Built-in report button is available in Microsoft Outlook across platforms
Outlook and Defender for Office 365 are excited to announce the release of built-in report button in Microsoft Outlook across platforms (web, new Outlook for Windows, classic Outlook for Windows, Outlook for Mac, Outlook for Android, Outlook for iOS, and Outlook for android Lite) for both personal and commercial accounts. You can find the built-in button across Outlook: Outlook on the web. New Outlook for Windows. Outlook for Mac version 16.89 (24090815) or later. Classic Outlook for Windows version Current channel: Version 16.0.17827.15010 or later. Monthly Enterprise Channel: Version 16.0.18025.20000 or later. Semi-Annual Channel (Preview): Release 2502, build 16.0.18526.20024 Semi-Annual Channel: Release 2502, build 16.0.18526.20024 Outlook for iOS version 4.2511 or later and Outlook for Android version 4.2446 or later. Outlook for Android Lite Benefits the built-in report button provides for security admins It works out of the box with no setup required The reporting experience for end user is the same across consumer and commercial accounts The report button is consistent across Outlook clients The report button is front and center on all clients The report button is present on the grid view, reading panel, preview panel, context menu The report button enables the user to select in bulk and report messages at once You can turn on and off the pre and post reporting popups for users in your organization using You can customize the individual pre and post reporting popup by adding text and links in 7 diff languages The report button is present on shared and delegate mailboxes enabling end users to report emails. Now present on outlook for web, new outlook for windows, outlook for mac, outlook for android and outlook for iOS The end user reports made by these clients are routed as per the message reported destination configured in the user reported settings. You can view the user report as soon as they are made on the If you have configured Microsoft only or Microsoft and my reporting mailbox in the user reported settings, the result from Microsoft analysis are available on the result column You can turn off the built-in report button on user reported settings by Selecting non-Microsoft add-in button and providing the address of the reporting mailbox of the 3 rd party add-in, or Deselecting monitor reported messages in outlook Note: The report phish add-in and the report message add-in does not provide support for shared and delegate mailbox. The report phish add-in, the report message add-in, and the built-in report button all read from the same user reported settings and use the same internal reporting API. In a way there are two different doors (entry point) to the same house (the backend). For the moment, the report message and report phish add-in are in maintenance mode to provide enough time for customers to migrate to the built-in button. To learn more, please check out Transition from Report Message or the Report Phishing add-ins - Microsoft Defender for Office 365 | Microsoft Learn Report phishing and suspicious emails in Outlook for admins - Microsoft Defender for Office 365 | Microsoft Learn User reported settings - Microsoft Defender for Office 365 | Microsoft Learn Protect yourself from phishing - Microsoft Support Report phishing - Microsoft Support How do I report phishing or junk email? - Microsoft SupportSOC can see Microsoft analysis for Third-party add-in user report
We are pleased to announce that if you are using third-party report message solutions in Microsoft Outlook, such as Knowbe4, Hoxhunt, and Cofense, you can now configure Defender for Office 365 to automatically forward these suspicious messages to Microsoft for analysis. A prerequisite for using this is to already have set up the third-party user report tool on Outlook for your end users and that tool is forwarding the user report to an exchange online mailbox within the organization. We do not recommend using the exchange transport rule for it. To enable this setting, you must do the following: Go to User reported settings in the Microsoft Defender portal, select Monitor reported messages in Outlook, and then select Use a non-Microsoft add-in button. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-ins are being routed to. If the third-party vendor follows the guidance for message submissions format, Defender for Office 365 will submit these messages automatically to Microsoft for analysis. The analysis results from Microsoft are displayed on the User reported page in the Defender portal. Alerts are automatically generated for user-reported messages in Defender for Office 365. If you have Defender for Office 365 Plan 2, Automated investigation and response (AIR) is also automatically triggered for user-reported phishing messages. These alerts and their investigations are automatically linked to Defender Incidents, assisting security teams with automation for triage, investigation, and response. Submitting these messages to Microsoft for analysis provides a response of this analysis to security analysts and helps improve Defender for Office 365 filters. To learn more, check out these articles: Report suspicious email messages to Microsoft Automatic user notifications for user reported phishing results in AIR Share Your Feedback! We are eager for you to experience the capabilities of Microsoft feedback, triage, investigation, and analysis for user reports while utilizing the advantages of third-party report add-ins. Share your thoughts with us by commenting below.Auto-Remediation of Malicious Messages in Automated Investigation and Response (AIR) is GA
