(2025-04) Automatically send reported message to Microsoft is now available for Hoxhunt customers using the new Defender integration

Automatically send reported message to Microsoft is now available for Hoxhunt customers using the new Defender integration (described here). Microsoft has just completed the rollout of this long-awaited feature improvement.

 

If you have already re-configured your Hoxhunt Defender integration but would like to enable automatic submission to Microsoft, please check How to just enable automatic reporting to Microsoft below.

If you decided to wait for the capability to become available before reconfiguring your Defender integration, please check How to re-configure Hoxhunt’s Defender integration further down the article.

 

How to just enable automatic reporting to Microsoft

  1. Go to Defender > Actions & submissions > Submissions > User reported settings.
  2. Scroll down to Reported message destinations.
  3. Under Send reported messages to, choose Microsoft and my reporting mailbox.

Below is an example for reference:

Defender_user_reported_toMSandMailbox.png

 

How to re-configure Hoxhunt’s Defender integration

This section explains how the API-based Defender integration can be re-configured by Hoxhunt customers to a mail flow-based Defender integration.

1. Create and specify the SecOps mailbox in Defender

1.1 Create a mailbox in Exchange Online for a SecOps mailbox

SecOps mailbox is a dedicated mailbox that's used by security teams to receive unfiltered messages (both good and bad) for investigation and analysis.

 

1.2. Specify the SecOps mailbox under Advanced Delivery

1. In the Microsoft 365 Defender portal at https://security.microsoft.com go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery.
See: Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy

To go directly to the Advanced Delivery page, use https://security.microsoft.com/advanceddelivery.

2. On the Advanced delivery page, stay on the SecOps mailbox tab and add the mailbox created in step 1.
Click Edit and add the mailbox you created in step 1 as a SecOps mailbox.
NOTE: You you have custom alert policies, remember to bypass your SecOps mailbox from them.

 

2. Re-configure Defender integration in Hoxhunt Admin Portal

  1. Go to Admin Portal > Settings > Email verification and add the new mailbox. See instructions here.
  2. Go to Admin Portal > Settings > Threat settings > Submit reported emails to Defender.
  3. Under Submit to Defender, select the address for your SecOps mailbox so Hoxhunt can submit all reported emails to your Defender’s User reported messages section.
  4. Finally, activate the new mail-based submission flow to Defender by ticking the checkbox.
  5. Click Save.

Defender_re-config_in_AdminPortal_complete.png

 

3. Configure User reported settings in Defender

  1. Go to Defender > Actions & submissions > Submissions > User reported settings.Defender_User_Reported_settings_path.png

  2. As first step, make sure to tick Monitor reported messages in Outlook.
    IMPORTANT: If you don't tick this checkbox, reported emails won't flow to user submissions!
  3. Under Select an Outlook report button configuration, choose Use a non-Microsoft add-in button, as it hides Microsoft’s native report button from your employees.

    Below is an example for reference:
    UserReportedSettings_MonitorOutlook_non-MSButton.png
  4. Scroll down to Reported message destinations.
  5. Under Send reported messages to:, depending on your preference choose Microsoft and my reporting mailbox or My reporting mailbox only.

  6. Under Add an exchange online mailbox to send reported messages to:, type in the address of the same SecOps mailbox you have used in your implementation.

    Below is an example for reference:
    Defender_Reported_message_destinations.png

 

4. Test the new integration

After everything has been set up, the change should be almost instantaneous.

  1. Report an email as spam with your Hoxhunt button.
  2. Go to Defender > Actions & submissions > Submissions > User reported. Observe as your recently reported email has been submitted to your Defender as spam.
    NOTE: It can take few minutes before the reported email appears in the list.

 

Frequently asked questions

Are the user submissions automatically sent to Microsoft?

From April 2025, this is fully configurable by your tenant's admins. You can choose to have reported emails to be submitted only to your tenant's Defender, or also to Microsoft.

 

Can we now hide the native Microsoft report button without losing any functionality?

Yes. There should no longer be any restrictions when you hide native MS report button.

 

I don’t see “Forward reports from shared mailboxes to this email address” option in Hoxhunt settings anymore.

Reporting emails from shared mailboxes to Defender is now natively supported. It’s enough to set up the Hoxhunt Defender integration with your SecOps mailbox.

 

Can I relay user submissions from multiple M365 tenants to another defender tenant?

Microsoft submission requirements currently require that the tenantId in X-Ms-Exchange-Crosstenant-Id should be the same as the tenant - this requirement effectively prevents cross-tenant reporting.

See: Message submission format for third-party reporting tools

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request