Exchange Online

Why User Submissions of Suspicious Email Delivered to Exchange Online are so Valuable

Avatar photo
Post author:Written By One comment

Improving the User Submissions Feature

User Submissions is a Microsoft 365 feature that allows users to report bad emails that they receive. Simply put, this feature is valuable because it enables a ‘boots on the ground’ defense for email. Malicious actors constantly look for new avenues to attack organizations through tricks such as social engineering, URL links, and attachments. One potential attack surface is an organization’s end users, trained or not, who will receive Phishing or Junk email at some point in time. With User Submissions, end users have the ability to report these emails to IT or Microsoft to protect against this type of attack. Reported messages will be analyzed by Microsoft, your IT department, or both depending on the configuration, and the results are added to Microsoft’s mail hygiene engines to help reduce false positives and identify these types of emails.

Additional articles on the User Submission process written by Tony Akers can be found here and here.

You may be familiar with the Report Message button option in Outlook, but did you know that there is more to be configured and that the backend interface has moved to Settings > Email and Collaboration > User Reported Settings in the Microsoft 365 Defender portal? You may have configured settings here in the past, but Microsoft moved User Submissions to the Settings section of the Defender portal. It’s here where you can customize the user experience in terms of branding, messaging, and information provided to the end user. In this article, we explore these changes and explain why you should make more use of this feature.

Recent Changes in User Submissions

Microsoft constantly changes cloud features by either adding enhancements or changing the GUI. Here is a quick summary of the changes:

  • As mentioned above, the configuration for User Submissions moved from Policies and Threats to Settings, which seems to be more of an operational change rather than functional.
  • The option to use the Integrated Report button in Outlook or the Report Message / Report Phish Outlook add-ins. However, this option is transitional, as the add-ins will stop working at some future time (Figure 1).
User Submissions
Figure 1: Transitional nature of the Report Button feature.
  • Custom messages for when an email is reported – IT can provide links to a FAQ or contact number for the Help Desk.
  • Identifying which type of message is being reported, for example, Phishing or Junk email.
  • Company Branding can be added to the admin review email, an email sent back to a user confirming the analysis of an email as malicious/safe or junk/not junk.

The Microsoft 365 Kill Chain and Attack Path Management

An effective cybersecurity strategy requires a clear and comprehensive understanding of how attacks unfold. Read this whitepaper to get the expert insight you need to defend your organization!

Learn More

Customizing User Submissions

User Submissions can be configured in such a way that organizations can do the following:

  • Set expectations of your end users: When can they expect a response, who can they reach out to for support, and provide a FAQ page and phone numbers, if needed.
  • Provide transparency: Thank them for reporting the message, as it helps everyone at the company.
  • Alleviate mistrust: Some users may mistrust Microsoft, and if the communications use the Company Branding integration with User Submissions, it may raise their confidence that the report will be actively looked at and resolved.

User Submissions is disabled by default, so the first step is to enable it. Once this feature is enabled, it is recommended that administrators use the default slider button (see Figure 2), enabling the built-in Report button as that will be the default option, and the Outlook add-ins will be deprecated.

User Submissions
Figure 2: Slider button to enable the User submissions feature.

Next, we choose who the message is reported to. The message report defaults to Microsoft, but we can choose a custom mailbox and Microsoft or just select a custom mailbox. Once that is done, we can work on some customizations to publish to users:

  • Custom Reporting Message
  • Custom Post Reporting Message
  • Custom Admin Review Message
  • Company Branding

Custom Reporting Message

Customized pop-up messages when reporting emails can provide IT an opportunity to educate and inform users of their part in the process of reporting malicious emails. With only 300 characters to work with, keep the message short, concise, and informational such as in the example below.

Click <b>Report</b> below to complete the process.<BR><BR>Thank you for reporting this %type% email to IT Support. We will review this message and provide a response withing 72 hours. Visit our <a href="http://intranet/emailsupport.html">FAQ</a> or contact IT Support @ 312-555-1212 with questions.

As you can see, we layout critical pieces of information:

  • Thank the user for reporting the message so they feel like part of the process.
  • Providing next steps – IT response in 72 hours (based off an internal SLA possibly).
  • Providing a link to Frequently Asked Questions (FAQ) for follow-up.
  • Providing an IT Support phone number for further support.
  • Visual cue provided with the ‘%type%’ exposes which message type is being reported.

As shown above, the text can include HTML coding such as bold text (<b></b>), hyperlinks (<a href=””></a>), and line returns (<BR>) to generate an informational message for the end user.

