Microsoft 365 Message Center Archive

MC962528 - Microsoft Defender for Office 365: Third-party add-in user report can be sent to Microsoft for analysis

Message ID

MC962528

View in Message Center

Service

Exchange Online

Published

Dec 20, 2024

Tag

New feature
User impact
Admin impact

Roadmap ID

406167

View in M365 Roadmap

Platforms

Web

Summary

Defender for Office 365 now allows administrators to configure the system to send messages reported by third-party add-ins to Microsoft for analysis. This feature is part of the Microsoft 365 Roadmap ID 406167 and will be available in early February 2025. Configuration steps are provided for users to enable this setting.

More information

Administrators and security operators who are using third-party report message solutions in Microsoft Outlook to allow their users to report suspicious messages (for example, Knowbe4, Hoxhunt, Cofense, Proofpoint add-ins, and so on) can now configure Defender for Office 365 to automatically send these messages to Microsoft for analysis.

This message is associated with Microsoft 365 Roadmap ID 406167.

When this will happen:

General Availability: We will begin rolling out early February 2025 and expect to complete by mid-February 2025.

How this will affect your organization:

You must configure this setting if you want the benefit of sending third-party reported messages to Microsoft.

To enable this setting:

  1. Go to User reported settings in the Microsoft Defender portal, select Monitor reported messages in Outlook, and then select Use a non-Microsoft add-in button.
  2. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-ins are being routed to. If the third-party vendor follows the guidance for message submissions format, Defender for Office 365 will submit these messages automatically to Microsoft for analysis.
  3.  The result from Microsoft after analysis is shown on the User reported page in the Defender portal.

For more details about how Microsoft handles user-reported suspicious messages, see Report suspicious email messages to Microsoft.


Alerts are automatically generated for user reported messages in Defender for Office 365. If you have Defender for Office 365 Plan 2, Automated investigation and response (AIR) is also automatically triggered for user reported phishing messages. Both alerts and their investigations are automatically correlated to Defender XDR Incidents, which helps SOC teams with automation to triage, investigate, and respond. Submitting these messages to Microsoft for analysis provides a response of this analysis to security analysts and also helps improve Defender for Office 365 filters.

What you need to do to prepare:

If your user reporting settings are already set to Use a non-Microsoft add-in button and Microsoft and my reporting mailbox, you don't need to do anything to benefit from this change. However, if the destination is My reporting mailbox only, you need to change the destination to Microsoft and my reporting mailbox to benefit from this change.