Edit

Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft

  • Article

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

In Microsoft 365 organizations with Exchange Online mailboxes, admins can use the Submissions page in the Microsoft 365 Defender portal to submit messages, URLs, and attachments to Microsoft for analysis. There are two basic types of admin submissions:

  • Admin-originated submissions: Admins identify and report messages, attachments, or URLs (entities) by selecting Submit to Microsoft for analysis from the tabs on the Submissions page as described in the Admin-originated submissions section.

    After the admin reports the entity, an entry appears on the corresponding tab on the Submissions page (anywhere except the User reported tab).

  • Admin submission of user reported messages: The built-in user reporting experience is turned on and configured. User reported messages appear on the User reported tab on the Submissions page, and admins submit or resubmit the messages to Microsoft from the User reported tab.

    After an admin submits the message, an entry is also created on the corresponding tab on the Submissions page (for example, the Emails tab). These types of admin submissions are described in the Admin options for user reported messages section.

When admins submit email messages for analysis, Microsoft does the following checks:

  • Email authentication check: Whether email authentication passed or failed when it was delivered.
  • Policy hits: Information about any policies or overrides that might have allowed or blocked the incoming email into the organization, thus overriding our filtering verdicts.
  • Payload reputation/detonation: Up-to-date examination of any URLs and attachments in the message.
  • Grader analysis: Review done by human graders to confirm whether or not messages are malicious.

Important

In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can submit messages to Microsoft for analysis, but the messages are analyzed for email authentication and policy checks only. Payload reputation, detonation, and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary).

Watch this short video to learn how to use admin submissions in Microsoft Defender for Office 365 to submit messages to Microsoft for evaluation.

For more information about how users can submit messages and files to Microsoft, see Report messages and files to Microsoft.

For other ways that admins can report messages to Microsoft in the Defender portal, see Related reporting settings for admins.

What do you need to know before you begin?

  • You open the Microsoft 365 Defender portal at https://security.microsoft.com/. To go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.

  • You need to be assigned permissions before you can do the procedures in this article. You have the following options:

  • Admins can submit email messages as old as 30 days if they're still available in the mailbox and haven't been purged by the user or an admin.

  • Admin submissions are throttled at the following rates:

    • Maximum submissions in any 15-minute period: 150 submissions
    • Same submissions in a 24 hour period: Three submissions
    • Same submissions in a 15-minute period: One submission

  • A Files tab is available on the Submissions page only in organizations with Microsoft 365 Defender or Microsoft Defender for Endpoint Plan 2. For information and instructions to submit files from the Files tab, see Submit files in Microsoft Defender for Endpoint.

Admin-originated submissions

Tip

The tab where you select select Submit to Microsoft for analysis doesn't particularly matter, as long as you set Select the submission type to the correct value.

Report questionable email to Microsoft

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Actions & submissions > Submissions. Or, to go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.

  2. On the Submissions page, verify that the Emails tab is selected.

  3. On the Emails tab, select Submit to Microsoft for analysis.

  4. In the Submit to Microsoft for analysis flyout that opens, enter the following information:

    • Select the submission type: Verify the value Email is selected.

    • Add the network message ID or upload the email file: Select one of the following options:

      • Add the email network message ID: The GUID value is available in the X-MS-Exchange-Organization-Network-Message-Id header in the message or in the X-MS-Office365-Filtering-Correlation-Id header in quarantined messages.
      • Upload the email file (.msg or .eml): Select Browse files. In the dialog that opens, find and select the .eml or .msg file, and then select Open.

    • Choose a recipient who had an issue: Specify the recipients to run a policy check against. The policy check determines if the email bypassed scanning due to user or organization policies or override.

    • Select a reason for submitting to Microsoft: Verify Should have been blocked (False negative) is selected.

      • The email should have been categorized as: Select Phish, Malware, or Spam. If you're not sure, use your best judgment.

      • Block all emails from this sender or domain: Select this option to create a block entry for the sender domain or email address in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see Manage allows and blocks in the Tenant Allow/Block List.

        After you select this option, the following settings are available:

        • By default, Sender is selected but you can select Domain instead.
        • Remove block entry after: The default value is 30 days, but you can select from the following values:
          • 1 day
          • 7 days
          • 30 days
          • 90 days
          • Never expire
          • Specific date: The maximum value is 90 days from today.
        • Block entry note: Enter optional information about why you're blocking this email.