Custom Post Reporting Message

A second message can be configured that acknowledges the completion of the reporting process, which can also be used to thank the end user, as seen in Figure 3. However, the message appears so briefly that the user reporting the bad email may never notice it.

User Submissions
Figure 3: Location of the post-reporting pop-up message.

Custom Admin Review Message

After an administrator reviews the reported message (in the Submissions section of the Defender portal) and decides what to do with the message, an email about the decision is sent to the user to tell them what happened. There are three types of message that a user could receive – No Threats Found, Phishing, and Junk – and the message text should be similar to the other messages, thanking the users for their involvement, providing the next steps, and any contact information needed for follow-up. Once a user is notified, an Administrator should then report any malicious emails to Microsoft for analysis and choose Phishing, Malware, Spam, or Trigger an Investigation.

The message is sent once an administrator reviewed the email, determines the email’s status, and picks an option from the drop-down shown in Figure 4.

Figure 4: Sample Administrator designation in the User Submissions interface.
Figure 4: Sample Administrator designation in the User Submissions interface.

When creating the Automated email response for Phishing, Junk, or No Threats Found, a couple of pointers for this block of text are:

  • HTML code is available for use.
  • There is an 1113-character limit, and the text box is expandable for ease of use.
  • The Footer box is used for all three types of messages, so tailor this as generic as possible.
  • If using a custom logo, with a recommended size of 280×60 pixels or about 10kb, make sure that the image used (from Custom Themes) is uploaded and not a URL link. Also, the image appears differently in OWA vs. Outlook (much larger).

End User Experience

Once settings are configured in the Microsoft Defender portal, Exchange Online publishes the changes. After a short delay, the updated messages are available to users. Afterward, users see the customized text if they report a message, when an email is analyzed, and when an admin reviews the submission. Figure 5 shows an example of the custom message sent when an end user reports a message:

Figure 5: End User View when Reporting an Email
Figure 5: End User View when Reporting an Email

If an email is reported as Junk, it will be moved to their mailbox’s Junk Mail folder. If an email is reported as Not Junk, then it will be removed from the Junk Mail folder and placed back in the Inbox. For phishing emails, the email is removed from the users’ mailbox completely. These actions are performed by Exchange Online Protection (EOP). Additionally, once an email has been reviewed by an administrator, the end user receives information about the review. If the email is a Phishing email, a red bar with the word ‘Phish’ is present in the email (Figure 4), an email with no threats has a green bar with the words ‘No threats found,’ and finally, an email classified as junk has an orange-colored bar with the word ‘Junk.’

Figure 6: An Admin review message after the submission was marked as a Phishing email.
Figure 6: An Admin review message after the submission was marked as a Phishing email.

Start Configuring Today

User Submissions are not a splashy feature in Microsoft 365, but it is something worthwhile to configure as it leads to a better end-user experience and assists Microsoft in providing email defense with Exchange Online Protection by updating their filters against future malicious email campaigns. For Microsoft 365 administrators, the takeaways are that it’s possible to apply branding and custom messaging for User Submissions. IT Support can provide useful, succinct information to users and provide confidence that actions are being taken. By enabling User Submissions, administrators allow users to participate in the defense process for their organization and raise awareness around bad emails that arrive in user inboxes.

Cybersecurity Risk Management for Active Directory

Discover how to prevent and recover from AD attacks through these Cybersecurity Risk Management Solutions.

Learn More!
Tags: ,

About the Author

Damian Scoles

Damian Scoles is an eight-time Microsoft MVP, specializing in Exchange, Office 365 and PowerShell. He is currently based out of the Chicago area and started out managing Exchange 5.5 and Windows NT. He has worked with Office 365 since BPOS and has experience with Azure AD, Security and Compliance Admin Centers, and Exchange Online. Contributions to the community include helping on TechNet forums, creating PowerShell scripts that are located in the TechNet Gallery, writing detailed PowerShell / Office365 / Exchange blog articles (https://www.powershellgeek.com), tweets (https://twitter.com/PPowerShell) and creating PowerShell videos on YouTube (https://www.youtube.com/channel/UClxHtLF0c_VAkjw5rzsV1Vg). He has written five PowerShell books and is actively working on the Microsoft 365 Security for IT Pros book as well.

Comments

  1. Ricardo 6 Oct 2023 Reply

    Thank your for this excellent article Damian!, Do you know if this setting can be configured for specific users? Or it once enabled it becomes a global affair?

Leave a Reply