We are excited to announce the GA release of auto-remediation of malicious messages through automated investigation and response (AIR) expanding this powerful tool and deliver on full end to end automation of key SOC scenarios. AIR works to triage, investigate and remediate and respond to high-impact, high-volume security alerts providing tenant level analysis to increase customer protection and optimize SOC teams. With this enhancement, customers will be able to configure AIR to automatically execute remediations for messages within malicious entity clusters saving SOC teams time and further expediting remediation by removing the need to for SOC teams to approve these actions! To highlight the key user submission scenario, in addition to AIR completing triage, investigation, remediation identification, and end user feedback responses, customers may now configure AIR to take this a step even further to automatically execute on identified remediations. Auto-Remediation Action When AIR recognizes a malicious file or URL, it creates a cluster around the malicious file or URL grouping all messages that contain that file or URL into the respective cluster. The automated investigation then checks the location of the messages within the cluster and if it finds messages within user’s mailboxes, AIR will produce a remediation action. With the auto-remediation enhancement, if the customer has configured the cluster type to auto-remediate, this action will automatically be executed without the need for SecOps approval - removing identified threats at machine speed! Auto-remediated clusters showing in action center history with decided by stating automation: Configuration Auto-remediation will be controlled by a configuration within Settings > Email & Collaboration > MDO automation settings. Within the message clusters section, organizations may specify which types of message clusters they would like to be auto-remediated: Similar files: When the automated investigation recognizes a malicious file, it creates a cluster around the malicious file grouping all messages that contain that file into the cluster. Selecting this checkbox will opt the organization into auto-remediation for these malicious file clusters. Similar URLs: When the automated investigation recognizes a malicious URL, it creates a cluster around the malicious URL grouping all messages that contain the URL into the cluster. Selecting this checkbox will opt the organization into auto-remediation for these malicious URL clusters. The next configuration is for the remediation action, designating soft delete as soft delete is currently the only action supported through AIR. Auto-remediation of malicious entity clusters configuration found in settings>Email & collaboration>MDO automation settings: Note: Customers interested in auto-remediation must turn it on through the MDO automation settings page as it will not be on by default. Auto-Remediation Action Logging The Defender portal provides several ways for customers to review remediation actions to stay cognizant of the actions executed. These include within the investigation, action center, email entity as well as threat explorer and advanced hunting. Should customers disagree with the action executed, the ability to move the messages back to mailboxes is available as well based on configuration and timing. Auto-remediated messages showing in Threat Explorer Additional actions as Automated Remediation: automated: Auto-remediated messages showing in Advanced Hunting with ActionType as Automated Remediation and ActionTrigger as Automation: Learn More Register for the deep dive webinar on Microsoft Defender for Office 365 automated investigation and response (AIR) on June 25, 2025, at 8:00am PDT / 3:00pm UTC. Learn more about the feature enhancements, as well as how AIR can help optimize SOC teams and accelerate threat response. To learn more about the auto-remediation in AIR, please visit Automated remediation in AIR - Microsoft Defender for Office 365 | Microsoft Learn. To learn more about investigations in MDO, please visit the following pages: Automated investigation and response in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn View the results of an automated investigation in Microsoft 365 - Office 365 | Microsoft Learn How automated investigation and response works in Microsoft Defender for Office 365 - Office 365 | Microsoft Learn Automatic user notifications for user reported phishing results in AIR - Microsoft Defender for Office 365 | Microsoft Learn
Microsoft Defender for Office 365's Language AI for Phish: Enhancing Email Security
Email security presents a complex challenge for individuals and organizations alike. Over the years, attackers have evolved from simple spam campaigns to sophisticated threats including ransomware, identity theft schemes, and carefully crafted phishing scams. Now, malicious actors are armed with Generative AI and are advancing at an alarming pace. In response, Microsoft Defender for Office 365 has dedicated extensive research and development efforts to making email security smarter, more flexible, and more proactive. This dedication led to the introduction of specialized language intelligence to fight Business Email Compromise (BEC) attacks, announced last year at Ignite 2024 (Microsoft Ignite: Redefining email security with LLMs to tackle a new era of social engineering | Microsoft Community Hub). With that announcement, we offered a significant leap in analyzing suspicious messages using advanced natural language processing, enabling organizations to better detect subtle manipulative emails designed to lure unsuspecting users into revealing confidential data or transferring funds. The threats, however, have not stopped with BEC. Phishing attacks are constantly evolving, leveraging new tactics and forms. As part of Defender for Office’s mission to stay one step ahead of these threats, we’re taking the same robust Language AI approach we used for BEC analysis and applying it to a broader spectrum of phishing attacks. Today we’re excited to announce Microsoft Defender for Office 365’s new Language AI for Phish model. This model progressively learns from thousands of real-world phishing attempts and analyzes all messages classified as phish. Furthermore, it incorporates advanced Machine Learning and Natural Language Processing (NLP) techniques to read, process, and understand email content the way a human analyst might, yet in a fraction of the time and at an immense scale. Our model has been operational since April 2025, achieving over 99.99% accuracy and blocking 1 million phishing emails daily. By advancing our language AI and rigorously training it on phishing email threats, we are further strengthening the comprehensive protections established by our BEC-focused innovations. These enhanced capabilities create an integrated security framework designed to proactively address evolving risks and accelerate response times to emerging threats. Through Microsoft Defender for Office 365’s commitment to continuous improvement, this expanded approach empowers organizations and individuals to maintain a strong security posture in the face of ever-changing cyber challenges. Learn More: To learn more about Microsoft Defender for Office 365’s Language AI capabilities, please read more here or visit our website.