    When you're finished in the Submit to Microsoft for analysis flyout, select Submit, and then select Done.

Submit a false negative (bad) email to Microsoft for analysis on the Submissions page in the Defender portal.

After a few moments, the block entry is available on the Domains & addresses tab on the Tenant Allow/Block Lists page at https://security.microsoft.com/tenantAllowBlockList?viewid=Sender.

Report questionable email attachments to Microsoft

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Actions & submissions > Submissions. Or, to go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.

  2. On the Submissions page, select the Email attachments tab.

  3. On the Email attachments tab, select Submit to Microsoft for analysis.

  4. On the Submit to Microsoft for analysis flyout that opens, enter the following information:

    • Select the submission type: Verify the value Email attachment is selected.

    • File: Select Browse files to find and select the file to submit.

    • Select a reason for submitting to Microsoft: Verify Should have been blocked (False negative) is selected.

      • The email should have been categorized as: Select Phish or Malware. If you're not sure, use your best judgment.

      • Block this file: Select this option to create a block entry for the file in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see Manage allows and blocks in the Tenant Allow/Block List.

        After you select this option, the following settings are available:

        • Remove block entry after: The default value is 30 days, but you can select from the following values:

          • 1 day
          • 7 days
          • 30 days
          • 90 days
          • Never expire
          • Specific date: The maximum value is 90 days from today.

        • Block entry note: Enter optional information about why you're blocking this file.

    When you're finished in the Submit to Microsoft for analysis flyout, select Submit, and then select Done.

Submit a false negative (bad) email attachment to Microsoft for analysis on the Submissions page in the Defender portal.

After a few moments, the block entry is available on the Files tab on the Tenant Allow/Block Lists page at https://security.microsoft.com/tenantAllowBlockList?viewid=FileHash.

Report questionable URLs to Microsoft

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Actions & submissions > Submissions. Or, to go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.

  2. On the Submissions page, select the URLs tab.

  3. On the URLs tab, select Submit to Microsoft for analysis.

  4. In the Submit to Microsoft for analysis flyout that opens, enter the following information:

    • Select the submission type: Verify the value URL is selected.

    • URL: Enter the full URL (for example, https://www.fabrikam.com/marketing.html), and then select it in the box that appears. You can enter up to 50 URLs at once.

    • Select a reason for submitting to Microsoft: Verify Should have been blocked (False negative) is selected.

      • The email should have been categorized as: Select Phish or Malware. If you're not sure, use your best judgment.

      • Block this URL: Select this option to create a block entry for the URL in the Tenant Allow/Block List. For more information about the Tenant Allow/Block List, see Manage allows and blocks in the Tenant Allow/Block List.

        After you select this option, the following settings are available:

        • Remove block entry after: The default value is 30 days, but you can select from the following values:

          • 1 day
          • 7 days
          • 30 days
          • 90 days
          • Never expire
          • Specific date: The maximum value is 90 days from today.

        • Block entry note: Enter optional information about why you're blocking this URL.

    When you're finished in the Submit to Microsoft for analysis flyout, select Submit, and then select Done.

Submit a false negative (bad) URL to Microsoft for analysis on the Submissions page in the Defender portal.

After a few moments, the block entry is available on the URL tab on the Tenant Allow/Block Lists page at https://security.microsoft.com/tenantAllowBlockList?viewid=Url.

Report good email to Microsoft

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Actions & submissions > Submissions. Or, to go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.

  2. On the Submissions page, verify that the Emails tab is selected.

  3. On the Emails tab, select Submit to Microsoft for analysis.

  4. In the Submit to Microsoft for analysis flyout that opens, enter the following information:

    • Select the submission type: Verify the value Email is selected.

    • Add the network message ID or upload the email file: Select one of the following options:

      • Add the email network message ID: The GUID value is available in the X-MS-Exchange-Organization-Network-Message-Id header in the message or in the X-MS-Office365-Filtering-Correlation-Id header in quarantined messages.
      • Upload the email file (.msg or .eml): Select Browse files. In the dialog that opens, find and select the .eml or .msg file, and then select Open.

    • Choose a recipient who had an issue: Specify the recipients to run a policy check against. The policy check determines if the email was blocked due to user or organization policies or overrides.

    • Select a reason for submitting to Microsoft: Select Should not have been blocked (False positive), and then configure the following settings:

      • Allow emails with similar attributes (URL, sender, etc.): Turn on this setting .

