How do I use the Microsoft O365 Killphish Plug In?

KillPhish will provide helpful tips related to dealing with suspicious emails and provide a risk assessment of potentially harmful emails.

Using KillPhish, you can report suspicious emails to the email administrator(s) at the click of a button.

  1. KillPhish Widget
  2. Reporting with KillPhish
    1. Desktop
    2. Web App
    3. Mobile

KillPhish Widget

The KillPhish widget is pictured below:


  • Risk Level: the risk level the plugin assigned to the email. There are three risk levels: low risk (for scores >= 95), medium risk (for emails scored between 60 and 95), and high risk (for emails scored below 60). Several factors influence an email's score: the authentication headers (DKIM, DMARC, and SPF), whether certain attachments are included (HTML and EXE attachments, for example, decrease an email's score), and whether certain words/phrases appear in the email. In addition, every link in the email is checked against Google Web Risk; if any link is dangerous, the email is marked as high risk.
  • Helpful Tips: suggestions for dealing with potentially harmful emails, including reviewing links before clicking, verifying the file types of attachments, and considering the ramifications of following any instructions or actions requested in the email.
  • Details: important properties of the email and their values, including the sender, subject, SPF record pass/fail (if SPF checks fail, the email will be labeled as high risk), attachments, and links contained in the email. Only shown if Advanced Threat Protection is on for the KillPhish plugin.
  • Links/Attachments: all links and attachments in the email, with their associated URLs and file types. Only shown if Advanced Threat Protection is on for the KillPhish plugin.
  • Words/Phrases: an assessment of keywords and phrases typically associated with risky emails, including but not limited to 'password', 'irs', 'label', and 'invoice'. Only shown if Advanced Threat Protection is on for the KillPhish plugin.

* Disclaimer: Users should remain vigilant against email security threats, even if the Advanced Threat Protection (ATP) feature is turned on in the plugin. ATP is not capable of detecting every social engineering/phishing threat in emails. You should use the other tools that Hook Security, Inc. provides to educate your users about the various threats posed by phishing and social engineering, and how to detect these attacks.
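
The Risk Level rules above can be sketched as follows. This is an added example, not KillPhish or Hook Security code: it reads the SPF/DKIM/DMARC verdicts from an Authentication-Results header and applies the thresholds and the two "always high risk" overrides described above. The function names, the `trusted_authserv_id` parameter and the sample headers are assumptions, and the numeric score is taken as an input because the page does not publish how it is weighted.

```python
import re

LOW_MIN, MEDIUM_MIN = 95, 60  # thresholds stated above: >= 95 low, 60 up to 95 medium

_RESULT_RE = re.compile(r"\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.IGNORECASE)

def parse_auth_results(raw_headers, trusted_authserv_id):
    """Collect SPF/DKIM/DMARC verdicts from Authentication-Results headers (RFC 8601).

    Only headers stamped by our own receiving server are read, because a sender
    can insert a forged Authentication-Results header claiming everything passed.
    """
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)  # join folded header lines
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "authentication-results":
            continue
        value = re.sub(r"\([^)]*\)", "", value)  # drop RFC 5322 comments
        parts = value.split(";")
        authserv = parts[0].split()
        if not authserv or authserv[0].lower() != trusted_authserv_id.lower():
            continue  # not stamped by our server: ignore it
        for part in parts[1:]:
            match = _RESULT_RE.match(part)
            if match:
                verdicts[match.group(1).lower()] = match.group(2).lower()
    return verdicts

def risk_level(score, verdicts, dangerous_link=False):
    """Map a numeric score to a risk level, applying the two overrides from the page."""
    # Assumption: only an explicit SPF "fail" triggers the override, not softfail/none.
    if verdicts["spf"] == "fail" or dangerous_link:
        return "high"
    if score >= LOW_MIN:
        return "low"
    if score >= MEDIUM_MIN:
        return "medium"
    return "high"

# Constructed sample: the second header is forged by the sender.
SAMPLE_HEADERS = (
    "Authentication-Results: mx.example.net;\r\n"
    " spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=example.org;\r\n"
    " dkim=pass header.d=example.org; dmarc=fail action=none\r\n"
    "Authentication-Results: attacker.invalid; spf=pass; dkim=pass; dmarc=pass\r\n"
    "Subject: Invoice attached\r\n"
)

if __name__ == "__main__":
    verdicts = parse_auth_results(SAMPLE_HEADERS, "mx.example.net")
    print(verdicts, risk_level(97, verdicts))
```
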

Reporting with KillPhish

KillPhish is cross-platform compatible. Once deployed, KillPhish will be available in Outlook for desktop, mobile, and web. The method for opening the KillPhish widget varies from platform to platform.


Desktop

If an email is brought into focus in the inbox, the Report Phishing button will appear in the Outlook ribbon, pictured below:

To report an email:

  1. Click the button to display the KillPhish widget.
  2. Click "Report Email & Sender".

Web App

To display the KillPhish widget in the Outlook web app, bring an email into focus, then click the 'More Options' ellipsis located at the top-right corner of the email window:


Then select "KillPhish" in the drop-down menu:


Finally, click the "Report Email & Sender" button in the widget:


If you would like to pin KillPhish beside your reply icon, follow these steps:

  1. Click the settings gear icon and then select "View all Outlook settings":
  2. In the pop-up, navigate to Mail > Customize Actions > Message Surface and check the box beside KillPhish:
  3. Click "Save".


Mobile

The KillPhish widget is only available for mobile devices from within the Outlook app. To access the options menu, select an email, then tap the options ellipsis in the top-right corner of the email window:


Once the options menu is displayed, tap the KillPhish icon to open the widget:

Finally, click the "Report Email & Sender" button: