submissionResult resource type

Namespace: microsoft.graph.security

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Represents the result of a review after the threat submission is processed by Microsoft.

Properties

Property Type Description
category microsoft.graph.security.submissionResultCategory The submission result category. The possible values are: notJunk, spam, phishing, malware, allowedByPolicy, blockedByPolicy, spoof, unknown, noResultAvailable, unknownFutureValue, beingAnalyzed, notSubmittedToMicrosoft, phishingSimulation, allowedDueToOrganizationOverride, blockedDueToOrganizationOverride, allowedDueToUserOverride, blockedDueToUserOverride, itemNotfound, threatsFound, noThreatsFound, domainImpersonation, userImpersonation, brandImpersonation, authenticationFailure, spoofedBlocked, spoofedAllowed, bulk, and reasonLostInTransit. You must use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: beingAnalyzed, notSubmittedToMicrosoft, phishingSimulation, allowedDueToOrganizationOverride, blockedDueToOrganizationOverride, allowedDueToUserOverride, blockedDueToUserOverride, itemNotfound, threatsFound, noThreatsFound, domainImpersonation, userImpersonation, brandImpersonation, authenticationFailure, spoofedBlocked, spoofedAllowed, bulk, and reasonLostInTransit.
detail security.submissionResultDetail Specifies the extra details provided by Microsoft to substantiate their analysis result.
detectedFiles Collection(security.submissionDetectedFile) Specifies the files detected by Microsoft in the submitted emails.
detectedUrls Collection(String) Specifies the URLs detected by Microsoft in the submitted email.
userMailboxSetting security.userMailboxSetting Specifies the setting for user mailbox denoted by a comma-separated string.

userMailboxSetting values

Member Description
none no user mailbox setting related with this threat submission.
junkMailDeletion The submitted email was applied with junk mail deletion.
isFromAddressInAddressBook The submitted email was from address in address book.
isFromAddressInAddressSafeList The submitted email was from address in address safe list.
isFromAddressInAddressBlockList The submitted email was from address in address safe list.
isFromAddressInAddressImplicitSafeList The submitted email was from address in address implicit safe list.
isFromAddressInAddressImplicitJunkList The submitted email was from address in address implicit junk list.
isFromDomainInDomainSafeList The submitted email was from domain in domain safe list.
isFromDomainInDomainBlockList The submitted email was from domain in domain blocklist.
isRecipientInRecipientSafeList The submitted email was to recipient in recipient safe list.
customRule The submitted email was handled by one user custom rule.
senderPraPresent The submitted email was from sender who presents before.
fromFirstTimeSender The submitted email was from first time sender.
exclusive The recipients of the submitted email are exclusive to the recipient's address book while delivery was only allowed from address book contacts.
priorSeenPass The submitted email was prior seen passed.
senderAuthenticationSucceeded The sender authentication of the submitted email was succeeded.
isJunkMailRuleEnabled The junk mail rule was enabled.
unknownFutureValue unknown future value.

