Submission result definitions in Exchange Online Protection and Defender for Office 365

• Applies to:

  ✅ Exchange Online Protection, ✅ Microsoft Defender for Office 365 Plan 1 and Plan 2, ✅ Microsoft Defender XDR

In Microsoft 365 organizations with mailboxes in Exchange Online, user reported settings determine whether user reported email messages are sent to Microsoft for analysis. Even if the messages aren't initially sent to Microsoft, admins can manually send or resend email messages (including user reported email messages) from the Submissions page in, email attachments, URLs, and (in Microsoft Defender for Office 365 Plan 2 only) Microsoft Teams messages. For more information, see How do I report a suspicious email or file to Microsoft?.

When admins or users submit items to Microsoft for analysis, we do the following checks:

• Email authentication check (email messages only): Whether the message passed or failed email authentication checks: SPF, DKIM, DMARC, and composite authentication.
• Policy hits: Information about any policies or overrides that might have allowed or blocked the incoming email into the organization, thus overriding our filtering verdicts.
• Payload reputation/detonation: Up-to-date examination of any URLs and attachments in the message.
• Grader analysis: Review done by human graders to confirm whether messages are malicious.

Learn more how submissions are processed behind-the-scenes to generate the result.

Note

In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can submit items to Microsoft for analysis, but the items are analyzed for email authentication and policy hits only. Payload reputation, detonation, and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary).

The following table describes the results of submissions to Microsoft:

• Status indicates whether the previously described checks have been completed.
• Result indicates the details that were generated during the analysis using the previously described checks

Status	Result	Description
Being analyzed	Under investigation	The item is being analyzed as previously described. After the analysis is complete, the status is updated and the result shows details of the analysis.
Completed	Not submitted to Microsoft	The user reported settings are configured to deliver reported messages to the reporting mailbox only. Microsoft is unable to automatically receive the copy of the submitted item and act on it. You can update the user reported settings to deliver messages to the reporting mailbox and to Microsoft, or to Microsoft only.
Completed	Phishing simulation	The submitted item is part of your part of an internal anti-phishing education campaign. Check the Advanced delivery policy or (in Defender for Office 365 Plan 2) Attack simulation training.
Completed	Authentication failed	The message wasn't delivered because it failed email authentication. If you own this domain, review your domain authentication settings. Otherwise, contact the domain owner. For more information, see Email authentication in Microsoft 365.
Completed	Spoofed message	The submitted item was sent by someone who is spoofing the sender. For more information, see Spoof intelligence insight in EOP.
Completed	Domain Impersonation	In Defender for Office 365, the submitted item came from a domain that resembles a domain identified for domain impersonation protection. We recommend that you review the item and (if necessary) add the sender domain to the list of trusted senders in the anti-phishing policy that detected the message. For more information, see Domain impersonation protection.
Completed	Brand Impersonation	In Defender for Office 365, the submitted item came from someone who is associated with a brand. We recommend that you review the item and (if necessary) add the sender address as an allow entry in the Tenant Allow/Block List.
Completed	User Impersonation	In Defender for Office 365, the submitted item comes from a sender that resembles a user identified for user impersonation protection. We recommend that you review the item and (if necessary) add the sender to the list of trusted senders in the anti-phishing policy that detected the message. For more information, see User impersonation protection.
Completed	Allowed due to organizational overrides	An entity associated with the submitted item was allowed in one of the following settings: The Advanced delivery for a SecOps mailbox Enhanced Filtering for Connectors The connection filter policy The Tenant Allow/Block List An Exchange mail flow rule (transport rule) An action configured in your policy settings. Check the submission result for the exact cause and remove or fix the setting.
Completed	Allowed due to user overrides	The submitted item recipient has Outlook configurable allow settings in their mailbox (for example, a sender or domain in their Safe Senders List). Check the submission result for the exact cause and remove or fix the setting.
Completed	Blocked due to organizational overrides	An entity associated with the submitted item was blocked in one of the following settings: The connection filter policy The Tenant Allow/Block List An Exchange mail flow rule (transport rule) An action configured in your policy settings. Check the submission result for the exact cause and remove or fix the setting.
Completed	Blocked due to user overrides	The submitted item recipient has Outlook configurable block settings in their mailbox (for example, a sender or domain in the Blocked Senders list or Safe Lists only turned on). Check the submission result for the exact cause and remove or fix the setting.
Completed	Item was not found	The submitted item is unavailable because it was deleted or the submission is invalid. Only items from Exchange Online mailboxes can be submitted. Resubmit the .eml file or Network Message ID of a message from an Exchange Online mailbox.
Completed	The reason behind this verdict was lost in transit	The submitted item was routed via Hybrid mail flow between on-premises Exchange and Exchange Online, and the filtering verdict was lost. Check any similar messages that were delivered directly to your cloud mailbox and fix your routing.
Completed	We did not receive the submission, please fix the problem and resubmit	The submitted item did not reach the submission service. Verify that no policies or mail flow rules prevent items from reaching our service. For more information, see Microsoft 365 URLs and IP address ranges.
Completed	Further analysis needed	In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD) receive this result when nothing is found within the allowed checks for Email authentication checks and Policy hits. We recommend opening a support ticket to get the submitted item analyzed.
Completed	Unknown - We checked but can't make a decision right now	Microsoft could not reach a decision regarding the submitted item. Explanations include different interpretations by different analysts or the item being inaccessible. Microsoft continuously invests in the analysis process so this result is less common.
Completed	Bulk	The submitted item sender was classified as a bulk sender. In the future, similar items are blocked if they meet or exceed the bulk compliant level (BCL) threshold in anti-spam policies. For more information, see Bulk complaint level (BCL) in EOP. To prevent similar items from being delivered, you can create block entries for domains or email addresses, files, or URLs in the Tenant Allow/Block List. For more information, see Block entries in the Tenant Allow/Block List.
Completed	Spam	The submitted item was classified as spam. In the future, similar items are blocked if they meet or exceed the spam confidence level (SCL) threshold in anti-spam policies. For more information, see Spam confidence level (SCL) in EOP. To prevent similar items from being delivered, you can create block entries for domains or email addresses, files, or URLs in the Tenant Allow/Block List. For more information, see Block entries in the Tenant Allow/Block List.
Completed	No threats found	The submitted item was found to be clean. After a period of evaluation, the filters might be updated using the information from the submission. Until the filters learn about the submission, you can create block entries or allow entries for the item in the Tenant Allow/Block List.
Completed	Threats found	The submitted item was found to be malicious. After a period of evaluation, the filters might be updated using the information from the submission. Until the filters learn about the submission, you can create block entries or allow entries for the item in the Tenant Allow/Block List.