Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
Wondering what to do with suspicious email messages, URLs, email attachments, or files? In all organizations with cloud mailboxes, users and admins have different ways to report suspicious email messages, URLs, and email attachments to Microsoft.
In addition, admins in Microsoft 365 organizations with Microsoft Defender for Endpoint also have several methods for reporting files.
Watch this video that shows more information about the unified submissions experience.
Report suspicious email messages to Microsoft
Important
When you make a submission to Microsoft, everything associated with the submission is copied and included in the continual algorithm reviews. This copy includes all data associated with submission, including: message content, headers, any attachments, related data about routing and all other data directly associated with the submission.
Microsoft treats your submission as your organization's permission to analyze all the information to fine tune the submission hygiene algorithms. Your submission is held in secured and audited data centers in the USA. The submission is deleted as soon as it's no longer required. Microsoft personnel might read your submitted messages and attachments, which is normally not permitted for customer data in Microsoft 365. However, your submission is still treated as confidential between you and Microsoft, and your data isn't shared with any other party as part of the review process. Microsoft may also use AI to evaluate and create responses tailored to your submissions.
For information about reporting messages in Microsoft Teams in Defender for Office 365 Plan 2, see User reported message settings in Microsoft Teams.
| Method | Submission type | Comments | 
|---|---|---|
| The built-in Report button in supported versions of Outlook | User | |
| The Submissions page in the Microsoft Defender portal | Admin | Admins can report good (false positives) and bad (false negative) messages, email attachments, and URLs (entities) from the available tabs on the Submissions page. Admins can also submit user reported messages from the User reported tab on the Submissions page to Microsoft for analysis. The Submissions page is available only in organizations with cloud mailboxes. | 
| Report messages from quarantine | Admin and User | Admins can submit quarantined messages to Microsoft for analysis (false positives and false negatives). If users are allowed to release their own messages from quarantine, and user reported settings is configured to allow users to report quarantined messages, users can select Report message as having no threats (false positive) when they release a quarantined message. | 
Related reporting settings for admins
User reported settings allow admins to configure whether user reported messages go to a specified reporting mailbox, to Microsoft, or both. After this feature is configured, user reported messages appear on the User reported tab on the Submissions page in the Defender portal.
User reported messages are also available to admins in the following locations in the Microsoft Defender portal:
- The User-reported messages report
- Automated investigation and response (AIR) results (Defender for Office 365 Plan 2)
- Threat Explorer (Defender for Office 365 Plan 2)
In Defender for Office 365, admins can also submit messages from the Email entity page and from Alerts in the Defender portal.
Admins can use the sample submission portal at https://www.microsoft.com/wdsi/filesubmission to submit other suspected files to Microsoft for analysis. For more information, see Submit files for analysis.
To report suspected phishing or fraud, you can also go directly to the submission portal: Reportsubmission.
If you encountered a tech support scam, report it here: Reportscam.
Tip
In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can submit messages to Microsoft for analysis. The messages are analyzed for email authentication and policy checks only. Payload reputation, detonation, and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary). If you report a message, URL, or email attachment to Microsoft from one of these organizations, you get the following message in the result details:
Further investigation needed. Your tenant doesn't allow data to leave the environment, so nothing was found during the initial scan. You'll need to contact Microsoft support to have this item reviewed.