Report phishing and suspicious emails in Outlook for admins

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

In Microsoft 365 organizations with mailboxes in Exchange Online, users can report phishing and suspicious email in Outlook. Users can report false positives (good email that was blocked or sent to their Junk Email folder) and false negatives (unwanted email or phishing that was delivered to their Inbox) from Outlook on all platforms using free tools from Microsoft.

Microsoft provides the following tools for users to report good and bad messages:

  • Built-in reporting in Outlook on the web (formerly known as Outlook Web App or OWA).
  • The Microsoft Report Message or Report Phishing add-ins. The add-ins work on virtually all Outlook platforms, including Outlook on the web. For more information, see Enable the Microsoft Report Message or Report Phishing add-ins.

For more information about reporting messages to Microsoft, see Report messages and files to Microsoft.

Admins configure user reported messages to go to a specified reporting mailbox, to Microsoft, or both. These user reported messages are available on the User reported tab on the Submissions page in the Microsoft Defender portal. For more information, see User reported settings.

Tip

As a companion to this article, see our Microsoft Defender for Office 365 setup guide to review best practices and to protect against email, link, and collaboration threats. Features include Safe Links, Safe Attachments, and more. For a customized experience based on your environment, you can access the Microsoft Defender for Office 365 automated setup guide in the Microsoft 365 admin center.

Use the built-in Report button in Outlook

  • The built-in Report button is available in the following versions of Outlook:

    • Outlook for Microsoft 365 and Outlook 2021 Version 2407 (Build 17830.20138) or later (available in the Current Channel and coming soon to the Monthly Enterprise Channel).
    • Outlook for Mac version 16.89 (24090815) or later.
    • The new Outlook for Windows.
    • Outlook on the web.

    The Report button is available in supported versions of Outlook if both of the following conditions are true:

    If user reporting is turned off and a non-Microsoft add-in button is selected, the Report button isn't available in supported versions of Outlook.

  • The built-in Report button in Outlook on the web and the new Outlook for Windows supports reporting messages from shared mailboxes or other mailboxes by a delegate.

    • Shared mailboxes require Send As or Send On Behalf permission for the user.
    • Other mailboxes require Send As or Send On Behalf permission and Read and Manage permissions for the delegate.

Use the built-in Report button in Outlook to report junk and phishing messages

  • Users can report a message as junk from the Inbox or any email folder other than Junk Email folder.
  • Users can report a message as phishing from any email folder.

In a supported version of Outlook, select one or more messages, select Report, and then select Report phishing or Report junk in the dropdown list.

Based on the User reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The following actions are also taken on the reported messages in the mailbox:

  • Reported as junk: The messages are moved to the Junk Email folder.
  • Reported as phishing: The messages are deleted.

Use the built-in Report button in Outlook to report messages that aren't junk

In a supported version of Outlook, select one or more messages in the Junk Email folder, select Report, and then select Not junk in the dropdown list.

Based on the User reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The messages are also moved out of Junk Email to the Inbox.

Use the Report Message and Report Phishing add-ins in Outlook

Use the Report Message add-in to report junk and phishing messages

  • Users can report a message as junk from the Inbox or any email folder other than the Junk Email folder.
  • Users can report a message as phishing from any email folder.
  1. In Outlook, do one of the following steps:

    • Select an email message from the list.
    • Open a message.
  2. Do one of the following steps based on your Ribbon Layout configuration in Outlook:

    • Classic Ribbon: Select Report Message, and then select Junk or Phishing in the dropdown list.

    • Simplified Ribbon: Select More commands > Protection section > Report Message > select Junk or Phishing.

Based on the user reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The following actions are also taken on the reported messages in the mailbox:

  • Reported as junk: The messages are moved to the Junk Email folder.
  • Reported as phishing: The messages are deleted.

Use the Report Message add-in to report messages that aren't junk

  1. In Outlook, open a message in the Junk Email folder.

  2. Do one of the following steps based on your Ribbon Layout configuration in Outlook:

    • Classic Ribbon: Select Report Message, and then select Not Junk in the dropdown list.

    • Simplified Ribbon: Select More commands > Protection section > Report Message > select Not Junk.

Based on the user reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The messages are also moved out of Junk Email to the Inbox.

Use the Report Phishing add-in to report phishing messages in Outlook

Users can report phishing messages from any email folder.

  1. In Outlook, do one of the following steps:

    • Select an email message from the list.
    • Open a message.
  2. Do one of the following steps based on your Ribbon Layout configuration in Outlook:

    • Classic Ribbon: Select Report Phishing.

    • Simplified Ribbon: Select More commands > Protection section > Phishing

Based on the User reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The messages are also deleted.

Review reported messages

To review messages that users have reported to Microsoft, admins can use the User reported tab on the Submissions page in the Microsoft Defender portal at https://security.microsoft.com/reportsubmission. For more information, see View user reported messages to Microsoft.

Note

If the User reported settings in the organization send user reported messages (email and Microsoft Teams) to Microsoft (exclusively or in addition to the reporting mailbox), we do the same checks as when admins submit messages to Microsoft for analysis from the Submissions page. So, submitting or resubmitting messages to Microsoft is useful to admins only for messages that have never been submitted to Microsoft, or when you disagree with the original verdict.

More information

Admins can watch this short video to learn how to use Microsoft Defender for Office 365 to easily investigate user reported messages. Admins can determine the contents of a message and how to respond by applying the appropriate remediation action.