Skip to content
Menu
ChrisOnSecurity
  • Blog
  • Microsoft Security portals
  • Presentations
  • GitHub
  • About me
  • Impressum
  • Disclaimer
ChrisOnSecurity

Report messages with Exchange Online user submissions

Posted on 9. September 202011. November 2021

Note

11/11/2021

This post includes some information and screenshots that do not reflect the current status of the portals. It will be updated at a later date.

Mail filtering and security solutions have come a long way since AI and machine learning became mainstream. Still – being highly dependent on reputation levels – no system is perfect and false positives / false negatives can never be ruled out. As mail security plays the most important part as a first line of defence, this can become a problem as you are often not able to evaluate all emails that Exchange Online receives. To multiple the “sensors” for that task, Microsoft has implemented user submissions in Exchange Online to make it easier for users to report messages that were either sent to junk for no reason or delivered to the inbox although being malicious.

In this post I’d like to give you a short overview of this feature.

Most users will most likely use full desktop apps, so we have to start by deploying the so called “Report Message” add-in:

Deploying the Office add-in

Head over to the Microsoft 365 admin center.

Deploying Office add-ins can be found under Settings > Integrated apps > Get apps:

Search for “Report Message” and click “Get it now”:

Now we can select which users should receive the add-in:

Apps also require permissions so they must be accepted:

After finishing the deployment start but can take some time until available in Office.

The scope of the add-in can be changed afterwards at any time:

Configuring user submissions

Head over to https://protection.office.com/userSubmissionsReportMessage.

User submissions can be configured for reporting to Microsoft or to both Microsoft and a custom mailbox. I’d recommend using a custom mailbox if you want to learn about submitted messages right away.

You can adjust the title and message that is shown to the user before and after the submissions was done:

You can also limit the scope of settings a user can set locally. E.g. if you wanted to submit all messages automatically to Microsoft you can deselect “Ask me before sending a report” and “Never send reports”. Leaving that to the user looks like this:

As personal data might be submitted I suggest letting the user decide. Depends on your implementation, though.

User experience

Microsoft 365 Apps for enterprise

After deploying the add-in, users will get an additional option in the ribbon bar called “Report Message”:

Note

This is of course just an example mail that is very valid as it was generated by our automated guest user management system. 😉

It allows to report messages as:

  • Junk: message will be moved to junk and reported if the user consents
  • Phishing: message will be moved to deleted items and reported if the user consents. This will also start an Automated Investigation in Office ATP:
  • Not Junk: message will be moved to inbox and reported if the user consents

Options can also be adjusted if not done so from the admin side.

Outlook on the web

As with many other features, Outlook on the web differs from the full desktop client. Here, submitting messages is on by default but can be disabled using an Outlook on the web mailbox policy. We don’t want to do that here so let’s have a look at the reporting GUI.

Options in the Junk Email folder:

Options in other folders:

These actions will also ask for consent for reporting. Outlook on the web also has the settings for that:

Outlook for iOS and Android

The mobile apps also have reporting functionality:

Admin experience

Now let’s jump over to the admin side. You can view your users’ submissions here: https://protection.office.com/reportsubmission

The “User submissions” tab contains what users are reporting to Microsoft.

If you’ve configured a custom mailbox messages and users don’t consent to the report to Microsoft, submitted messages can be viewed there and also be sent to Microsoft on the admin side. You can also trigger an automated investigation:

As this builts on Threat Explorer capabilities you can also click the subject of a mail to get more information.

Considerations

  • Messages including their content may be transmitted to Microsoft for analysis
  • Users still need to be educated on how to use the Report Message add-in
  • The Report Message add-in is not available for mailboxes in on-premises Exchange organizations.
  • I didn’t covering licensing in this post.
  • Your organization needs centralized deployment: https://docs.microsoft.com/en-us/microsoft-365/admin/manage/centralized-deployment-of-add-ins?view=o365-worldwide
  • Exchange Online user submissions is “just” a supporting feature that complements your protection policies.

Thanks for reading!

Chris

Note

Please note that all content on this blog is provided ‘as is’ without any warranty.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

@ChrisOnSecurity@infosec.exchange

Recent posts

  • What’s new: Microsoft 365 Security & Compliance December 2022
  • What’s new: Microsoft 365 Security & Compliance November 2022
  • Counter MFA spam attacks with Azure Active Directory
  • Windows 11 security – a first look
  • Conditional Access – device identification using certificates

@ChrisOnSecurity

Tweets by ChrisOnSecurity

Recent posts

  • What’s new: Microsoft 365 Security & Compliance December 2022
  • What’s new: Microsoft 365 Security & Compliance November 2022
  • Counter MFA spam attacks with Azure Active Directory
  • Windows 11 security – a first look
  • Conditional Access – device identification using certificates

Tags

Administration Administrative Units Android AV Azure Active Directory Azure AD Azure Sentinel Client Security Conditional Access Conditional Access App Control Defender ATP Delegation EDR EMS Enterprise Mobility + Security Identity Protection Information Protection & Compliance Linux M365 M365 E3 Mail Security MCAS MDAPT MDATP MFA Microsoft 365 Microsoft 365 E3 Microsoft 365 Security Microsoft Cloud App Security Microsoft Defender ATP Microsoft Ignite Mobile Security Monitoring Network Control Office 365 Office ATP passwordless Perimeter Security Baseline Session Control Sysmon Unified Incidents User submissions Web Content Filtering Windows 10 Enterprise
©2023 ChrisOnSecurity | WordPress Theme by Superbthemes.com
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies.
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT