Submit reported threats to Defender

Introduction

The Hoxhunt button in Outlook can be used to submit reported emails from personal and shared mailboxes to your tenant's Microsoft Defender as User reported messages. If you are using Sentinel for incident orchestrations, Defender XDR Connector can patch the reported messages further to Sentinel.

In order to user Hoxhunt's Defender integration, please ensure you have the required Microsoft 365 subscriptions. Please refer to Microsoft Defender for Office 365 overview for detailed information on Defender capabilities included in each plan.

NOTE
If you have configured Hoxhunt Defender integration before January 27th 2025, please refer to the following article as you need to re-configure the integration: (2025-01) Action required: Defender integration must be re-configured by Feb 28th, 2025

 

Technical requirements

Technically, when Hoxhunt uploads a suspicious email to Microsoft Defender, it is considered as a user reported message.

To be allowed to upload a reported message to Defender's User Reported messages, your employees need to have any of the following plans:

  • Exchange Online Protection
  • Microsoft Defender for Office 365 plan 1 and plan 2
  • Microsoft 365 E5 Security
  • Microsoft 365 Defender

Please refer to Microsoft Defender for Office 365 overview for detailed information on Defender capabilities included in each plan.

 

To modify the configuration for User reported messages the user need to be a part of one of the following role groups:

Read more about how to access the user reported messages at: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/user-submission?view=o365-worldwide.

 

Technical limitations

Microsoft's add-in framework imposes some restrictions on how Hoxhunt add-in can interact with Defender. See below for details.

  1. You should never use the same target mailbox for Threat Forwarding (phish, spam, non-spam) and Defender uploads. Doing this will generate duplicate reports in Defender's User reported messages section, and in some scenarios incorrect categorization of the reported emails.
  2. Microsoft's add-in framework doesn't support reporting spam or phishing emails from an on-premise mailbox. Thus, no user submission is created in Defender when an email is reported from an on-premise mailbox. However, the reported email is still forwarded to the mailbox dedicated for Hoxhunt's Defender integration.
  3. The automatic email removal feature is not supported when reporting non-Hoxhunt emails from a shared mailbox or from an on-premise mailbox. However, Hoxhunt training emails are always removed natively by Hoxhunt add-in, even when you have Defender integration with Hoxhunt.
  4. If you have set up a single Hoxhunt Organization for multiple M365 tenants, it's not possible to relay user submissions from multiple M365 tenants to each respective tenant. User submissions will work only for the tenant whose SecOps mailbox is configured in Hoxhunt's Defender settings. Microsoft submission requirements currently require that the tenantId in X-Ms-Exchange-Crosstenant-Id should be the same as the tenant - this requirement effectively prevents cross-tenant reporting functionality.

 

How does the integration work?

The integration works as follows:

1. End user clicks the Hoxhunt add-in
This opens the menu options for reporting a real threat.

Screenshot_2021-12-01_at_9.06.15.png

2. End user reports an email as phishing
If the end user reports an email as phishing from a personal mailbox, Hoxhunt forwards that information to Defender just as if the user reported something as phishing with Microsoft’s own native reporting options. A message is shown that the email is being uploaded to Microsoft. After upload to Defender is complete, the email is optionally uploaded to Hoxhunt and/or forwarded to your chosen mailbox - depending on your Hoxhunt settings. As a final step, the reported email is moved to Deleted Items folder (see Technical limitations).

3. End user reports an email as spam
If the user reports an email as spam from a personal mailbox, Hoxhunt forwards that information to Defender just as if the user reported something as junk with Microsoft’s own native reporting options. A message is shown that the email is being uploaded to Microsoft. After upload to Defender is complete, the email is optionally uploaded to Hoxhunt and/or forwarded to your chosen mailbox - depending on your Hoxhunt settings. As a final step, the reported email is moved to Junk folder and sender is added to Blocked Senders list. (see Technical limitations).

4. End user reports an email as not spam(*)
If the user reports an email as not spam from the Junk folder, Hoxhunt forwards that information to Defender just as if the user reported something as not junk with Microsoft’s own native reporting options. The reported email is then moved back to the user’s Inbox.

