Use mail flow rules to see what your users are reporting to Microsoft in Exchange Online
In Exchange Online organizations or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, there are multiple ways for users to report messages to Microsoft for analysis. For more information, see Report messages and files to Microsoft.
You can create a mail flow rule (also known as a transport rule) that looks for messages that users report to Microsoft, and you can configure Bcc recipients to receive copies of these reported messages.
You can create the mail flow rule in the Exchange admin center (EAC) and PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
What do you need to know before you begin?
You need to be assigned permissions in Exchange Online or Exchange Online Protection before you can do the procedures in this article. Specifically, you need the Transport Rules role, which is assigned to the Organization Management, Compliance Management (global admins), and Records Management role groups by default.
For more information, see the following topics:
To open the EAC in Exchange Online, see Exchange admin center in Exchange Online. To open the EAC in standalone EOP, see Exchange admin center in standalone EOP.
To connect to Exchange Online PowerShell, see Connect to Exchange Online PowerShell. To connect to standalone EOP PowerShell, see Connect to Exchange Online Protection PowerShell.
For more information about mail flow rules in Exchange Online and standalone EOP, see the following topics:
Use the EAC to create a mail flow rule to receive copies of reported messages
In the EAC, go to Mail flow > Rules.
Click Add and then select Create a new rule.
In the New rule page that opens, configure the following settings:
Name: Enter a unique, descriptive name for the rule. For example, Bcc Messages Reported to Microsoft.
Click More Options.
Apply this rule if: Select The recipient > address includes any of these words. In the Specify words or phrases dialog that appears, enter one of the following values, click Add, and repeat until you've entered all the values.
junk@office365.microsoft.com
abuse@messaging.microsoft.com
phish@office365.microsoft.com
not_junk@office365.microsoft.com
To edit an entry, select it and click Edit. To remove an entry, select it and click Remove.
When you're finished, click OK.
Do the following: Select Add recipients > to the Bcc box. In the dialog that appears, find and select the recipients that you want to add. When you're finished, click OK.
You can make additional selections to audit the rule, test the rule, activate the rule during a specific time period, and other settings. We recommend testing the rule before you enforce it.
When you're finished, click Save.
Use PowerShell to create a mail flow rule to receive copies of reported messages
This example creates a new mail flow rule named Bcc Messages Reported to Microsoft that looks for email messages that are reported to Microsoft by using the methods described in this article, and adds the users laura@contoso.com and julia@contoso.com as Bcc recipients.
New-TransportRule -Name "Bcc Messages Reported to Microsoft" -RecipientAddressContainsWords "junk@office365.microsoft.com","abuse@messaging.microsoft.com","phish@office365.microsoft.com","false_positive@messaging.microsoft.com" -BlindCopyTo "laura@contoso.com","julia@contoso.com"
For detailed syntax and parameter information, see New-TransportRule.
How do you know this worked?
To verify that you've configured a mail flow rule to receive copies of reported messages, do any of the following steps:
In the EAC, go to Mail flow > Rules > select the rule > click Edit, and verify the settings.
In PowerShell, run the following command to verify the settings:
Get-TransportRule -Identity "Bcc Messages Reported to Microsoft" | Format-List
Send a test message to one of the reporting email addresses and verify the results.
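The verification steps above can also be scripted. The following is an added example, not part of the original article or Microsoft's code: it compares the rule's conditions and Bcc recipients with the values from the New-TransportRule example and flags anything missing or unexpected. The function name Test-ReportedMessageRule and the sample object used when no Exchange session is available are constructed for illustration.

```powershell
# Added example, not Microsoft's code. Expected values are copied from the
# New-TransportRule example in this article.
$RuleName      = 'Bcc Messages Reported to Microsoft'
$ExpectedWords = 'junk@office365.microsoft.com', 'abuse@messaging.microsoft.com',
                 'phish@office365.microsoft.com', 'false_positive@messaging.microsoft.com'
$ExpectedBcc   = 'laura@contoso.com', 'julia@contoso.com'

function Test-ReportedMessageRule {   # hypothetical helper name
    param($Rule, [string[]]$Words, [string[]]$Bcc)
    $problems = @()
    # Deserialized remote objects may not be plain strings, so normalize first.
    $haveWords = @($Rule.RecipientAddressContainsWords | Where-Object { $_ } | ForEach-Object { "$_" })
    $haveBcc   = @($Rule.BlindCopyTo | Where-Object { $_ } | ForEach-Object { "$_" })
    if ("$($Rule.State)" -ne 'Enabled') { $problems += "State is '$($Rule.State)', expected 'Enabled'." }
    # Rule actions such as Bcc are applied only when the rule mode is Enforce.
    if ("$($Rule.Mode)" -ne 'Enforce') { $problems += "Mode is '$($Rule.Mode)', so no Bcc copies are sent yet." }
    foreach ($w in $Words)   { if ($haveWords -notcontains $w) { $problems += "Missing reporting address: $w" } }
    foreach ($b in $Bcc)     { if ($haveBcc -notcontains $b)   { $problems += "Missing Bcc recipient: $b" } }
    # A recipient nobody approved would silently receive every reported message.
    foreach ($b in $haveBcc) { if ($Bcc -notcontains $b)       { $problems += "Unexpected Bcc recipient: $b" } }
    return $problems
}

if (Get-Command Get-TransportRule -ErrorAction SilentlyContinue) {
    $rule = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
} else {
    # Constructed sample object so the check can be tried without a session.
    $rule = [pscustomobject]@{
        State = 'Enabled'; Mode = 'Audit'
        RecipientAddressContainsWords = 'junk@office365.microsoft.com', 'phish@office365.microsoft.com'
        BlindCopyTo = 'laura@contoso.com', 'unexpected@contoso.com'
    }
}

if (-not $rule) {
    Write-Warning "Rule '$RuleName' was not found."
} else {
    $issues = @(Test-ReportedMessageRule -Rule $rule -Words $ExpectedWords -Bcc $ExpectedBcc)
    if ($issues.Count -eq 0) { Write-Output "Rule '$RuleName' matches the expected configuration." }
    else { $issues | ForEach-Object { Write-Warning $_ } }
}
```

Running the check on a schedule also surfaces later changes to the rule, such as an added Bcc recipient.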