View email security reports in the Microsoft 365 Defender portal

A variety of reports are available in the Microsoft 365 Defender portal at https://security.microsoft.com to help you see how email security features, such as anti-spam and anti-malware features in Microsoft 365, are protecting your organization. If you have the necessary permissions, you can view and download these reports as described in this article.

Note

Some of the reports on the Email & collaboration reports page require Microsoft Defender for Office 365. For information about these reports, see View Defender for Office 365 reports in the Microsoft 365 Defender portal.

Reports that are related to mail flow are now in the Exchange admin center. For more information about these reports, see Mail flow reports in the new Exchange admin center.

Email security report changes in the Microsoft 365 Defender portal

The Exchange Online Protection (EOP) and Microsoft Defender for Office 365 reports in the Microsoft 365 Defender portal that have been replaced, moved, or deprecated are described in the following table.

| Deprecated report and cmdlets | New report and cmdlets | Message Center ID | Date |
|---|---|---|---|
| URL trace (Get-URLTrace) | URL protection report (Get-SafeLinksAggregateReport, Get-SafeLinksDetailReport) | MC239999 | June 2021 |
| Sent and received email report (Get-MailTrafficReport, Get-MailDetailReport) | Threat protection status report, Mailflow status report (Get-MailTrafficATPReport, Get-MailDetailATPReport, Get-MailFlowStatusReport) | MC236025 | June 2021 |
| Forwarding report (no cmdlets) | Auto-forwarded messages report in the EAC (no cmdlets) | MC250533 | June 2021 |
| Safe Attachments file types report (Get-AdvancedThreatProtectionTrafficReport, Get-MailDetailMalwareReport) | Threat protection status report: View data by Email > Malware (Get-MailTrafficATPReport, Get-MailDetailATPReport) | MC250532 | June 2021 |
| Safe Attachments message disposition report (Get-AdvancedThreatProtectionTrafficReport, Get-MailDetailMalwareReport) | Threat protection status report: View data by Email > Malware (Get-MailTrafficATPReport, Get-MailDetailATPReport) | MC250531 | June 2021 |
| Malware detected in email report (Get-MailTrafficReport, Get-MailDetailMalwareReport) | Threat protection status report: View data by Email > Malware (Get-MailTrafficATPReport, Get-MailDetailATPReport) | MC250530 | June 2021 |
| Spam detection report (Get-MailTrafficReport, Get-MailDetailSpamReport) | Threat protection status report: View data by Email > Spam (Get-MailTrafficATPReport, Get-MailDetailATPReport) | MC250529 | October 2021 |
| Get-AdvancedThreatProtectionDocumentReport, Get-AdvancedThreatProtectionDocumentDetail | Get-ContentMalwareMdoAggregateReport, Get-ContentMalwareMdoDetailReport | MC343433 | May 2022 |
| Exchange transport rule report (Get-MailTrafficPolicyReport, Get-MailDetailTransportRuleReport) | Exchange transport rule report in the EAC (Get-MailTrafficPolicyReport, Get-MailDetailTransportRuleReport) | MC316157 | April 2022 |
| Get-MailTrafficTopReport | Top senders and recipient report (Get-MailTrafficSummaryReport). Note: There is no replacement for the encryption reporting capabilities in Get-MailTrafficTopReport. | MC315742 | April 2022 |

Compromised users report

Note

This report is available in Microsoft 365 organizations with Exchange Online mailboxes. It's not available in standalone Exchange Online Protection (EOP) organizations.

The Compromised users report shows the number of user accounts that were marked as Suspicious or Restricted within the last 7 days. Accounts in either of these states are problematic or even compromised. With frequent use, you can use the report to spot spikes, and even trends, in suspicious or restricted accounts. For more information about compromised users, see Responding to a compromised email account.

The Compromised users widget on the Email & collaboration reports page.

The aggregate view shows data for the last 90 days and the detail view shows data for the last 30 days.

To view the report in the Microsoft 365 Defender portal at https://security.microsoft.com, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Compromised users and then click View details. To go directly to the report, open https://security.microsoft.com/reports/CompromisedUsers.

On the Compromised users page, the chart shows the following information for the specified date range:

  • Restricted: The user account has been restricted from sending email due to highly suspicious patterns.
  • Suspicious: The user account has sent suspicious email and is at risk of being restricted from sending email.

The details table below the graph shows the following information:

  • Creation time
  • User ID
  • Action
  • Tags: For more information about user tags, see User tags.

You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears:

  • Date (UTC): Start date and End date.
  • Activity: Restricted or Suspicious
  • Tag: All or the specified user tag (including priority accounts).

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Compromised users page, the Create schedule, Request report, and Export buttons are available.

The Report view in the Compromised users report.
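
An added example (not part of the original article and not Microsoft tooling): one way to look for the spikes and Suspicious-to-Restricted escalations discussed above in an exported copy of the Compromised users details table. The column names follow the details table; the CSV layout, the timestamp format, the sample rows, and the spike thresholds are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data). Column names mirror the details
# table described above; the CSV layout and timestamp format are assumptions.
SAMPLE_EXPORT = """Creation time,User ID,Action,Tags
2023-03-01T08:12:00Z,alice@contoso.com,Suspicious,
2023-03-03T10:40:00Z,bob@contoso.com,Suspicious,Priority account
2023-03-06T09:05:00Z,alice@contoso.com,Restricted,
2023-03-08T07:30:00Z,carol@contoso.com,Suspicious,
2023-03-08T07:55:00Z,dave@contoso.com,Suspicious,
2023-03-08T08:20:00Z,erin@contoso.com,Restricted,
2023-03-08T09:10:00Z,bob@contoso.com,Restricted,Priority account
"""


def load_events(csv_text):
    """Parse the export into (timestamp, user, action) tuples, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row["Action"].strip()
        if action not in ("Restricted", "Suspicious"):
            continue  # skip rows that are not one of the two report states
        ts = datetime.strptime(row["Creation time"].strip(), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, row["User ID"].strip().lower(), action))
    return sorted(events)


def daily_counts(events):
    """Count Restricted and Suspicious events per UTC day."""
    counts = defaultdict(Counter)
    for ts, _user, action in events:
        counts[ts.date()][action] += 1
    return dict(counts)


def find_spikes(counts, window=7, factor=2.0, min_count=3):
    """Return (day, total, baseline) for days that stand out.

    A day is a spike when its total is at least min_count and exceeds
    factor times the mean of the preceding `window` days. Days without
    any events count as zero in that mean.
    """
    spikes = []
    for day in sorted(counts):
        total = sum(counts[day].values())
        prior = [
            sum(counts.get(day - timedelta(days=n), {}).values())
            for n in range(1, window + 1)
        ]
        baseline = sum(prior) / window
        if total >= min_count and total > factor * baseline:
            spikes.append((day, total, round(baseline, 2)))
    return spikes


def escalated_users(events):
    """Map users seen as Suspicious and later Restricted to both timestamps."""
    first_suspicious = {}
    escalated = {}
    for ts, user, action in events:
        if action == "Suspicious":
            first_suspicious.setdefault(user, ts)
        elif user in first_suspicious and user not in escalated:
            escalated[user] = (first_suspicious[user], ts)
    return escalated


if __name__ == "__main__":
    events = load_events(SAMPLE_EXPORT)
    for day, total, baseline in find_spikes(daily_counts(events)):
        print(f"{day}: {total} accounts flagged (trailing daily mean {baseline})")
    for user, (seen, restricted) in escalated_users(events).items():
        print(f"{user}: Suspicious {seen:%Y-%m-%d}, Restricted {restricted:%Y-%m-%d}")
```

Because the detail view covers the last 30 days, a scheduled or repeated export is needed to keep a longer baseline than that.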

Exchange transport rule report

The Exchange transport rule report shows the effect of mail flow rules (also known as transport rules) on incoming and outgoing messages in your organization.

To view the report in the Microsoft 365 Defender portal, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Exchange transport rule and then click View details. To go directly to the report, open https://security.microsoft.com/reports/ETRRuleReport.

The Exchange transport rule widget on the Email & collaboration reports page.

On the Exchange transport rule report page, the available charts and data are described in the following sections.

Note

The Exchange transport rule report is now available in the EAC. For more information, see Exchange transport rule report in the new EAC.

Chart breakdown by Direction

The Direction view for Exchange Transport rules in the Exchange transport rule report.

If you select Chart breakdown by Direction, the following charts are available:

  • View data by Exchange transport rules: The number of Inbound and Outbound messages that were affected by mail flow rules.
  • View data by DLP Exchange transport rules: The number of Inbound and Outbound messages that were affected by data loss prevention (DLP) mail flow rules.

The following information is shown in the details table below the graph:

  • Date
  • DLP policy (View data by DLP Exchange transport rules only)
  • Transport rule
  • Subject
  • Sender address
  • Recipient address
  • Severity
  • Direction

You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears:

  • Date (UTC) Start date and End date.
  • Direction: Outbound and Inbound.
  • Severity: High severity, Medium severity, and Low severity

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Exchange transport rule report page, the Create schedule, Request report, and Export buttons are available.

Chart breakdown by Severity

The Severity view for Exchange Transport rules in the Exchange transport rule report.

If you select Chart breakdown by Severity, the following charts are available:

  • View data by Exchange transport rules: The number of High severity, Medium severity, and Low severity messages. You set the severity level as an action in the rule (Audit this rule with severity level or SetAuditSeverity). For more information, see Mail flow rule actions in Exchange Online.

  • View data by DLP Exchange transport rules: The number of High severity, Medium severity, and Low severity messages that were affected by DLP mail flow rules.

The following information is shown in the details table below the graph:

  • Date
  • DLP policy (View data by DLP Exchange transport rules only)
  • Transport rule
  • Subject
  • Sender address
  • Recipient address
  • Severity
  • Direction

You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears:

  • Date (UTC) Start date and End date
  • Direction: Outbound and Inbound
  • Severity: High severity, Medium severity, and Low severity

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Exchange transport rule report page, the Create schedule, Request report, and Export buttons are available.

Forwarding report

Note

This report is now available in the EAC. For more information, see Auto forwarded messages report in the new EAC.

Mailflow status report

The Mailflow status report is a smart report that shows information about incoming and outgoing email, spam detections, malware, email identified as "good", and information about email allowed or blocked on the edge. This is the only report that contains edge protection information, and shows just how much email is blocked before being allowed into the service for evaluation by Exchange Online Protection (EOP). It's important to understand that if a message is sent to five recipients we count it as five different messages and not one message.

To view the report in the Microsoft 365 Defender portal at https://security.microsoft.com, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Mailflow status summary and then click View details. To go directly to the report, open https://security.microsoft.com/reports/mailflowStatusReport.

The Mailflow status summary widget on the Email & collaboration reports page.

Type view for the Mailflow status report

The Type view in the Mailflow status report.

On the Mailflow status report page, the Type tab is selected by default. The chart shows the following information for the specified date range:

  • Good mail: Email that's determined not to be spam or is allowed by user or organizational policies.
  • Total
  • Malware: Email that's blocked as malware by various filters.
  • Phishing email: Email that's blocked as phishing by various filters.
  • Spam: Email that's blocked as spam by various filters.
  • Edge protection: Email that's rejected at the edge/perimeter before being evaluated by EOP or Defender for Office 365.
  • Rule messages: Email messages that were acted upon by mail flow rules (also known as transport rules).

The details table below the graph shows the following information:

  • Direction
  • Type
  • 24 hours
  • 3 days
  • 7 days
  • 15 days
  • 30 days

You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears:

  • Date (UTC): Start date and End date.
  • Mail direction: Inbound and Outbound.
  • Type:
    • Good mail
    • Malware
    • Spam
    • Edge protection
    • Rule messages
    • Phishing email

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

Back on the Mailflow status report page, if you click Choose a category for more details, you can select from the following values:

On the Mailflow status report page, the Create schedule and Export buttons are available.

Direction view for the Mailflow status report

The Direction view in the Mailflow status report.

If you click the Direction tab, the chart shows the following information for the specified date range:

  • Inbound
  • Outbound

You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears:

  • Date (UTC): Start date and End date.
  • Mail direction: Inbound and Outbound.
  • Type:
    • Good mail
    • Malware
    • Spam
    • Edge protection
    • Rule messages
    • Phishing email

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

Back on the Mailflow status report page, if you click Choose a category for more details, you can select from the following values:

On the Mailflow status report page, the Create schedule and Export buttons are available.

Mailflow view for the Mailflow status report

The Mailflow view shows you how Microsoft's email threat protection features filter incoming and outgoing email in your organization. This view uses a horizontal flow diagram (known as a Sankey diagram) to provide details on the total email count, and how the configured threat protection features, including edge protection, anti-malware, anti-phishing, anti-spam, and anti-spoofing affect this count.

The Mailflow view in the Mailflow status report.

The aggregate view and details table view allow for 90 days of filtering.

The information in the diagram is color-coded by EOP or Defender for Office 365 technologies.

The diagram is organized into the following horizontal bands:

  • Total email band: This value is always shown first.
  • Edge block and Processed band:
    • Edge block: Messages that are filtered at the edge and identified as Edge Protection.
    • Processed: Messages that are handled by the filtering stack.
  • Outcomes band:
    • Rule Block: Messages that are processed by Exchange mail flow rules (transport rules).
    • Malware block: Messages that are identified as malware by various filters.*
    • Phish block: Messages identified as phish during processing by various filters.*
    • Spam block: Messages identified as spam during processing by various filters.*
    • Impersonation block: Messages detected as user impersonation or domain impersonation in Defender for Office 365.*
    • Detonation block: Messages detected during file or URL detonation by Safe Attachments policies or Safe Links policies in Defender for Office 365.*
    • ZAP removed: Messages that are removed by zero-hour auto purge (ZAP).*
    • Delivered: Messages delivered to users due to an allow.*

If you hover over a horizontal band in the diagram, you'll see the number of related messages.

* If you click on this element, the diagram is expanded to show further details. For a description of each element in the expanded nodes, see Detection technologies.

The Phishing block details in Mailflow view in the Mailflow status report.

The details table below the diagram shows the following information:

  • Date
  • Total email
  • Edge filtered
  • Rule messages
  • Anti-malware engine, Safe Attachments, rule filtered
  • DMARC impersonation, spoof, phish filtered
  • Detonation detection
  • Anti-spam filtered
  • ZAP removed
  • Messages where no threats were detected

If you select a row in the details table, a further breakdown of the email counts is shown in the details flyout that appears.

You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears:

  • Date (UTC) Start date and End date.
  • Direction: Outbound and Inbound.

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

Back on the Mailflow status report page, you can click Show trends to see trend graphs in the Mailflow trends flyout that appears.

The Mailflow trends flyout in Mailflow view in the Mailflow status report.

On the Mailflow status report page, the Export button is available.

Malware detections report

Note

This report has been deprecated. The same information is available in the Threat protection status report.

Mail latency report

The Mail latency report in Defender for Office 365 contains information on the mail delivery and detonation latency experienced within your organization. For more information, see Mail latency report.

Post-delivery activities report

Note

This report is in the process of being rolled out. Worldwide availability is expected by the end of March 2023.

The Post-delivery activities report shows information about email messages that were removed from user mailboxes after delivery by zero-hour auto purge (ZAP). For more information about ZAP, see Zero-hour auto purge (ZAP) in Exchange Online.

The report shows real-time information, with updated threat information.

To view the report in the Microsoft 365 Defender portal, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find ZAP report and then click View details. To go directly to the report, open https://security.microsoft.com/reports/ZapReport.

The Post-delivery activities widget on the Email & collaboration reports page.

On the Post-delivery activities page, the chart shows the following information for the specified date range:

  • No threat: The number of unique delivered messages that were found to be not spam by ZAP.
  • Spam: The number of unique messages that were removed from mailboxes by ZAP for spam.
  • Phishing: The number of unique messages that were removed from mailboxes by ZAP for phishing.
  • Malware: The number of unique messages that were removed from mailboxes by ZAP for malware.

The details table below the graph shows the following information:

  • Subject
  • Received time
  • Sender
  • Recipient
  • ZAP time
  • Original threat
  • Original location
  • Updated threat
  • Updated delivery location
  • Detection technology

You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears:

  • Date (UTC): Start date and End date.
  • Verdict:
    • No threat
    • Spam
    • Phishing
    • Malware

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Post-delivery activities page, the Create schedule and Export buttons are available.

The Post-delivery activities report.

Spam detections report

Note

This report has been deprecated. The same information is available in the Threat protection status report.

Spoof detections report

The Spoof detections report shows information about messages that were blocked or allowed due to spoofing. For more information about spoofing, see Anti-spoofing protection in EOP.

The aggregate and detail views of the report allow for 90 days of filtering.

To view the report in the Microsoft 365 Defender portal, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Spoof detections and then click View details. To go directly to the report, open https://security.microsoft.com/reports/SpoofMailReport.

The Spoof detections widget on the Email & collaboration reports page.

The chart shows the following information:

  • Pass
  • Fail
  • SoftPass
  • None
  • Other

When you hover over a day (data point) in the chart, you can see how many spoofed messages were detected and why.

You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears:

  • Date (UTC) Start date and End date
  • Result:
    • Pass
    • Fail
    • SoftPass
    • None
    • Other
  • Spoof type: Internal and External

The Spoof mail report page in the Microsoft 365 Defender portal.

The details table below the graph shows the following information:

  • Date
  • Spoofed user
  • Sending infrastructure
  • Spoof type
  • Result
  • Result code
  • SPF
  • DKIM
  • DMARC
  • Message count

For more information about composite authentication result codes, see Anti-spam message headers in Microsoft 365.

On the Spoof detections page, the Create schedule, Request report, and Export buttons are available.

Submissions report

The Submissions report shows information about items that admins have reported to Microsoft for analysis. For more information, see Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft.

To view the report in the Microsoft 365 Defender portal at https://security.microsoft.com, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Submissions and then click View details. To go directly to the report, open https://security.microsoft.com/adminSubmissionReport. To go to admin submissions in the Microsoft 365 Defender portal, click Go to Submissions. Admins will be able to view the report for the last 30 days.

The Submissions widget on the Email & collaboration reports page.

The chart shows the following information:

  • Pending
  • Completed

You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears:

  • Date reported: Start time and End time
  • Submission type:
    • Email
    • URL
    • File
  • Submission ID
  • Network Message ID
  • Sender
  • Name
  • Submitted by
  • Reason for submitting:
    • Not junk
    • Phish
    • Malware
    • Spam
  • Rescan status:
    • Pending
    • Completed

The details table below the graph shows the same information and has the same Group or Customize columns options as on the Submitted for analysis tab at Email & collaboration > Submissions. For more information, see View email admin submissions to Microsoft.

On the Submissions page, the Export button is available.

The Submissions report page in the Microsoft 365 Defender portal.

Threat protection status report

The Threat protection status report is available in both EOP and Defender for Office 365; however, the reports contain different data. For example, EOP customers can view information about malware detected in email, but not information about malicious files detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.

The report provides the count of email messages with malicious content, such as files or website addresses (URLs) that were blocked by the anti-malware engine, zero-hour auto purge (ZAP), and Defender for Office 365 features like Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies. You can use this information to identify trends or determine whether organization policies need adjustment.

Note: It's important to understand that if a message is sent to five recipients we count it as five different messages and not one message.

To view the report in the Microsoft 365 Defender portal, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Threat protection status and then click View details. To go directly to the report, open one of the following URLs:

The Threat protection status widget on the Email & collaboration reports page.

By default, the chart shows data for the past 7 days. If you click Filter on the Threat protection status report page, you can select a 90 day date range (trial subscriptions might be limited to 30 days). The details table allows filtering for 30 days.

The available views are described in the following sections.

View data by Overview

The Overview view in the Threat protection status report.

In the View data by Overview view, the following detection information is shown in the chart:

  • Email malware
  • Email phish
  • Email spam
  • Content malware

No details table is available below the chart.

If you click Filter, the following filters are available:

  • Date (UTC) Start date and End date.
  • Detection: The same values as in the chart.
  • Protected by: MDO (Defender for Office 365) and EOP.
  • Tag: All or the specified user tag (including priority accounts). For more information about user tags, see User tags.
  • Direction:
    • All
    • Inbound
    • Outbound
  • Domain: All or an accepted domain.
  • Policy type:
    • All
    • Anti-malware
    • Safe Attachments
    • Anti-phish
    • Anti-spam
    • Mail flow rule (transport rule)
    • Others

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

View data by Email > Phish and Chart breakdown by Detection Technology

The Detection technology view for phishing email in the Threat protection status report.

Note

Starting in May 2021, phishing detections in email were updated to include message attachments that contain phishing URLs. This change might shift some of the detection volume out of the View data by Email > Malware view and into the View data by Email > Phish view. In other words, message attachments with phishing URLs that were traditionally identified as malware now might be identified as phishing instead.

In the View data by Email > Phish and Chart breakdown by Detection Technology view, the following information is shown in the chart:

  • Advanced filter: Phishing signals based on machine learning.
  • Campaign*: Messages identified as part of a campaign.
  • File detonation*: Safe Attachments detected a malicious attachment during detonation analysis.
  • File detonation reputation*: File attachments previously detected by Safe Attachments detonations in other Microsoft 365 organizations.
  • File reputation: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.
  • Fingerprint matching: The message closely resembles a previously detected malicious message.
  • General filter: Phishing signals based on analyst rules.
  • Impersonation brand: Sender impersonation of well-known brands.
  • Impersonation domain*: Impersonation of sender domains that you own or specified for protection in anti-phishing policies.
  • Impersonation user*: Impersonation of protected senders that you specified in anti-phishing policies or learned through mailbox intelligence.
  • Mailbox intelligence impersonation*: Impersonation detections from mailbox intelligence in anti-phishing policies.
  • Mixed analysis detection: Multiple filters contributed to the message verdict.
  • Spoof DMARC: The message failed DMARC authentication.
  • Spoof external domain: Sender email address spoofing using a domain that's external to your organization.
  • Spoof intra-org: Sender email address spoofing using a domain that's internal to your organization.
  • URL detonation*: Safe Links detected a malicious URL in the message during detonation analysis.
  • URL detonation reputation*: URLs previously detected by Safe Links detonations in other Microsoft 365 organizations.
  • URL malicious reputation: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.

* Defender for Office 365 only

In the details table below the chart, the following information is available:

  • Date
  • Subject
  • Sender
  • Recipients
  • Detection technology: The same detection technology values from the chart.
  • Delivery status
  • Sender IP
  • Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

  • Date (UTC) Start date and End date
  • Detection: The same values as in the chart.
  • Protected by: MDO (Defender for Office 365) or EOP
  • Direction:
    • All
    • Inbound
    • Outbound
  • Tag: All or the specified user tag (including priority accounts).
  • Domain: All or an accepted domain.
  • Policy type:
    • All
    • Anti-malware
    • Safe Attachments
    • Anti-phish
    • Anti-spam
    • Mail flow rule (transport rule)
    • Others
  • Policy name (details table view only): All or the specified policy.
  • Recipients

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Create schedule, Request report, and Export buttons are available.

View data by Email > Spam and Chart breakdown by Detection Technology

The Detection technology view for spam in the Threat protection status report.

In the View data by Email > Spam and Chart breakdown by Detection Technology view, the following information is shown in the chart:

  • Advanced filter: Phishing signals based on machine learning.
  • Bulk: The bulk complaint level (BCL) of the message exceeds the defined threshold for spam.
  • Domain reputation: The message was from a domain that was previously identified as sending spam in other Microsoft 365 organizations.
  • Fingerprint matching: The message closely resembles a previously detected malicious message.
  • IP reputation: The message was from a source that was previously identified as sending spam in other Microsoft 365 organizations.
  • Mixed analysis detection: Multiple filters contributed to the verdict for the message.
  • URL malicious reputation: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.

In the details table below the chart, the following information is available:

  • Date
  • Subject
  • Sender
  • Recipients
  • Detection technology: The same detection technology values from the chart.
  • Delivery status
  • Sender IP
  • Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

  • Date (UTC) Start date and End date
  • Detection: The same values as in the chart.
  • Bulk Complaint Level
  • Direction:
    • All
    • Inbound
    • Outbound
  • Tag: All or the specified user tag (including priority accounts).
  • Domain: All or an accepted domain.
  • Policy type:
    • All
    • Anti-malware
    • Safe Attachments
    • Anti-phish
    • Anti-spam
    • Mail flow rule (transport rule)
    • Others
  • Policy name (details table view only): All or the specified policy.
  • Recipients

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Create schedule, Request report, and Export buttons are available.

View data by Email > Malware and Chart breakdown by Detection Technology

The Detection technology view for malware in the Threat protection status report.

Note

Starting in May 2021, malware detections in email were updated to include harmful URLs in message attachments. This change might shift some of the detection volume out of the View data by Email > Phish view and into the View data by Email > Malware view. In other words, harmful URLs in message attachments that were traditionally identified as phishing now might be identified as malware instead.

In the View data by Email > Malware and Chart breakdown by Detection Technology view, the following information is shown in the chart:

  • File detonation*: Safe Attachments detected a malicious attachment during detonation analysis.
  • File detonation reputation*: File attachments previously detected by Safe Attachments detonations in other Microsoft 365 organizations.
  • File reputation: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.
  • Anti-malware engine*: Detection from anti-malware engines.
  • Anti-malware policy file type block: The message was blocked due to the file type of the attachment (common attachment filtering in anti-malware policies).
  • URL detonation*: Safe Links detected a malicious URL in the message during detonation analysis.
  • URL detonation reputation*: URLs previously detected by Safe Links detonations in other Microsoft 365 organizations.
  • Campaign*: Messages identified as part of a campaign.

* Defender for Office 365 only

In the details table below the chart, the following information is available:

  • Date
  • Subject
  • Sender
  • Recipients
  • Detection technology: The same detection technology values from the chart.
  • Delivery Status
  • Sender IP
  • Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

  • Date (UTC) Start date and End date
  • Detection: The same values as in the chart.
  • Protected by: MDO (Defender for Office 365) or EOP
  • Direction:
    • All
    • Inbound
    • Outbound
  • Tag: All or the specified user tag (including priority accounts).
  • Domain: All or an accepted domain.
  • Policy type:
    • All
    • Anti-malware
    • Safe Attachments
    • Anti-phish
    • Anti-spam
    • Mail flow rule (transport rule)
    • Others
  • Policy name (details table view only): All or the specified policy.
  • Recipients

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Create schedule, Request report, and Export buttons are available.

Chart breakdown by Policy type

The Policy type view for phishing email, spam email, or malware email in the Threat protection status report.

In the View data by Email > Phish, View data by Email > Spam, or View data by Email > Malware views, selecting Chart breakdown by Policy type shows the following information in the chart:

  • Anti-malware
  • Safe Attachments*
  • Anti-phish
  • Anti-spam
  • Mail flow rule (also known as a transport rule)
  • Others

In the details table below the chart, the following information is available:

  • Date
  • Subject
  • Sender
  • Recipients
  • Detection technology: The same detection technology values from the chart.
  • Delivery status
  • Sender IP
  • Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

  • Date (UTC) Start date and End date
  • Detection: Detection technology values as previously described in this article and at Detection technologies.
  • Protected by: MDO (Defender for Office 365) or EOP
  • Direction:
    • All
    • Inbound
    • Outbound
  • Tag: All or the specified user tag (including priority accounts).
  • Domain: All or an accepted domain.
  • Policy type:
    • All
    • Anti-malware
    • Safe Attachments
    • Anti-phish
    • Anti-spam
    • Mail flow rule (transport rule)
    • Others
  • Policy name (details table view only): All or the specified policy.
  • Recipients

* Defender for Office 365 only

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Create schedule, Request report, and Export buttons are available.

Chart breakdown by Delivery status

The Delivery status view for phishing email and malware email in the Threat protection status report.

In the View data by Email > Phish, View data by Email > Spam, or View data by Email > Malware views, selecting Chart breakdown by Delivery status shows the following information in the chart:

  • Hosted mailbox: Inbox
  • Hosted mailbox: Junk
  • Hosted mailbox: Custom folder
  • Hosted mailbox: Deleted Items
  • Forwarded
  • On-premises server: Delivered
  • Quarantine
  • Delivery failed
  • Dropped

In the details table below the chart, the following information is available:

  • Date
  • Subject
  • Sender
  • Recipients
  • Detection technology: The same detection technology values from the chart.
  • Delivery status
  • Sender IP
  • Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

  • Date (UTC) Start date and End date
  • Detection: Detection technology values as previously described in this article and at Detection technologies.
  • Protected by: MDO (Defender for Office 365) or EOP
  • Direction:
    • All
    • Inbound
    • Outbound
  • Tag: All or the specified user tag (including priority accounts).
  • Domain: All or an accepted domain.
  • Policy type:
    • All
    • Anti-malware
    • Safe Attachments
    • Anti-phish
    • Anti-spam
    • Mail flow rule (transport rule)
    • Others
  • Policy name (details table view only): All or the specified policy.
  • Recipients

* Defender for Office 365 only

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Create schedule, Request report, and Export buttons are available.

View data by Content > Malware

The Content malware view in the Threat protection status report.

In the View data by Content > Malware view, the following information is shown in the chart for Microsoft Defender for Office 365 organizations:

In the details table below the chart, the following information is available:

  • Date (UTC)
  • Attachment filename
  • Workload
  • Detection technology: The same detection technology values from the chart.
  • File size
  • Last modifying user

If you click Filter, the following filters are available:

  • Date (UTC) Start date and End date.
  • Detection: The same values as in the chart.
  • Workload: Teams, SharePoint, and OneDrive

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Create schedule, Request report, and Export buttons are available.

View data by System override and Chart breakdown by Reason

The Message override and Chart breakdown by Reason view in the Threat protection status report.

In the View data by System override and Chart breakdown by Reason view, the following override reason information is shown in the chart:

In the details table below the chart, the following information is available:

  • Date
  • Subject
  • Sender
  • Recipients
  • System override
  • Sender IP
  • Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

  • Date (UTC) Start date and End date
  • Reason: The same values as the chart.
  • Delivery Location: Junk Mail folder not enabled or SecOps mailbox.
  • Direction:
    • All
    • Inbound
    • Outbound
  • Tag: All or the specified user tag (including priority accounts).
  • Domain: All or an accepted domain.
  • Policy type: All
  • Policy name (details table view only): All
  • Recipients

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Export button is available.

View data by System override and Chart breakdown by Delivery location

The Message override and Chart breakdown by Delivery Location view in the Threat protection status report.

In the View data by System override and Chart breakdown by Delivery location view, the following override reason information is shown in the chart:

In the details table below the chart, the following information is available:

  • Date
  • Subject
  • Sender
  • Recipients
  • System override
  • Sender IP
  • Tags: For more information about user tags, see User tags.

If you click Filter, the following filters are available:

  • Date (UTC) Start date and End date
  • Reason
  • Delivery Location: Junk Mail folder not enabled or SecOps mailbox.
  • Direction:
    • All
    • Inbound
    • Outbound
  • Tag: All or the specified user tag (including priority accounts). For more information about user tags, see User tags.
  • Domain: All or an accepted domain.
  • Policy type:
    • All
    • Anti-malware
    • Safe Attachments*
    • Anti-phish
    • Anti-spam
    • Mail flow rule (transport rule)
    • Others
  • Policy name (details table view only): All
  • Recipients

* Defender for Office 365 only

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Threat protection status page, the Export button is available.

Top malware report

The Top malware report shows the various kinds of malware that were detected by anti-malware protection in EOP.

To view the report in the Microsoft 365 Defender portal, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Top malware and then click View details. To go directly to the report, open https://security.microsoft.com/reports/TopMalware.

The Top malware widget on the Email & collaboration reports page.

When you hover over a wedge in the pie chart, you can see the name of a kind of malware and how many messages were detected as having that malware.

On the Top malware report page, a larger version of the pie chart is displayed. The details table below the chart shows the following information:

  • Top malware
  • Count

If you click Filter, you can specify a date range with Start date and End date.

On the Top malware page, the Create schedule and Export buttons are available.

The Top malware report view.

Top senders and recipients report

The Top senders and recipients report is available in both EOP and Defender for Office 365; however, the reports contain different data. For example, EOP customers can view information about top malware, spam, and phishing (spoofing) recipients, but not information about malware detected by Safe Attachments or phishing detected by impersonation protection.

The Top senders and recipients report shows the top 20 message senders in your organization, as well as the top 20 recipients for messages that were detected by EOP and Defender for Office 365 protection features. By default, the report shows data for the last week, but data is available for the last 90 days.

To view the report in the Microsoft 365 Defender portal at https://security.microsoft.com, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find Top senders and recipients report and then click View details. To go directly to the report, open one of the following URLs:

The Top senders and recipients widget in the Reports dashboard.

When you hover over a wedge in the pie chart, you can see the number of messages for the sender or recipient.

On the Top senders and recipients page, a larger version of the pie chart is displayed. The following charts are available:

  • Show data for Top mail senders (this is the default view)
  • Show data for Top mail recipients
  • Show data for Top spam recipients
  • Show data for Top malware recipients (EOP)
  • Show data for Top phishing recipients
  • Show data for Top malware recipients (MDO)
  • Show data for Top phish recipients (MDO)

The data changes based on your selection.

When you hover over a wedge in the pie chart, you can see the message count for that specific sender or recipient.

The details table below the graph shows the senders or recipients and message counts based on the view you selected.

You can filter both the chart and the details table by clicking Filter and selecting Start date and End date. Users can also filter by user tags.

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

On the Top senders and recipients page, the Export button is available.

The Show data for Top mail senders view in the Top senders and recipients report.

URL protection report

The URL protection report is available only in Microsoft Defender for Office 365. For more information, see URL protection report.

User reported messages report

Important

In order for the User reported messages report to work correctly, audit logging must be turned on for your Microsoft 365 environment. This is typically done by someone who has the Audit Logs role assigned in Exchange Online. For more information, see Turn Microsoft 365 audit log search on or off.

The User reported messages report shows information about email messages that users have reported as junk, phishing attempts, or good mail by using the built-in Report button in Outlook on the web or the Microsoft Report Message or Report Phishing add-ins.

To view the report in the Microsoft 365 Defender portal, go to Reports > Email & collaboration > Email & collaboration reports. On the Email & collaboration reports page, find User reported messages and then click View details. To go directly to the report, open https://security.microsoft.com/reports/userSubmissionReport. To go to admin submissions in the Microsoft 365 Defender portal, click Go to Submissions.

The user-reported messages widget on the Email & collaboration reports page.

You can filter both the chart and the details table by clicking Filter and selecting one or more of the following values in the flyout that appears:

  • Date reported: Start time and End time
  • Reported by
  • Email subject
  • Message reported ID
  • Network Message ID
  • Sender
  • Reported reason
    • Not junk
    • Phish
    • Spam
  • Phish simulation: Yes or No

When you're finished configuring the filters, click Apply, Cancel, or Clear filters.

To group the entries, click Group and select one of the following values from the drop-down list:

  • None
  • Reason
  • Sender
  • Reported by
  • Rescan result
  • Phish simulation

The user-reported messages report.

The details table below the graph shows the following information:

  • Email subject
  • Reported by
  • Date reported
  • Sender
  • Reported reason
  • Rescan result
  • Tags: For more information about user tags, see User tags.

To submit a message to Microsoft for analysis, select the message entry from the table, click Submit to Microsoft for analysis and then select one of the following values from the drop-down list:

  • Report clean
  • Report phishing
  • Report malware
  • Report spam
  • Trigger investigation (Defender for Office 365)

On the User reported messages page, the Export button is available.

What permissions are needed to view these reports?

  • You need to be assigned permissions before you can view and use the reports that are described in this article. You have the following options:

What if the reports aren't showing data?

If you are not seeing data in your reports, check the filters that you're using and double-check that your policies are set up correctly. To learn more, see Protect against threats.

Schedule report

Note

To create or manage report schedules, you need to be a member of the Organization management role.

  1. On the main page for the specific report, select Create schedule.

  2. The Create scheduled report wizard opens. On the Name scheduled report page, review or customize the Name value, and then click Next.

  3. On the Set preferences page, configure the following settings:

    • Frequency: Select one of the following values:
      • Weekly (default)
      • Monthly
    • Start date: When generation of the report begins. The default value is today.
    • Expiry date: When generation of the report ends. The default value is one year from today.

    When you're finished, click Next.

  4. On the Recipients page, choose recipients for the report. The default value is your email address, but you can add others.

    When you're finished, click Next.

  5. On the Review page, review your selections. You can click the Back button or the Edit link in the respective sections to make changes.

    When you're finished, click Submit.

Manage existing scheduled reports

To manage scheduled reports that you've already created, do the following steps:

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Reports > expand Email & collaboration > select Manage schedules.

    To go directly to the Manage schedules page, use https://security.microsoft.com/ManageSubscription.

  2. On the Manage schedules page, the following information is shown for each scheduled report:

    • Schedule start date
    • Schedule name
    • Report type
    • Frequency
    • Last sent

    Find the existing scheduled report that you want to modify.

  3. After you select the scheduled report, do any of the following actions in the details flyout that opens:

    • Edit name: Click this button, change the name of the report in the flyout that appears, and then click Save.

    • Delete schedule: Click this button, read the warning that appears (previous reports will no longer be available for download), and then click Save.

    • Schedule details section: Click Edit preferences to change the following settings:

      • Frequency: Weekly or Monthly
      • Start date
      • Expiry date

      When you're finished, click Save.

    • Recipients section: Click Edit recipients to add or remove recipients for the scheduled report. When you're finished, click Save.

    When you're finished, click Close.

Request report

  1. On the main page for the specific report, click Request report.

  2. The Create on-demand report wizard opens. On the Name on-demand report page, review or customize the Name value, and then click Next.

  3. On the Set preferences page, review or configure the following settings:

    • Start date: When generation of the report begins. The default value is one month ago.
    • Expiry date: When generation of the report ends. The default value is today.

    When you're finished, click Next.

  4. On the Recipients page, choose recipients for the report. The default value is your email address, but you can add others.

    When you're finished, click Next.

  5. On the Review page, review your selections. You can click the Back button or the Edit link in the respective sections to make changes.

    When you're finished, click Submit.

  6. After the report has been successfully created, you're taken to the New on-demand report created page, where you can click Create another report or Done.

    The report is also available on the Reports for download page as described in the next section.

Download reports

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Reports > expand Email & collaboration > select Reports for download.

    To go directly to the Reports for download page, use https://security.microsoft.com/ReportsForDownload.

  2. On the Reports for download page, the following information is shown for each available report:

    • Start date
    • Name
    • Report type
    • Last sent
    • Direction

    Find and select the report you want to download.

Export report

On the main page for the specific report, click Export (if that link is available). An Export conditions flyout appears where you can configure the following settings:

  • Select a view to export: Select one of the following values:
    • Summary: Data is available for the last 90 days.
    • Details: Data is available for the last 30 days.
  • Date (UTC): Start date and End date.

When you're finished configuring the filters, click Export. In the dialog that opens, you can choose to open the file, save the file, or remember the selection.

Each exported .csv file is limited to 150,000 rows. If the data contains more than 150,000 rows, multiple .csv files are created.
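Because a large export arrives as several .csv files, a common follow-up is to merge the parts and list detected messages that still reached a user. The following Python sketch is an added example, not Microsoft code: it assumes the export's column headers match the details-table labels in this article and that multi-recipient cells are separated by `;`, and its sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Assumed headers, copied from the details-table labels on this page; check
# them against the header row of a real export before relying on them.
COLS = ("Date", "Subject", "Sender", "Recipients",
        "Detection technology", "Delivery status", "Sender IP", "Tags")

# Delivery status values treated here as "reached a user". Which statuses
# count is a choice made for this example, not a product rule.
REACHED_USER = {"Hosted mailbox: Inbox", "Hosted mailbox: Custom folder",
                "On-premises server: Delivered", "Forwarded"}


def load_exports(streams):
    """Merge several exported .csv parts into one de-duplicated row list."""
    seen, rows = set(), []
    for stream in streams:
        for raw in csv.DictReader(stream):
            # Drop a UTF-8 BOM / stray spaces from headers, ignore overflow cells.
            row = {k.lstrip("\ufeff").strip(): (v or "").strip()
                   for k, v in raw.items() if k is not None}
            missing = [c for c in COLS if c not in row]
            if missing:
                raise ValueError(f"export is missing columns: {missing}")
            key = tuple(row[c] for c in COLS)
            if key not in seen:  # overlapping export ranges repeat rows
                seen.add(key)
                rows.append(row)
    return rows


def delivered_detections(rows, sep=";"):
    """Count detections that reached a user, per (recipient, technology)."""
    hits = Counter()
    for row in rows:
        if row["Delivery status"] not in REACHED_USER:
            continue
        for rcpt in row["Recipients"].split(sep):  # sep is an assumption
            if rcpt.strip():
                hits[(rcpt.strip().lower(), row["Detection technology"])] += 1
    return hits


# Constructed sample: two export parts whose date ranges overlap by one row.
HEADER = ",".join(COLS) + "\n"
DUP = ("2021-06-01 09:00,Reset password,it@example.net,"
       "bob@example.com;alice@example.com,URL detonation,"
       "Hosted mailbox: Inbox,203.0.113.9,Priority account\n")
PART_1 = HEADER + (
    "2021-06-01 08:00,Invoice,billing@example.net,alice@example.com,"
    "File detonation,Quarantine,203.0.113.5,\n") + DUP
PART_2 = "\ufeff" + HEADER + DUP + (
    "2021-06-02 11:00,Payroll,hr@example.net,bob@example.com,"
    "URL detonation reputation,On-premises server: Delivered,203.0.113.9,\n")

if __name__ == "__main__":
    merged = load_exports([io.StringIO(PART_1), io.StringIO(PART_2)])
    for (rcpt, tech), n in delivered_detections(merged).most_common():
        print(f"{n:>3}  {rcpt:<22} {tech}")
```

For real files, open each part with `encoding="utf-8-sig"` and pass the open handles to `load_exports`.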

Anti-spam protection in EOP

Anti-malware protection in EOP

View mail flow reports in the EAC

View reports for Defender for Office 365