HowTo: Configure CyberHoot's Report Phish Integration for Google Workspace
Google Workspace "Report Phish" Integration
🔹 Overview
Gmail's built-in "Report Phishing" button sends reports only to Google's internal Alert Center — it does not forward to a custom mailbox. To route user-reported phishing emails to CyberHoot, a Gmail add-on from the Google Workspace Marketplace is required.
Required add-on: Demisto Phishing Add-on
| Feature | Details |
|---|---|
| One-click reporting | Users click a single button to report suspicious email |
| Forwarding method | Forwards the original email as an attachment to your configured address |
| Admin-configurable | Destination email is set once by the admin and applies to all domain users |
| Marketplace listing | workspace.google.com/marketplace |
1️⃣ Install the Add-on (Admin Only)
- Go to the Demisto Phishing Add-on page in the Google Workspace Marketplace:
👉 https://workspace.google.com/marketplace/app/demisto_phishing_addon/98372960675 - Click Admin Install
- Select Everyone at your organization
- Check the box to agree to the Terms of Service, Privacy Policy, and Google Workspace Marketplace Terms of Service
- Click Finish
2️⃣ Configure the Add-on (Admin Only)
Once installed, the admin must configure the destination email from within Gmail. This is a one-time setup and the settings apply to all users in the domain.
- Open Gmail while signed in as a Google Workspace admin
- In the right sidebar, click the Demisto add-on icon to open the panel
- The panel will display an Admin Setup section with the following fields:
| Field | What to enter |
|---|---|
| Forwarding email address | Enter reportphish@cyberhoot.com to send reports directly to CyberHoot, or enter your internal security team's mailbox if you prefer to review reports before they are forwarded |
| Add-on display name | Enter a name your users will recognise, e.g. Report Phishing |
| Add-on logo URL | Optionally enter your own logo URL, or use CyberHoot's logo:https://cyberhoot.com/wp-content/themes/cyberhoot-theme/images/logo.png |
- Click Update to save. Settings are applied domain-wide immediately.
📌 If you choose to use an internal mailbox as the forwarding address, make sure to configure that mailbox to forward a copy of all received reports to
reportphish@cyberhoot.com so CyberHoot can process them. See Step 3 below.3️⃣ Forward Reports to CyberHoot (If Using an Internal Mailbox)
Skip this step if you entered reportphish@cyberhoot.com directly in Step 2. If you are routing reports through an internal security mailbox first, follow these steps to forward a copy to CyberHoot.
Google Workspace blocks automatic external forwarding by default, so you must first enable it for the reporting mailbox.
3️⃣.1️⃣ Allow External Forwarding for the Reporting Mailbox
- Sign in to the reporting mailbox in Gmail
- Go to Settings → See all settings → Forwarding and POP/IMAP
- Click Add a forwarding address and enter
reportphish@cyberhoot.com - Confirm the forwarding address when prompted by Google
- Select Forward a copy to retain the original in the internal mailbox
- Click Save Changes
4️⃣ Validate the Full Flow
- Send a test phishing email to a user
- User opens the email in Gmail and clicks the Report Phishing button in the sidebar
- Confirm:
- The reported email is forwarded to the configured address
- If using an internal mailbox, confirm it relays a copy to CyberHoot
- The original email is preserved as an
.emlattachment
📌 Result:
User-reported messages are automatically forwarded to CyberHoot with a single click, with no further action required from the user.
User-reported messages are automatically forwarded to CyberHoot with a single click, with no further action required from the user.
Related Articles
HowTo: Configure CyberHoot's Report Phish Integration for M365
Microsoft 365 Built-in “Report Phish” Integration ?Overview Microsoft 365 supports a native Report button in Outlook that users click to report suspicious email. Admins can configure these reports to be delivered to a designated reporting mailbox. ...HowTo: Allow-List CyberHoot’s Domain Name and IP Addresses – Google Workspace
New CyberHoot businesses need to allow our training and phishing emails to reach their user’s inboxes directly. This article describes the two steps needed to make this happen. Note: If you wish to create an allow-list just for yourself personally ...HowTo: Allow-List CyberHoot’s AttackPhish Simulation Servers in M365
Detailed Instructions From Microsoft: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/skip-filtering-phishing-simulations-sec-ops-mailboxes?view=o365-worldwide Once you click the link above, follow the instructions under ...HowTo: Avanan Allow-Listing in Google Workspace
This HowTo article explains how to configure Avanan’s Allow Listing to allow Attack Phishing tests to reach end users. Warning: CyberHoot supports fake email Attack-Phishing for customers. Please keep in mind this approach uses negative reinforcement ...HowTo: How to Add Users via Google Workspace Sync on the Autopilot Platform
Adding users to CyberHoot’s Autopilot Platforms via Google Workspace Sync If your company uses Google Workspace, you can use it as a simple and effective way to manage users within CyberHoot. Follow the steps below: Instructions for Autopilot ...