The Adaptive Phish Alert Button for Gmail is a Google Workspace Add-on designed to give employees a fast, secure way to report suspicious emails. Below is a breakdown of how it works, what permissions it requires, and what those permissions do—and don’t—allow.
🔍 Why Are Gmail Permissions Required?
The button is built using Google Apps Script, which powers Gmail add-ons. As part of the install process, it requests read and write access. While this may sound broad, it’s important to understand that these permissions are narrowly scoped and only apply to the specific message a user selects.
➕ “Read” Access
Lets Adaptive retrieve the specific email the user has selected to report
This allows us to:
Analyze the message metadata and content
Securely forward the email to your security team or identify it as an Adaptive phishing simulation
It cannot read inboxes or access other messages
➖ “Write” Access
“Write” permission lets us delete that single reported message from the user’s inbox
We never write, modify, or delete anything else
🔒 No Persistent Access or Data Collection
There are no backend services storing credentials, tokens, or accessing your Gmail environment behind the scenes
The app is fully client-side and only acts on user-initiated events
It cannot:
Monitor inboxes in the background
Trigger automatically
Exfiltrate data or scan for content
The add-on is functionally limited to helping users report one message at a time, based on their manual selection
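An administrator reviewing any Gmail add-on can check scoping of this kind against the `oauthScopes` list in the add-on's `appsscript.json` manifest. The following is an added example, not Adaptive's code: the two manifests are constructed samples rather than this add-on's actual manifest, the function names are hypothetical, and the scope strings are Google's published Gmail and Apps Script scopes.

```javascript
// Added example (not Adaptive's code): sort the OAuth scopes listed in an
// add-on's appsscript.json into reach categories for an admin review.
const GMAIL_ADDON_PREFIX = "https://www.googleapis.com/auth/gmail.addons.";
const GMAIL_API_PREFIX = "https://www.googleapis.com/auth/gmail.";
const FULL_MAILBOX = "https://mail.google.com/";
const EXTERNAL_REQUEST = "https://www.googleapis.com/auth/script.external_request";

function classifyScope(scope) {
  // gmail.addons.* scopes are limited to the add-on's current context.
  if (scope.startsWith(GMAIL_ADDON_PREFIX)) return "addon";
  // Every other Gmail scope applies to the whole mailbox.
  if (scope === FULL_MAILBOX || scope.startsWith(GMAIL_API_PREFIX)) return "account";
  // Outbound HTTP from the script (UrlFetchApp).
  if (scope === EXTERNAL_REQUEST) return "network";
  return "other";
}

function auditManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  const report = { explicit: Array.isArray(manifest.oauthScopes),
                   addon: [], account: [], network: [], other: [] };
  // Without an explicit oauthScopes list, Apps Script derives scopes from the
  // code, so the manifest alone cannot confirm what will be requested.
  for (const scope of report.explicit ? manifest.oauthScopes : []) {
    const s = String(scope).trim();
    report[classifyScope(s)].push(s);
  }
  report.messageScopedOnly = report.explicit && report.account.length === 0;
  return report;
}

// Constructed sample manifests for illustration.
const SAMPLE_NARROW = JSON.stringify({ oauthScopes: [
  "https://www.googleapis.com/auth/gmail.addons.execute",
  "https://www.googleapis.com/auth/gmail.addons.current.message.readonly",
  "https://www.googleapis.com/auth/gmail.addons.current.message.action",
  "https://www.googleapis.com/auth/script.external_request",
] });
const SAMPLE_BROAD = JSON.stringify({ oauthScopes: [
  "https://www.googleapis.com/auth/gmail.addons.execute",
  "https://www.googleapis.com/auth/gmail.modify",
  "https://mail.google.com/",
] });

console.log(auditManifest(SAMPLE_NARROW));
console.log(auditManifest(SAMPLE_BROAD));
```

A report with `messageScopedOnly` set to `false`, or any entry under `account`, means the manifest requests access beyond the message the user has open.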
Questions?
If you have further questions about permissions, deployment, or want to schedule a technical walkthrough, please reach out to [email protected].