How do I report a suspicious email or file to Microsoft?

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Wondering what to do with suspicious emails or files? In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, users and admins have different ways to report a suspicious email message, URL, or email attachment to Microsoft.

In addition, admins in Microsoft 365 organizations with Microsoft Defender for Endpoint also have several methods for reporting files.

Report suspicious email messages to Microsoft

| Method | Submission type | Comments |
| --- | --- | --- |
| The built-in Report button | User | Currently, this method is available only in Outlook on the web (formerly known as Outlook Web App or OWA). |
| The Microsoft Report Message and Report Phishing add-ins | User | These free add-ins work in Outlook on all available platforms. For installation instructions, see Enable the Report Message or the Report Phishing add-ins. |
| The Submissions page in the Microsoft 365 Defender portal | Admin | Admins use this method to submit good (false positive) and bad (false negative) entities, including user-reported messages, to Microsoft for further analysis. Tabs include Email, Email attachments, URLs, and Files. Note that Files is only available to users with a Microsoft Defender for Endpoint P2 license, Microsoft Defender for Office P2 license, and Microsoft 365 Defender E5 license. The Submissions page is available to organizations that have Exchange Online mailboxes as part of a Microsoft 365 subscription (not available in standalone EOP). |

User reported message settings allow admins to configure whether user reported messages go to a specified reporting mailbox, to Microsoft, or both. Depending on your subscription, user reported messages are available in the following locations in the Microsoft 365 Defender portal:

Admins can use mail flow rules (also known as transport rules) to notify a specified email address when users report messages to Microsoft for analysis. For more information, see Use mail flow rules to see what users are reporting to Microsoft.

Admins can also submit email attachments and other suspected files to Microsoft for analysis using the sample submission portal at https://www.microsoft.com/wdsi/filesubmission. For more information, see Submit files for analysis.

Tip

Information is blocked from going outside the organization when data isn't supposed to leave the tenant boundary for compliance purposes (for example, in U.S. Government organizations: Microsoft 365 GCC, GCC High, and DoD). Reporting a message or file to Microsoft from one of these organizations will have the following message in the result details:

Further investigation needed. Your tenant doesn't allow data to leave the environment, so nothing was found during the initial scan. You'll need to contact Microsoft support to have this item reviewed.

Note

When you report an email entity to Microsoft, everything associated with the email is copied to include it in the continual algorithm reviews. This copy includes the email content, email headers, and related data about email routing. Any message attachments are also included.

Microsoft treats your feedback as your organization's permission to analyze all the information to fine-tune the message hygiene algorithms. Your message is held in secured and audited data centers in the USA. The submission is deleted as soon as it's no longer required. Microsoft personnel might read your submitted messages and attachments, which is normally not permitted for email in Microsoft 365. However, your email is still treated as confidential between you and Microsoft, and your email and attachments aren't shared with any other party as part of the review process.