M365 Defender for Office 365 User reported Settings

Andres Bohren
Hi All,

Do you know the User reported Settings in Microsoft 365 Defender for Office 365?
For instance, you can send the Mails that a user reports with the "Report Message" Add-In  to Microsoft also to a reporting Mailbox that you own.

User reported settings


User Reported Settings
https://security.microsoft.com/securitysettings/userSubmission



I've enabled that a while ago.

As you can see the Reporting Mailbox receives all types:
- Junk
- Phishing
- Not Junk

The Mail contains the Header and the Original Mail as Attachment.


In a past Project the Security Team was only interested in Reported Phishing Messages.

I've created the following Transport Rule to solve that

$AdminEmailaddress = "postmaster@icewolf.ch"
if ($Null -eq (Get-TransportRule -identity "[EOP] Bcc Messages Reported to Microsoft" -ErrorAction SilentlyContinue))
{
    Write-Host "INFO: Create Transport Rule: [EOP] Bcc Messages Reported to Microsoft"
    New-TransportRule -Name "[EOP] Bcc Messages Reported to Microsoft" -RecipientAddressContainsWords phish@office365.microsoft.com -BlindCopyTo $AdminEmailaddress -Mode Enforce -Comment "Bcc Messages Reported to Microsoft" -Enabled $true
}


The Transport Rule looks like this


Now i report a Message as Phishing




Now i only receive Mails that are reported as Phishing



You can see in the MessageTrace that the Transport Rule has worked

Get-MessageTrace -StartDate (get-date).AddDays(-1) -EndDate (get-date) -RecipientAddress phish@office365.microsoft.com
Get-MessageTrace -StartDate (get-date).AddDays(-1) -EndDate (get-date) -RecipientAddress phish@office365.microsoft.com | Get-MessageTraceDetail



You can argue, that this is very dependent on the Userbase and how good they understand the diffrence between Junk- and Phishing Emails. You're absolute correct on that. Such a "technical" approach has to be accompanied by a well designed user communication strategy.

Regards
Andres Bohren