User reported settings
Within the new Outlook client [1] and webmail, Microsoft has added a button that lets users report messages as phishing, junk, or not junk. For older Outlook clients you can add these buttons in the admin center; Microsoft has instructions for that here.
Messages submitted by users can be evaluated by Microsoft, where Automated Investigations and Response (AIR) can review the message and provide remediation options if necessary. You can also configure a third-party service to evaluate user-reported messages; depending on that service, you can have Microsoft review the messages submitted to the third party as well.
Outlook
Outlook is the most common place users will report messages from, but it is also possible to submit Teams messages.
Monitor reported messages in Outlook
Disabling this will remove the built-in reporting button.
Select an Outlook report button configuration
You can choose to use Microsoft's built-in report button or a third-party reporting button. See the tabs and flowcharts below for the different scenarios.
This is the easiest configuration, with no real drawbacks. It's pretty customizable and keeps all your reported emails within the Defender portal alongside your other Defender products, without requiring you to ship logs off to a SIEM solution.
flowchart LR
e(Email)
m(Microsoft)
d(Defender)
e-->|reported|m
m-->d
This is a good option if you are already using a third-party solution. Depending on your situation, it would also be advisable to forward these submissions to Microsoft as well.
flowchart LR
e(Email)
3(Third party)
d(Defender)
e-->|reported|3
3~~~d
Once enabled, you will still have to configure the add-in; your solution should have good documentation on how to do that.
If you are going to use a third-party solution this is the best option in my opinion. The only downside is potentially having to check both your third-party and Microsoft solutions only to see the same results. This is dependent on your third-party solution, but the extra visibility can be very useful. The flowchart below is based on how KnowBe4 handles this; other solutions may be different.
flowchart LR
e(Email)
3(Third party)
m(Microsoft)
d(Defender)
e-->|reported|3
e-->|forwarded|m
m-->d
To use this solution, select the radio button for Use a non-Microsoft add-in button, then specify a mailbox under Send reported message to on this page. Make sure the mailbox is also configured as a SecOps mailbox, or the message could be blocked as phishing or spam.
Documentation for various solutions is provided here.
- KnowBe4
- Could not easily find other documented solutions for this but will add as I come across them.
Microsoft Teams
You must have enabled reporting in the Teams admin center for this feature to have any impact; this allows the submissions to process correctly in the Defender portal.
Reported message destination
Send reported message to
Note: as of December 2024, only My reporting mailbox only is an available setting when using third-party tooling. It does not appear this allows Microsoft to evaluate the messages, despite Microsoft documentation making it sound like it should be covered. It looks like this feature may become available ~ February 2025. [2]
Reported message destinations section > Add an Exchange Online mailbox to send reported messages to: Click in the box to find and select an existing Exchange Online mailbox to use as the reporting mailbox that holds user-reported messages from third-party reporting tools. In organizations with Defender for Office 365 Plan 2, Automatic investigation and response to threats, is triggered which automatically carries out the analysis and clean up actions for you. [3]
Microsoft and my reporting mailbox
- This is the recommended option if you have third party reporting enabled
My reporting mailbox only
- Microsoft does not analyze the reported emails; as an admin, you can submit the messages users reported if desired
Microsoft only
Construction
Verify third party options
Add an Exchange Online mailbox to send reported messages to
The mailbox you specify here should likely be configured as a SecOps mailbox, especially if using a third-party reporting solution.
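The SecOps mailbox requirement mentioned here and in the non-Microsoft add-in setup above can be checked from Exchange Online PowerShell. This is an added example, not part of the original page: it assumes an existing `Connect-ExchangeOnline` session, the helper name `Compare-ReportingToSecOps` is hypothetical, and the output property names are assumed to match the parameters of the corresponding `Set-`/`New-` cmdlets (confirm with `Format-List *` in your tenant).

```powershell
# Added example: check that every mailbox receiving user-reported messages
# is also a SecOps mailbox. Assumes Connect-ExchangeOnline has already been run.

function Compare-ReportingToSecOps {
    param(
        [string[]]$ReportingAddresses,  # mailboxes that receive user reports
        [string[]]$SecOpsAddresses      # mailboxes in the SecOps override policy
    )
    $ReportingAddresses |
        Where-Object { $_ } |           # drop empty entries (unset properties)
        Sort-Object -Unique |
        ForEach-Object {
            [pscustomobject]@{
                ReportingMailbox = $_
                # -contains compares strings case-insensitively
                IsSecOpsMailbox  = $SecOpsAddresses -contains $_
            }
        }
}

$policy = Get-ReportSubmissionPolicy   # user reported settings
$rule   = Get-ReportSubmissionRule     # holds the reporting mailbox
$secOps = Get-SecOpsOverridePolicy     # SecOps mailbox list

# Property names below are assumed to match the Set-/New- cmdlet parameters.
$reporting = @($rule.SentTo) + @($policy.ThirdPartyReportAddresses) |
    ForEach-Object { "$_".Trim() }
$secOpsList = @($secOps.SentTo) | ForEach-Object { "$_".Trim() }

# Which destination mode is active (Microsoft, third party, or both).
[pscustomobject]@{
    ReportToMicrosoft = $policy.EnableReportToMicrosoft
    ThirdPartyAddIn   = $policy.EnableThirdPartyAddress
} | Format-List

# Any row with IsSecOpsMailbox = False is a mailbox where reported
# messages could be filtered as phishing or spam before you see them.
Compare-ReportingToSecOps -ReportingAddresses $reporting -SecOpsAddresses $secOpsList |
    Format-Table -AutoSize
```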
Email notifications
This option is apparently not available in every tenant, but you can configure it to notify users of the results of the messages they reported. It is a nice way to give feedback to your users, especially if they complain about false positives or negatives.
The flowchart below shows how these notifications work. When the user submits the email, if it is determined to be phish or spam, they will immediately receive this email notification upon completion of the investigation. If it's determined to be phish and there is an action an admin must approve, the determination notification will not be sent to the end user until the action is remediated.
flowchart LR
e[Email]
dc[Clean]
dp[Phish]
ds[Spam]
sn[Send notification]
aa[Admin approves action]
sna[Send notification **after** admin response]
subgraph Determination
dc
ds
dp
end
e-->Determination
e~~~dc
e~~~dp
dc-->sn
ds-->sn
dp-->aa
aa-->sna
Reporting from quarantine
When a user is releasing a message from quarantine they can report the message as clean and Microsoft can run an analysis on the message.
[1] https://learn.microsoft.com/en-us/defender-office-365/submissions-outlook-report-messages#use-the-built-in-report-button-in-outlook
[2] https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=Microsoft%20Defender%20for%20Office%20365%2CIn%20development&searchterms=406167
[3] https://learn.microsoft.com/en-us/defender-office-365/submissions-user-reported-messages-custom-mailbox#options-for-third-party-reporting-tools