Wondering what to do with suspicious email messages, URLs, email attachments, or files? In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, users and admins have different ways to report suspicious email messages, URLs, and email attachments to Microsoft.
In addition, admins in Microsoft 365 organizations with Microsoft Defender for Endpoint also have several methods for reporting files.
Watch this video that shows more information about the unified submissions experience.
Report suspicious email messages to Microsoft
Important
When you make a submission to Microsoft, everything associated with the submission is copied and included in the continual algorithm reviews. This copy includes all data associated with submission, including: message content, headers, any attachments, related data about routing and all other data directly associated with the submission.
Microsoft treats your submission as your organization's permission to analyze all the information to fine tune the submission hygiene algorithms. Your submission is held in secured and audited data centers in the USA. The submission is deleted as soon as it's no longer required. Microsoft personnel might read your submitted messages and attachments, which is normally not permitted for customer data in Microsoft 365. However, your submission is still treated as confidential between you and Microsoft, and your data isn't shared with any other party as part of the review process. Microsoft may also use AI to evaluate and create responses tailored to your submissions.
Admins can report good (false positives) and bad (false negative) messages, email attachments, and URLs (entities) from the available tabs on the Submissions page.
Admins can also submit user reported messages from the User reported tab on the Submissions page to Microsoft for analysis. The Submissions page is available only in organizations with Exchange Online mailboxes as part of a Microsoft 365 subscription (not available in standalone EOP).
If users are allowed to release their own messages from quarantine, and user reported settings is configured to allow users to report quarantined messages, users can select Report message as having no threats (false positive) when they release a quarantined message.
Related reporting settings for admins
User reported settings allow admins to configure whether user reported messages go to a specified reporting mailbox, to Microsoft, or both. After this feature is configured, user reported messages appear on the User reported tab on the Submissions page in the Defender portal.
User reported messages are also available to admins in the following locations in the Microsoft Defender portal:
In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can submit messages to Microsoft for analysis. The messages are analyzed for email authentication and policy checks only. Payload reputation, detonation, and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary). If you report a message, URL, or email attachment to Microsoft from one of these organizations, you get the following message in the result details:
Further investigation needed. Your tenant doesn't allow data to leave the environment, so nothing was found during the initial scan. You'll need to contact Microsoft support to have this item reviewed.
Admins can configure where user reported messages go for analysis: to an internal reporting mailbox, to Microsoft, or both. Other settings complete the reporting experience for users when they report good messages, spam, or phishing messages from Outlook.
Learn how to transition from the Report Message or the Report Phishing add-ins for all version of Outlook to the build in Report button all versions of Outlook.
Admins can learn how to use the Submissions page in the Microsoft Defender portal to submit messages, URLs, and email attachments to Microsoft for analysis. Reasons for submission include: legitimate messages that were blocked, suspicious messages that were allowed, suspected phishing email, spam, malware, and other potentially harmful messages.
Admins can learn how to use the advanced delivery policy in Exchange Online Protection (EOP) to identify messages that shouldn't be filtered in specific supported scenarios (third-party phishing simulations and messages delivered to security operations (SecOps) mailboxes.
This module examines how Microsoft Defender for Office 365 extends EOP protection through various tools, including Safe Attachments, Safe Links, spoofed intelligence, spam filtering policies, and the Tenant Allow/Block List.