Microsoft 365 Built-in “Report Phish” Integration 🔹 Overview Microsoft 365 supports a native Report button in Outlook that users click to report suspicious email. Admins can configure these reports to be delivered to a designated reporting mailbox.
This guide assists your organization in sending user reports to CyberHoot.
1️⃣ Access Microsoft Defender Portal
Open your browser and go to:https://security.microsoft.com
Sign in with an admin account that has one of these roles:
2️⃣ Open User Reported Settings You can get to the correct page either of two ways:
Option A — Navigate Manually
From the Defender portal:
Select System (gear icon ⚙️at bottom left)
Choose Settings, Email & collaboration
Click User reported settings (Microsoft Learn )
Option B — Use Direct Link
If you have permission, you can jump straight to the configuration page:
👉 https://security.microsoft.com/securitysettings/userSubmission Microsoft Learn )
3️⃣ Turn on Monitoring of Reported Messages On the User reported settings page:
Look at the top — find Monitor reported messages in Outlook
Check the box to enable it.
If this setting isn’t enabled, the rest of the configuration won’t work.
4️⃣ Configure the Report Button Below the Outlook settings:
Under Select an Outlook report button configuration , choose:Use the built-in Report button in Outlook
This ensures users see the native Report (flag/Phish) option in Outlook clients.
5️⃣ Choose Where Reported Messages Go In the Reported message destinations select:
Option Meaning My reporting mailbox only Sends reports only to your designated mailbox
6️⃣ Enter Your Reporting Mailbox Below the destination choice:
In the field Add an Exchange Online mailbox to send reported messages to , enter your internal mailbox address (e.g., reportphish@yourdomain.com ).
Only internal domain mailboxes are accepted here.
Microsoft will not let you enter an external domain directly at this step.
Click Save when done.
7️⃣ Verify the Report Button Works for Users Have a test user perform these steps:
Open a suspected phishing email in Outlook (desktop or web).
Click Report → Report phishing .
Confirm the message is delivered to the reporting mailbox.
You can also check the User reported tab under Actions & submissions → Submissions in Defender (optional).(Microsoft Learn )
8️⃣ Forward Reports to CyberHoot Microsoft 365 requires that user-reported messages be delivered to an internal Exchange Online mailbox. CyberHoot recommends using a dedicated reporting mailbox that securely relays reports to CyberHoot:
Create an internal mailbox (e.g., reportphish@yourdomain.com ).
In Exchange Online, configure that mailbox to forward all received reports to your CyberHoot ingestion address.
Keep a copy in the internal mailbox if you want retention/audit.This ensures only this mailbox has external referencing forwarding, not all users.
8️⃣ . 1️⃣ Allow External Forwarding for the Reporting Mailbox Only Microsoft blocks automatic external forwarding by default.
You must enable it only for the reporting mailbox.
Go to:https://security.microsoft.com
Navigate to:Email & collaboration → Policies & rules → Threat policies → Anti-spam
Click:Anti-spam outbound policy (Default)
Click:Edit protection settings
Under Forwarding rules
Select On – Forwarding is enabled
Leave all the other settings to their Default
8️⃣ .2️⃣ Configure Mailbox Forwarding in Exchange Admin Center Now configure the reporting mailbox to forward to CyberHoot.
Go to:https://admin.exchange.microsoft.com
Navigate to:Recipients → Mailboxes
Select the mailbox:reportphish@yourdomain.com
Select:Mailflow settings
Click:Email forwarding
Toggle Forward all emails sent to this mailbox to On
Forward to:reportphish@cyberhoot.com
Enable:Deliver message to both forwarding address and mailbox
Click Save
📌
8️⃣ .3️⃣ Validate the Full Flow
Send a test phishing email to a user
User clicks Report phishing
Confirm:
