Submit messages, URLs, files, and attachments to Microsoft for analysis

  • 5 minutes

In Microsoft 365 organizations with Exchange Online mailboxes, users and administrators can submit messages, URLs, and attachments to Microsoft for analysis. They can do so using the Submissions page in the Microsoft Defender portal. By helping Microsoft improve detections, submissions help reduce investigation and mitigation effort. They can therefore improve an organization's productivity.

Additional viewing. Watch this short video to learn how to use admin submissions in Microsoft Defender for Office 365 to submit messages to Microsoft for evaluation.

There are several reasons why it's important for organizations to use submissions, including:

  • Managing false positives and false negatives. False positives are good messages marked as bad. False negatives are bad messages that are allowed. Organizations should submit these message types so that Microsoft can improve its detections.
  • Increase attack visibility. Submissions allow users to report the threats that target them. By doing so, organizations can increase their visibility into all attacks that target their business.
  • Block suspicious entities. When an organization blocks suspicious entities while submitting suspicious emails, URLs, or attachments, it quickly protects its users from future threats.
  • Optimize security. When you submit messages to Microsoft, you optimize security operation workflows by removing the need to manually triage your organization's SecOps mailbox.
  • Increase productivity. Organizations can experience an increase in productivity when implementing Submissions for the following reasons:
    • Users can quickly report messages using the Report Message add-in within Outlook.
    • Administrators can triage, grade, and notify users of the results of their submissions.
    • Administrators can investigate and respond from within a single page.
    • Automated investigations are triggered from user submissions (this feature requires Defender for Office Plan 2).

Submissions enable organizations to track what their users have been reporting as false positives and false negatives. Actively reporting false positives and false negatives is an important activity for providing feedback about mistakes made during detection. Using submissions helps both Microsoft and your organization prevent attacks.

Tip

If you have Microsoft Defender for Office 365 Plan 2, automated investigations combine with submissions to automatically hunt for and remediate confirmed malicious campaigns based on any submission that was found to be a threat. This feature gives you 24/7 coverage.

Administrators can act, review, and remediate reported messages all from within the Microsoft Defender portal. Once reported messages are processed, administrators can view the results of Microsoft's analysis of the messages, URLs, attachments, and individual files that their organization submitted.

In the Microsoft Defender portal, select Actions & submissions in the navigation pane, and then select Submissions. As the following screenshot shows, the Submissions page provides separate tabs for each type of reported message: Emails, Teams messages, Email attachments, URLs, Files, and User-reported messages.

Screenshot showing the Submissions page in the Microsoft Defender portal, and the Submissions pane that appears.

When admins submit messages to Microsoft for analysis, Microsoft performs the following checks:

  • Email authentication check (email messages only). Whether email authentication passed or failed when it was delivered.
  • Policy hits. Information about any policies or overrides that allowed or blocked the incoming email into the organization, thus overriding Microsoft's filtering verdicts.
  • Payload reputation/detonation. Up-to-date examination of any URLs and attachments in the message.
  • Grader analysis. Review done by human graders to confirm whether messages are malicious.

Important

In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), administrators can submit email messages to Microsoft for analysis, but the messages are analyzed for email authentication and policy hits only. Payload reputation, detonation, and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary).

Additional reading. For more information about how users can submit messages and files to Microsoft, see Report messages and files to Microsoft. For other ways that admins can report messages to Microsoft in the Defender portal, see Related reporting settings for admins.

Submit messages to Microsoft

By default, administrators and users can use Submissions with no extra setup required.

  • User-reported messages. Users can submit messages by using the Report Message add-in, Report Phishing add-in, and the built-in Report button in Outlook for the Web. User-reported messages are shown on the Submissions page in their own tab. Administrators can see and analyze what users reported and provide their own decision on whether a message is phishing, spam, or doesn't contain any threats. Users can also report phishing simulations, and you can track them separately from other messages using the Phish simulation column on the User report submissions page.
  • Admin-reported messages. Administrators can submit items to Microsoft from the following entity pages within the Microsoft Defender portal: Submissions, Explore, Advanced hunting, Alerts, Quarantine, and Email. Select the tab that matches the item you want to submit, whether it's an email, attachment, URL, or a user-submitted message, and then select Submit to Microsoft for analysis. If you have Microsoft 365 Defender or Microsoft Defender for Endpoint Plan 2, you can also submit files from the Files tab by selecting Add new submission. The Files tab is available on the Submissions page only in organizations with Microsoft Defender XDR or Microsoft Defender for Endpoint Plan 2. For information and instructions to submit files from the Files tab, see Submit files in Microsoft Defender for Endpoint.

