Report messages and files to Microsoft

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, both users and admins have several different methods for reporting email messages and files to Microsoft.

Method Description
Use the Submissions portal to submit suspected spam, phish, URLs, and files to Microsoft The recommended reporting method for admins in organizations with Exchange Online mailboxes (not available in standalone EOP).
Enable the Report Message or the Report Phishing add-ins Works with Outlook and Outlook on the web (formerly known as Outlook Web App).

Depending on your subscription, messages that users reported with the add-ins are available in the Admin Submissions portal, Automated investigation and response (AIR) results, the User-reported messages report, and Explorer.

You can configure reported messages to be copied or redirected to a mailbox that you specify. For more information, see User submissions policies.
Report false positives and false negatives in Outlook Submit false positives (good email that was blocked or sent to junk folder) and false negatives (unwanted email or phish that was delivered to the inbox) to Exchange Online Protection (EOP) using the Report Message feature.
Use mail flow rules to see what users are reporting to Microsoft Learn how to create a mail flow rule (also known as a transport rule) that notifies you when users report messages to Microsoft for analysis.
Submit malware and non-malware to Microsoft for analysis Use the Microsoft Security Intelligence site to submit attachments and other files.

Note

When you report an email entity to Microsoft, we make a copy of everything associated with the email to include it in our continual algorithm reviews. This copy includes the email content, the email headers, and related data about the email routing. Attachments in the message are also included.

Microsoft treats your feedback as your organization's permission for us to analyze all of the previously described information and to work to fine tune the message hygiene algorithms. We hold your message in our secure audited datacenters in the USA until we delete your submission no later than 30 days after you provided it to us. Personnel at Microsoft may read your submitted message and attachments, which is normally not permitted for email in Office 365. However, your email is still treated as confidential between you and Microsoft, and we will not provide your submission to any other party to read the email or its attachments for this review process.