        • Remove allow entry after: The default value is 30 days, but you can select from the following values:

          • 1 day
          • 7 days
          • 30 days
          • Specific date: The maximum value is 30 days from today.

          For spoofed senders, this value is meaningless, because entries for spoofed senders never expire.

        • Allow entry note: Enter optional information about why you're allowing and submitting this email message.

          For spoofed senders, any value you enter here isn't shown in the allow entry on the Spoofed senders tab on the Tenant Allow/Block Lists page.

    When you're finished in the Submit to Microsoft for analysis flyout, select Submit, and then select Done.

    Submit a false positive (good) email to Microsoft for analysis on the Submissions page in the Defender portal.

After a few moments, the associated allow entries appear on the Domains & addresses, Spoofed senders, URLs, or Files tabs on the Tenant Allow/Block Lists page at https://security.microsoft.com/tenantAllowBlockList.

Important

  • Allow entries are added during mail flow based on the filters that determined the message was malicious. For example, if the sender email address and a URL in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the URL.
  • If the sender email address is not found to be malicious by our filtering system, submitting the email message to Microsoft won't create an allow entry in the Tenant Allow/Block List.
  • When an allowed domain or email address, spoofed sender, URL, or file (entity) is encountered again, all filters that are associated with the entity are skipped. For email messages, all other entities are still evaluated by the filtering system before making a decision.
  • During mail flow, if messages from the allowed domain or email address pass other checks in the filtering stack, the messages are delivered. For example, if a message passes email authentication checks, a message from an allowed sender email address are delivered.
  • By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft learns from the allow entries and removes them or automatically extends them. After Microsoft learns from the removed allow entries, messages from those domains or email addresses are delivered, unless something else in the message is detected as malicious. By default, allow entries for spoofed senders never expire.
  • For messages that were incorrectly blocked by domain or user impersonation protection, the allow entry for the domain or sender is not created in the Tenant Allow/Block List. Instead, the domain or sender is added to the Trusted senders and domains section in the anti-phishing policy that detected the message.
  • When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the Spoofed senders on the Tenant Allow/Block Lists page at https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem.

Report good email attachments to Microsoft

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Actions & submissions > Submissions. Or, to go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.

  2. On the Submissions page, select the Email attachments tab.

  3. On the Email attachments tab, select Submit to Microsoft for analysis.

  4. On the Submit to Microsoft for analysis flyout that opens, enter the following information:

    • Select the submission type: Verify the value Email attachment is selected.

    • File: Select Browse files to find and select the file to submit.

    • Select a reason for submitting to Microsoft: Select Should not have been blocked (False positive), and then configure the following settings:

      • Allow this file: Turn on this setting .

        • Remove allow entry after: The default value is 30 days, but you can select from the following values:

          • 1 day
          • 7 days
          • 30 days
          • Specific date: The maximum value is 30 days from today.

        • Allow entry note: Enter optional information about why you're allowing and submitting this file.

    When you're finished in the Submit to Microsoft for analysis flyout, select Submit, and then select Done.

    Submit a false positive (good) email attachment to Microsoft for analysis on the Submissions page in the Defender portal.

After a few moments, the allow entry is available on the Files tab on the Tenant Allow/Block List page. For more information about the Tenant Allow/Block List, see Manage allows and blocks in the Tenant Allow/Block List.

Important

  • By default, allow entries for files exist for 30 days. During those 30 days, Microsoft learns from the allow entries and removes them or automatically extends them. After Microsoft learns from the removed allow entries, messages that contain those files are delivered, unless something else in the message is detected as malicious.
  • When the file is encountered again during mail flow, Safe Attachments detonation or file reputation checks and all other file-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message are delivered.
  • During selection, all file-based filters, including Safe Attachments detonation or file reputation checks are overridden, allowing user access to the file.

Report good URLs to Microsoft

For URLs reported as false positives, we allow subsequent messages that contain variations of the original URL. For example, you use the Submissions page to report the incorrectly blocked URL www.contoso.com/abc. If your organization later receives a message that contains the URL (for example but not limited to: www.contoso.com/abc, www.contoso.com/abc?id=1, www.contoso.com/abc/def/gty/uyt?id=5, or *.contoso.com/abc), the message won't be blocked based on the URL. In other words, you don't need to report multiple variations of the same URL as good to Microsoft.

  1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Actions & submissions > Submissions. Or, to go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.

