Admin review for user reported messages

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

In Microsoft 365 organizations with Exchange Online mailboxes and Microsoft Defender for Office 365, admins can send templated result messages back to users after they review the user reported messages. Admins can customize the notification message template that's used for the organization.

The feature is designed to give feedback to users without changing the message verdicts in the system. To help Microsoft update and improve its filters, admins need to submit user reported messages to Microsoft for analysis when the user reported settings are configured to send user reported messages to the reporting mailbox only. For more information, see User reported settings.

Admins can mark messages and notify users of review results only if the user reported the message as a false positive or a false negative.

What do you need to know before you begin?

  • You open the Microsoft Defender portal at https://security.microsoft.com. To go directly to the Submissions page, use https://security.microsoft.com/reportsubmission. To go directly to the User reported settings page, use https://security.microsoft.com/securitysettings/userSubmission.

  • If the User reported settings in the organization send user reported messages (email and Microsoft Teams) to Microsoft (exclusively or in addition to the reporting mailbox), we do the same checks as when admins submit messages to Microsoft for analysis from the Submissions page:

    • Email authentication check (email messages only): Whether email authentication passed or failed when it was delivered.
    • Policy hits: Information about any policies or overrides that might have allowed or blocked the incoming email into the organization, thus overriding our filtering verdicts.
    • Payload reputation/detonation: Up-to-date examination of any URLs and attachments in the message.
    • Grader analysis: Review done by human graders to confirm whether or not messages are malicious.

    So, submitting or resubmitting messages to Microsoft is useful to admins only for messages that have never been submitted to Microsoft, or when you disagree with the original verdict.

  • You need to be assigned permissions before you can do the procedures in this article. You have the following options:

    • Microsoft Defender XDR Unified role based access control (RBAC) (If Email & collaboration > Defender for Office 365 permissions is Active. Affects the Defender portal only, not PowerShell): Authorization and settings/System settings/manage or Authorization and settings/System settings/Read-only.

    • Email & collaboration permissions in the Microsoft Defender portal: Membership in the Organization Management or Security Administrator role groups.

    • Exchange Online permissions: Membership in the Organization Management role group.

    • Microsoft Entra permissions: Membership in the Global Administrator*, Security Administrator, or Global Reader roles gives users the required permissions and permissions for other features in Microsoft 365.

      Important

      * Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

  • You need access to Exchange Online PowerShell. If your account doesn't have access to Exchange Online PowerShell, you get the following error: Specify an email address in your domain. For more information about enabling or disabling access to Exchange Online PowerShell, see the following articles:

Notify users from within the portal

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to the Submissions page at Email & collaboration > Submissions. Or, to go directly to the Submissions tab, use https://security.microsoft.com/reportsubmission.

  2. On the Submissions page, select the User reported tab.

  3. On the User reported tab, select the user reported message by using either of the following methods:

    • Select the message from the list by selecting the check box next to the first column, and then select Mark as and notify.
    • Select the message from the list by clicking anywhere in the row other than the check box. In the details flyout that opens, select Mark as and notify or More options > Mark as and notify.
  4. In the Mark as and notify dropdown list, select one of the following values:

    • Available verdicts for email messages:

      • No threats found
      • Phishing
      • Spam
    • Available verdicts for Microsoft Teams messages:

      • No threats found
      • Phishing

The reported message is marked with the selected verdict, and an email message is automatically sent to notify the user who reported the message.

To customize the notification email, see the next section.

Customize the messages used to notify users

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to the User reported page at Settings > Email & collaboration > User reported settings tab. Or, to go directly to the User reported settings page, use https://security.microsoft.com/securitysettings/userSubmission.

  2. On the User reported settings page, verify that Monitor reported messages in Outlook is selected in the Outlook section at the top of the page.

  3. Find the Email notifications section and configure one or more of the following settings:

    • Results email section: Select Customize results email. In the Customize admin review email notifications flyout that opens, configure the following settings on the Phishing, Junk and No threats found tabs:

      • Email body results text: Enter the custom text to use. You can use different text for Phishing, Junk and No threats found.
      • Email footer text: Enter the custom message footer text to use. The same text is used for Phishing, Junk and No threats found.

      When you're finished in the Customize admin review email notifications flyout, select Confirm to return to the User reported settings page.

      The Customize confirmation message flyout.

    • Customize sender and branding section:

      • Specify a Microsoft 365 mailbox to use ads the From address of email notifications: Select this option and enter the sender's email address in the box that appears. If you don't select this option, the default sender is [email protected].
      • Replace the Microsoft logo with my organization's logo across all reporting experiences: Select this option to replace the default Microsoft logo that's used in notifications. Before you do this step, follow the instructions in Customize the Microsoft 365 theme for your organization to upload your custom logo.
  4. When you're finished on the User reported settings page, select Save.