Microsoft 365 Message Center Archive

MC962528 - Microsoft Defender for Office 365: Third-party add-in user report can be sent to Microsoft for analysis

Message ID

MC962528

View in Message Center

Service

Exchange Online

Last Updated

Jan 24, 2025

Published Dec 20, 2024

Tag

Updated message
New feature
User impact
Admin impact

Roadmap ID

406167

View in M365 Roadmap

Platforms

Web

Summary

Microsoft Defender for Office 365 now allows administrators using third-party add-ins to configure automatic sending of user-reported suspicious messages to Microsoft for analysis. This update is associated with Roadmap ID 406167 and will be rolled out in mid-May 2025. Configuration details and benefits are provided.

More information

Updated January 23, 2025: We have updated the content. Thank you for your patience.

Administrators and security operators who are using third-party report message solutions in Microsoft Outlook to allow their users to report suspicious messages (for example, Knowbe4, Hoxhunt, Cofense, Proofpoint add-ins, and so on) can now configure Defender for Office 365 to automatically send these messages to Microsoft for analysis.

This message is associated with Microsoft 365 Roadmap ID 406167.

When this will happen:

General Availability: We will begin rolling out mid-May 2025 (previously early February) and expect to complete by late May 2025 (previously mid-February).

How this will affect your organization:

You must configure this setting if you want the benefit of sending third-party reported messages to Microsoft.

To enable this setting:

  1. Go to User reported settings in the Microsoft Defender portal, select Monitor reported messages in Outlook, and then select Use a non-Microsoft add-in button.
  2. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-ins are being routed to. If the third-party vendor follows the guidance for message submissions format, Defender for Office 365 will submit these messages automatically to Microsoft for analysis.
  3.  The result from Microsoft after analysis is shown on the User reported page in the Defender portal.

For more details about how Microsoft handles user-reported suspicious messages, see Report suspicious email messages to Microsoft.


Alerts are automatically generated for user reported messages in Defender for Office 365. If you have Defender for Office 365 Plan 2, Automated investigation and response (AIR) is also automatically triggered for user reported phishing messages. Both alerts and their investigations are automatically correlated to Defender XDR Incidents, which helps SOC teams with automation to triage, investigate, and respond. Submitting these messages to Microsoft for analysis provides a response of this analysis to security analysts and also helps improve Defender for Office 365 filters.

What you need to do to prepare:

If your user reporting settings are already set to Use a non-Microsoft add-in button and Microsoft and my reporting mailbox, you don't need to do anything to benefit from this change. However, if the destination is My reporting mailbox only, you need to change the destination to Microsoft and my reporting mailbox to benefit from this change.