(2025-01) Action required: Defender integration must be re-configured by Feb 17th, 2025

This article explains how Hoxhunt customers must re-configure the API-based Defender integration to a mail flow-based Defender integration.

If you have hidden Microsoft’s native report button in Outlook clients, you should also complete the steps below, as we have made some improvements (see Background information below).

Customers who are setting up Defender integration for the first time, please follow the instructions here: Submit reported threats to Defender

 

Background information

Hoxhunt’s original Defender integration was based on an API call that sent reported emails directly to your tenant’s user submissions and further to Microsoft. Microsoft is deprecating that API call and requires user submissions to be uploaded to Defender via a mail-based flow instead.

Many customers have also wanted to hide Microsoft’s native Report button in Outlook clients, as it has a very prominent placement compared to third-party reporting add-ins. If you decided to hide the native Microsoft reporting button, you had to use Hoxhunt’s Phish forwarding address field to mimic the mail-based reporting flow to Defender, but this approach categorized all reported emails as phish, even when the user reported the email as spam.

 

Thanks to the new mail-based submission of reported emails to Defender:

  • Customers can submit reported emails to their tenant’s Defender under User reported messages
  • Customers can configure Defender to automatically forward the reported emails further to Microsoft (pending release from Microsoft in February 2025, see Frequently asked questions section)
  • Submitted emails are correctly categorized as “Phish”, “Spam” and “Not Spam”
  • Submitting emails from shared mailboxes to Defender is now natively supported
  • Customers can choose to hide Microsoft’s native report button and display only Hoxhunt’s reporting button
  • Customers can define Phish forwarding, Spam forwarding and Submit to Defender addresses separately if they so wish.

 

Timeline

The deadline for the change is February 17th, 2025. Hoxhunt’s original Defender integration was based on an API call that sent reported emails directly to your tenant’s user submissions. The API call relies on legacy Exchange Online access tokens, and Microsoft is turning them off on February 17th, 2025.

While customers can temporarily re-enable the legacy Exchange Online access tokens in their tenant, the change is inevitable - you must re-configure your Hoxhunt Defender integration by 17th of February 2025 to avoid any service disruption.

 

How to re-configure Hoxhunt’s Defender integration

1. Create and specify the SecOps mailbox in Defender

1.1 Create a mailbox in Exchange Online for a SecOps mailbox

A SecOps mailbox is a dedicated mailbox that's used by security teams to receive unfiltered messages (both good and bad) for investigation and analysis.

 

1.2. Specify the SecOps mailbox under Advanced Delivery

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery.
See: Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy

To go directly to the Advanced Delivery page, use https://security.microsoft.com/advanceddelivery.

2. On the Advanced delivery page, stay on the SecOps mailbox tab. Click Edit and add the mailbox you created in step 1 as a SecOps mailbox.
NOTE: If you have custom alert policies, remember to exclude your SecOps mailbox from them.
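
Steps 1.1 and 1.2 can also be scripted in Exchange Online PowerShell. The following is an added example, not a script from Hoxhunt or Microsoft; the addresses and mailbox name are placeholders, and using a shared mailbox is an assumption (the article only asks for an Exchange Online mailbox).

```powershell
# Added example: scripted equivalent of steps 1.1 and 1.2.
# Requires the ExchangeOnlineManagement module and sufficient admin rights.
# Both addresses are placeholders (assumptions), not values from this article.
$SecOpsAddress = 'secops-reports@contoso.example'
$AdminUpn      = 'admin@contoso.example'

Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Step 1.1: create the mailbox only if it does not exist yet.
# A shared mailbox is an assumption; any Exchange Online mailbox fits the step.
if (-not (Get-Mailbox -Identity $SecOpsAddress -ErrorAction SilentlyContinue)) {
    New-Mailbox -Shared -Name 'SecOps Reports' -PrimarySmtpAddress $SecOpsAddress |
        Out-Null
}

# Step 1.2: register the mailbox in the advanced delivery policy.
# A tenant has one SecOps override policy, so extend it if it already exists.
$policy = Get-SecOpsOverridePolicy -ErrorAction SilentlyContinue
$current = @($policy.SentTo | ForEach-Object { "$_" })
if (-not $policy) {
    New-SecOpsOverridePolicy -Name SecOpsOverridePolicy -SentTo $SecOpsAddress |
        Out-Null
} elseif ($current -notcontains $SecOpsAddress) {
    Set-SecOpsOverridePolicy -Identity SecOpsOverridePolicy -AddSentTo $SecOpsAddress
}

# The policy takes effect only once an override rule references it.
if (-not (Get-ExoSecOpsOverrideRule -ErrorAction SilentlyContinue)) {
    New-ExoSecOpsOverrideRule -Name SecOpsOverrideRule -Policy SecOpsOverridePolicy |
        Out-Null
}

# Verification: the mailbox must be listed in SentTo and a rule must exist.
$policy = Get-SecOpsOverridePolicy
$rule   = Get-ExoSecOpsOverrideRule
[pscustomobject]@{
    Mailbox       = $SecOpsAddress
    InSecOpsList  = @($policy.SentTo | ForEach-Object { "$_" }) -contains $SecOpsAddress
    RulePresent   = [bool]$rule
}

Disconnect-ExchangeOnline -Confirm:$false
```

Both `InSecOpsList` and `RulePresent` should read `True` before you continue with step 2.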

 

2. Re-configure Defender integration in Hoxhunt Admin Portal

  1. Go to Admin Portal > Settings > Email verification and add the new mailbox. See instructions here.
  2. Go to Admin Portal > Settings > Threat settings > Submit reported emails to Defender.
  3. Under Submit to Defender, select the address for your SecOps mailbox so Hoxhunt can submit all reported emails to your Defender’s User reported messages section.
  4. Finally, activate the new mail-based submission flow to Defender by ticking the checkbox.
  5. Click Save.


 

3. Hide native MS button (optional)

  1. Go back to Defender > Actions & submissions > Submissions > User reported settings.
  2. Under Select an Outlook report button configuration, it’s recommended to choose Use a non-Microsoft add-in button, as it hides Microsoft’s native report button from your employees.

4. Configure report forwarding in Defender

Make sure you are still in Defender > Actions & submissions > Submissions > User reported settings.

  1. Make sure to tick Monitor reported messages in Outlook.
    IMPORTANT: If you don't tick this checkbox, reported emails won't flow to user submissions.
  2. Under Reported message destinations, type in the address of the same SecOps mailbox you have used in your implementation.

 

5. Test the new integration

After everything has been set up, the change should be almost instantaneous.

  1. Report an email as spam with your Hoxhunt button.
  2. Go to Defender > Actions & submissions > Submissions > User reported. Confirm that your recently reported email has been submitted to your Defender as spam.
    NOTE: It can take a few minutes before the reported email appears in the list.

 

Frequently asked questions

Are the user submissions automatically sent to Microsoft?

Not currently, but Microsoft will soon allow administrators to configure the system to send messages reported by third-party add-ins to Microsoft for analysis. This feature is part of the Microsoft 365 Roadmap ID 406167 and should be available in May 2025. For more detailed information, see Message Center post MC962528.
However, an admin can manually submit the messages to Microsoft for analysis.

Why is the deadline for this change 17th of February 2025?

Because the current API call needs the Outlook REST API, and the Outlook REST API needs legacy Exchange Online access tokens to operate. Microsoft turns off legacy Exchange Online tokens in all tenants on February 17th, 2025.

Can we now hide the native Microsoft report button without losing any functionality?

Yes. There should no longer be any restrictions when you hide the native MS report button.

I don’t see “Forward reports from shared mailboxes to this email address” option in Hoxhunt settings anymore.

Reporting emails from shared mailboxes to Defender is now natively supported. It’s enough to set up the Hoxhunt Defender integration with your SecOps mailbox.

Can I relay user submissions from multiple M365 tenants to another Defender tenant?

Microsoft's submission requirements currently require that the tenantId in the X-Ms-Exchange-Crosstenant-Id header be the same as the tenant. This limits the cross-tenant reporting functionality.

See: Message submission format for third-party reporting tools
