View email security reports in the Security & Compliance Center

A variety of email security reports are available in the Security & Compliance Center to help you see how anti-spam and anti-malware features in Office 365 are protecting your organization. If you have the necessary permissions, you can view these reports in the Security & Compliance Center by going to Reports > Dashboard.

The Security & Compliance Center dashboard can help you see where Advanced Threat Protection is working

Your email security reports include the following:

Threat Protection Status report (new!)

The new Threat Protection Status report is a smart report that shows malicious email that was detected and blocked by Exchange Online Protection. This report shows information about email identified as malware or a phishing attempt.

Note

A Threat Protection Status report is available to customers who have either Office 365 ATP or Exchange Online Protection (EOP); however, the information that is displayed in the Threat Protection Status report for ATP customers will likely contain different data than what EOP customers might see. For example, EOP customers can view information about malware detected in email, but not information about malicious files detected in SharePoint Online, OneDrive, or Microsoft Teams, an ATP-specific capability. (Learn more about ATP reports.)

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Threat Protection Status.

Threat Protection Status report

When you first open the Threat Protection Status report, the report shows data for the past seven days by default; however, you can click Filters and change the date range for up to 90 days of detail. This report is useful for viewing the effectiveness and impact of your organization's Exchange Online Protection features, and for longer-term trending.

Threat Protection Status report filters

You can also choose whether to view data for email identified as malicious, email identified as a phishing attempts, or email identified as containing malware.

Threat Protection Status report view options

Malware Detections report

The Malware Detections report shows how many incoming and outgoing messages were detected as containing malware for your organization.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Malware Detections.

Malware Detections Report example

Similar to other reports, like the Threat Protection Status report, the report displays data for the past seven days by default. However, you can choose Filters to change the date range.

Top Malware report

The Top Malware report shows the various kinds of malware that was detected by Exchange Online.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Top Malware.

SCC - EOP Top Malware

When you hover over a wedge in the pie chart, you can see the name of a kind of malware and how many messages were detected as having that malware.

Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.

This report shows the top malware detected for your organization

Below the chart, you'll see a list of detected malware and how many messages were detected as having that malware.

Top Senders and Recipients report

The Top Senders and Recipients report is a pie chart showing your top email senders.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Top Senders and Recipients.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Top Senders and Recipients

When you hover over a wedge in the pie chart, you can see a count of messages sent or received.

Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.

Use the Show data for list to choose whether to view data for top senders, receivers, spam recipients, and malware recipients. You can also see who received malware that was detected by Advanced Threat Protection.

Use the Show Data For list to view specific information

Below the chart, you'll see who the top email senders or recipients were, along with a count of messages sent or received for the given time period.

Spoof Mail report

The Spoof Mail report shows how many spoof mail messages were detected, and of those, which ones were considered "good" (spoof mail done for legitimate business reasons).

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Spoof Mail.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Spoof Mail

When you hover over a day in the chart, you can see how many spoof mail messages came through.

Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.

Spam Detections report

The Spam Detections report shows all the spam content blocked by Exchange Online.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Spam Detections.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > EOP Spam Detections

When you hover over a day in the chart, you can see how many items were blocked that day, as well as how those items are categorized. For example, you can see how many spam messages were filtered, and how many items came from a blocked Internet Protocol (IP) address.

Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.

The Spam Detections report tells you how many spam messages were blocked or filtered out

Below the chart, you'll see a list of spam items that were detected. Select an item to view additional information, such as whether the spam item was inbound or outbound, its message ID, and its recipient.

Sent and received email report

The Sent and received email report is a smart report that shows information about incoming and outgoing email, including spam detections, malware, and email identified as "good."

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Sent and received email.

To view this report, in the Security & Compliance Center, go to Reports > Dashboard > Sent and received email

When you hover over a day in the chart, you can see how many messages came in, and how those messages are categorized. For example, you can see how many messages were detected as containing malware, and how many were identified as spam.

Click (or tap) the report to open it in a new browser window, where you can get a more detailed view of the report.

You can use the Break down by list to view information by type or by direction (incoming and outgoing).

Use the Break Down By list to view information by type or direction

Below the chart, you'll see a list of email categories, such as GoodMail, SpamContentFiltered, and so on. Select a category to view additional information, such as actions that were taken for malware, and whether email was incoming or outgoing.

This report tells you about anti-malware, anti-spam, and other message detections

User-reported messages report (new!)

The User-reported messages report shows information about email messages that users have reported as junk, phishing attempts, or good mail by using the Report Message add-in.

Details are available for each message, including the delivery reason, such a spam policy exception or mail flow rule configured for your organization. To view details, select an item in the user-reports list, and then view the information on the Summary and Details tabs.

The User-Reported Messages report shows messages users labeled as junk, not junk, or phishing attempts.

To view this report, in the Security & Compliance Center, do one of the following:

  • Go to Threat management > Dashboard > User-reported messages.

  • Go to Threat management > Review > User-reported messages.

In the Security & Compliance Center, choose Threat management > Review > User reported messages

Important

In order for the User-reported messages report to work correctly, audit logging must be turned on for your Office 365 environment. This is typically done by someone who has the Audit Logs role assigned in Exchange Online. For more information, see Turn Office 365 audit log search on or off.

What permissions are needed to view these reports?

In order to view and use the email security reports described in this article, you must have an appropriate role assigned in the Security & Compliance Center and in the Exchange Admin Center.

Role group Where assigned Learn more
One of the following:

--Organization Management
--Security Administrator
--Security Reader
Security & Compliance Center
Permissions in the Office 365 Security & Compliance Center
One of the following:

--Organization Management
--View-only Organization Management
--View-Only Recipients role
--Compliance Management
Exchange Admin Center
Feature permissions in Exchange Online

What if the reports aren't showing data?

If you are not seeing data in your reports, double-check that your policies are set up correctly. To learn more, see Anti-spam and anti-malware protection in Office 365.

Office 365 Email Anti-Spam Protection

Reports and insights in the Office 365 Security & Compliance Center

Create a schedule for a report in the Security & Compliance Center

Set up and download a custom report in the Security & Compliance Center