Incentives for Malicious Site Reporters (phishing) @msftsecurity
I have two suggestions, both related to phishing attacks against Microsoft.
▶Make phishing reports traceable!
The phishing reports sent to hXXps://www[.]microsoft[.]com/en-us/wdsi/support/report-unsafe-site-guest
result in a generic "thank you" message, and thus give me the impression that they go into a black hole.
No ticket, no OLA, no trace that the report has ever been sent nor received.
This severely discourages independent security analysts like myself from using your reporting system,
even if it is related to Microsoft products like Outlook or OneDrive.
Create an API for reporting, not only the clunky web form.
▶Create a report-gift system.
Count legit reports sent out by security investigators and award them accordingly.
Once a security analyst participant has reached a given threshold, let's say 5000, grant them gift packages like:
-Swag, plush toys (I want that Windows XP ugly sweater)
-Ergonomic Microsoft keyboards, mice, Surface tablet-laptop
-Lump sum (people who report phishing are helping Microsoft for free)
Feedback Hub hXXps://aka[.]ms/AA8mb21