Submit malware and non-malware to Microsoft for analysis

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what's new.

Applies to

Note

If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the Submissions page in the Microsoft 365 Defender portal. For more information, see Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP includes anti-malware protection that's automatically enabled. For more information, see Anti-malware protection in EOP.

You've probably heard the following best practices for years:

  • Avoid opening messages that look suspicious.
  • Never open an attachment from someone you don't know.
  • Avoid opening attachments in messages that urge you to open or click them.

But what can you do if you receive a message with a suspicious attachment? Or what if you suspect that your computer or device was infected by an email attachment that made it past our filters? In these cases, you should submit the malware attachment to Microsoft. Conversely, if an attachment in an email message was incorrectly identified as malware, you can submit that, too.

What do you need to know before you begin?

  • Messages with attachments that contain scripts or other malicious executables are considered malware, and you can use the procedures in this article to report them.

  • Messages with links to malicious sites are considered spam. For more information about reporting spam and non-spam, see Report messages and files to Microsoft.

Submit malware files to Microsoft

Go to the Microsoft Security Intelligence website at https://www.microsoft.com/wdsi/filesubmission to submit the file. To receive analysis updates, sign into the website, or enter a valid email address. We recommend that you use your Microsoft work or school account.

After you've uploaded the file or files, note the Submission ID that's created for your sample submission (for example, 7c6c214b-17d4-4703-860b-7f1e9da03f7f).

Submission details in the Windows Defender Security Intelligence website.

After we receive the sample, we'll investigate. If we determine that the sample file is malicious, we'll take corrective action to prevent the malware from going undetected.

If you continue receiving infected messages or attachments, then you should copy the message headers from the email message, and contact Microsoft Customer Service and Support for further assistance. Be sure to have your Submission ID ready as well.

Submit non-malware files to Microsoft

You can also submit a file that you believe was incorrectly identified as malware to the website (just select No for the question, Do you believe this file contains malware?).

After we receive the sample, we'll investigate. If we determine that the sample file is clean, we'll take corrective action to prevent the file from being detected as malware.