Reporting suspicious emails
Overview
The methods attackers use to try to obtain sensitive information evolve daily. With that in mind, spam or phishing emails may sometimes be delivered successfully. Reporting these suspicious emails helps ensure the filters evolve to keep up with the attackers. To report a suspicious email:
- In the Outlook desktop or web app, on the “Home” tab, click the “Report” button.
- Click “Report Junk”, “Report Phishing”, or “Not Junk” as applicable.
What is Phishing?
Phishing is the practice of luring you into disclosing personal information, such as bank account numbers and passwords. Phishing messages often look legitimate but contain deceptive links that actually open fake websites. If you select Phishing, a copy of the message will be reported to your security admins to update phishing filters, and the message will be moved from your Inbox to quarantine.
What is Spam?
Junk email messages are typically referred to as spam. These are messages that you don’t want to receive that may be advertising products you don’t use or find offensive. If you choose the Junk option, a copy of the message will be reported to your security admins to help update spam filters, and the message will be moved from your Inbox to quarantine.
Reporting a false positive
Sometimes filters incorrectly flag a legitimate email and place it in quarantine. You will receive a notification that the email was placed in quarantine and can review it for legitimacy. If a legitimate email is quarantined, select the “Release” button. This will move the email from quarantine to your Inbox and send a copy to your security admins to update filters.
Users can’t release their own messages that were quarantined as malware by anti-malware or Safe Attachments policies, or as high confidence phishing by anti-spam policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware or high-confidence phishing messages.
Reviewing user reported emails
Any time a user reports a suspicious email or releases a falsely flagged email, a submission is sent for review in Defender. After investigating the email to determine if it should be flagged as spam, phishing, or malware, these submissions should be reported to Microsoft to better tune the Spam and Phishing filters used.
- Navigate to Intune Admin Center (GCC) or Intune Admin Center (GCCH) -> Actions & Submissions -> Submissions - User Reported
- Investigate emails reported.
- Click “Submit to Microsoft for analysis”
- Click “Report phishing”, “Report malware”, or “Report spam” depending on the results of your investigation.
- Determine whether just the user or the entire domain should be blocked, and after what time period the block entry should be removed.
The default value is set to 30 days. To permanently block an address, change this to “Never Expires”.
- Click Submit
- After Microsoft completes their analysis, they will either provide additional steps to adjust filters or request further investigation.
If it is determined that an email was flagged as a false positive:
- Click “Submit to Microsoft for analysis”
- Click “Report clean”
- Check the box to “Allow emails with similar attributes” and determine the timeframe for the temporary allow entry.
Microsoft will analyze the email to determine what caused it to be flagged and adjust the filters during this temporary allow timeframe. Microsoft will either remove the entry once adjustments have been made or extend it for further investigation.