MC962528 - Microsoft Defender for Office 365: Third-party add-in user report can be sent to Microsoft for analysis

Service

Exchange Online

Last Updated

Feb 24, 2025

Published Dec 20, 2024

Tag

Updated message
New feature
User impact
Admin impact

Platforms

Web

Summary

Administrators can now configure Microsoft Defender for Office 365 to automatically send third-party reported messages to Microsoft for analysis. The rollout starts late February 2025 and ends early March 2025. Configuration involves updating user reporting settings in the Defender portal. No action is needed if settings are already correctly configured.

More information

Updated February 24, 2025: We have updated the rollout timeline below. Thank you for your patience.

Administrators and security operators who are using third-party report message solutions in Microsoft Outlook to allow their users to report suspicious messages (for example, Knowbe4, Hoxhunt, Cofense, Proofpoint add-ins, and so on) can now configure Defender for Office 365 to automatically send these messages to Microsoft for analysis.

This message is associated with Microsoft 365 Roadmap ID 406167.

When this will happen:

General Availability: We will begin rolling out late February 2025 (previously mid-May) and expect to complete by early March 2025 (previously late May).

How this will affect your organization:

You must configure this setting if you want the benefit of sending third-party reported messages to Microsoft.

To enable this setting:

  1. Go to User reported settings in the Microsoft Defender portal, select Monitor reported messages in Outlook, and then select Use a non-Microsoft add-in button.
  2. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-ins are being routed to. If the third-party vendor follows the guidance for message submissions format, Defender for Office 365 will submit these messages automatically to Microsoft for analysis.
  3.  The result from Microsoft after analysis is shown on the User reported page in the Defender portal.

For more details about how Microsoft handles user-reported suspicious messages, see Report suspicious email messages to Microsoft.


Alerts are automatically generated for user reported messages in Defender for Office 365. If you have Defender for Office 365 Plan 2, Automated investigation and response (AIR) is also automatically triggered for user reported phishing messages. Both alerts and their investigations are automatically correlated to Defender XDR Incidents, which helps SOC teams with automation to triage, investigate, and respond. Submitting these messages to Microsoft for analysis provides a response of this analysis to security analysts and also helps improve Defender for Office 365 filters.

What you need to do to prepare:

If your user reporting settings are already set to Use a non-Microsoft add-in button and Microsoft and my reporting mailbox, you don't need to do anything to benefit from this change. However, if the destination is My reporting mailbox only, you need to change the destination to Microsoft and my reporting mailbox to benefit from this change.