Use mail flow rules to see what your users are reporting to Microsoft
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, there are multiple ways for users to report messages to Microsoft for analysis as described in Report messages and files to Microsoft.
You can create a mail flow rule (also known as a transport rule) that looks for messages that users report to Microsoft, and you can configure Bcc recipients to receive copies of these reported messages.
You can create the mail flow rule in the Exchange admin center (EAC) and PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
What do you need to know before you begin?
You need to be assigned permissions in Exchange Online or Exchange Online Protection before you can do the procedures in this article. Specifically, you need the Transport Rules role, which is assigned to the Organization Management, Compliance Management (global admins), and Records Management role groups by default.
For more information, see the following topics:
For more information about mail flow rules in Exchange Online and standalone EOP, see the following topics:
Use the EAC to create a mail flow rule to receive copies of reported messages
In the EAC, go to Mail flow > Rules.
Click Add and then select Create a new rule.
In the New rule page that opens, configure the following settings:
Name: Enter a unique, descriptive name for the rule. For example, Bcc Messages Reported to Microsoft.
Click More Options.
Apply this rule if: Select The recipient > address includes any of these words. In the Specify words or phrases dialog that appears, enter one of the following values, click Add, and repeat until you've entered all the values.
To edit an entry, select it and click Edit. To remove an entry, select it and click Remove.
When you're finished, click OK.
Do the following: Select Add recipients > to the Bcc box. In the dialog that appears, find and select the recipients that you want to add. When you're finished, click OK.
You can make additional selections to audit the rule, test the rule, activate the rule during a specific time period, and other settings. We recommend testing the rule before you enforce it.
When you're finished, click Save.
Use PowerShell to create a mail flow rule to receive copies of reported messages
This example creates a new mail flow rule named Bcc Messages Reported to Microsoft that looks for email messages that are reported to Microsoft by using the methods described in this article, and adds the users email@example.com and firstname.lastname@example.org as Bcc recipients.
New-TransportRule -Name "Bcc Messages Reported to Microsoft" -RecipientAddressContainsWords "email@example.com","firstname.lastname@example.org","email@example.com","firstname.lastname@example.org" -BlindCopyTo "email@example.com","firstname.lastname@example.org"
For detailed syntax and parameter information, see New-TransportRule.
How do you know this worked?
To verify that you've configured a mail flow rule to receive copies of reported messages, do any of the following steps:
In the EAC, go to Mail flow > Rules > select the rule > click Edit, and verify the settings.
In PowerShell, run the following command to verify the settings:
Get-TransportRule -Identity "Bcc Messages Reported to Microsoft" | Format-List
Send a test message to one of the reporting email addresses and verify the results.
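The recommendation to test the rule before enforcing it, combined with the verification steps, can be scripted as follows. This is an added example, not part of the original article: it creates the rule in Audit mode (evaluated and logged, action not applied), checks the stored settings against the intended ones, and switches to Enforce only when asked. The addresses, the Test-ReportedMessageRule helper, and the $Promote switch are assumptions for illustration.

```powershell
# Added example. Run in an Exchange Online PowerShell or standalone EOP PowerShell session.
$RuleName = 'Bcc Messages Reported to Microsoft'

# PLACEHOLDERS (constructed values): replace with the Microsoft reporting
# addresses and with the monitored mailbox that should receive the copies.
$ReportingAddresses = @('reporting-address-1@placeholder.invalid',
                        'reporting-address-2@placeholder.invalid')
$BccRecipients      = @('reported-mail-review@placeholder.invalid')
$Promote            = $false   # set to $true after the Audit-mode test looks correct

# Hypothetical helper: compares the rule stored in the service with the intended settings.
function Test-ReportedMessageRule {
    param([string]$Name, [string[]]$Words, [string[]]$Bcc)

    $rule = Get-TransportRule -Identity $Name -ErrorAction SilentlyContinue
    if (-not $rule) { return [pscustomobject]@{ Exists = $false } }

    # Normalize both sides to sorted, joined strings so order and case do not matter.
    $normalize = { param($items) (@($items) | ForEach-Object { "$_" } | Sort-Object) -join ';' }

    [pscustomobject]@{
        Exists          = $true
        State           = $rule.State
        Mode            = $rule.Mode
        ConditionsMatch = (& $normalize $Words) -eq (& $normalize $rule.RecipientAddressContainsWords)
        BccMatch        = (& $normalize $Bcc)   -eq (& $normalize $rule.BlindCopyTo)
    }
}

$status = Test-ReportedMessageRule -Name $RuleName -Words $ReportingAddresses -Bcc $BccRecipients

if (-not $status.Exists) {
    # First run: create the rule in test mode so nothing is copied yet.
    New-TransportRule -Name $RuleName `
        -RecipientAddressContainsWords $ReportingAddresses `
        -BlindCopyTo $BccRecipients `
        -Mode Audit `
        -Comments 'Copies user-reported messages to the review mailbox'
}
elseif (-not ($status.ConditionsMatch -and $status.BccMatch)) {
    # Someone changed the conditions or recipients: report it, do not promote.
    Write-Warning "Rule '$RuleName' does not match the intended settings."
    $status | Format-List
}
elseif ($Promote -and "$($status.Mode)" -ne 'Enforce') {
    # Settings verified and the test was reviewed: start applying the Bcc action.
    Set-TransportRule -Identity $RuleName -Mode Enforce
}
else {
    $status | Format-List
}
```

Copies of reported messages can contain live phishing links or malicious attachments, so the Bcc recipient is best a dedicated, access-restricted review mailbox rather than a personal one.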