Blog Post

Microsoft Defender for Office 365 Blog
4 MIN READ

Automated end-user feedback response is now GA

SehrishKhan's avatar
SehrishKhan
Icon for Microsoft rankMicrosoft
May 23, 2024

We are excited to announce that the automated end-user feedback response feature is now GA! The user submission automatic feedback response capability in Microsoft Defender for Office 365 enables organizations to automatically respond to end user submissions of phish based on the verdict from the automated investigation. 

 

This feature saves SecOps time by converting the process of sending manual responses back to end users on reported messages to be automated. This layers additional value to the automated investigation and response (AIR) feature for SecOps teams and also helps encourage end users to contribute to the security posture of the organization by providing acknowledgment and feedback on those user reports of phish automatically. 

 

Configuration 

The ability to automatically respond to end user submissions of phish is configurable and can be turned on from the user reported settings page (Settings > Email & collaboration > User reported settings) and configured to send based on the AIR verdict. 

 

User submission automatic feedback response configuration found in settings > email & collaboration > user reported settings > automatically email users the results of the investigation: 

 

 

 

  • Phishing or Malware: Selecting this box indicates that the organization would like end users to receive an automatic response email on email submissions of phish when the associated user submission investigation identifies a threat of normal phish, high confidence phish or malware. 
  • Spam: Selecting this box indicates that the organization would like end users to receive an automatic response email on email submissions of phish when the associated user submission investigation shows the threat of spam. 
  • No threats found: Selecting this box indicates that the organization would like end users to receive an automatic response email on email submissions of phish when the associated user submission investigation finds no threats. 

 

Response Timing 

The automated end user feedback response is sent at the conclusion of the investigation when the investigation hits a final status. This means investigations in pending approval status must be approved before the response will be sent. 

 

Email Template 

The email that is sent to the end users utilizes the same email template as the organization’s Mark & Notify email template and allows the customization of the email body for the respective threats of Phishing, Junk and No threats found (corresponding to the Phishing or Malware, Spam, and No threats found settings above respectively). Learn more about Mark & Notify on this page: Admin review for reported messages - Office 365 | Microsoft Learn. 

 

User submission automatic feedback response configuration of email message using customize admin review email notification: 

 

 

 

Function 

Once enabled, Microsoft Defender for Office 365 will automatically respond to end user submissions based on the investigation verdict and the configured settings. For example, if an organization has enabled the user feedback response for emails with no threats found, if a user reported a message as phish it would trigger automated investigation and response (AIR) and begin an investigation on the user reported message. If that investigation concludes with no threats found and the organization had enabled the automatic feedback response for no threats found, then the end user who submitted the message would receive an email stating there were no threats found on the submitted message. The message would resemble the below, but the body of the message and footers would contain what the organization has put in for admin review for reported messages for the no threats found option. 

 

Sample user submission automatic feedback response for no threats found: 

 

 

 

 

 

If an organization has enabled the user feedback response for emails with Phishing or Malware, if a user reported a message as phish it would begin an investigation on the user reported message. If that investigation discovers high confidence phish or malware the investigation would be looking for these to be remediated either with the approval of recommend actions, shown as pending actions in the investigation, incident and action center, or remediation through other means such as explorer. Once the high confidence phish or malware threats found in the investigation have been remediated, the investigation would close as “Remediated” or “Partially Remediated” at which point the user submission feedback email would automatically be sent to the user who reported the message. If only a threat of normal phish was identified for a message, the investigation would not produce pending actions however the end user would still receive a response indicating the message was phish. The message would resemble the below, but the body of the message and footers would contain what the organization has put in for admin review for reported messages for the phishing option. 

 

Sample user submission automatic feedback response for high confidence phish or malware: 

 

 

 

 

Note: The response is not sent to end users until any discovered high confidence phish or malware threats are remediated, meaning responses will not be sent when the investigation is pending action. The investigation must reach “Remediated” or “Partially Remediated” status in order for the response to be triggered. 

 

Display 

When users receive an automatic feedback response, this will be reflected in the submission queue as “Marked as” similar to other submissions that may have manually received a response. 

 

User submission automatic feedback response reflected on submissions queue marked as: 

 

Learn More 

To learn more about the automated end user feedback response feature visit Automatic user notifications for user reported phishing results in AIR - Microsoft Defender for Office 365 | Microsoft Learn. 

 

To learn more about submissions and investigations in MDO please visit the following pages: 

 

Updated Jul 11, 2024
Version 4.0
  • JSC-HFT's avatar
    JSC-HFT
    Brass Contributor
    May 28, 2024

    This is better, but Microsoft needs to go one step further and add option for automatic remediation of phishing and malware without waiting for admin approval.  Admins can always go and recover something if there is a false positive, but still requiring manual action to remediate isn't saving as much time as they could with these improvements.  SecOps team are busy and really shouldn't be manual approving to remove items from mailbox that are high confidence phishing or malware.  With the option to automatically remediate those, Microsoft would be able to 100% automate this process saving teams more valuable time to be spent elsewhere.

  • A-Rex's avatar
    A-Rex
    Brass Contributor
    Jul 11, 2024

    Many thanks for this Post. I have one open question. How does it behave if a phishing simulations mail is reported? Does it return a "No threat found" Mail?

  • Eric_Latreille's avatar
    Eric_Latreille
    Copper Contributor
    Jul 11, 2024

    Hello,

     

    We just trying the user submission with Report Message Add'ins in Outlook. We see the user submission in the report submission on Microsoft Defender. When we mark and notify the message, the notifications are always sent in english (we are french organization) and the email template is not working. The email notification is not sent to the user but to admin tenant only. We have configured like this (in french console)

     

    And in the notification received there is nothing in Email subject :

    Should i open a ticket on microsoft support ?

     

    Sincerelly

     

    Eric Latreille