M365 Defender for Office 365 User reported Settings

Hi All,

Do you know the User reported Settings in Microsoft 365 Defender for Office 365?

For instance, the Mails that a user reports to Microsoft with the “Report Message” Add-In can also be sent to a reporting Mailbox that you own.

User Reported Settings


I enabled that a while ago.

As you can see the Reporting Mailbox receives all types:

  • Junk
  • Phishing
  • Not Junk

The Mail contains the Header and the Original Mail as Attachment.

In a past Project the Security Team was only interested in Reported Phishing Messages.

I’ve created the following Transport Rule to solve that:

# Mailbox that receives a blind copy of every message reported as Phishing
$AdminEmailaddress = "postmaster@icewolf.ch"
# Create the rule only if it does not exist yet
if ($Null -eq (Get-TransportRule -Identity "[EOP] Bcc Messages Reported to Microsoft" -ErrorAction SilentlyContinue)) {
    Write-Host "INFO: Create Transport Rule: [EOP] Bcc Messages Reported to Microsoft"
    New-TransportRule -Name "[EOP] Bcc Messages Reported to Microsoft" -RecipientAddressContainsWords phish@office365.microsoft.com -BlindCopyTo $AdminEmailaddress -Mode Enforce -Comment "Bcc Messages Reported to Microsoft" -Enabled $true
}

The Transport Rule looks like this

Now I report a Message as Phishing

Now I only receive Mails that are reported as Phishing

You can see in the MessageTrace that the Transport Rule has worked

Get-MessageTrace -StartDate (get-date).AddDays(-1) -EndDate (get-date) -RecipientAddress phish@office365.microsoft.com
Get-MessageTrace -StartDate (get-date).AddDays(-1) -EndDate (get-date) -RecipientAddress phish@office365.microsoft.com | Get-MessageTraceDetail
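
Because this rule copies user reports to another mailbox, it is worth checking from time to time that its state, mode, condition and Bcc recipients still match what was configured. The following is an added example, not part of the original post: the function name Test-ReportedPhishRule and the sample rule object are constructed for illustration, and the property names are assumed to be those returned by Get-TransportRule.

```powershell
# Added example: compare a transport rule object with the settings used in this post.
function Test-ReportedPhishRule {
    param(
        [Parameter(Mandatory)] $Rule,                 # object as returned by Get-TransportRule
        [Parameter(Mandatory)] [string] $ExpectedBcc, # the only mailbox that should get the copy
        [string] $ExpectedWord = 'phish@office365.microsoft.com'
    )

    # The rule must be active and enforcing, not disabled or in a test mode
    if ($Rule.State -ne 'Enabled') { "State is '$($Rule.State)', expected 'Enabled'" }
    if ($Rule.Mode -ne 'Enforce')  { "Mode is '$($Rule.Mode)', expected 'Enforce'" }

    # The condition must match the phishing report address and nothing else
    $words = @($Rule.RecipientAddressContainsWords | Where-Object { $_ } | ForEach-Object { "$_" })
    if ($words -notcontains $ExpectedWord) { "Condition no longer matches '$ExpectedWord'" }
    $extraWords = @($words | Where-Object { $_ -ne $ExpectedWord })
    if ($extraWords.Count -gt 0) { "Condition also matches: $($extraWords -join ', ')" }

    # The blind copy must go to the expected mailbox and to nobody else
    $bcc = @($Rule.BlindCopyTo | Where-Object { $_ } | ForEach-Object { "$_" })
    if ($bcc -notcontains $ExpectedBcc) { "Expected Bcc recipient '$ExpectedBcc' is missing" }
    $extraBcc = @($bcc | Where-Object { $_ -ne $ExpectedBcc })
    if ($extraBcc.Count -gt 0) { "Unexpected Bcc recipients: $($extraBcc -join ', ')" }
}

# Constructed sample object (not real tenant output): the mode was changed
# and a second Bcc recipient was added.
$sample = [pscustomobject]@{
    Name                          = '[EOP] Bcc Messages Reported to Microsoft'
    State                         = 'Enabled'
    Mode                          = 'Audit'
    RecipientAddressContainsWords = @('phish@office365.microsoft.com')
    BlindCopyTo                   = @('postmaster@icewolf.ch', 'someone@example.com')
}

$findings = @(Test-ReportedPhishRule -Rule $sample -ExpectedBcc 'postmaster@icewolf.ch')
if ($findings.Count -eq 0) { Write-Host 'OK: rule matches the expected settings' }
else { $findings | ForEach-Object { Write-Host "WARN: $_" } }

# Against the tenant (requires an Exchange Online PowerShell session):
# $rule = Get-TransportRule -Identity '[EOP] Bcc Messages Reported to Microsoft'
# Test-ReportedPhishRule -Rule $rule -ExpectedBcc $AdminEmailaddress
```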

You can argue that this is very dependent on the Userbase and how well they understand the difference between Junk and Phishing Emails. You’re absolutely correct on that. Such a “technical” approach has to be accompanied by a well designed user communication strategy.

Andres Bohren