submissionResultDetail values

Member Description
none Microsoft has no other details on the result to share.
underInvestigation Microsoft is still analyzing the sample and the results should be available soon.
simulatedThreat The reported message was blocked as it's a phish simulated email send to users for phish education. To configure EOP/MDO to allow, it checks out advanced delivery
allowedBySecOps The reported message was allowed due to advanced delivery flow for security operators mailbox. To block the message, remove it from advanced delivery.
allowedByThirdPartyFilters The reported message was either allowed or blocked due third-party filters working with EOP/MDO. Configure enhanced filtering so that EOP/MDO can filter accurately.
messageNotFound Microsoft can't provide a verdict on the reported message as Microsoft can't find the actual message. Resubmit by uploading the email using submissions in security.microsoft.com.
urlFileShouldNotBeBlocked Microsoft finds the reported entity to be clean. Existing emails containing it have been released. The phish and malware filters will learn from this after a few weeks. Until the filters learn, create an allow entry in Tenant allow/block list if not done already.
urlFileShouldBeBlocked Microsoft finds the reported entity to be malicious. Existing emails containing it have been quarantined. The phish and malware filters will learn from this after a few weeks. Until the filters learn, create a block entry in Tenant allow/block list if not done already.
urlFileCannotMakeDecision Microsoft can't reach a verdict at this time. Resubmit it to get a verdict on it after analysis. Use Tenant allow/block list to immediately allow/block it if not already done.
domainImpersonation The reported message was either allowed or blocked due to domain impersonation policy settings. Configure domain impersonation policy so that EOP/MDO can filter accordingly.
userImpersonation The reported message was either allowed or blocked due to user impersonation policy settings. Configure user impersonation policy so that EOP/MDO can filter accordingly.
brandImpersonation The reported message was either allowed or blocked due to brand impersonation policy settings. Configure brand impersonation policy so that EOP/MDO can filter accordingly.
outboundShouldNotBeBlocked The reported outgoing messages has been found clean and Microsoft will update its machine learning based outbound filters in the coming weeks.
outboundShouldBeBlocked The reported outgoing messages has been found malicious and Microsoft will update its machine learning based outbound filters in the coming weeks.
outboundBulk Microsoft finds the reported message to be spam/junk. The outbound filters will learn after a few weeks.
outboundCannotMakeDecision Microsoft can't reach a verdict at this time. Resubmit it to get to a verdict on it after analysis.
outboundNotRescanned Microsoft can't provide a verdict on the reported outbound message as Microsoft can't find the actual message. Resubmit by uploading the email using submissions in security.microsoft.com.
zeroHourAutoPurgeAllowed The reported message was removed from quarantine as it was found to be clean.
zeroHourAutoPurgeBlocked The Reported message was blocked or quarantined because it was found to be malicious.
zeroHourAutoPurgeQuarantineReleased The reported message was released from Quarantine despite being quarantined due to zap as message turned malicious after delivery.
onPremisesSkip The reported message can't be analyzed as this went through an on-premises setup of exchange online protection. Configure your hybrid setup so that EOP/MDO can scan messages before delivering to exchange on-premises mailboxes.
allowedByTenantAllowBlockList The reported message was allowed as one or more entities in the email are on the tenant allow/block list. Remove allows from Tenant allow/block list so that EOP/MDO can filter accordingly.
blockedByTenantAllowBlockList The reported message was blocked as one or more entities in the email are on the tenant allow/block list. Remove blocks from Tenant allow/block list so that EOP/MDO can filter accordingly.
allowedUrlByTenantAllowBlockList The reported URL was allowed as it is on the Tenant allow/block list. Remove the allow from Tenant allow/block list so that EOP/MDO can filter accordingly.
allowedFileByTenantAllowBlockList The reported file was allowed as it is on the Tenant allow/block list. Remove the allow from Tenant allow/block list so that EOP/MDO can filter accordingly.
allowedSenderByTenantAllowBlockList The reported message was allowed as the sender of the email is on the Tenant allow/block list. Remove allow from Tenant allow/block list so that EOP/MDO can filter accordingly
allowedRecipientByTenantAllowBlockList The reported outgoing message was allowed as recipient is on the Tenant allow/block list. Remove allow from Tenant allow/block so that EOP/MDO can filter accordingly.
blockedUrlByTenantAllowBlockList The reported URL was blocked as it is on the Tenant allow/block list. Remove the block from Tenant allow/block list so that EOP/MDO can filter accordingly.
blockedFileByTenantAllowBlockList The reported file was blocked as it is on the Tenant allow/block list. Remove the block from Tenant allow/block list so that EOP/MDO can filter accordingly.
blockedSenderByTenantAllowBlockList The reported message was blocked as the sender of the email is on the Tenant allow/block list. Remove block from Tenant allow/block list so that EOP/MDO can filter accordingly
blockedRecipientByTenantAllowBlockList The reported outgoing message was blocked as recipient is on the Tenant allow/block list. Remove block from Tenant allow/block so that EOP/MDO can filter accordingly.
allowedByConnection The reported message was allowed as the sending IP is on the hosted connection filter policy. Remove the IP from the hosted connection filter policy so that EOP/MDO can filter accordingly.
blockedByConnection The reported message was blocked as the sending IP is on the hosted connection filter policy. Remove the IP from the hosted connection filter policy so that EOP/MDO can filter accordingly.
allowedByExchangeTransportRule The reported message was allowed as the organization has a related exchange transport rule. Remove the exchange transport rule so that EOP/MDO can filter accordingly.
blockedByExchangeTransportRule The reported message was blocked as the organization has a related exchange transport rule. Remove the exchange transport rule so that EOP/MDO can filter accordingly.
quarantineReleased The reported message was released from Quarantine despite being quarantined by EOP/MDO.
quarantineReleasedThenBlocked The reported message was blocked by user setting after being released from Quarantine. Remove the user setting so that the mail can be released to the inbox.
junkMailRuleDisabled The reported message was bound to be delivered to the junk folder, but junk folder has been disabled. Turn on junk folder setting so that EOP/MDO can deliver emails accordingly.
