Mail filtering and security solutions have come a long way since AI and machine learning became mainstream. Still – being highly dependent on reputation levels – no system is perfect and false positives / false negatives can never be ruled out. As mail security plays the most important part as a first line of defence, this can become a problem as you are often not able to evaluate all emails that Exchange Online receives. To multiple the “sensors” for that task, Microsoft has implemented user submissions in Exchange Online to make it easier for users to report messages that were either sent to junk for no reason or delivered to the inbox although being malicious.
In this post I’d like to give you a short overview of this feature.
Most users will most likely use full desktop apps, so we have to start by deploying the so called “Report Message” add-in:
Deploying the Office add-in
Head over to the Microsoft 365 admin center.
Deploying Office add-ins can be found under Settings > Integrated apps > Get apps:
Search for “Report Message” and click “Get it now”:
Now we can select which users should receive the add-in:
Apps also require permissions so they must be accepted:
After finishing the deployment start but can take some time until available in Office.
The scope of the add-in can be changed afterwards at any time:
Configuring user submissions
Head over to https://protection.office.com/userSubmissionsReportMessage.
User submissions can be configured for reporting to Microsoft or to both Microsoft and a custom mailbox. I’d recommend using a custom mailbox if you want to learn about submitted messages right away.
You can adjust the title and message that is shown to the user before and after the submissions was done:
You can also limit the scope of settings a user can set locally. E.g. if you wanted to submit all messages automatically to Microsoft you can deselect “Ask me before sending a report” and “Never send reports”. Leaving that to the user looks like this:
As personal data might be submitted I suggest letting the user decide. Depends on your implementation, though.
User experience
Microsoft 365 Apps for enterprise
After deploying the add-in, users will get an additional option in the ribbon bar called “Report Message”:
Note
This is of course just an example mail that is very valid as it was generated by our automated guest user management system. 😉
It allows to report messages as:
- Junk: message will be moved to junk and reported if the user consents
- Phishing: message will be moved to deleted items and reported if the user consents. This will also start an Automated Investigation in Office ATP:
- Not Junk: message will be moved to inbox and reported if the user consents
Options can also be adjusted if not done so from the admin side.
Outlook on the web
As with many other features, Outlook on the web differs from the full desktop client. Here, submitting messages is on by default but can be disabled using an Outlook on the web mailbox policy. We don’t want to do that here so let’s have a look at the reporting GUI.
Options in the Junk Email folder:
Options in other folders:
These actions will also ask for consent for reporting. Outlook on the web also has the settings for that:
Outlook for iOS and Android
The mobile apps also have reporting functionality:
Admin experience
Now let’s jump over to the admin side. You can view your users’ submissions here: https://protection.office.com/reportsubmission
The “User submissions” tab contains what users are reporting to Microsoft.
If you’ve configured a custom mailbox messages and users don’t consent to the report to Microsoft, submitted messages can be viewed there and also be sent to Microsoft on the admin side. You can also trigger an automated investigation:
As this builts on Threat Explorer capabilities you can also click the subject of a mail to get more information.
Considerations
- Messages including their content may be transmitted to Microsoft for analysis
- Users still need to be educated on how to use the Report Message add-in
- The Report Message add-in is not available for mailboxes in on-premises Exchange organizations.
- I didn’t covering licensing in this post.
- Your organization needs centralized deployment: https://docs.microsoft.com/en-us/microsoft-365/admin/manage/centralized-deployment-of-add-ins?view=o365-worldwide
- Exchange Online user submissions is “just” a supporting feature that complements your protection policies.
Thanks for reading!
Chris
Note
Please note that all content on this blog is provided ‘as is’ without any warranty.