User submissions policy
The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
In Microsoft 365 organizations with Exchange Online mailboxes, you can specify a mailbox to receive messages that users report as malicious or not malicious. When users submit messages using the various reporting options, you can use this mailbox to intercept messages (send to the custom mailbox only) or receive copies of messages (send to the custom mailbox and Microsoft). This feature works with the following message reporting options:
Delivering user reported messages to a custom mailbox instead of directly to Microsoft allows your admins to selectively and manually report messages to Microsoft using Admin submission.
If reporting has been disabled in Outlook on the web, enabling user submissions here will override that setting and enable users to report messages in Outlook on the web again.
Custom mailbox prerequisites
Use the following articles to configure the prerequisites required so user reported messages go to your custom mailbox:
Skip spam filtering on the custom mailbox by creating an exchange mail flow rule to set the spam confidence level. See Use the EAC to create a mail flow rule that sets the SCL of a message to set the SCL to Bypass spam filtering.
Create a Safe Attachments policy that includes the custom mailbox where Safe Attachments scanning is turned off (Safe Attachments unknown malware response section > Off).
Create a Safe Links policy that includes the custom mailbox where Safe Links scanning is turned off (Select the action for unknown potentially malicious URLs in messages section > Off).
Create an anti-malware policy that includes the custom mailbox where zero-hour auto purge (ZAP) for malware is turned off (Protection settings section > Enable zero-hour auto purge for malware is not selected).
Create an anti-spam policy that includes the custom mailbox where ZAP for spam and ZAP for phishing are turned off (Zero-hour auto purge section > Enabled zero-hour auto purge (ZAP) is not selected).
Disable the junk email rule in the custom mailbox. Use Configure junk email settings on Exchange Online mailboxes to disable the junk email rule. After it's disabled, EOP can't move messages to the Junk Email folder based on the spam filtering verdict action Move message to Junk Email folder or the safelist collection on the mailbox.
After you've verified that your mailbox meets all applicable prerequisites, you can use the procedures in this article to configure the user submissions mailbox.
What do you need to know before you begin?
To modify the configuration for User submissions, you need to be a member of one of the following role groups:
You need access to Exchange Online PowerShell. If the account that you're trying to use doesn't have access to Exchange Online PowerShell, you'll receive an error that looks like this when specify the submissions mailbox:
Specify an email address in your domain
For more information about enabling or disabling access to Exchange Online PowerShell, see the following topics:
Use the Microsoft 365 Defender portal to configure the user submissions mailbox
In the Microsoft 365 Defender portal, go to Policies & rules > Threat policies > Others section > User reported message settings > User submissions.
On the User submissions page, what you see is determined by whether the Microsoft Outlook Report Message button setting is Off or On:
Microsoft Outlook Report Message button > On : Select this option if you use the Report Message add-in, the Report Phishing add-in or the built-in reporting in Outlook on the web, and then configure the following settings:
Send the reported messages to: Select one of the following options:
Microsoft: The user submissions mailbox isn't used (all reported messages go to Microsoft).
Microsoft and my organization's mailbox: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. User submissions will go to both Microsoft for analysis and to the custom mailbox for your admin or security operations team to analyze.
My organization's mailbox: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. Use this option if you want the message to only go to an admin or the security operations team for analysis first. Messages will not go to Microsoft unless the admin forwards it themselves.
U.S. Government organizations (GCC, GCC High, and DoD) can only configure My organization's mailbox. The other two options are disabled.
If organizations are configured to send to custom mailbox only, reported messages will not be sent for rescan and results in the User reported messages portal will always be empty.
Regardless of the value you selected for Send the reported messages to, the following settings are available:
Let users choose if they want to report their message to Microsoft
Select reporting options that are available to users section: Select at least one among the following options:
- Ask me before sending the message
- Always report the message
- Never report the message
If you have disabled junk email reporting in Outlook on the web using Outlook on the web mailbox policies, but you configured any of the previous settings to report messages to Microsoft, users will be able to report messages to Microsoft in Outlook on the web using the Report Message add-in or the Report Phishing add-in.
User reporting experience section
- Before reporting tab: In the Title and Message body boxes, enter the descriptive text that users see before they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type (junk, not junk, phish, etc.).
- After reporting tab: In the Title and Confirmation message boxes, enter the descriptive text that users see after they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type.
As shown on the page, if you select an option that sends the reported messages to Microsoft, the following text is also added to the notification:
Your email will be submitted as-is to Microsoft for analysis. Some emails might contain personal or sensitive information.
Microsoft Outlook Report Message button > Off : Select this option if you use third-party reporting tools instead of the Report Message add-in, the Report Phishing add-in, or the built-in reporting in Outlook on the web, and then configure the following settings:
- Select Use this custom mailbox to receive user reported submissions. In the box that appears, enter the email address of an existing Exchange Online mailbox that can receive email.
When you're finished, click Confirm. To clear these values, click Restore
Third-party reporting tools
You can configure third-party message reporting tools to send reported messages to the custom mailbox. The only requirement is that the original message is included as an attachment in the message that's sent to the custom mailbox (don't just forward the original message to the custom mailbox).
The message formatting requirements are described in the next section. The formatting is optional, but if it does not follow the prescribed format, the reports will always be submitted as phish.
Message submission format
To correctly identify the original attached messages, messages that are sent to the custom mailbox require specific formatting. If the messages don't use this format, the original attached messages are always identified as phishing submissions.
For correct identification of the original attached messages, messages that are sent to the custom mailbox need to use the following syntax for the Subject (Envelope Title):
where SafetyAPIAction is one of the following integer values:
- 1: Junk
- 2: Not junk
- 3: Phishing
This example uses the following values:
- The message is being reported as phishing.
- The Network Message ID is 49871234-6dc6-43e8-abcd-08d797f20abe.
- The Sender IP is 188.8.131.52.
- The From address is email@example.com.
- The message's subject line is "test phishing submission"
firstname.lastname@example.org|(test phishing submission)
Messages that don't follow this format will not display properly in the Submissions portal.