  2. On the Submissions page, select the URLs tab

  3. On the URLs tab, select Submit to Microsoft for analysis.

  4. In the Submit to Microsoft for analysis flyout that opens, enter the following information:

    • Select the submission type: Verify the value URL is selected.

    • URL: Enter the full URL (for example, https://www.fabrikam.com/marketing.html), and then select it in the box that appears. You can also provide a top level domain (for example, https://www.fabrikam.com/*), and then select it in the box that appears. You can enter up to 50 URL at once.

    • Select a reason for submitting to Microsoft: Select Should not have been blocked (False positive), and then configure the following settings:

      • Allow this URL: Turn on this setting .

        • Remove allow entry after: The default value is 30 days, but you can select from the following values:

          • 1 day
          • 7 days
          • 30 days
          • Specific date: The maximum value is 30 days from today.

        • Allow entry note: Enter optional information about why you're allowing and submitting this URL.

    When you're finished in the Submit to Microsoft for analysis flyout, select Submit, and then select Done.

    Submit a false positive (good) URL to Microsoft for analysis on the Submissions page in the Defender portal.

After a few moments, the allow entry is available on the URL tab on the Tenant Allow/Block Lists page at https://security.microsoft.com/tenantAllowBlockList?viewid=Url.

Note

  • By default, allow entries for URLs exist for 30 days. During those 30 days, Microsoft learns from the allow entries and removes them or automatically extends them. After Microsoft learns from the removed allow entries, messages that contain those URLs are delivered, unless something else in the message is detected as malicious.
  • When the URL is encountered again during mail flow, Safe Links detonation or URL reputation checks and all other URL-based filters are overridden. If the filtering system determines that all other entities in the email message are clean, the message are delivered.
  • During selection, all URL-based filters, including Safe Links detonation or URL reputation checks are overridden, allowing user access to content at the URL.

View email admin submissions to Microsoft

In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Actions & submissions > Submissions. Or, to go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.

On the Submissions page, verify that the Emails tab is selected.

On the Emails tab, you can sort the entries by clicking on an available column header. Select Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):

  • Submission name*
  • Sender*
  • Recipient
  • Date submitted*
  • Reason for submitting*
  • Original verdict*
  • Status*
  • Result*
  • Delivery/Block reason
  • Submission ID
  • Network Message ID
  • Direction
  • Sender IP
  • Bulk compliant level (BCL)
  • Destination
  • Policy action
  • Submitted by
  • Phish simulation
  • Tags*: For more information about user tags, see User tags.
  • Action

To group the entries, select Group and then select one of the following values:

  • Reason
  • Original verdict
  • Status
  • Result
  • Tags

To ungroup the entries, select None.

To filter the entries, select Filter. The following filters are available in the Filter flyout that opens:

  • Date submitted: Start date and End date values.
  • Submission ID: A GUID value that's assigned to every submission.
  • Network Message ID
  • Sender
  • Recipient
  • Submission name
  • Submitted by
  • Reason for submitting: Any of the following values:
    • Not junk
    • Phish
    • Malware
    • Spam.
  • Status: Pending and Completed.
  • Tags: All or select user tags from the dropdown list.

When you're finished on the Filter flyout, select Apply. To clear the filters, select Clear filters.

Use Export to export the list of entries to a CSV file.

View email attachment admin submissions to Microsoft

In the Microsoft 365 Defender portal at https://security.microsoft.com, go to the Submissions page at Actions & submissions > Submissions. To go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.

On the Submissions page, select the Email attachments tab.

On the Email attachments tab, you can sort the entries by clicking on an available column header. Select Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):

  • Attachment filename*
  • Date submitted*
  • Reason for submitting*
  • Status*
  • Result*
  • Filter verdict
  • Delivery/Block reason
  • Submission ID
  • Object ID
  • Policy action
  • Submitted by
  • Tags*: For more information about user tags, see User tags.
  • Action

To group the entries, select Group and then select one of the following values:

  • Reason
  • Original verdict
  • Status
  • Result
  • Tags

To ungroup the entries, select None.

To filter the entries, select Filter. The following filters are available in the Filter flyout that opens:

  • Date submitted: Start date and End date.
  • Submission ID: A GUID value that's assigned to every submission.
  • Attachment filename
  • Submitted by
  • Reason for submitting: Any of the following values:
    • Not junk
    • Phish
    • Malware
    • Spam.
  • Status: Pending and Completed.
  • Tags: All or select user tags from the dropdown list.

