Use mail flow rules to see what your users are reporting to Microsoft

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, there are multiple ways for users to report messages to Microsoft for analysis as described in Report messages and files to Microsoft.

You can create a mail flow rule (also known as a transport rule) that looks for messages that users report to Microsoft, and you can configure Bcc recipients to receive copies of these reported messages.

You can create the mail flow rule in the Exchange admin center (EAC) and PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).

What do you need to know before you begin?

Use the EAC to create a mail flow rule to receive copies of reported messages

  1. In the EAC, go to Mail flow > Rules.

  2. Click Add and then select Create a new rule.

  3. In the New rule page that opens, configure the following settings:

    • Name: Enter a unique, descriptive name for the rule. For example, Bcc Messages Reported to Microsoft.

    • Click More Options.

    • Apply this rule if: Select The recipient > address includes any of these words. In the Specify words or phrases dialog that appears, enter one of the following values, click Add, and repeat until you've entered all the values.

      • junk@office365.microsoft.com
      • abuse@messaging.microsoft.com
      • phish@office365.microsoft.com
      • not_junk@office365.microsoft.com

      To edit an entry, select it and click Edit. To remove an entry, select it and click Remove.

      When you're finished, click OK.

    • Do the following: Select Add recipients > to the Bcc box. In the dialog that appears, find and select the recipients that you want to add. When you're finished, click OK.

  4. You can make additional selections to audit the rule, test the rule, activate the rule during a specific time period, and other settings. We recommend testing the rule before you enforce it.

  5. When you're finished, click Save.

Use PowerShell to create a mail flow rule to receive copies of reported messages

This example creates a new mail flow rule named Bcc Messages Reported to Microsoft that looks for email messages that are reported to Microsoft by using the methods described in this article, and adds the users laura@contoso.com and julia@contoso.com as Bcc recipients.

New-TransportRule -Name "Bcc Messages Reported to Microsoft" -RecipientAddressContainsWords "junk@office365.microsoft.com","abuse@messaging.microsoft.com","phish@office365.microsoft.com","false_positive@messaging.microsoft.com" -BlindCopyTo "laura@contoso.com","julia@contoso.com"

For detailed syntax and parameter information, see New-TransportRule.

How do you know this worked?

To verify that you've configured a mail flow rule to receive copies of reported messages, do any of the following steps:

  • In the EAC, go to Mail flow > Rules > select the rule > click Edit, and verify the settings.

  • In PowerShell, run the following command to verify the settings:

    Get-TransportRule -Identity "Bcc Messages Reported to Microsoft" | Format-List
    
  • Send a test message to one of the reporting email addresses and verify the results.
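
The following check is an added example, not part of the original article and not Microsoft's code. It compares a rule object against the reporting addresses named in this article (the EAC list and the PowerShell example combined) and against the Bcc recipients you expect; the helper name Test-ReportedMessageRule and the sample rule object are assumptions constructed for illustration.

```powershell
# Reporting addresses named in this article (EAC steps and PowerShell example combined).
$ExpectedAddresses = @(
    'junk@office365.microsoft.com'
    'abuse@messaging.microsoft.com'
    'phish@office365.microsoft.com'
    'not_junk@office365.microsoft.com'
    'false_positive@messaging.microsoft.com'
)

# Hypothetical helper: reports gaps between a transport rule and the expected settings.
function Test-ReportedMessageRule {
    param(
        [Parameter(Mandatory)] $Rule,
        [Parameter(Mandatory)] [string[]] $ExpectedBcc,
        [string[]] $ExpectedWords = $ExpectedAddresses
    )
    # Normalize to strings; the foreach statement skips a $null property cleanly.
    $words = @(foreach ($w in $Rule.RecipientAddressContainsWords) { "$w" })
    $bcc   = @(foreach ($b in $Rule.BlindCopyTo) { "$b" })

    [pscustomobject]@{
        Name             = $Rule.Name
        Enabled          = ("$($Rule.State)" -eq 'Enabled')
        Enforced         = ("$($Rule.Mode)" -eq 'Enforce')   # Audit modes do not add the Bcc
        # -notcontains is case-insensitive, which suits email addresses.
        MissingAddresses = @($ExpectedWords | Where-Object { $words -notcontains $_ })
        MissingBcc       = @($ExpectedBcc   | Where-Object { $bcc -notcontains $_ })
        # Reported mail can hold sensitive content, so flag recipients nobody approved.
        UnexpectedBcc    = @($bcc | Where-Object { $ExpectedBcc -notcontains $_ })
    }
}

# Constructed sample that mirrors the New-TransportRule example above, left in a
# test mode, so the check runs offline. In a connected session use instead:
#   $rule = Get-TransportRule -Identity "Bcc Messages Reported to Microsoft"
$rule = [pscustomobject]@{
    Name  = 'Bcc Messages Reported to Microsoft'
    State = 'Enabled'
    Mode  = 'Audit'
    RecipientAddressContainsWords = @(
        'junk@office365.microsoft.com', 'abuse@messaging.microsoft.com',
        'phish@office365.microsoft.com', 'false_positive@messaging.microsoft.com'
    )
    BlindCopyTo = @('laura@contoso.com', 'julia@contoso.com')
}

Test-ReportedMessageRule -Rule $rule -ExpectedBcc 'laura@contoso.com', 'julia@contoso.com' |
    Format-List
```

Running the same check on a schedule surfaces a rule that was disabled, left in a test mode, or given additional Bcc recipients after it was created.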