Submit PHISHING & SPAM samples to Microsoft


We receive several phish and spam messages every day and we used to submit them to Microsoft using the submission portal. We recently developed an automated process where, when a user reports these messages as an attachment to us in a shared mailbox, we extract that attachment using Power Automate and send it to another mailbox, and from there we use forwarding to send it to Email address removed. So far we have submitted almost 29000 messages in 9 months and I am wondering if Microsoft analyzes these messages and takes action on their ML or AI logic or algorithm for phishing and spam messages.

3 Replies
Yes, they are being checked. They are compared to other reports for the same senders and recipients, and the filters and AI are updated accordingly if MS determines it is a valid threat.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/report-junk-email-messag...
Data from submissions to Microsoft resides in the Office 365 compliance boundary in North American data centers. The data is reviewed by analysts on the engineering team to help improve the effectiveness of the filters. The submission is considered feedback to help improve the filters and is kept for a period of 30 days, after which it is deleted.
Look at the confidence of the sightings being sent to you. Are the senders sure the mails are spam or phish, or are they asking you for an opinion?

If they are asking for an opinion then yes, you have to process the sighting and respond or react.

If they are confident the mail is unwanted, they should be saving you the time by reporting the sighting themselves. For Exchange Online you want to deploy the Report Message add-in (and there is talk that it is about to be folded into the main Outlook program). For on-premises Exchange, I believe they have to send direct but there are still established ways to ensure your SecOps team get a copy of whatever is being reported.
Thanks for the help ExMSW4319.
Our InfoSec team does not allow the Outlook add-in, so we use a 3rd party add-in, and when a user submits the message using the 3rd party add-in, the message is delivered to a shared mailbox as an attachment. We have designed an automated process using a mail rule and Power Automate that extracts the spam or phish emails sent as an attachment by the user to the shared mailbox and delivers them to another mailbox, which is managed by messaging. From the other shared mailbox, we send the email as an attachment to MS at Email address removed. MS confirmed that this is a valid process and that they accept the messages, and those emails should appear in the user reported email view in the submission portal, but as of now we are unable to see any messages.
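
The extract-and-resend step described in this thread, sketched in Python as an added example; it is not code from any poster and not the Power Automate flow itself. The mailbox addresses, `SUBMISSION_ADDR` (the thread redacts the real one) and the sample report are constructed placeholders.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Placeholder: the thread redacts the real submission address.
SUBMISSION_ADDR = "submission-address@example.invalid"

def extract_reported(raw: bytes) -> list:
    """Return the message/rfc822 attachments of a report, headers intact."""
    report = message_from_bytes(raw, policy=policy.default)
    return [part.get_content()
            for part in report.iter_attachments()
            if part.get_content_type() == "message/rfc822"]

def build_submission(original: EmailMessage, sender: str) -> EmailMessage:
    """Wrap the original as an attachment; an inline forward would replace
    its From, Message-ID and Authentication-Results with the forwarder's."""
    sub = EmailMessage()
    sub["From"] = sender
    sub["To"] = SUBMISSION_ADDR
    sub["Subject"] = "User-reported message"
    sub.set_content("Reported sample attached.")
    sub.add_attachment(original)  # stored as a message/rfc822 part
    return sub

def make_sample_report() -> bytes:
    """Constructed user report: one suspicious message attached to a note."""
    phish = EmailMessage()
    phish["From"] = "it-support@example.invalid"
    phish["To"] = "user@example.invalid"
    phish["Subject"] = "Your mailbox is full"
    phish["Message-ID"] = "<constructed-1@example.invalid>"
    phish["Authentication-Results"] = "mx.example.invalid; spf=fail"
    phish.set_content("Constructed sample body.")
    report = EmailMessage()
    report["From"] = "user@example.invalid"
    report["To"] = "phish-reports@example.invalid"
    report["Subject"] = "Reported phish"
    report.set_content("Reporting this message.")
    report.add_attachment(phish)
    return report.as_bytes()

if __name__ == "__main__":
    for original in extract_reported(make_sample_report()):
        out = build_submission(original, "phish-triage@example.invalid")
        print(out["To"], "<-", original["Subject"])
```
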