When you're finished on the Filter flyout, select Apply. To clear the filters, select Clear filters.

Use Export to export the list of entries to a CSV file.

View URLs admin submissions to Microsoft

In the Microsoft 365 Defender portal at https://security.microsoft.com, go to the Submissions page at Actions & submissions > Submissions. To go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.

On the Submissions page, select the URLs tab.

On the URLs tab, you can sort the entries by clicking on an available column header. Select Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):

  • URL*
  • Date submitted*
  • Reason for submitting*
  • Status*
  • Result*
  • Filter verdict
  • Delivery/Block reason
  • Submission ID
  • Object ID
  • Policy action
  • Submitted by
  • Tags*: For more information about user tags, see User tags.
  • Action

To group the entries, select Group and then select one of the following values:

  • Reason
  • Original verdict
  • Status
  • Result
  • Tags

To ungroup the entries, select None.

To filter the entries, select Filter. The following filters are available in the Filter flyout that opens:

  • Date submitted: Start date and End date.
  • Submission ID: A GUID value that's assigned to every submission.
  • URL
  • Submitted by
  • Reason for submitting: Any of the following values:
    • Not junk
    • Phish
    • Malware
    • Spam.
  • Status: Pending and Completed.
  • Tags: All or select user tags from the dropdown list.

When you're finished on the Filter flyout, select Apply. To clear the filters, select Clear filters.

Use Export to export the list of entries to a CSV file.

Admin submission result details

Messages, email attachments, and URLs that admins submit to Microsoft for analysis are available on the corresponding tabs on the Submissions page.

When you select an entry on the tab by clicking anywhere in the row other than the check box next to the first column, complete information about the original reported item, the status of the reported item, and the analysis results of the reported item are shown in the details flyout that opens:

  • If there was a failure in the sender's email authentication at the time of delivery.
  • Information about any policies or overrides that could have affected or overridden the message verdict from filtering system.
  • Current detonation results to see if the URLs or files in the message were malicious or not.
  • Feedback from graders.

If an override or policy configuration was found, the result should be available in several minutes. If there wasn't a problem in email authentication or delivery wasn't affected by an override or policy, the detonation and feedback from graders could take up to a day.

Actions for admin submissions in Defender for Office 365 Plan 2

In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), the following actions are available for admin submissions in the details flyout that opens after you select an entry from the list by clicking anywhere in the row other than the check box:

  • Open email entity: Available in the details flyout of entries on the Emails tab only. For more information, see How to read the email entity page.

  • Take actions: Available in the details flyout of entries on the Emails tab only. This action starts the same Action wizard that's available on the email entity page. For more information, see Actions you can take on the Email entity Page.

  • View alert. An alert is triggered when an admin submission is created or updated. Selecting this action takes you to the details of the alert.

  • In the Result details section, the following links for Threat Explorer might also be available, depending on the status and result of the reported item:

    • View this message in Explorer: Emails tab only.
    • Search for similar messages in Explorer: Emails tab only.
    • Search for URL or file: Email attachments or URL tabs only.

Admin options for user reported messages

If the user reported settings are turned on and you've deployed supported methods for users to report messages (the Microsoft Report Message or Report Phishing add-ins, the built-in Report button in Outlook on the web, or supported third-party reporting tools), you can see what users are reporting on the User reported tab on the Submissions page:

  • User reported messages that are sent to Microsoft only or to Microsoft and the reporting mailbox appear on the User reported tab. Although these messages have already been reported to Microsoft, admins can resubmit the reported messages.
  • User reported messages that are sent only to the reporting mailbox appear on the User reported tab with the Result value Not Submitted to Microsoft. Admins should report these messages to Microsoft for analysis.

In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Actions & submissions > Submissions. Or, to go directly to the Submissions page, use https://security.microsoft.com/reportsubmission.

On the Submissions page, select the User reported tab.

The following subsections describe the information and actions that are available on the User reported tab on the Submissions page.

View user reported messages to Microsoft

On the User reported tab, you can sort the entries by clicking on an available column header. Select Customize columns to change the columns that are shown. The default values are marked with an asterisk (*):

  • Name and type*
  • Reported by*
  • Date reported*
  • Sender*
  • Reported reason*
  • Original verdict*
  • Result*
  • Message reported ID
  • Network Message ID
  • Sender IP
  • Reported from
  • Phish simulation
  • Converted to admin submission
  • Marked as*
  • Marked by
  • Date marked
  • Tags*: For more information about user tags, see User tags.

