GT_deb
Copper Contributor
Jun 04, 2026

No way to automate restoring user‑reported emails after “no threats found”

When a user reports an email as phishing in Defender, the message gets moved to Deleted Items. After we triage it, if we mark it as “no threats found,” there’s no way to push it back to the user’s inbox as part of that workflow.

That creates a bit of a broken experience:

  • User is told the email is safe with our customized email response, but has to go find it themselves
  • In a lot of cases they don’t (Outlook search won’t find it)
  • We end up with follow‑ups like “where did it go?”

Technically we could restore the email as part of our triage process, but that just shifts the effort onto the SOC. It doesn’t scale, and it’s not really the right place for that work. We have tried to create an automation to do this, but we have not been able to create an advanced hunting query based on our triage result that can then trigger an action to restore it to the mailbox.

So we end up choosing between:

  • Users having a bad experience, or
  • Analysts doing manual mailbox work

Neither is ideal.

Other platforms (like Proofpoint) handle this end‑to‑end — once something is confirmed clean, it can be returned to the user automatically.

Right now Defender stops at classification instead of completing the workflow.

Is there a reason this isn’t wired in, or anything on the roadmap to address it?