(*)
Allowing users to report emails as not spam is an additional feature that can be enabled by your Onboarding Manager or Customer Success Manager at Hoxhunt. If the Report as not spam feature is not enabled, users can report any email as spam, including emails located in their Junk folder.

 

5. Reported email gets submitted to Microsoft Defender
They are visible at Microsoft Defender portal > Actions & submissions > Submissions > User reported tab.

 

How to set up Hoxhunt’s Defender integration

1. Create and specify the SecOps mailbox in Defender

1.1 Create a new mailbox in Exchange Online dedicated only for Defender integration

Create a new dedicated mailbox for Hoxhunt's Defender integration.

IMPORTANT!
Defender integration requires a dedicated SecOps mailbox that is used only for Hoxhunt's Defender integration.

Do not attempt to use same SecOps mailbox for both Defender integration and Threat Forwarding. Doing so will generate duplicate reports in Defender's User reported messages section, and in some scenarios incorrect categorization of the reported emails. See Frequently asked questions section for more information.

NOTE
If you have enabled forwarding from the SecOps mailbox to another mailbox, make sure you have ticked checkbox "Deliver message to both forwarding address and mailbox" in the mailbox settings. Otherwise, all incoming emails are actually redirected, not forwarded, and the reported emails may not get submitted to User Reported Messages section in your Defender.

Read more: Configure email forwarding for a mailbox in Exchange Online

1.2. Specify the SecOps mailbox under Advanced Delivery

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery.
See: Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy

To go directly to the Advanced Delivery page, use https://security.microsoft.com/advanceddelivery.

2. On the Advanced delivery page, stay on the SecOps mailbox tab and add the mailbox created in step 1.
Click Edit and add the mailbox you created in step 1 as a SecOps mailbox.

NOTE
You you have custom alert policies, remember to bypass your SecOps mailbox from them.

 

 

2. Re-configure Defender integration in Hoxhunt Admin Portal

  1. Go to Admin Portal > Settings > Email verification and add the new mailbox. See instructions here.
  2. Go to Admin Portal > Settings > Threat settings > Submit reported emails to Defender.
  3. Under Submit to Defender, select the address for your SecOps mailbox so Hoxhunt can submit all reported emails to your Defender’s User reported messages section.
  4. Finally, activate the new mail-based submission flow to Defender by ticking the checkbox.
  5. Click Save.

Submit_to_Defender.png

 

3. Configure User reported settings in Defender

1. Go to Defender > Actions & submissions > Submissions > User reported settings.Defender_User_Reported_settings_path.png
 

2. As first step, make sure to tick Monitor reported messages in Outlook.

IMPORTANT!
If you don't tick this checkbox, reported emails won't flow to user submissions in Defender.


The next two settings depend on what your end goal is vs. the technical limitations tied to the corresponding Microsoft Defender capabilities.

3. Under Select an Outlook report button configuration, we recommend to choose Use a non-Microsoft add-in button, as it hides Microsoft’s native report button from your employees.

NOTE
Choosing the recommended option will hide the native Microsoft reporting option from all mailbox users in your M365 tenant. If you don't plan to deploy Hoxhunt button to all employees but instead keep some using the native Microsoft report button, do not choose this option.

If you plan to replace native Microsoft report button with Hoxhunt button, it is done via separate process. In other words, choosing the recommended option here won't replace native Microsoft report button with Hoxhunt button - it will simply hide native reportion option from the ribbon completely.

Once you have replaced native Microsoft report button with Hoxhunt button, this Outlook report button configuration setting won't have any effect - Hoxhunt button will still always place of the native reporting button and will also remain available in its original location(s).