To group the entries, select Group and then select one of the following values:

  • Sender
  • Reported by
  • Original verdict
  • Result
  • Reported from
  • Converted to admin submission
  • Tags

To ungroup the entries, select None.

To filter the entries, select Filter. The following filters are available in the Filter flyout that opens:

  • Date reported: Start date and End date.
  • Reported by
  • Name
  • Message reported ID
  • Network Message ID
  • Sender
  • Reported reason: The values Not junk, Phish, and Spam.
  • Reported from: The values Microsoft and Third party.
  • Phish simulation: The values Yes and No.
  • Converted to admin submission: The values Yes and No.
  • Tags: All or select user tags from the dropdown list.

When you're finished on the Filter flyout, select Apply. To clear the filters, select Clear filters.

Use Export to export the list of entries to a CSV file.

For more information about the actions that are available for messages on the User reported tab, see the next subsection.

Admin actions for user reported messages

On the User reported tab, actions for user reported messages are available on the tab itself or in the details flyout of a selected entry:

* Depending on the nature and status of the message, some actions might not be available, are available directly at the top of the flyout, or are available under More actions at the top of the flyout.

These actions are described in the following subsections.

Note

After a user reports a suspicious message, the user or admins can't undo the reporting of the message, regardless of where the reported message goes (to the reporting mailbox, to Microsoft, or both). The user can recover the reported message from their Deleted Items or Junk Email folders.

Submit user reported messages to Microsoft for analysis

After you select the message on the User reported tab, use either of the following methods to submit the message to Microsoft:

  • On the User reported tab: Select Submit to Microsoft for analysis*.

  • In the details flyout of the selected message: Select Submit to Microsoft for analysis or More options > Submit to Microsoft for analysis at the top of the flyout.

In the Submit to Microsoft for analysis dropdown list, select one of the following values:

  • Report clean: In the dialog that opens, review or configure the following settings:

    Allow email with similar attributes (URL, sender, etc.): Select this option to add corresponding allow entries in Tenant Allow/Block List. The following settings are available:

    • Remove allow entry after: The default value is 30 days, but you can select from the following values:
      • 1 day
      • 7 days
      • 30 days
      • Specific date: The maximum value is 30 days from today.
    • Allow entry note: Enter optional information about why you're blocking this email.

    When you're finished in the Submit message as clean to Microsoft dialog, select Submit.

  • Report phishing, Report malware or Report spam: These selections have the same options in the dialog that opens:

    Block all email from this sender or domain: Select this option to add a sender or domain block entry in Tenant Allow/Block List. The following settings are available:

    • Select Sender or Domain.
    • Remove allow entry after: The default value is 30 days, but you can select from the following values:
      • 1 day
      • 7 days
      • 30 days
      • Specific date: The maximum value is 30 days from today.

    When you're finished in the dialog, select Submit.

  • Trigger investigation: Defender for Office 365 Plan 2 only. For more information, see Trigger an investigation.

The available actions in the Submit to Microsoft for analysis dropdown list.

After you submit a user reported message to Microsoft from the User reported tab, the value of Converted to admin submission turns from No to Yes, and a corresponding admin submission entry is created on the appropriate tab on the Submissions page (for example, the Emails tab).

Notify users about admin submitted messages to Microsoft

After an admin submits a user reported message to Microsoft from the User reported tab, admins can use the Mark as and notify action to mark these messages as No threats found, Phishing, or Spam, and send templated notification messages to the user who reported the message.

For more information, see Notify users from within the portal.

View converted admin submissions

After an admin submits a user reported message to Microsoft from the User reported tab, the value of Converted to admin submission is Yes.

If you select one of these messages by clicking anywhere in the row other than the check box next to the name, the details flyout contains More actions > View the converted admin submission.

This action takes you to the corresponding admin submission entry on the appropriate tab (for example, the Emails tab).

Actions for user reported messages in Defender for Office 365 Plan 2

In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), the following actions might also be available in the details flyout of a user reported message on the User reported tab:

  • Open email entity: For more information, see How to read the email entity page.

  • Take actions: This action starts the same Action wizard that's available on the email entity page. For more information, see Actions you can take on the Email entity Page.

  • View alert. An alert is triggered when an admin submission is created or updated. Selecting this action takes you to the details of the alert.