Build custom email security reports and dashboards with workbooks in Microsoft Sentinel
Security teams in both small and large organizations track key metrics to make critical security decisions and identify meaningful trends in their organizations. Defender for Office 365 has rich, built-in reporting capabilities that provide insights into your security posture to support these needs. However, sometimes security teams require custom reporting solutions to create dedicated views, combine multiple data sources, and get additional insights to meet their needs. We previously shared an example of how you can leverage Power BI and the Microsoft Defender XDR Advanced Hunting APIs to build a custom dashboard and shared a template that you can customize and extend. In this blog, we will showcase how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365. We will also share an example workbook that is now available and can be customized based on your organization’s needs. Why use workbooks in Microsoft Sentinel? There are many potential benefits to using workbooks if you already use Microsoft Sentinel and already stream the hunting data tables for Defender for Office 365: You can choose to store data for a longer period of time via configuring longer retention for tables you use for your workbooks. For example you can store Defender for Office 365 EmailEvents table data for 1 year and build visuals over longer period of time. You can customize your visuals easily based on your organization’s needs. You can configure auto-refresh for the workbook to keep the data shown up to date. You can access ready to use workbook templates and customize them if it's needed. Getting started After you connect your data sources to Microsoft Sentinel, you can visualize and monitor the data using workbooks in Microsoft Sentinel. Ensure that Microsoft Defender XDR is installed in your Microsoft Sentinel instance, so you can use Defender for Office 365 data with a few simple steps. Detection and other Defender for Office 365 insights are already available as raw data in the Microsoft Defender XDR advanced hunting tables: EmailEvents - contains information about all emails EmailAttachmentInfo - contains information about attachments in emails EmailUrlInfo - contains information about URLs in emails EmailPostDeliveryEvents – contains information about Zero-hour auto purge (ZAP) or Manual remediation events UrlClickEvents - contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps in supported desktop, mobile, and web apps. CloudAppEvents – CloudAppEvents can be used to visualize user reported Phish emails and Admin submissions with Defender for Office 365. The Microsoft Defender XDR solution in Microsoft Sentinel provides a connector to stream the above data continuously into Microsoft Sentinel. Microsoft Sentinel then allows you to create custom workbooks across your data or use existing workbook templates available with packaged solutions or as standalone content from the content hub. How to access the workbook template We are excited to share a new workbook template for Defender for Office 365 detection and data visualization, which is available in the Microsoft Sentinel Content hub. The workbook is part of the Microsoft Defender XDR solution. If you are already using our solution, this update is now available for you. If you are installing the Microsoft Defender XDR solution for the first time, this workbook will be available automatically after installation. After the Microsoft Defender XDR solution is installed (or updated to the latest available version), simply navigate to the Workbooks area in Microsoft Sentinel and on the Templates tab select Microsoft Defender for Office 365 Detection and Insights. Using the “View Template” action loads the workbook. What insights are available in the template? The template has the following sections with each section deep diving into various areas of email security, providing details and insights to security team members: Detection overview Email - Malware Detections Email - Phish Detections Email - Spam Detections Email - Business Compromise Detections (BEC) Email - Sender Authentication based Detections URL Detections and Clicks Email - Top Users/Senders Email - Detection Overrides False Negative/Positive Submissions File - Malware Detections (SharePoint, Teams and OneDrive) Post Delivery Detections and Admin Actions Email - Malware Detections Email - Business Compromise Detections (BEC) Email - Sender Authentication based Detections URL Detections and Clicks False Negative/Positive Submissions File - Malware Detections (SharePoint, Teams and OneDrive) Post Delivery Detections and Admin Actions Can I customize the workbook? Yes, absolutely. Based on the email attributes in the Advanced Hunting schema, you can define more functions and visuals as needed. For example, you can use the DetectionMethods field to analyse detections caught by capabilities like Spoof detections, Safe Attachment, and detection for emails containing URLs extracted from QR codes. You can also bring other data sources into Microsoft Sentinel as tables and use them when creating visuals in the workbook. This sample workbook is a powerful showcase for how you can use the Defender for Office 365 raw detection data to visualize email security detection insights directly in Microsoft Sentinel. It enables organizations to easily create customized dashboards that can help them analyse, track their threat landscape, and respond quickly—based on unique requirements. Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum. More information Integrate Microsoft Defender XDR with Microsoft Sentinel. Learn more about Microsoft Sentinel workbooks. Microsoft Defender for Office 365 Detection Details Report – Updated Power BI template for Microsoft Sentinel and Log Analytics Learn more about Microsoft Defender XDR.
