Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
In Microsoft 365 organizations with mailboxes in Exchange Online, user reported settings determine whether user reported email messages are sent to Microsoft for analysis. Even if the messages aren't initially sent to Microsoft, admins can manually send or resend email messages (including user reported email messages) from the Submissions page in, email attachments, URLs, and (in Microsoft Defender for Office 365 Plan 2 only) Microsoft Teams messages. For more information, see How do I report a suspicious email or file to Microsoft?.
When admins or users submit items to Microsoft for analysis, we do the following checks:
- Email authentication check (email messages only): Whether the message passed or failed email authentication checks: SPF, DKIM, DMARC, and composite authentication.
- Policy hits: Information about any policies or overrides that might have allowed or blocked the incoming email into the organization, thus overriding our filtering verdicts.
- Payload reputation/detonation: Up-to-date examination of any URLs and attachments in the message.
- Grader analysis: Review done by human graders to confirm whether messages are malicious.
For more information, see Learn more how submissions are processed behind-the-scenes to generate the result.
Note
- In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can submit items to Microsoft for analysis, but the items are analyzed for email authentication and policy hits only. Payload reputation, detonation, and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary). 
- AI-powered Submissions Response introduces generative AI explanations for email submissions to Microsoft. These explanations aim to provide enterprise admins with clear, detailed, human-readable explanations for why messages were classified. Currently, this feature is scoped to email submissions only, and AI-generated explanations aren't used for the following types of submissions: - Files
- URLs
- Microsoft Teams messages
- User submissions
 - AI-generated explanations are available for the following verdicts: - Spam
- Bulk
- Threats found
- No threats found
- Unknown
 - If the AI-generated explanation is unavailable, the system falls back to the existing explanation as described in the following table. 
The following table describes the results of submissions to Microsoft:
- Status indicates whether the previously described checks have been completed.
- Result indicates the details that were generated during the analysis using the previously described checks.
| Status | Result | Description | 
|---|---|---|
| Being analyzed | Under investigation | The item is being analyzed as previously described. After the analysis is complete, the status is updated and the result shows details of the analysis. | 
| Completed | Not submitted to Microsoft | The user reported settings are configured to deliver reported messages to the reporting mailbox only. Microsoft is unable to automatically receive the copy of the submitted item and act on it. You can update the user reported settings to deliver messages to the reporting mailbox and to Microsoft, or to Microsoft only. | 
| Completed | Phishing simulation | The submitted item is part of your part of an internal anti-phishing education campaign. Check the Advanced delivery policy or (in Defender for Office 365 Plan 2) Attack simulation training. | 
| Completed | Authentication failed | The message wasn't delivered because it failed email authentication. If you own this domain, review your domain authentication settings. Otherwise, contact the domain owner. For more information, see Email authentication. | 
| Completed | Spoofed message | The submitted item was sent by someone who is spoofing the sender. For more information, see Spoof intelligence insight. | 
| Completed | Domain Impersonation | In Defender for Office 365, the submitted item came from a domain that resembles a domain identified for domain impersonation protection. We recommend that you review the item and (if necessary) add the sender domain to the list of trusted senders in the anti-phishing policy that detected the message. For more information, see Domain impersonation protection. | 
| Completed | Brand Impersonation | In Defender for Office 365, the submitted item came from someone who is associated with a brand. We recommend that you review the item and (if necessary) add the sender address as an allow entry in the Tenant Allow/Block List. | 
| Completed | User Impersonation | In Defender for Office 365, the submitted item comes from a sender that resembles a user identified for user impersonation protection. We recommend that you review the item and (if necessary) add the sender to the list of trusted senders in the anti-phishing policy that detected the message. For more information, see User impersonation protection. | 
| Completed | Allowed due to organizational overrides | An entity associated with the submitted item was allowed in one of the following settings: 
 Check the submission result for the exact cause and remove or fix the setting. | 
| Completed | Allowed due to user overrides | The submitted item recipient has Outlook configurable allow settings in their mailbox (for example, a sender or domain in their Safe Senders List). Check the submission result for the exact cause and remove or fix the setting. | 
| Completed | Blocked due to organizational overrides | An entity associated with the submitted item was blocked in one of the following settings: 
 Check the submission result for the exact cause and remove or fix the setting. | 
| Completed | Blocked due to user overrides | The submitted item recipient has Outlook configurable block settings in their mailbox (for example, a sender or domain in the Blocked Senders list or Safe Lists only turned on). Check the submission result for the exact cause and remove or fix the setting. | 
| Completed | Item was not found | The submitted item is unavailable because it was deleted or the submission is invalid. Only items from Exchange Online mailboxes can be submitted. Resubmit the .eml file or Network Message ID of a message from an Exchange Online mailbox. | 
| Completed | The reason behind this verdict was lost in transit | The submitted item was routed via Hybrid mail flow between on-premises Exchange and Exchange Online, and the filtering verdict was lost. Check any similar messages that were delivered directly to your cloud mailbox and fix your routing. | 
| Completed | We did not receive the submission, please fix the problem and resubmit | The submitted item did not reach the submission service. Verify that no policies or mail flow rules prevent items from reaching our service. For more information, see Microsoft 365 URLs and IP address ranges. | 
| Completed | Further analysis needed | In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD) receive this result when nothing is found within the allowed checks for Email authentication checks and Policy hits. We recommend opening a support ticket to get the submitted item analyzed. | 
| Completed | Unknown - We checked but can't make a decision right now | Microsoft could not reach a decision regarding the submitted item. Explanations include different interpretations by different analysts or the item being inaccessible. Microsoft continuously invests in the analysis process so this result is less common. | 
| Completed | Bulk | The submitted item sender was classified as a bulk sender. In the future, similar items are blocked if they meet or exceed the bulk compliant level (BCL) threshold in anti-spam policies. For more information, see Bulk complaint level (BCL). To prevent similar items from being delivered, you can create block entries for domains or email addresses, files, or URLs in the Tenant Allow/Block List. For more information, see Block entries in the Tenant Allow/Block List. | 
| Completed | Spam | The submitted item was classified as spam. In the future, similar items are blocked if they meet or exceed the spam confidence level (SCL) threshold in anti-spam policies. For more information, see Spam confidence level (SCL). To prevent similar items from being delivered, you can create block entries for domains or email addresses, files, or URLs in the Tenant Allow/Block List. For more information, see Block entries in the Tenant Allow/Block List. | 
| Completed | No threats found | The submitted item was found to be clean. After a period of evaluation, the filters might be updated using the information from the submission. Until the filters learn about the submission, you can create block entries or allow entries for the item in the Tenant Allow/Block List. | 
| Completed | Threats found | The submitted item was found to be malicious. After a period of evaluation, the filters might be updated using the information from the submission. Until the filters learn about the submission, you can create block entries or allow entries for the item in the Tenant Allow/Block List. |