KnowBe4 PhishAlert and Microsoft Report Phishing are both report-and-submit buttons. A user clicks them, the email goes to an admin queue, and the user gets a generic confirmation. That is the entire user-facing experience. The analysis — if any — happens behind the scenes, visible only to administrators.
Lavawall® works differently. When a user clicks Phish Report, the taskpane opens and shows them — in plain English, in under three seconds — the specific reasons this email should or should not be trusted: the domain age, whether the sending server was authorized, attachment risk, link destinations, and more. Users learn from every report. Admins get the same structured data they always did, plus richer analysis.
For MSPs, Lavawall® adds multi-tenant reporting, integrated help desk ticket creation, and a domain reputation database — none of which KnowBe4 PhishAlert or Microsoft Report Phishing provide.
The core difference: reporting vs. explaining
User clicks the button → email is submitted to admin queue → user sees a generic confirmation message.
The user still does not know whether the email was genuinely suspicious, a training exercise, or a legitimate newsletter. No learning happens at the point of action.
User clicks the button → taskpane shows a plain-English analysis: domain age, SPF/DKIM/DMARC, attachment risk, link destinations → user reports or marks safe with full context.
Every report is a micro-training moment. Users become more confident and accurate over time. Admins get richer data.
- ✅ or ⚠️ for each finding in plain language
- Domain age: "registered 8 days ago"
- Auth: "the sending server was not authorized"
- PDF: "contains scripting only for printing" vs. "JavaScript that fetches a remote URL"
- Links: "all links lead to established websites"
- TOR / VPN / datacenter flags on the sending IP
- A "more ▾" button for full technical detail
Feature comparison
| Capability | Lavawall® | KnowBe4 PhishAlert | Microsoft Report Phishing |
|---|---|---|---|
| Plain-language risk summary shown to the user | ✓ On every email, instantly | ✗ Not provided | ✗ Not provided |
| Sender domain age & registration date | ✓ Shown in taskpane | ✗ | ✗ |
| SPF / DKIM / DMARC in plain English | ✓ Per-email, with "more ▾" technical detail | ✗ | Partial (admin view only) |
| DMARC policy shown (p=none / quarantine / reject) | ✓ | ✗ | ✗ |
| PDF contextual JS analysis (benign vs. dangerous) | ✓ Distinguishes print dialogs from exploits | ✗ | ✗ |
| Office macro / embedded script analysis | ✓ | ✗ | ✗ |
| Attached .eml / .msg email analysis | ✓ | ✗ | ✗ |
| URL shortener expansion (server-side, user not exposed) | ✓ | ✗ | Safe Links wraps all |
| Recipient identifier in URL (credential pre-fill detection) | ✓ Decodes base64, shows what is embedded | ✗ | ✗ |
| Typosquat detection | ✓ e.g. paypa1.com → paypal.com | ✗ | Limited |
| Sending server IP, ISP, country, TOR / VPN flags | ✓ | ✗ | ✗ |
| Positive feedback for reporting simulations | ✓ Detects 20+ platforms (KnowBe4, Defender, Huntress, etc.) | ✓ KnowBe4 sims only | ✓ Defender sims only |
| Multi-tenant MSP dashboard | ✓ Native, all clients in one view | Add-on (KMSAT) | Requires MDE per tenant |
| Ticket creation on report | ✓ Integrated with Lavawall help desk | ✗ | ✗ |
| Domain reputation database | ✓ Persistent, per-tenant | Admin-facing | Microsoft threat intel |
| Raw headers in copy-paste format for analysts | ✓ Collapsible header block in each report | Included in submitted email | Included in submitted email |
| Phishing simulation platform included | ✓ Native phishing simulation + educational landing pages | ✓ (separate KMSAT subscription) | ✓ (Attack Simulator, E5 plan) |
| Included with base subscription | ✓ No per-seat PhishAlert fee | PhishAlert free; KMSAT separate | Reporting free; Attack Sim requires P2 |
| Built and audited by CISSP / CISA practitioners | ✓ ThreeShield, Calgary | Vendor-managed | Vendor-managed |
Simulation recognition — positive feedback that matters
Security awareness programs depend on positive reinforcement. When a user correctly reports a simulation, they should know immediately that they did the right thing — not wonder whether they just triggered a real incident.
Lavawall® automatically detects simulation emails from all major platforms and shows the user a positive message instead of a security alert. No ticket is created. No admin is paged. The following platforms are detected out of the box:
Detection uses a combination of custom headers (e.g. X-KnowBe4-PhishAlert, X-PhishMe-Id, X-Gophish-Signature), known sending domains, and subject-line patterns. Custom simulation headers can be added per tenant in settings.
Who should pick which?
Pick Lavawall® if…
- You want users to understand why an email is suspicious — not just submit it blindly
- You are an MSP managing multiple tenants from one dashboard
- You want phishing reporting, ticket creation, and domain reputation in one platform
- You use KnowBe4 or another simulation platform and want the reporter to correctly handle simulation emails with positive feedback
- You want PDF, Office, and ZIP attachment analysis shown to users directly
- You are on any Lavawall® plan and want this at no additional cost
Pick KnowBe4 PhishAlert if…
- You are already deeply invested in the KnowBe4 KMSAT ecosystem and want to keep everything in one vendor relationship
- Your admin team handles all triage and you do not need users to see any analysis
Pick Microsoft Report Phishing if…
- You are a Microsoft E5 shop and want a zero-additional-cost option for submission only
- You do not need per-user real-time analysis or multi-tenant MSP features
Frequently asked
- What does Lavawall show users that KnowBe4 PhishAlert doesn’t?
- KnowBe4 PhishAlert collects the reported email and sends it to administrators. Lavawall® shows every user — in plain English, in real time — the sender domain age, SPF/DKIM/DMARC authentication status, attachment risk analysis, link reputation, typosquat detection, and sending server intelligence. Users learn from every report.
- Does Lavawall detect KnowBe4 phishing simulations?
- Yes. Lavawall® automatically detects KnowBe4 simulation emails using the
X-KnowBe4-PhishAlertheader and known KnowBe4 sending domains. When a user reports a simulation, they receive positive feedback. No ticket is created. - Does Lavawall replace KnowBe4 or work alongside it?
- Both. Lavawall® can work alongside KnowBe4, correctly handling simulation emails with positive reinforcement. Lavawall also includes its own native phishing simulation capability with educational landing pages for organizations that prefer a single platform.
- Is the Lavawall Phishing Reporter free?
- The Phishing Reporter is included with all Lavawall® subscriptions at no additional per-seat cost. There is no separate PhishAlert-style add-on fee.
- Does Lavawall work for shared mailboxes?
- Yes. Deploy the add-in directly to the shared mailbox in M365 Admin Center → Integrated Apps, or add the shared mailbox as a full account in Outlook desktop. Both methods load the add-in correctly for shared mailbox messages.