Microsoft 365 Built-in “Report Phish” Integration
🔹Overview
Microsoft 365 supports a native Report button in Outlook that users click to report suspicious email. Admins can configure these reports to be delivered to a designated reporting mailbox.
This guide assists your organization in sending user reports to CyberHoot.
1️⃣ Access Microsoft Defender Portal
Open your browser and go to:
👉
Sign in with an admin account that has one of these roles:
✔ Global Administrator
✔ Security Administrator
✔
Exchange Administrator
2️⃣ Open User Reported Settings
You can get to the correct page either of two ways:
Option A — Navigate Manually
From the Defender portal:
Select System (gear icon ⚙️
at bottom left)
Choose Settings, Email & collaboration
Option B — Use Direct Link
If you have permission, you can jump straight to the configuration page:
👉
3️⃣ Turn on Monitoring of Reported Messages
On the User reported settings page:
Look at the top — find Monitor reported messages in Outlook
Check the box
to enable it.
If this setting isn’t enabled, the rest of the configuration won’t work.
4️⃣ Configure the Report Button
Below the Outlook settings:
Under Select an Outlook report button configuration, choose:
Use the built-in Report button in Outlook
This ensures users see the native Report (flag/Phish) option in Outlook clients.
5️⃣ Choose Where Reported Messages Go
In the Reported message destinations select:
Option | Meaning |
My reporting mailbox only | Sends reports only to your designated mailbox |
6️⃣ Enter Your Reporting Mailbox
Below the destination choice:
In the field Add an Exchange Online mailbox to send reported messages to, enter your internal mailbox address (e.g., reportphish@yourdomain.com ).
Only internal domain mailboxes are accepted here.
Microsoft will not let you enter an external domain directly at this step.
Click Save when done.
7️⃣ Verify the Report Button Works for Users
Have a test user perform these steps:
Open a suspected phishing email in Outlook (desktop or web).
Click Report → Report phishing.
Confirm the message is delivered to the reporting mailbox.
You can also check the
User reported tab under
Actions & submissions → Submissions in Defender (optional).(
Microsoft Learn)
8️⃣ Forward Reports to CyberHoot
).
In Exchange Online, configure that mailbox to forward all received reports to your CyberHoot ingestion address.
Keep a copy
in the internal mailbox if you want retention/audit.
This ensures only this mailbox has external referencing forwarding, not all users.
8️⃣.1️⃣ Allow External Forwarding for the Reporting Mailbox Only
Microsoft blocks automatic external forwarding by default.
You must enable it only for the reporting mailbox.
Go to:
Navigate to:
Email & collaboration → Policies & rules → Threat policies → Anti-spam
Click:
Anti-spam outbound policy (Default)
Click:
Edit protection settings
Under Forwarding rules
Select On – Forwarding is enabled
Leave all the other settings to their Default
8️⃣.2️⃣ Configure Mailbox Forwarding in Exchange Admin Center
Now configure the reporting mailbox to forward to CyberHoot.
Go to:
Navigate to:
Recipients → Mailboxes
Select:
Mailflow settings
Click:
Email forwarding
Toggle Forward all emails sent to this mailbox to On
Enable:
Deliver message to both forwarding address and mailbox
Click Save
📌
Result:
User-reported messages arrive in the internal mailbox and are automatically forwarded to CyberHoot.
8️⃣.3️⃣ Validate the Full Flow
Send a test phishing email to a user
User clicks Report phishing
Confirm:
• Message arrives in the internal reporting mailbox
• Message forwards to CyberHoot
• The original email is preserved as a .eml
attachment