Review and unblock forms or users detected and blocked for potential phishing

Microsoft Forms enables automated machine reviews to proactively detect the malicious collection of sensitive data in forms and temporary block those forms from collecting responses. Learn more about Microsoft Forms and proactive phishing prevention.

Note

The steps in this document also apply to Dynamics 365 Customer Voice (formerly known as Forms Pro). Note that a Dynamics 365 Customer Voice license is required in order to unblock Dynamics 365 Customer Voice surveys. Learn more.

Review alerts in the Microsoft Defender portal

If you're a global or security administrator, you'll receive alerts in the Microsoft Defender XDR portal about potential phishing forms for which you can take action.

Note

If you've been assigned a 'Message Center Privacy Reader' role by a global admin, you'll receive data privacy messages for your organization, including daily notifications of any form created within your tenant that has been detected and blocked for potential phishing. You'll see these notifications in the Message center by looking for Microsoft Forms Phishing Notification. (If you don't see this notification in the All active messages tab/view, you may find it in the Dismissed messages tab/view.) For each notification, select the Forms admin review URL link or links to review blocked forms.

In order for security administrators to also receive notifications about potential phishing forms, global administrators need to assign the Message Center Privacy Reader role to them. To learn more about the Message center, see frequently asked questions. Also see how to set email preferences for data privacy messages.

  1. Sign in to the Microsoft Defender XDR portal.

  2. Select Incidents & alerts > Alerts. You may see one or all of the following alerts for Forms:

    • User restricted from sharing forms and collecting responses

    • Form flagged and confirmed as phishing

    • Form blocked due to potential phishing attempt

  3. Select an alert to review it. To review the form that has been flagged, tap or click the three dots in the bottom right corner next to the Manage alert button, and then select Review this form.

    Review this form option

    Tip

    Learn more about alert policies in Microsoft 365.

Unblock a form or confirm its phishing attempt

For each form you review, you can choose whether to unblock it or confirm phishing.

Unblock

Select Unblock if you don't believe a form has malicious intent.

Note

If someone in your tenant requests you to unblock their form, we suggest you ask for specific form information (e.g. date and time of block, title) in order to more efficiently identify the notification in the admin center. Since notifications are sent on a daily basis and include all detected forms in the last 24 hours, identifiable information for the form will be helpful.

Confirm phishing

Select Confirm phishing if you believe a form has malicious intent. The form will be blocked permanently and its owner will no longer be able to edit or delete it.

Once you've selected Confirm phishing, click or tap Delete form to permanently delete the form from your tenant. We strongly suggest immediate password reset for an account in your tenant that you believe has been compromised.

Tip

Your selection of Confirm phishing helps Microsoft Forms improve its detection accuracy. 

Commonly asked questions

When I go to review a blocked form, why don't I see options to unblock it or confirm phishing?

Upon review, you may see a block for a form has already been lifted. This means that in between the time a form was blocked and the time you reviewed it, the form owner removed keywords that were flagged for potential phishing. In this scenario, no further action from you is required.

If a form has been blocked for confirmed phishing, can I remove it?

If the form has already been blocked for confirmed phishing, select Delete form to remove it from your tenant.

What if I don't take any action on a blocked form?

If you choose to not take action (either unblock a form or confirm its phishing intent), the form will stay blocked. The form owner can still edit the form and remove keywords that were flagged for potential phishing.

What if I want to edit or delete the blocked content in the form?

If you prefer to edit and/or delete the blocked content, you can generate a co-authoring page and manage the form as a co-author. To do this, click on the open a co-authoring page link located in the messaging above the form you're reviewing.

Remove restrictions for blocked Microsoft Forms users

Microsoft Forms blocks users who have repeatedly attempted to collect personal or sensitive information from distributing forms and collecting responses. Message Center Privacy Readers will be notified of these blocked users through the Message center. If you believe a blocked user serves no malicious intent and their account is secure, you can take the following steps to unblock them.

Note

Security administrators can also receive notifications about potential phishing forms once a global administrator assigns the Message Center Privacy Reader role to them.

  1. Go to the Message center and look for the notification, Prevent/Fix: Microsoft Forms Detected Potential Phishing.

    Note

    If you don't see this notification in the All active messages tab/view, you may find it in the Dismissed messages tab/view.

    This notification contains a list of users in your tenant that are blocked from sharing forms and collecting responses.

  2. Click on the link provided in the notification to review blocked users.

  3. For each user you believe has no malicious intent, you can choose to click the Unblock link in the Actions column that is associated with that user.

    Note

    If you believe a user has malicious intent, no further action from you is required.

    Note

    It may take 30 minutes or more before restrictions are removed.