User submissions policy



In Microsoft 365 organizations with Exchange Online mailboxes, you can specify a mailbox to receive messages that users report as malicious or not malicious. When users submit messages using the various reporting options, you can use this mailbox to intercept messages (send to the custom mailbox only) or receive copies of messages (send to the custom mailbox and Microsoft). This feature works with the following message reporting options:

Delivering user reported messages to a custom mailbox instead of directly to Microsoft allows your admins to selectively and manually report messages to Microsoft using Admin submission.

Note

If reporting has been disabled in Outlook on the web, enabling user submissions here will override that setting and enable users to report messages in Outlook on the web again.

Custom mailbox prerequisites

Use the following articles to configure the prerequisites required so user reported messages go to your custom mailbox:

  • Skip spam filtering on the custom mailbox by creating an Exchange mail flow rule to set the spam confidence level. See Use the EAC to create a mail flow rule that sets the SCL of a message to set the SCL to Bypass spam filtering.

  • Create a Safe Attachments policy that includes the custom mailbox where Safe Attachments scanning is turned off (Safe Attachments unknown malware response section > Off).

  • Create a Safe Links policy that includes the custom mailbox where Safe Links scanning is turned off (Select the action for unknown potentially malicious URLs in messages section > Off).

  • Create an anti-malware policy that includes the custom mailbox where zero-hour auto purge (ZAP) for malware is turned off (Protection settings section > Enable zero-hour auto purge for malware is not selected).

  • Create an anti-spam policy that includes the custom mailbox where ZAP for spam and ZAP for phishing are turned off (Zero-hour auto purge section > Enabled zero-hour auto purge (ZAP) is not selected).

  • Disable the junk email rule in the custom mailbox. Use Configure junk email settings on Exchange Online mailboxes to disable the junk email rule. After it's disabled, EOP can't move messages to the Junk Email folder based on the spam filtering verdict action Move message to Junk Email folder or the safelist collection on the mailbox.

After you've verified that your mailbox meets all applicable prerequisites, you can use the procedures in this article to configure the user submissions mailbox.

What do you need to know before you begin?

Use the Microsoft 365 Defender portal to configure the user submissions mailbox

  1. In the Microsoft 365 Defender portal, go to Policies & rules > Threat policies > Others section > User reported message settings > User submissions.

  2. On the User submissions page, what you see is determined by whether the Microsoft Outlook Report Message button setting is Off or On:

    • Microsoft Outlook Report Message button > On: Select this option if you use the Report Message add-in, the Report Phishing add-in or the built-in reporting in Outlook on the web, and then configure the following settings:

      • Send the reported messages to: Select one of the following options:

        • Microsoft: The user submissions mailbox isn't used (all reported messages go to Microsoft).

        • Microsoft and my organization's mailbox: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. User submissions will go to both Microsoft for analysis and to the custom mailbox for your admin or security operations team to analyze.

        • My organization's mailbox: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. Use this option if you want the message to only go to an admin or the security operations team for analysis first. Messages will not go to Microsoft unless the admin forwards them.

          Important

          U.S. Government organizations (GCC, GCC High, and DoD) can only configure My organization's mailbox. The other two options are disabled.

          If an organization is configured to send to the custom mailbox only, reported messages will not be sent for rescan, and results in the User reported messages portal will always be empty.

        Regardless of the value you selected for Send the reported messages to, the following settings are available:

        • Let users choose if they want to report their message to Microsoft

        • Select reporting options that are available to users section: Select at least one among the following options:

          • Ask me before sending the message
          • Always report the message
          • Never report the message

          Caution

          If you have disabled junk email reporting in Outlook on the web using Outlook on the web mailbox policies, but you configured any of the previous settings to report messages to Microsoft, users will be able to report messages to Microsoft in Outlook on the web using the Report Message add-in or the Report Phishing add-in.

      • User reporting experience section

        • Before reporting tab: In the Title and Message body boxes, enter the descriptive text that users see before they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type (junk, not junk, phish, etc.).
        • After reporting tab: In the Title and Confirmation message boxes, enter the descriptive text that users see after they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable %type% to include the submission type.

        As shown on the page, if you select an option that sends the reported messages to Microsoft, the following text is also added to the notification:

        Your email will be submitted as-is to Microsoft for analysis. Some emails might contain personal or sensitive information.

    • Microsoft Outlook Report Message button > Off: Select this option if you use third-party reporting tools instead of the Report Message add-in, the Report Phishing add-in, or the built-in reporting in Outlook on the web, and then configure the following settings:

      • Select Use this custom mailbox to receive user reported submissions. In the box that appears, enter the email address of an existing Exchange Online mailbox that can receive email.

    When you're finished, click Confirm. To clear these values, click Restore.

Third-party reporting tools

You can configure third-party message reporting tools to send reported messages to the custom mailbox. The only requirement is that the original message is included as an attachment in the message that's sent to the custom mailbox (don't just forward the original message to the custom mailbox).

The message formatting requirements are described in the next section. The formatting is optional, but a report that does not follow the prescribed format will always be submitted as phish.

Message submission format

To correctly identify the original attached messages, messages that are sent to the custom mailbox require specific formatting. If the messages don't use this format, the original attached messages are always identified as phishing submissions.

For correct identification of the original attached messages, messages that are sent to the custom mailbox need to use the following syntax for the Subject (Envelope Title):

SafetyAPIAction|NetworkMessageId|SenderIp|FromAddress|(Message Subject)

where SafetyAPIAction is one of the following integer values:

  • 1: Junk
  • 2: Not junk
  • 3: Phishing

This example uses the following values:

  • The message is being reported as phishing.
  • The Network Message ID is 49871234-6dc6-43e8-abcd-08d797f20abe.
  • The Sender IP is 167.220.232.101.
  • The From address is test@contoso.com.
  • The message's subject line is "test phishing submission"

3|49871234-6dc6-43e8-abcd-08d797f20abe|167.220.232.101|test@contoso.com|(test phishing submission)

Messages that don't follow this format will not display properly in the Submissions portal.
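The following is an added example, not code from the original page or from Microsoft, showing how a third-party reporting tool could build a report that meets both requirements above (original message attached, Subject in the prescribed format) and how a triage script could check an incoming Subject. The function names, the sample message, and the reporter and mailbox addresses are assumptions; the check that the Network Message ID is GUID-shaped is inferred from the page's example value.

```python
import ipaddress
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

ACTIONS = {"junk": 1, "not junk": 2, "phishing": 3}  # SafetyAPIAction values listed above

# Constructed sample of a message a user reported (not a real message).
SAMPLE_ORIGINAL = (b"From: Test Sender <test@contoso.com>\r\n"
                   b"To: user@fabrikam.example\r\n"
                   b"Subject: test phishing submission\r\n\r\n"
                   b"Please confirm your password.\r\n")

def build_subject(action, network_message_id, sender_ip, from_address, subject):
    """Return SafetyAPIAction|NetworkMessageId|SenderIp|FromAddress|(Message Subject)."""
    code = ACTIONS[action]                 # KeyError for an unknown report type
    uuid.UUID(network_message_id)          # assumption: GUID-shaped, as in the page's example
    ipaddress.ip_address(sender_ip)        # ValueError if not an IPv4/IPv6 address
    if "|" in from_address or "@" not in from_address:
        raise ValueError("From address would break the field layout")
    clean = " ".join(subject.split())      # collapse CR/LF and runs of whitespace
    return f"{code}|{network_message_id}|{sender_ip}|{from_address}|({clean})"

def build_report(original_bytes, action, network_message_id, sender_ip, reporter, mailbox):
    """Wrap the reported message as an attachment (not an inline forward)."""
    original = message_from_bytes(original_bytes, policy=policy.default)
    report = EmailMessage()
    report["From"], report["To"] = reporter, mailbox
    report["Subject"] = build_subject(
        action, network_message_id, sender_ip,
        original["From"].addresses[0].addr_spec, str(original["Subject"] or ""))
    report.set_content("User-reported message attached.")
    report.add_attachment(original)        # becomes a message/rfc822 part
    return report

def parse_subject(subject):
    """Triage-side check; a malformed subject falls back to phishing, as the page states."""
    parts = subject.split("|", 4)          # the subject field itself may contain "|"
    try:
        code = int(parts[0])
        if len(parts) != 5 or code not in ACTIONS.values():
            raise ValueError(subject)
        uuid.UUID(parts[1])
        ipaddress.ip_address(parts[2])
        if not (parts[4].startswith("(") and parts[4].endswith(")")):
            raise ValueError(subject)
    except ValueError:
        return {"action": 3, "well_formed": False}
    return {"action": code, "well_formed": True, "network_message_id": parts[1],
            "sender_ip": parts[2], "from": parts[3], "subject": parts[4][1:-1]}
```

Running the triage check before a report reaches the custom mailbox makes malformed reports visible to the team, rather than having them silently counted as phishing submissions.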