Report messages and files to Microsoft
The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, both users and admins have several different methods for reporting email messages and files to Microsoft.
|Use the Submissions portal to submit suspected spam, phish, URLs, and files to Microsoft||The recommended reporting method for admins in organizations with Exchange Online mailboxes (not available in standalone EOP).|
|Enable the Report Message or the Report Phishing add-ins||Works with Outlook and Outlook on the web (formerly known as Outlook Web App).
Depending on your subscription, messages that users reported with the add-ins are available in the Admin Submissions portal, Automated investigation and response (AIR) results, the User-reported messages report, and Explorer.
You can configure reported messages to be copied or redirected to a mailbox that you specify. For more information, see User submissions policies.
|Report false positives and false negatives in Outlook||Submit false positives (good email that was blocked or sent to junk folder) and false negatives (unwanted email or phish that was delivered to the inbox) to Exchange Online Protection (EOP) using the Report Message feature.|
|Manually submit messages to Microsoft for analysis||Manually send attached messages to specific Microsoft email addresses for spam, not spam, and phishing.|
|Use mail flow rules to see what users are reporting to Microsoft||Learn how to create a mail flow rule (also known as a transport rule) that notifies you when users report messages to Microsoft for analysis.|
|Submit malware and non-malware to Microsoft for analysis||Use the Microsoft Security Intelligence site to submit attachments and other files.|
Data from submissions to Microsoft resides in the Office 365 compliance boundary in North American data centers. The data is reviewed by analysts on the engineering team to help improve the effectiveness of the filters. The submission is considered feedback to help improve the filters and is kept for a period of 30 days. After which, it is deleted.