Step 1: Create Google Workspace Add on project

  1. Navigate to and login as the domain super admin. Click New project.

  2. Click Untitled project, rename the project Report potential phishing, and then click Rename.

  3. Click the + sign next to Files and select Script.

  4. Type Config as the file name and press Enter. The file list looks like this:

  5. Click the Settings icon at the bottom of the navigation bar.

  6. Select the Show "appscript.json" manifest file in editor checkbox.

  7. Click the Code Editor icon in the navigation bar.


    The appscript.json file appears in the file list like the example below:

  8. Using the provided file, extract, copy, and paste the contents of each file into the corresponding files in the Apps Script editor.

    • Before

    • After

  9. After the files are copied into and saved in the Apps Script editor, click Deploy and select New deployment.

  10. Click the gear icon next to Select type and select Web app and Add-on.

  11. Type Report potential phishing as the New description, select the Anyone within… option under Who has access, and then click Deploy.

  12. After the deploy is complete, click Copy under the Deployment ID and paste the ID somewhere for use in a later step.


    Keep this tab open. You return to it in a later step


Step 2: Create Google Workspace Cloud project

  1. Open a new browser tab and go to, type Report potential phishing as the project name, and then click CREATE.

  2. Click the top left menu icon, select APIs & Services, and then click Enabled APIs & services.

  3. Search for Google Workspace Marketplace SDK.

  4. Select Google Workspace Marketplace SDK from the search results.

  5. Click ENABLE.

  6. Click the App Configuration tab.

  7. From the App Configuration tab, click The OAuth Consent Screen must be enabled for this project.

  8. On the OAuth consent screen, select Internal and then click CREATE.

  9. Complete the following fields, leaving the rest empty, and then click SAVE AND CONTINUE.

    • App name: Report potential phishing

    • User support email: type an email address for the security team/help desk where end users can direct general questions if they have any

    • Developer contact information:

  10. On the Edit app registration page, click ADD OR REMOVE SCOPES.

  11. In the Update selected scopes area that opens, copy the following scopes into the Manually add scopes field.




  12. Click ADD TO TABLE.

  13. Verify that the 3 scopes are added to the table and are selected and click UPDATE.

  14. The Edit app registration page appears, showing the 3 scopes. Scroll to the bottom of the page and click SAVE AND CONTINUE.


Step 3: Connect Google Workspace Cloud and Add on projects

  1. Go to the App configuration page: and copy the App ID.

  2. Go back to the Apps Script tab, or navigate to the Report potential phishing project at and navigate to Project Settings, then click Change project at the bottom of the page.

  3. Paste the copied App ID from Step 3.1 into the GCP Project Number field, and then click Set project.

  4. Go back to the API & Services cloud console tab, select the Google Workspace Add-on checkbox and Deploy using Apps Script deployment id, then type the Deployment ID copied from Step 1.

  5. Scroll to the OAuth Scopes section, click ADD SCOPE, and add the 3 scopes below. After complete, 5 scopes total should be listed, including the 2 defaults:

  6. Select Admin Only Install for Installation Settings, select Private for App Visibility, and then click SAVE.

  7. Scroll to Developer Links and type the following:

  8. Select the Store Listing tab in the middle of the page. Click the down arrow next to English - under App Details.

  9. Fill in the following App Details fields and then click DONE:

    • Application Name: Report potential phishing

    • Short Description: Report potential phishing emails

    • Detailed Description: Utility to help send potential phishing emails for triage

  10. Fill in the following remaining fields and then click PUBLISH:

    • Category: Administration and Management

    • Graphic Assets (click BROWSE and upload image from zip file):

      • Application Icon 32x32: 32x32.png

      • Application Icon 128x128: 128x128.png

      • Application Card Banner: 128x128.png

    • Screenshot (click BROWSE and upload image from zip file): 80x80.png

    • Support Links:

    • Distribution: click All Regions or select from the Regions list.


Step 4: Install add on to domain

  1. Navigate to, click the Report potential phishing app, and then click Domain Install.

  2. In the Domain wide install area, click CONTINUE.

  3. On the OAuth Consent Screen, click the I agree checkbox, and then click ALLOW.

  4. After complete, you see a success message. Click DONE.

  5. The add-on becomes available to end users shortly. It can take as long as 24 hours for the deployment to take effect.