Microsoft Defender for Office 365 enables users and administrators to submit suspicious items for analysis (email and Teams messages, files, or URLs) to improve detection and prevention. Your submissions allow Microsoft to determine the nature of the item, update filtering decisions, and give you actionable insights. We're often asked what happens after you submit an item to Microsoft, so here's a brief overview of what happens behind the scenes.
You can submit items to Microsoft Defender for Office 365 in several ways, depending on your role and the source of the item. For example, you can submit items from:
TIP: There’s no difference between user reported items and admin submissions from a feedback point of view. They’re just ways for different personas to report items.
We strongly recommend configuring the message destination in user reported settings as either Microsoft only or Microsoft and reporting mailbox. This configuration ensures that admins don't need to resubmit user reports. When user reported settings send messages only to the reporting mailbox, security teams must actively forward user reports to Microsoft via admin submissions, or the reports never reach the filtering stack.
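The difference between the weak and the recommended destination setting, expressed as Exchange Online PowerShell. This is an added example, not code from the original post or from Microsoft; it assumes a session already opened with Connect-ExchangeOnline, an existing reporting mailbox, and a placeholder address securityops@contoso.com:

```powershell
# Added example (not from the original post). Assumes an Exchange Online PowerShell
# session already opened with Connect-ExchangeOnline and an existing reporting
# mailbox; securityops@contoso.com is a placeholder, not a real address.
$ReportingMailbox = 'securityops@contoso.com'   # assumption: your SOC reporting mailbox

# --- Weak setting: reporting mailbox only (shown for contrast, left commented out) ---
# User reports land only in the reporting mailbox and nothing reaches Microsoft,
# so an admin has to resubmit every report by hand through admin submissions.
# Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy `
#     -EnableReportToMicrosoft $false `
#     -ReportJunkToCustomizedAddress $true    -ReportJunkAddresses    $ReportingMailbox `
#     -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $ReportingMailbox `
#     -ReportPhishToCustomizedAddress $true   -ReportPhishAddresses   $ReportingMailbox

# --- Recommended: Microsoft and reporting mailbox ------------------------------------
# Reports go to Microsoft for grading AND a copy lands in the reporting mailbox,
# so the SOC keeps visibility without resubmitting anything.
# ("Microsoft only" is the same call with the three *ToCustomizedAddress switches $false.)
Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy `
    -EnableReportToMicrosoft $true `
    -ReportJunkToCustomizedAddress $true    -ReportJunkAddresses    $ReportingMailbox `
    -ReportNotJunkToCustomizedAddress $true -ReportNotJunkAddresses $ReportingMailbox `
    -ReportPhishToCustomizedAddress $true   -ReportPhishAddresses   $ReportingMailbox

# The reporting mailbox must also be referenced by the report submission rule;
# create the rule if the tenant does not have one yet, otherwise update it.
if (Get-ReportSubmissionRule -ErrorAction SilentlyContinue) {
    Set-ReportSubmissionRule -Identity DefaultReportSubmissionRule -SentTo $ReportingMailbox
} else {
    New-ReportSubmissionRule -Name DefaultReportSubmissionRule `
        -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $ReportingMailbox
}

# Verify: EnableReportToMicrosoft must be True and all three address lists
# must contain the reporting mailbox, otherwise reports are still being dropped
# on one side or the other.
Get-ReportSubmissionPolicy |
    Format-List EnableReportToMicrosoft, ReportJunkAddresses, ReportNotJunkAddresses, ReportPhishAddresses
```

The verification step at the end is the one to keep in a periodic configuration check: a policy with EnableReportToMicrosoft set to False is exactly the "reporting mailbox only" state in which user reports silently stop feeding the filters.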
After an item is submitted to Defender for Office 365 by users or admins, it goes through the following steps:
Sometimes, Microsoft Defender for Office 365 has already caught up with the Indicator of Compromise (IOC; URL/Attachment/Sender/IP) associated with the submission. This updated decision could be due to changes in Sender/IP reputation or detection of URLs and files involving delayed weaponization (initially clean, but malicious after a delay).
The submitted item is analyzed and classified by a mix of our state-of-the-art automated and human graders. The graders examine the message, its URLs, attachments and QR codes, and all metadata associated with the submitted item.
Based on the combination of these 5 steps, you get the result, result details, and recommended steps. The complete set of results can be found here.
In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can submit items to Microsoft for analysis, but the items are analyzed for phishing simulation, authentication, and policy hits only. Rescan and grader analysis aren't done for compliance reasons (data isn't allowed to leave the organization boundary).
While we know most customers have done their due diligence before submitting items to Microsoft, trusting every submission unconditionally would be a critical security loophole. Some email verdicts are subjective (spam for one user can be acceptable to another user), and some submissions involve human error. Hence, it's critical for Microsoft to confirm a submission before using it to update filters.
In cases where Microsoft’s final grade is different from what was reported, we ensure we have a strong signal for disagreement. For example, if the email was submitted as clean but our human analysts found convincing evidence of malicious entity/intent, the submission result shows the verdict of the human analyst. Microsoft tries to ensure the instances of incorrect disagreements are low. However, there can be exceedingly rare cases (human error) where customers might feel the disagreement is invalid.
This verdict happens due to two reasons:
If the submitted item is identified as malicious (a false negative), Microsoft takes one or more of the following actions:
If the submitted item is identified as clean (a false positive), Microsoft takes one or more of the following actions:
For user reported phishing messages, automated investigation and response (AIR) is triggered from the resulting alerts. AIR clusters all related messages and then analyzes them to determine whether the original email was malicious. When a user submission cluster is deemed malicious, AIR recommends a remediation action to the SOC team for the entire cluster, increasing SOC efficiency in remediating threats and responding to end users with automated feedback.
Even if your submission is accepted as valid, our technologies are designed for long-term improvement, and durably fixing the Microsoft Defender for Office 365 filtering stack (bulk/phishing/spam/malware/clean) is not straightforward in every instance. Several factors can therefore affect how quickly a change takes effect, including:
For all the reasons above, and even though we have several ongoing investments to improve how we learn from submissions, some customers might perceive no immediate change after a submission. For immediate relief, we recommend using the Tenant Allow/Block List actions available during submission (in the Take action wizard or on the Submissions page) and letting Defender for Office 365 manage the expiry of those entries based on how long the filters take to learn.
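What "immediate relief with a managed expiry" looks like from Exchange Online PowerShell, as an added example that is not part of the original post. Allow entries are created through the submission wizard as described above; this example only creates temporary block entries. It assumes a session opened with Connect-ExchangeOnline, and the sender, URL, file hash and ticket reference are placeholders constructed for the example, not real indicators:

```powershell
# Added example (not from the original post). Assumes a connected Exchange Online
# PowerShell session (Connect-ExchangeOnline). The sender, URL, file hash and the
# ticket number in the note are placeholders constructed for this example.

# Give every block a 30-day expiry so it does not outlive the submission that
# prompted it; the filters can learn in the meantime. Use -NoExpiration only
# deliberately, because such entries are never cleaned up for you.
$Expires = (Get-Date).ToUniversalTime().AddDays(30)
$Note    = 'Temporary block pending submission result, ticket SEC-0000'   # placeholder

# Block a sender address (pass just the domain to block the whole domain).
New-TenantAllowBlockListItems -ListType Sender -Block `
    -Entries 'invoice@contoso-payments.example' `
    -ExpirationDate $Expires -Notes $Note

# Block a URL; the trailing /* covers every path under the host.
New-TenantAllowBlockListItems -ListType Url -Block `
    -Entries 'contoso-payments.example/*' `
    -ExpirationDate $Expires -Notes $Note

# Block an attachment by its SHA-256 (placeholder hash, 64 hex characters).
New-TenantAllowBlockListItems -ListType FileHash -Block `
    -Entries '0000000000000000000000000000000000000000000000000000000000000000' `
    -ExpirationDate $Expires -Notes $Note

# Review what is currently blocked and when each entry expires, so stale blocks
# created "for immediate relief" are visible rather than forgotten.
foreach ($type in 'Sender', 'Url', 'FileHash') {
    Get-TenantAllowBlockListItems -ListType $type -Block |
        Select-Object @{ n = 'Type'; e = { $type } }, Value, ExpirationDate, Notes
}

# Once the submission result is back and the filter verdict has changed, the
# block can be removed early instead of waiting for the expiry date.
# Remove-TenantAllowBlockListItems -ListType Sender -Entries 'invoice@contoso-payments.example'
```

Pairing each block entry with the submission it belongs to (the ticket reference in the note) is what makes the expiry safe: when the submission result arrives, you can find the matching entry and decide whether the filter has learned enough for the block to go.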
Submissions are the most important source of information for Defender for Office 365 to improve. We encourage you to keep submitting items to fix false positive and false negative issues, and to open a Support ticket only when you feel additional intervention is needed. Defender for Office 365 uses every single submission, even when you don't perceive an immediate change. Apart from contributing to the collective security intelligence by submitting items as spam, phish, malware, or clean, you are also helping Defender for Office 365 get better and stay ahead of attackers. In turn, submissions benefit your organization and other customers across the service by reducing the number of unwanted email messages you receive and ensuring that legitimate email messages aren't mistakenly flagged.
More information