Below is an example for reference:
UserReportedSettings_MonitorOutlook_non-MSButton.png

 

4. Scroll down to Reported message destinations.

5. Under Send reported messages to:, depending on your preference choose between:

  • Microsoft only
  • Microsoft and my reporting mailbox
  • My reporting mailbox only
NOTE
If you decided to keep native Microsoft report button visible in Outlook in the previous step, choosing any option from the drop-down that involves Microsoft won't actually send the reported messages to Microsoft.
In other words, if you don't hide native Microsoft report button, emails reported with third-party reporting buttons (like Hoxhunt) won't be submitted to Microsoft for analysis - not automatically nor manually as admin submissions.

This is a technical limitation imposed by Microsoft.

 

6. Under Add an exchange online mailbox to send reported messages to: type in the address of the same SecOps mailbox you have used in your implementation.

Below is an example for reference:
Defender_Reported_message_destinations.png

4. Test the new integration

After everything has been set up, the change should be almost instantaneous.

  1. Report an email as spam with your Hoxhunt button.
  2. Go to Defender > Actions & submissions > Submissions > User reported
    Observe as your recently reported email has been submitted to your Defender as spam.
NOTE
It can take few minutes before the reported email appears in the list.

 

 

Viewing the reported threats by users in Defender

The reported emails can be found at Microsoft Defender portal > Actions & submissions > Submissions > User reported tab.

NOTE
It can take few minutes before the reports show up under User reported section. This is due to Microsoft's background processing.

User reported section includes both emails reported via Hoxhunt and with Microsoft’s own reporting options.

 

Defender_User_reported_messages_view.png

Use Filter and Customize columns to easily find what you're looking for. Click on an item to see more details about the reported email. You can analyse the reports yourself, run automated investigation playbooks via Microsoft AIR or make usage of other Microsoft functionalities.

 

Processing User reported messages

To learn more about how to process, escalate and respond to employees about the suspicious emails they have reported, read this Microsoft article.

 

 

Frequently asked questions

Are the user submissions automatically sent to Microsoft?

From April 2025, this is fully configurable by your tenant's admins. You can choose to have reported emails to be submitted only to your tenant's Defender, or also to Microsoft.

 

Can we hide the native Microsoft report button without losing any functionality?

Yes.

 

After setting up Hoxhunt's Defender integration, User reported messages section is receiving duplicate reports - emails reported as phish arrive twice, and emails reported as spam arrive as spam and as phish.

You have likely configured same target mailbox for Spam Forwarding, Phishing Forwarding and Defender submissions. Defender submission’s target SecOps mailbox must always be different than the one defined for Spam Forwarding or Phishing Forwarding.
Defender's User reported messages section requires reported emails to arrive in a specific format - Hoxhunt’s Defender submission is fully compatible with the format requirements and takes care of the custom formatting. If Defender receives a report in incorrect format, the email is automatically categorized as phish report.
 
If you have Spam Forwarding, Phishing Forwarding and Defender integration enabled simultaneously, and you have defined the same mailbox to be used for all of them, the reported email is sent to same mailbox twice - first via phishing/spam forwarding using incorrect format, and then via Defender submission using correct format.
 
For example:
  • Email reported as phish is received twice by Defender - both as phish reports.
  • Email reported as spam is received twice by Defender - once as phish report and once as spam report.

 

I don’t see “Forward reports from shared mailboxes to this email address” option in Hoxhunt settings anymore.

Reporting emails from shared mailboxes to Defender is now natively supported. It’s enough to set up the Hoxhunt Defender integration with a dedicated SecOps mailbox.

 

Can I distinguish emails reported via the Hoxhunt button from other user submissions?

Yes. User reported section includes both emails reported via Hoxhunt and with Microsoft’s own reporting options, and there is a column and filter available called Reported from that reveals the chosen reporting method (Microsoft vs. Third party).

Hoxhunt reported emails are shown with value Third party

 

Can I relay user submissions from multiple M365 tenants to another defender tenant?

Microsoft submission requirements currently require that the tenantId in X-Ms-Exchange-Crosstenant-Id should be the same as the tenant - this requirement effectively prevents cross-tenant reporting functionality.

See: Message submission format for third-party reporting tools

 

Was this article helpful?

17 out of 20 found this helpful

Have more questions? Submit a request