Report false positives and false negatives in Outlook

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

• Exchange Online Protection
• Microsoft Defender for Office 365 plan 1 and plan 2
• Microsoft 365 Defender

In Microsoft 365 organizations with mailboxes in Exchange Online or in on-premises mailboxes that use hybrid modern authentication, users can report false positives (good email that was blocked or sent to their Junk Email folder) and false negatives (unwanted email or phishing that was delivered to their Inbox) from Outlook on all platforms using free tools from Microsoft.

Admins configure user reported messages to go to a designated reporting mailbox, to Microsoft, or both. For more information, see User reported settings.

Microsoft provides the following tools for users to report good and bad messages:

• Built-in reporting in Outlook on the web (formerly known as Outlook Web App or OWA).
• The Microsoft Report Message or Report Phishing add-ins. The add-ins work on all virtually all Outlook platforms, including Outlook on the web. For more information, see Enable the Microsoft Report Message or Report Phishing add-ins.

For more information about reporting messages to Microsoft, see Report messages and files to Microsoft.

Note

Admins in Microsoft 365 organizations with Exchange Online mailboxes use the Submissions page in the Microsoft 365 Defender portal to submit messages to Microsoft. For instructions, see Use the Submissions page to submit suspected spam, phish, URLs, and files to Microsoft.

Admins can view reported messages on the Submissions page at https://security.microsoft.com/reportsubmission only if both of the following settings are configured on the User reported page at https://security.microsoft.com/securitysettings/userSubmission:

• The toggle on the User reported page is On .
• Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk options is selected.

Use the built-in Report button in Outlook on the web

Note

• The built-in Report button is available in Outlook on the web only if both of the following settings are configured on the User reported page at https://security.microsoft.com/securitysettings/userSubmission:

  • The toggle on the User reported page is On .
  • Use the built-in "Report" button with "Phishing", "Junk", and "Not Junk options is selected.

  If the toggle is Off or if Use a non-Microsoft add-in button is selected, then the Report button is not available in Outlook on the web.

• Currently, the Report button in Outlook on the web does not honor the Before a message is reported and After a message is reported settings (notification pop-ups) in the User reported settings.

Use the built-in Report button in Outlook on the web to report junk and phishing messages

• You can report a message as junk from the Inbox or any email folder other than Junk Email folder.
• You can report a message as phishing from any email folder.

In Outlook on the web, select one or more messages, click Report, and then select Report phishing or Report junk in the dropdown list.

Based on the User reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The following actions are also taken on the reported messages in the mailbox:

• Reported as junk: The messages are moved to the Junk Email folder.
• Reported as phishing: The messages are deleted.

Use the built-in Report button in Outlook on the web to report messages that aren't junk

In Outlook on the web, select one or more messages in the Junk Email folder, click Report, and then select Not junk in the dropdown list.

Based on the User reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The messages are also moved out of Junk Email to the Inbox.

Use the Report Message and Report Phishing add-ins in Outlook

Note

• The procedures in this section require the Microsoft Report Message or Report Phishing add-ins to be installed. For more information, see Enable the Microsoft Report Message or the Report Phishing add-in installed.
• The versions of Outlook that are supported by the Report Message and Report Phishing add-ins are described here.

Use the Report Message add-in to report junk and phishing messages in Outlook

• You can report a message as junk from the Inbox or any email folder other than the Junk Email folder.
• You can report a message as phishing from any email folder.

1. In Outlook, do one of the following steps:

   • Select an email message from the list.
   • Open a message.

2. Do one of the following steps based on your Ribbon Layout configuration in Outlook:

   • Classic Ribbon: Click Report Message, and then select Junk or Phishing in the dropdown list.

     

   • Simplified Ribbon: Click More commands > Protection section > Report Message > select Junk or Phishing.

     

Based on the User reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The following actions are also taken on the reported messages in the mailbox:

• Reported as junk: The messages are moved to the Junk Email folder.
• Reported as phishing: The messages are deleted.

Use the Report Message add-in to report messages that aren't junk in Outlook

1. In Outlook, open a message in the Junk Email folder.

2. Do one of the following steps based on your Ribbon Layout configuration in Outlook:

   • Classic Ribbon: Click Report Message, and then select Not Junk in the dropdown list.

     

   • Simplified Ribbon: Click More commands > Protection section > Report Message > select Not Junk.

     

Based on the User reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The messages are also moved out of Junk Email to the Inbox.

Use the Report Phishing add-in to report phishing messages in Outlook

You can report phishing messages from any email folder.

1. In Outlook, do one of the following steps:

   • Select an email message from the list.
   • Open a message.

2. Do one of the following steps based on your Ribbon Layout configuration in Outlook:

   • Classic Ribbon: Click Report Phishing.

     

   • Simplified Ribbon: Click More commands > Protection section > Phishing

     

Based on the User reported settings in your organization, the messages are sent to the reporting mailbox, to Microsoft, or both. The messages are also deleted.

Review reported messages

To review messages that users have reported to Microsoft, admins have these options:

• Use the User reported tab on the Submissions page in the Microsoft 365 Defender portal at https://security.microsoft.com/reportsubmission. For more information, see View user reported messages to Microsoft.

• Create a mail flow rule (also known as a transport rule) to send copies of reported messages to a recipient for review. For instructions, see Use mail flow rules to see what users are reporting to Microsoft.

More information

Admins can watch this short video to learn how to use Microsoft Defender for Office 365 to easily investigate user reported messages. Admins can determine the contents of a message and how to respond by applying the appropriate remediation action.