How do I report a suspicious email or file to Microsoft?
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.
Wondering what to do with suspicious email messages, URLs, email attachments, or files? In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, users and admins have different ways to report suspicious email messages, URLs, and email attachments to Microsoft.
In addition, admins in Microsoft 365 organizations with Microsoft Defender for Endpoint also have several methods for reporting files.
Watch this video that shows more information about the unified submissions experience.
Report suspicious email messages to Microsoft
When you report a message to Microsoft, everything associated with the message is copied and included in the continual algorithm reviews. This copy includes email content, email headers, any attachments, and related data about email routing.
Microsoft treats your feedback as your organization's permission to analyze all the information to fine tune the message hygiene algorithms. Your message is held in secured and audited data centers in the USA. The submission is deleted as soon as it's no longer required. Microsoft personnel might read your submitted messages and attachments, which is normally not permitted for email in Microsoft 365. However, your email is still treated as confidential between you and Microsoft, and your email or attachments isn't shared with any other party as part of the review process.
For information about reporting messages in Microsoft Teams in Defender for Office 365 Plan 2, see User reported message settings in Microsoft Teams.
|The built-in Report button||User||Currently, this method is available only in Outlook on the web (formerly known as Outlook Web App or OWA).|
|The Microsoft Report Message and Report Phishing add-ins||User||These free add-ins work in Outlook on all available platforms. For installation instructions, see Enable the Report Message or the Report Phishing add-ins.|
|The Submissions page in the Microsoft Defender portal||Admin||Admins can report good (false positives) and bad (false negative) messages, email attachments, and URLs (entities) from the available tabs on the Submissions page.
Admins can also submit user reported messages from the User reported tab on the Submissions page to Microsoft for analysis. The Submissions page is available only in organizations with Exchange Online mailboxes as part of a Microsoft 365 subscription (not available in standalone EOP).
|Report messages from quarantine||Admin and User||Admins can submit quarantined messages to Microsoft for analysis (false positives and false negatives).
If users are allowed to release their own messages from quarantine, and user reported settings is configured to allow users to report quarantined messages, users can select Report message as having no threats (false positive) when they release a quarantined message.
Related reporting settings for admins
User reported settings allow admins to configure whether user reported messages go to a specified reporting mailbox, to Microsoft, or both. After this feature is configured, user reported messages appear on the User reported tab on the Submissions page in the Defender portal.
User reported messages are also available to admins in the following locations in the Microsoft Defender portal:
- The User-reported messages report
- Automated investigation and response (AIR) results (Defender for Office 365 Plan 2)
- Threat Explorer (Defender for Office 365 Plan 2)
Admins can use the sample submission portal at https://www.microsoft.com/wdsi/filesubmission to submit other suspected files to Microsoft for analysis. For more information, see Submit files for analysis.
In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can submit messages to Microsoft for analysis. The messages are analyzed for email authentication and policy checks only. Payload reputation, detonation, and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary). If you report a message, URL, or email attachment to Microsoft from one of these organizations, you get the following message in the result details:
Further investigation needed. Your tenant doesn't allow data to leave the environment, so nothing was found during the initial scan. You'll need to contact Microsoft support to have this item reviewed.