Report phishing and suspicious emails in Outlook for admins

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

In Microsoft 365 organizations with mailboxes in Exchange Online, users can report phishing and suspicious email in Outlook. Users can report false positives (good email that was blocked or sent to their Junk Email folder) and false negatives (unwanted email or phishing that was delivered to their Inbox) from Outlook on all platforms using free tools from Microsoft.

Microsoft provides the following tools for users to report good and bad messages:

  • Built-in reporting in Outlook on the web (formerly known as Outlook Web App or OWA).
  • The Microsoft Report Message or Report Phishing add-ins. The add-ins work on virtually all Outlook platforms, including Outlook on the web. For more information, see Enable the Microsoft Report Message or Report Phishing add-ins.

For more information about reporting messages to Microsoft, see Report messages and files to Microsoft.

Admins configure user reported messages to go to a specified reporting mailbox, to Microsoft, or both. These user reported messages are available on the User reported tab on the Submissions page in the Microsoft Defender portal. For more information, see User reported settings.

Use the built-in Report button in Outlook on the web

  • The built-in Report button is available in Outlook on the web only if user reporting is turned on and the built-in Report button in Outlook (not a non-Microsoft add-in button) are configured in the user reported settings at https://security.microsoft.com/securitysettings/userSubmission:

    If user reporting is turned off and a non-Microsoft add-in button is selected, the Report button isn't available in Outlook on the web.

  • Currently, the Report button in Outlook on the web doesn't honor the before and after notification pop-up options in the user reported settings.

  • Built-in reporting in Outlook on the web supports reporting messages from shared mailboxes or other mailboxes by a delegate.

    • Shared mailboxes require Send As or Send On Behalf permission for the user.
    • Other mailboxes require Send As or Send On Behalf permission and Read and Manage permissions for the delegate.

Use the built-in Report button in Outlook on the web to report junk and phishing messages

  • Users can report a message as junk from the Inbox or any email folder other than Junk Email folder.
  • Users can report a message as phishing from any email folder.

In Outlook on the web, select one or more messages, select Report, and then select Report phishing or Report junk in the dropdown list.

Based on the User reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The following actions are also taken on the reported messages in the mailbox:

  • Reported as junk: The messages are moved to the Junk Email folder.
  • Reported as phishing: The messages are deleted.

Use the built-in Report button in Outlook on the web to report messages that aren't junk

In Outlook on the web, select one or more messages in the Junk Email folder, select Report, and then select Not junk in the dropdown list.

Based on the User reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The messages are also moved out of Junk Email to the Inbox.

Use the Report Message and Report Phishing add-ins in Outlook

Use the Report Message add-in to report junk and phishing messages in Outlook

  • Users can report a message as junk from the Inbox or any email folder other than the Junk Email folder.
  • Users can report a message as phishing from any email folder.
  1. In Outlook, do one of the following steps:

    • Select an email message from the list.
    • Open a message.
  2. Do one of the following steps based on your Ribbon Layout configuration in Outlook:

    • Classic Ribbon: Select Report Message, and then select Junk or Phishing in the dropdown list.

    • Simplified Ribbon: Select More commands > Protection section > Report Message > select Junk or Phishing.

Based on the user reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The following actions are also taken on the reported messages in the mailbox:

  • Reported as junk: The messages are moved to the Junk Email folder.
  • Reported as phishing: The messages are deleted.

Use the Report Message add-in to report messages that aren't junk in Outlook

  1. In Outlook, open a message in the Junk Email folder.

  2. Do one of the following steps based on your Ribbon Layout configuration in Outlook:

    • Classic Ribbon: Select Report Message, and then select Not Junk in the dropdown list.

    • Simplified Ribbon: Select More commands > Protection section > Report Message > select Not Junk.

Based on the user reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The messages are also moved out of Junk Email to the Inbox.

Use the Report Phishing add-in to report phishing messages in Outlook

Users can report phishing messages from any email folder.

  1. In Outlook, do one of the following steps:

    • Select an email message from the list.
    • Open a message.
  2. Do one of the following steps based on your Ribbon Layout configuration in Outlook:

    • Classic Ribbon: Select Report Phishing.

    • Simplified Ribbon: Select More commands > Protection section > Phishing

Based on the User reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The messages are also deleted.

Review reported messages

To review messages that users have reported to Microsoft, admins can use the User reported tab on the Submissions page in the Microsoft Defender portal at https://security.microsoft.com/reportsubmission. For more information, see View user reported messages to Microsoft.

Note

If the User reported settings in the organization send user reported messages (email and Microsoft Teams) to Microsoft (exclusively or in addition to the reporting mailbox), we do the same checks as when admins submit messages to Microsoft for analysis from the Submissions page. So, submitting or resubmitting messages to Microsoft is useful to admins only for messages that have never been submitted to Microsoft, or when you disagree with the original verdict.

More information

Admins can watch this short video to learn how to use Microsoft Defender for Office 365 to easily investigate user reported messages. Admins can determine the contents of a message and how to respond by applying the appropriate remediation action.