Blog Post

Microsoft Defender for Office 365 Blog
2 MIN READ

SOC can see Microsoft analysis for Third-party add-in user report

Dhairyya_Agarwal's avatar
Dhairyya_Agarwal
Icon for Microsoft rankMicrosoft
Apr 09, 2025

This applies to worldwide customers who have Exchange Online Protection, Defender for Office 365 Plan 1, or Defender for Office 365 Plan 2.

We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as Knowbe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis.

A prerequisite for using this is to already have set up the third-party user report tool on Outlook for your end users and that tool is forwarding the user report to an exchange online mailbox within the organization. We do not recommend using the exchange transport rule for it.

To enable this setting, you must do the following:

  1. Go to User reported settings in the Microsoft Defender portal, select Monitor reported messages in Outlook, and then select Use a non-Microsoft add-in button.
  2. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-ins are being routed to. If the third-party vendor follows the guidance for message submissions format, Defender for Office 365 will submit these messages automatically to Microsoft for analysis.

 

The analysis results from Microsoft are displayed on the User reported page in the Defender portal.

 

Alerts are automatically generated for user-reported messages in Defender for Office 365.

 

If you have Defender for Office 365 Plan 2, Automated investigation and response (AIR) is also automatically triggered for user-reported phishing messages. These alerts and their investigations are automatically linked to Defender Incidents, assisting security teams with automation for triage, investigation, and response.

Submitting these messages to Microsoft for analysis provides a response of this analysis to security analysts and helps improve Defender for Office 365 filters.

 

To learn more, check out these articles:

  1. Report suspicious email messages to Microsoft
  2. Automatic user notifications for user reported phishing results in AIR

 

Share Your Feedback!

We are eager for you to experience the capabilities of Microsoft feedback, triage, investigation, and analysis for user reports while utilizing the advantages of third-party report add-ins. Share your thoughts with us by commenting below.

Updated Apr 14, 2025
Version 2.0
awareness & training
configuration
hunting
microsoft 365 defender

8 Comments

Sort By
  • Rod_Labs's avatar
    Rod_Labs
    Copper Contributor
    Apr 16, 2025

    I'm wondering real benefit on distinguishing between 'report junk' or 'report phishing' when reporting from Outlook. Ultimately it's up to the admins decide what the reported message really is based on manual review or by submitting to MS for analysis? 

    • Dhairyya_Agarwal's avatar
      Dhairyya_Agarwal
      Icon for Microsoft rankMicrosoft
      Apr 17, 2025

      Hey Rod_Labs from a Microsoft perspective, lot of the customers actually want to educate their end users to distinguish between phish and junk to reduce workload on their SOC teams as they have separate triage for phish vs junk.

      Moreover, Microsoft's built-in Report button is a split button. Clicking on the button without using the dropdown list reports the message as phishing. Use the dropdown list to report messages as junk or not junk.

      Now why there is a distinction on third party tools, is not something I can answer. Please do reach out to them for their reasoning. 

      • Rod_Labs's avatar
        Rod_Labs
        Copper Contributor
        Apr 17, 2025

        You should educate users with security awareness programs, in my opinion. While SOC may have different playbooks for junk or phish, it shouldn’t rely on end user to determine that. Third-party button such as KnowBe4 doesn’t distinguish it, so users just report it. However, when integrating to MDO, they must distinguish it due to defender requirements, demanding a subject indicating the threat type, along with original msg attached, etc.

        my point is that I believe it should be simpler for the user to report bad and good stuff.

  • skdyer's avatar
    skdyer
    Brass Contributor
    Apr 15, 2025

    Love this new capability, but it has a pretty major bug.  If you select this new option, it enables the Microsoft reporting buttons in New Outlook.  They should stay disabled.  Can you please fix?