Create targeted attack simulation training campaigns with dynamic groups
When it comes to email security, even the most reliable employees can sometimes be unpredictable. Our days are filled with clicks, taps, likes, swipes, pings, texts, and more, leaving us open to acting fast without always being thorough and cautious. That’s why simulation training should be a key component in every organization’s email security strategy. It plays a critical role in educating and empowering employees to recognize common phishing and social engineering tactics, adopt a security first culture, and protect their organizations from associated security risks. Attack simulation training is an intelligent phish risk reduction tool that measures behavior change and automates deployment of an integrated security awareness training program across an organization. We’re excited to announce dynamic targeting for Attack simulation training in Defender for Office 365. You can now use the Microsoft 365 group – dynamic membership type created in Microsoft Entra admin center to define the recipients of your simulations and training campaigns. It provides a more efficient and effective way to manage target users for simulations and trainings, allowing you to assign foundational security training to new hires, send simulation campaigns to users in departments or locations with high turnover, and more such use cases—without having to manually manage groups. With this, the list of supported group types in Attack simulation training are as follows: Microsoft 365 group (both static and dynamic) Distribution group (static only) Mail-enabled security group (static only) What are dynamic groups? Dynamic group membership is defined by one or more rules that check for certain attributes in user accounts. These groups are automatically updated as user attributes change, ensuring that the group membership is always up to date. This is particularly useful for large organizations where manually managing group memberships can be time-consuming and error prone. Use the Microsoft 365 group dynamic membership type in Microsoft Entra ID to tailor your simulation and training campaigns to specific user groups, making the training more relevant and effective. Some use cases of dynamic groups in Attack simulation training: Target users more effectively based on specific criteria such as department, role, or location. Example: For sending a simulation email to users in Sales or Marketing departments, the dynamic membership rule can be written as: (user.department -eq "Sales") -or (user.department -eq "Marketing") Target users based on different hiring timeframes using the attribute "employee hire date". A few examples are shared below: To send a simulation email or a training campaign to those hired after a particular date, such as June 30, 2024, the dynamic membership rule can be written as: (user.employeeHireDate -ge 2024-06-30) To automate simulation emails for users who will be hired within the next 30 days, the dynamic membership rule can be written as: (user.employeeHireDate -le system.now -plus P30D) -and (user.employeeHireDate -ge system.now) How to create and use dynamic groups in simulations: To create and use dynamic groups, follow these steps: Sign in to Azure Portal as at least a Groups Administrator and select Microsoft Entra ID, followed by Groups. Create a new group and choose Microsoft 365 as the group type. Enter a name, email address, and description for the group. Select Dynamic user as the membership type and select Add dynamic query. Define the rules for the dynamic query based on the user properties that you want to use. You can add multiple rules and combine them with AND/OR operators. Validate the rule. Select Save and then select Create. Go to the Defender portal and select Attack simulation training. Select the Simulations tab and create a new simulation or edit/copy an existing one. On the Target users page, select Add users and search and select the dynamic group that you created and select Add user(s). Complete rest of the simulation settings and Create or Save the simulation. How to use dynamic groups in training campaigns: Repeat steps 1-5 shared above. Select the Training campaign tab and create a new campaign. On the Target users page, select Add users and search and select the dynamic group that you created and select Add user(s). Complete the rest of the campaign settings and Create or Save the campaign. How to use dynamic groups in simulation automations: Repeat steps 1-5 shared above. Select the Simulation Automations tab and create a new automation. On the Target users page, select Add users and search and select the dynamic group that you created and select Add user(s). Complete the rest of the automation settings and Create or Save the automation. Note for automated simulations: If a user is removed from a dynamic group after taking part in a simulation, this user will still appear in simulation reports and continue with assigned trainings. If a user is added to a dynamic group after the last simulation in an automation has run, the user won’t be simulated because this automation is considered complete. At the start of an automation, users are divided across different simulations. If new users are added after some simulations have run, these users will be distributed across the remaining simulations. More information: Learn more about the different types of Microsoft 365 groups Create or edit a dynamic group Manage rules for dynamic groups Learn about nested group properties in dynamic groups Modify groups based on your requirements.