Microsoft performs the same checks on user-reported messages as it does on admin-reported messages. As a result, submitting or resubmitting messages to Microsoft is useful to administrators only for messages that have never been submitted to Microsoft, or when you disagree with the original verdict.

Important

Organizations can customize user-reported settings, such as adding organizational branding, customize messaging, and allowing Microsoft to automatically provide analyzed results to the submitter. For more information on configuring user-reported settings, see User reported settings.

You can submit email messages as old as 30 days if they're still available in the mailbox and haven't been purged by the user or an administrator. Administrator submissions are throttled at the following rates:

  • Maximum submissions in any 15-minute period: 150 submissions
  • Same submissions in a 24-hour period: Three submissions
  • Same submissions in a 15-minute period: One submission

Track submission results

After Microsoft reviews a submission, the reported message appears on the relevant tab as Completed. Select an entry on the tab by selecting anywhere in the entry's row other than its check box Doing so displays information about the original reported item, its status, and the analysis results. You can also provide your own verdict on user-reported submissions using Mark as and notify.

When you submit a blocked message as Should not have been blocked (False positive), an allow entry for the sender is added to the Domains & email addresses tab on the Tenant Allow/Block Lists page.

  • Domains and email addresses, files, and URLs. Allow entries are added based on the filters that determined the message was malicious during mail flow. For example, if the sender email address and a URL in the message were determined to be bad, an allow entry is created for the sender (email address or domain) and the URL. When the entity in the Allow entry is encountered again (during mail flow or at time of selection), all filters associated with that entity are overridden. By default, allow entries for domains and email addresses exist for 30 days. During those 30 days, Microsoft learns from the Allow entries and removes them or automatically extends them. After Microsoft learns from the removed allow entries, messages that contain those entities are delivered, unless something else in the message is detected as malicious. During mail flow, if messages containing the allowed entity pass other checks in the filtering stack, the messages are delivered. For example, if a message passes email authentication checks, URL filtering, and file filtering, the message is delivered if it's from an allowed sender.
  • Spoofed senders. If spoof intelligence blocked the message as spoofing, use the Submissions page to report the email to Microsoft as Should not have been blocked (False positive). You can proactively create an allow entry for a spoofed sender on the Spoofed sender tab in the Tenant Allow/Block List before spoof intelligence identifies and blocks the message as spoofing.

The following list describes what happens in the Tenant Allow/Block List when you report something to Microsoft as a false positive on the Submissions page:

  • Email attachments and URLs. An allow entry is created and the entry appears on the Files or URLs tab in the Tenant Allow/Block List respectively. For URLs reported as false positives, Microsoft allows subsequent messages that contain variations of the original URL. For example, you use the Submissions page to report the incorrectly blocked URL www.contoso.com/abc. If your organization later receives a message that contains the URL (for example but not limited to: www.contoso.com/abc, www.contoso.com/abc?id=1, www.contoso.com/abc/def/gty/uyt?id=5, or www.contoso.com/abc/whatever), the message isn't blocked based on the URL. In other words, you don't need to report multiple variations of the same URL as good to Microsoft.
  • Email. If EOP or the Microsoft Defender for Office 365 filtering stack blocked a message, an allow entry might be created in the Tenant Allow/Block List per the following guidelines:
    • If the message is blocked by spoof intelligence, an allow entry for the sender is created, and the entry appears on the Spoofed senders tab in the Tenant Allow/Block List.
    • If user (or graph) impersonation protection in Defender for Office 365 blocked a message, an allow entry isn't created in the Tenant Allow/Block List. Instead, the domain or sender is added to the Trusted senders and domains section in the anti-phishing policy that detected the message.
    • If the message is blocked due to file-based filters, an allow entry for the file is created, and the entry appears on the Files tab in the Tenant Allow/Block List.
    • If the message is blocked due to URL-based filters, an allow entry for the URL is created, and the entry appears on the URL tab in the Tenant Allow/Block List.
    • If the message is blocked for any other reason, the system creates an allow entry for the sender email address or domain, and the entry appears on the Domains & addresses tab in the Tenant Allow/Block List.
    • If the message isn't blocked due to filtering, no allow entries are created anywhere.