Lavawall® vs KnowBe4 PhishAlert & Microsoft Defender

KnowBe4 PhishAlert collects reported emails. Microsoft Defender PhishAlert does the same. Lavawall® tells every user exactly what is suspicious about the email they are looking at — before they decide whether to click anything.

KnowBe4 PhishAlert and Microsoft Report Phishing are both report-and-submit buttons. A user clicks, the email goes to an admin queue, and the user gets an acknowledgment. If the reported email was a phishing simulation, PhishAlert does tell the user that — useful positive reinforcement. But that is the only feedback a user ever receives: nothing explains why a real email is or isn’t suspicious, so no learning happens at the point of action. And every genuine report still lands in an admin queue that someone has to research by hand, because no analysis travels with the submission.

KnowBe4 PhishAlert also asks the user’s Microsoft 365 tenant to grant it broad OAuth permissions — including Mail.ReadWrite, Mail.ReadWrite.Shared, Mail.Send, and Mail.Send.Shared — before it can function. For an organization with a thorough security-review process, that grant alone is often the longest part of the deployment conversation.

Lavawall® works differently. When a user clicks Phish Report, the taskpane opens and shows them — in plain English, in under three seconds — the specific reasons this email should or should not be trusted: the domain age, whether the sending server was authorized, attachment risk, link destinations, and more. Users learn from every report. Admins get the same structured data they always did, plus richer analysis. And the Phishing Reporter add-in itself doesn’t request any OAuth scopes — it uses Outlook’s native add-in identity instead. (The wider Lavawall® security platform does connect to the tenant once during onboarding for breach detection, device, and GRC features, but the Reporter doesn’t add anything on top of that admin-consented baseline.)

For MSPs, Lavawall® adds multi-tenant reporting, integrated help desk ticket creation, and a domain reputation database — none of which KnowBe4 PhishAlert or Microsoft Report Phishing provide.

The core difference: reporting vs. explaining

KnowBe4 PhishAlert / Microsoft Report Phishing

User clicks the button → email is submitted to an admin queue → user sees an acknowledgment, plus a “that was a simulation” message if it was a training exercise.

For a real email, the user never learns whether it was genuinely dangerous or a legitimate newsletter — only that it was reported. Admins must research every real submission by hand. No analysis happens at the point of action.

Lavawall® Phishing Reporter

User clicks the button → taskpane shows a plain-English analysis: domain age, SPF/DKIM/DMARC, attachment risk, link destinations → user reports or marks safe with full context.

Every report is a micro-training moment. Users become more confident and accurate over time. Admins get richer data.

What the user actually sees
  • ✅ or ⚠️ for each finding in plain language
  • Domain age: "registered 8 days ago"
  • Auth: "the sending server was not authorized"
  • PDF: "contains scripting only for printing" vs. "JavaScript that fetches a remote URL"
  • Links: "all links lead to established websites"
  • TOR / VPN / datacenter flags on the sending IP
  • A "more ▾" button for full technical detail

Mailbox permissions: what each tool asks for

Phishing reporting can be done with almost no permissions, or it can ask the user’s tenant to consent to a broad mailbox grant. The difference matters for security review, conditional access, and what happens to those permissions if the vendor is breached. Here is what each product actually asks for, sourced from each vendor’s own current documentation:

Lavawall® Phishing Reporter

The Phishing Reporter add-in itself asks for no OAuth scopes from individual users.

The Reporter runs entirely inside Microsoft’s native Office.js add-in runtime. Outlook already knows which user has the mailbox open, and supplies only the message being viewed to the add-in — no separate sign-in, no per-user consent dialog, no token the add-in itself holds, no Graph scopes it can call against another mailbox.

Lavawall® is a full Microsoft 365, Entra ID, and Azure security platform, so the customer’s tenant does get connected to Lavawall once during onboarding — via the same admin consent the rest of the platform uses for breach detection, GRC, device discovery, snapshot/rollback, and so on. That connection is established by an admin, scoped to the platform’s overall consent grant (which is documented and reviewable), and is what lets the console correlate phishing reports with users, devices, sign-in risk, and tenant context. The Phishing Reporter add-in doesn’t introduce any additional permissions on top of what the customer already granted the platform.

What the add-in itself sees: the single open message at the moment the user clicks Phish Report. What the surrounding Lavawall platform sees is determined by the tenant’s admin during onboarding, and is fully disclosed in the consent flow.

KnowBe4 PhishAlert (Microsoft Ribbon PAB)

Requires an OAuth admin-consent grant of the following Microsoft Graph permissions across the tenant:

  • Mail.ReadWrite — read and write the user’s mailbox
  • Mail.ReadWrite.Shared — read and write shared mailboxes the user has access to
  • Mail.Send — send mail as the user
  • Mail.Send.Shared — send mail as / on behalf of shared mailboxes the user has access to
  • openid, profile — basic identity

Source: KnowBe4 Knowledge Base, “Update to Nested App Authentication Single Sign-On (NAA-SSO) for the Phish Alert Button.” The grant is admin-consented across the whole tenant; individual users can’t opt out.

If you ever need to justify a deployment decision to a security review board, the question to ask is: does a one-click reporting button really need write access to every user’s mailbox and the ability to send mail as them? Lavawall® demonstrates that the answer is no — the same job (and a great deal more analysis) can be done with no tenant-wide mail permissions at all.

For context, the reason behind KnowBe4’s permission list is the move from legacy Exchange Online tokens to Nested App Authentication Single Sign-On (NAA-SSO). The new model needs OAuth scopes for the Graph API calls the PAB makes when it forwards reported messages and deletes the original. Lavawall®'s architecture does not depend on Graph API calls in the first place, so the permissions simply aren’t needed.
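For a security review of any add-in's consent, the delegated grants in a tenant can be checked against the mail scopes listed above. The following is an added example, not Lavawall or KnowBe4 code: it parses a constructed sample shaped like Microsoft Graph's oauth2PermissionGrants response (fields clientId, consentType, principalId, scope) and flags grants that carry those scopes. The clientId values and the severity labels are assumptions of this example.

```python
import json

# Mail scopes this page lists for the KnowBe4 PAB grant (openid/profile omitted).
BROAD_MAIL_SCOPES = {"Mail.ReadWrite", "Mail.ReadWrite.Shared",
                     "Mail.Send", "Mail.Send.Shared"}

# Constructed sample in the shape of a Graph oauth2PermissionGrants listing.
# The clientId values are placeholders, not real service principal ids.
SAMPLE = json.dumps({"value": [
    {"clientId": "sp-reporting-button", "consentType": "AllPrincipals",
     "principalId": None,
     "scope": "openid profile Mail.ReadWrite Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared"},
    {"clientId": "sp-calendar-tool", "consentType": "AllPrincipals",
     "principalId": None, "scope": "openid profile Calendars.Read"},
    {"clientId": "sp-notes-app", "consentType": "Principal",
     "principalId": "user-0001", "scope": " User.Read  mail.send "},
]})

def review_grants(raw_json):
    """Return one finding per grant that carries any of the broad mail scopes."""
    wanted = {s.lower(): s for s in BROAD_MAIL_SCOPES}
    findings = []
    for grant in json.loads(raw_json).get("value", []):
        # 'scope' is one space-separated string; tolerate extra spaces and case.
        granted = {s.lower() for s in (grant.get("scope") or "").split()}
        hits = sorted(wanted[s] for s in granted & set(wanted))
        if not hits:
            continue
        # AllPrincipals means admin consent on behalf of every user in the tenant.
        tenant_wide = grant.get("consentType") == "AllPrincipals"
        write_and_send = {"Mail.ReadWrite", "Mail.Send"} <= set(hits)
        findings.append({
            "clientId": grant.get("clientId"),
            "tenant_wide": tenant_wide,
            "scopes": hits,
            # Write plus send across every mailbox is the combination to question.
            "severity": "high" if tenant_wide and write_and_send else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in review_grants(SAMPLE):
        print(finding)
```
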

Feature comparison

Capability Lavawall® KnowBe4 PhishAlert Microsoft Report Phishing
Mailbox permissions / OAuth grants required from the user’s tenant None — uses native Outlook identity ✗ Mail.ReadWrite, Mail.ReadWrite.Shared, Mail.Send, Mail.Send.Shared None — built into Outlook
Plain-language risk summary shown to the user ✓ On every email, instantly ✗ Not provided ✗ Not provided
Sender domain age & registration date ✓ Shown in taskpane
SPF / DKIM / DMARC in plain English ✓ Per-email, with "more ▾" technical detail Partial (admin view only)
DMARC alignment fix guidance with platform-specific DNS records (Mailchimp, SendGrid, etc.) ✓ Shown in the taskpane — an MSP prospect generator
DMARC policy shown (p=none / quarantine / reject)
PDF contextual JS analysis (benign vs. dangerous) ✓ Distinguishes print dialogs from exploits
Office macro / embedded script analysis
Attached .eml / .msg email analysis
URL shortener expansion (server-side, user not exposed) Safe Links wraps all
Recipient identifier in URL (credential pre-fill detection) ✓ Decodes base64, shows what is embedded
Typosquat detection ✓ e.g. paypa1.com → paypal.com Limited
Sending server IP, ISP, country, TOR / VPN flags
Positive feedback for reporting simulations ✓ Detects 20+ platforms (KnowBe4, Defender, Huntress, etc.) ✓ KnowBe4 sims only ✓ Defender sims only
Multi-tenant MSP dashboard ✓ Native, all clients in one view Add-on (KMSAT) Requires MDE per tenant
Ticket creation on report ✓ Integrated with Lavawall help desk
Domain reputation database ✓ Persistent, per-tenant Admin-facing Microsoft threat intel
Raw headers in copy-paste format for analysts ✓ Collapsible header block in each report Included in submitted email Included in submitted email
Phishing simulation platform included ✓ Native phishing simulation + educational landing pages ✓ (separate KMSAT subscription) ✓ (Attack Simulator, E5 plan)
Included with base subscription ✓ Free in Complete; low-cost add-on on other tiers PhishAlert free; KMSAT separate Reporting free; Attack Sim requires P2
Built and audited by CISSP / CISA practitioners ✓ ThreeShield, Calgary Vendor-managed Vendor-managed

Simulation recognition — positive feedback that matters

Security awareness programs depend on positive reinforcement. When a user correctly reports a simulation, they should know immediately that they did the right thing — not wonder whether they just triggered a real incident.

Lavawall® automatically detects simulation emails from all major platforms and shows the user a positive message instead of a security alert. No ticket is created. No admin is paged. The following platforms are detected out of the box:

✓ KnowBe4
✓ Microsoft Defender Attack Simulator
✓ Proofpoint Security Awareness
✓ Cofense PhishMe
✓ IRONSCALES
✓ Hoxhunt
✓ Barracuda PhishLine
✓ Mimecast Awareness Training
✓ Infosec IQ
✓ Sophos Phish Threat
✓ Huntress Security Awareness
✓ Abnormal Security
✓ GoPhish
✓ Lucy Security
✓ Wombat / Proofpoint
✓ Terranova Security
✓ Ninjio
✓ Curricula
✓ Phished.io
✓ LMS365 Awareness

Detection uses a combination of custom headers (e.g. X-KnowBe4-PhishAlert, X-PhishMe-Id, X-Gophish-Signature), known sending domains, and subject-line patterns. Custom simulation headers can be added per tenant in settings.
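A marker header is set by whoever sends the message, so a check built on the combination described above should only suppress the ticket when the header is backed by an authenticated known sending domain. The following is an added example of that logic, not Lavawall's implementation: the header names come from this page, while the sending domain, the trusted authserv-id, the verdict names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Header names the page gives as examples; the vendor labels are this example's own.
SIM_HEADERS = {"X-KnowBe4-PhishAlert": "KnowBe4",
               "X-PhishMe-Id": "Cofense PhishMe",
               "X-Gophish-Signature": "GoPhish"}
# Constructed placeholders: the page does not list the known sending domains.
KNOWN_SIM_DOMAINS = {"KnowBe4": {"sim-vendor.example"}}
TRUSTED_AUTHSERV = "mx.tenant.example"   # our own receiving server (assumed)
DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", re.I)

# Constructed sample messages (header values are illustrative).
VERIFIED_SIM = ("Authentication-Results: mx.tenant.example; dkim=pass header.d=sim-vendor.example\n"
                "X-KnowBe4-PhishAlert: 1\nSubject: Password expiry notice\n\nbody\n")
MARKER_ONLY = ("Authentication-Results: mx.tenant.example; dkim=fail header.d=other.example\n"
               "X-KnowBe4-PhishAlert: 1\nSubject: Invoice attached\n\nbody\n")
ORDINARY = ("Authentication-Results: mx.tenant.example; dkim=pass header.d=news.example\n"
            "Subject: Weekly digest\n\nbody\n")

def dkim_domains(msg):
    """DKIM-passing domains, read only from Authentication-Results we stamped."""
    out = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv = value.split(";", 1)[0].strip().lower()
        if authserv == TRUSTED_AUTHSERV:
            out.update(d.lower() for d in DKIM_PASS.findall(value))
    return out

def classify(raw):
    """Return (verdict, vendor): 'simulation', 'unverified-marker' or 'analyze'."""
    msg = message_from_string(raw)
    vendor = next((v for h, v in SIM_HEADERS.items() if msg.get(h) is not None), None)
    if vendor is None:
        return ("analyze", None)
    if dkim_domains(msg) & KNOWN_SIM_DOMAINS.get(vendor, set()):
        return ("simulation", vendor)
    # Marker header without an authenticated known sender: keep the normal
    # report path (analysis, ticket) instead of showing the positive message.
    return ("unverified-marker", vendor)

if __name__ == "__main__":
    for name, raw in (("verified", VERIFIED_SIM), ("marker", MARKER_ONLY), ("ordinary", ORDINARY)):
        print(name, classify(raw))
```
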

Pricing — month-to-month, no three-year lock-in

KnowBe4's lowest per-seat rates require a multi-year commitment. Lavawall is billed month-to-month, and the Phishing Reporter ships as part of Security Awareness Training — bundled free into the Complete tier, or a per-user add-on on the Grow and Professional tiers.

 | Lavawall® | KnowBe4
Per user / month | C$1.95 / US$1.50 | ~C$2.20 list (before a 20% MSP discount)
Term for the best price | None — month-to-month | 3-year term
Free in a platform tier | ✓ Complete tier | Separate product
Training + Phishing Reporter together | ✓ One per-user line | KMSAT + PhishAlert priced separately

Lavawall add-on price is per user per month in CAD/USD. KnowBe4 figure is a publicly-referenced list rate for its lower training tier; actual pricing is quote-based and term-dependent.

Who should pick which?

Pick Lavawall® if…

  • You want users to understand why an email is suspicious — not just submit it blindly
  • You are an MSP managing multiple tenants from one dashboard
  • You want phishing reporting, ticket creation, and domain reputation in one platform
  • You use KnowBe4 or another simulation platform and want the reporter to correctly handle simulation emails with positive feedback
  • You want PDF, Office, and ZIP attachment analysis shown to users directly
  • You want a built-in DMARC fix-guidance generator that turns “why is this email flagged?” conversations between your customer and their vendors into warm MSP leads
  • You want training and phishing reporting on one per-user line, month-to-month, instead of a multi-year KnowBe4 term

Pick KnowBe4 PhishAlert if…

  • You are already deeply invested in the KnowBe4 KMSAT ecosystem and want to keep everything in one vendor relationship
  • Your admin team handles all triage and you do not need users to see any analysis

Pick Microsoft Report Phishing if…

  • You are a Microsoft E5 shop and want a zero-additional-cost option for submission only
  • You do not need per-user real-time analysis or multi-tenant MSP features

Frequently asked

What does Lavawall show users that KnowBe4 PhishAlert doesn’t?
KnowBe4 PhishAlert collects the reported email and sends it to an admin queue. Its only user-facing feedback is whether the reported email was a phishing simulation — it never explains why a real email is suspicious, and admins must research every genuine submission by hand. Lavawall® shows every user, in plain English and in real time, the sender domain age, SPF/DKIM/DMARC status, attachment risk, link reputation, typosquat detection, and sending-server intelligence, so users learn from every report.

What Microsoft 365 / Graph permissions does the Phishing Reporter add-in need?
The Phishing Reporter add-in itself doesn’t request any Graph scopes. It runs inside Microsoft’s native Office.js add-in runtime — the same architecture Microsoft’s own Report Phishing button uses — so there is no per-user OAuth consent screen, no Mail.ReadWrite grant from individual users, no token the add-in holds. Lavawall® is also a full Microsoft 365, Entra ID, and Azure security platform, so the customer’s tenant does get connected once during onboarding through a regular admin-consent flow that covers the wider platform (breach detection, device discovery, GRC, snapshot/rollback, and so on) — but the Phishing Reporter doesn’t add anything to that baseline. By contrast, KnowBe4 PhishAlert itself requires an admin-consented grant of Mail.ReadWrite, Mail.ReadWrite.Shared, Mail.Send, and Mail.Send.Shared across the entire tenant, just to deliver the reporting button.

Does Lavawall detect KnowBe4 phishing simulations?
Yes. Lavawall® automatically detects KnowBe4 simulation emails using the X-KnowBe4-PhishAlert header and known KnowBe4 sending domains. When a user reports a simulation, they receive positive feedback. No ticket is created.

Does Lavawall replace KnowBe4 or work alongside it?
Both. Lavawall® can work alongside KnowBe4, correctly handling simulation emails with positive reinforcement. Lavawall also includes its own native phishing simulation capability with educational landing pages for organizations that prefer a single platform.

Is the Lavawall Phishing Reporter free?
It is included at no extra charge in the Complete tier. On the Grow and Professional tiers it is a per-user add-on at C$1.95 / US$1.50 per user/mo, billed month-to-month — with no multi-year term, unlike KnowBe4's lowest per-seat rates.

Does Lavawall work for shared mailboxes?
Yes. Deploy the add-in directly to the shared mailbox in M365 Admin Center → Integrated Apps, or add the shared mailbox as a full account in Outlook desktop. Both methods load the add-in correctly for shared mailbox messages.

Phishing Reporter vs. KnowBe4 training: two different problems

The Phishing Reporter and KnowBe4 PhishAlert solve different problems. KnowBe4's broader value proposition is its security awareness training platform (KMSAT) — a large library of short-form training videos, gamified modules, and phishing simulations. PhishAlert is the email reporting button that sits alongside it.

Lavawall® addresses both sides. The Phishing Reporter provides better per-email analysis than PhishAlert. The training platform provides jurisdiction-specific courses for Canada, the US, the UK, Australia, and the EU — something KnowBe4's library does not cover by default, particularly for Canadian law (PIPEDA, Quebec Law 25, PHIPA, YCJA/CYFSA), Australian law (Privacy Act 1988, Essential Eight, the Notifiable Data Breaches scheme), and EU-specific law (NIS2, DORA, the Cyber Resilience Act).

Training coverage | Lavawall® | KnowBe4 KMSAT
Canada: Canadian law (PIPEDA, Law 25, PHIPA, YCJA) | ✓ Included — 25 vertical industries | Partial / extra cost
United States: US law (HIPAA, FERPA, COPPA, CCPA) | ✓ Included — 25 vertical industries | ✓ Included
United Kingdom: UK law (UK GDPR, DPA 2018, RIPA, safeguarding) | ✓ Included — 25 vertical industries | Partial
Australia: Australian law (Privacy Act, Essential Eight, NDB) | ✓ Included — 25 vertical industries | Not included
European Union: EU law (GDPR, NIS2, DORA, CRA) | ✓ Included — EU GDPR for CA/US too | Partial
Compliance framework courses (33) | ✓ Essential Eight, CMMC, CPCSC, FINTRAC, and more | Some
General content library (breadth) | Jurisdiction-focused; not thousands of videos | ✓ Thousands of modules
Policy acknowledgement with GRC document sign-off | ✓ Included | Separate tool
Pricing | Included with subscription | Per user / year (KMSAT)

If you are an MSP with Canadian, UK, Australian, or EU clients and you need jurisdiction-specific content without a separate per-seat training subscription, Lavawall® is the clear fit. If you need a very large library of generic short-form modules and are primarily serving US clients, KnowBe4 KMSAT's content breadth is an advantage. The two can also coexist — the Lavawall® Phishing Reporter detects and correctly handles KnowBe4 simulation emails.