autoresponder
If enabled, LUCY will not send any automatic response to reporters.
HTTP
Send Reports Over HTTP
If enabled, the plugin will send incident reports to LUCY over HTTP(s).
Never report simulations
If enabled, the plugin will not forward simulation emails over HTTP(s).
Enable O365/MSI Plugin authentication
You can optionally enable user authentication in your reporting workflow. See here for more details.
SMTP
Send reports over SMTP
If enabled, the plugin will send incident reports via SMTP.
Use SMTP for receiving
Never report simulations
If enabled, the plugin will not forward simulation emails over SMTP.
Send simulations over HTTP
If enabled, the plugin will forward simulation emails over HTTP(s). Use this option if you want to ignore simulation emails in your incidents dashboard, but still want the report to be included in campaign stats.
Use X-Headers
If enabled, the plugin will add a header to the forwarded email:
X-CI-Report: True
It will also add this HTML to the body of the message:
<p>X-CI-Report: True</p>
Actions
Delete reported email
Select this action and the plugin will delete the original message after reporting.
Move reported email to folder
Select this action and the plugin will move the original message to the configured location after reporting.
Move reported email to junk
Select this action and the plugin will move the original message to the user's junk folder after reporting.
Notify of expired incidents
Enable this to receive email notifications about reports more than 30 days old that have not been categorized.
Using "Send reports over SMTP" and "Use SMTP for receiving incident reports" will cause LUCY to intercept all emails to the reporter domain. In other words, recipients on the same domain as the reporter email will no longer receive any emails from LUCY.
Last updated