allowedByUserSetting The reported message was allowed due to user safe or trusted sender setting in outlook. Remove the safe or trusted sender setting so that EOP/MDO can filter accordingly.
blockedByUserSetting The reported message was blocked due to user blocked or trusted sender setting in outlook. Remove the blocked or trusted sender setting so that EOP/MDO can filter accordingly.
allowedByTenant The reported message was allowed due to tenant policy or policy action settings. Review the EOP/MDO policy or policy action settings so that EOP/MDO can filter accordingly.
blockedByTenant The reported message was blocked due to tenant policy or policy action settings. Review the EOP/MDO policy or policy action settings so that EOP/MDO can filter accordingly.
invalidFalsePositive The reported message is already allowed by EOP/MDO.
invalidFalseNegative The reported message is already blocked by EOP/MDO.
spoofBlocked The reported message is determined as spoof by our system and so blocked. Create a spoof allow in Tenant allow/block list so that EOP/MDO can allow emails from this spoofed sender.
goodReclassifiedAsBad Microsoft finds the reported message to be malicious. Existing emails are quarantined. The phish and malware filters will learn from this after a few weeks. Until the filters learn, create a block entry in Tenant allow/block list if not done already.
goodReclassifiedAsBulk Microsoft finds the reported message to be spam. The spam and bulk filters will learn from this message after a few weeks. Until the filters learn, create a block entry in Tenant allow/block list if not done already.
goodReclassifiedAsGood Microsoft finds the reported message to be clean, if you disagree with this verdict resubmit the email. Until Microsoft blocks the message, create a block entry in Tenant allow/block list if not done already.
goodReclassifiedAsCannotMakeDecision Microsoft can't reach a verdict at this time. Resubmit it to get a verdict on it after analysis. Use Tenant allow/block list to immediately block it if not done already.
badReclassifiedAsGood Microsoft finds the reported message to be clean. Existing emails have been released. The phish and malware filters will learn from this after a few weeks. Until the filters learn, create an allow entry in Tenant allow/block list if not done already.
badReclassifiedAsBulk Microsoft finds the reported message to be spam. The spam and bulk filters will learn from this message after a few weeks. Until the filters learn, create an allow entry in Tenant allow/block list if not done already.
badReclassifiedAsBad Microsoft finds the reported message to be malicious. If you disagree with this verdict, resubmit the email. Until the message is allowed, create an allow entry in Tenant allow/block list if not done already.
badReclassifiedAsCannotMakeDecision Microsoft can't reach a verdict at this time. Resubmit it to get a verdict on it after analysis. Use Tenant allow/block list to immediately allow it if not done already.
unknownFutureValue Any future value, which isn't in use now.
willNotifyOnceDone We'll notify you as soon as we've analyzed your message.
checkUserReportedSettings If you want to submit messages to Microsoft, go to "User Reported Settings" and select either Microsoft only or Microsoft and my reporting mailbox under "Reported Message Destinations".
partOfEducationCampaign The reported message was part of a phishing education campaign. For more information, see the Advanced Delivery or Attack Simulation page.
allowedByAdvancedDelivery The reported message was allowed due to advanced delivery flow for security operators mailbox. To block the message, remove it from advanced delivery.
allowedByEnhancedFiltering The reported message was either allowed due to enhanced filtering for connectors policy, if you no longer want to allow this item remove the entry.
itemDeleted Microsoft can't provide a verdict on the reported message as Microsoft can't find the actual message. Resubmit by uploading the email using submissions in security.microsoft.com.
itemFoundClean Microsoft finds the reported message to be clean, if you disagree with this verdict resubmit the email. Until Microsoft blocks the message, create a block entry in Tenant Allow/Block List if not done already.
itemFoundMalicious Microsoft finds the reported message to be malicious. If you disagree with this verdict, resubmit the email. Until the message is allowed, create an allow entry in Tenant Allow/Block List if not done already.
unableToMakeDecision Microsoft can't reach a verdict at this time. Resubmit it to get a verdict on it after analysis. Use Tenant Allow/Block List to immediately allow or block it if not done already.
domainResembledYourOrganization The reported message comes from a domain that resembles your organization. Reevaluate item and, if it still appears to be clean, add the sender domain to the list of trusted domains within the Anti phish policy.
endUserBeingImpersonated Someone impersonating the end user sent this reported message. Reevaluate item and, if it still appears to be clean, add the sender's address to the list of trusted senders within the anti-phishing policy.
associatedWithBrand The reported message contains content that appears to be associated with a particular brand. Review and, if you deem it to be clean and necessary, use the Tenant Allow Block List to allow these items in the future.
senderFailedAuthentication The reported message wasn't delivered because it failed authentication. Review your domain authentication settings or contact the domain owner.
endUserBeingSpoofed The reported message is determined as spoof by our system and so blocked. Create a spoof allow in Tenant allow/block list so that EOP/MDO can allow emails from this spoofed sender.
itemFoundBulk Microsoft finds the reported message to be bulk. The spam and bulk filters will learn from this message after a few weeks. Until the filters learn, create a block entry in Tenant Allow/Block List if not done already.
itemNotReceivedByService Microsoft can't provide a verdict on the reported message as Microsoft can't find the actual message. Verify that no policies or mail flow rules prevent items from reaching our service.
itemFoundSpam Microsoft finds the reported message to be spam. The spam and bulk filters will learn from this message after a few weeks. Until the filters learn, create a block entry in Tenant Allow/Block List if not done already.

Relationships

None.

JSON representation

The following JSON representation shows the resource type.

{
  "@odata.type": "#microsoft.graph.security.submissionResult",
  "category": "String",
  "detail": "String",
  "userMailboxSetting": "String",
  "detectedUrls": [
    "String"
  ],
  "detectedFiles": [
    {
      "@odata.type": "microsoft.graph.security.submissionDetectedFile"
    }
  ]
}