Report phishing and suspicious emails in Outlook for admins

In Microsoft 365 organizations with mailboxes in Exchange Online, users can report phishing and suspicious email in Outlook. Users can report false positives (good email that was blocked or sent to their Junk Email folder) and false negatives (unwanted email or phishing that was delivered to their Inbox) from Outlook on all platforms using free tools from Microsoft.

Microsoft provides the following tools for users to report good and bad messages:

• The built-in Report button in supported versions of Outlook on virtually all Outlook platforms, including shared and delegate mailboxes.

For more information about reporting messages to Microsoft, see Report messages and files to Microsoft.

Admins configure user reported messages to go to a specified reporting mailbox, to Microsoft, or both. These user reported messages are available on the User reported tab on the Submissions page in the Microsoft Defender portal. For more information, see User reported settings.

• The built-in Report button is available in the following versions of Outlook:

  • Outlook for Microsoft 365:
    • Current channel: Version 16.0.17827.15010 or later.
    • Monthly Enterprise Channel: Version 16.0.18025.20000 or later.
    • Semi-Annual Channel (Preview): Release 2502, build 16.0.18526.20024 or later.
    • Semi-Annual Channel: Release 2502, build 16.0.18526.20024 or later.
  • Outlook for Mac version 16.89 (24090815) or later.
  • Outlook for iOS version 4.2511 or later.
  • Outlook for Android version 4.2446 or later.
  • The new Outlook for Windows.
  • Outlook on the web.

  The Report button is available in supported versions of Outlook if both of the following conditions are true:

  • User reporting is turned on.
  • The built-in Report button is configured in the user reported settings at https://security.microsoft.com/securitysettings/userSubmission.

  If user reporting is turned off and a non-Microsoft add-in button is selected, the Report button isn't available in supported versions of Outlook.

• The built-in Report button in Outlook on the web, Outlook for Mac, Outlook for iOS, Outlook for Android, and the new Outlook for Windows supports reporting messages from shared mailboxes or other mailboxes by a delegate.

  • Shared mailboxes require Send As or Send On Behalf permission for the user.
  • Other mailboxes require Send As or Send On Behalf permission and Read and Manage permissions for the delegate.

• Users can report a message as junk from the Inbox or any email folder other than Junk Email folder.
• Users can report a message as phishing from any email folder.

In a supported version of Outlook, select one or more messages, select Report, and then select Report phishing or Report junk in the dropdown list.

Based on the User reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The following actions are also taken on the reported messages in the mailbox:

• Reported as junk: The messages are moved to the Junk Email folder.
• Reported as phishing: The messages are deleted.

In a supported version of Outlook, select one or more messages in the Junk Email folder, select Report, and then select Not junk in the dropdown list.

Based on the User reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The messages are also moved out of Junk Email to the Inbox.

To review messages that users have reported to Microsoft, admins can use the User reported tab on the Submissions page in the Microsoft Defender portal at https://security.microsoft.com/reportsubmission. For more information, see View user reported messages to Microsoft.

Admins can watch this short video to learn how to use Microsoft Defender for Office 365 to easily investigate user reported messages. Admins can determine the contents of a message and how to respond by applying the appropriate remediation action.