Submit reported threats to Defender

Introduction

The Hoxhunt button in Outlook can be used to submit reported emails from personal and shared mailboxes to your tenant's Microsoft Defender as User reported messages. This feature is a part of the base Hoxhunt product. 

To access User reported messages in Defender, please ensure you have access to the required licenses as specified by Microsoft. All users need to purchase E5 licenses to access user submissions in Defender. For more information about licensing, please contact Microsoft directly and ask them what licenses would be the most appropriate for your organisation to access user submissions.

NOTE: If you have configured Hoxhunt Defender integration before January 27th 2025, please refer to the following article as you need to re-configure the integration: (2025-01) Action required: Defender integration must be re-configured by Feb 28th, 2025

 

Technical requirements

When Hoxhunt uploads a suspicious email to Microsoft Defender, Defender treats it as a user reported message. Microsoft’s user reported message policies apply to:

To modify the configuration for User reported messages, the user needs to be a member of one of the following role groups:

Read more about how to access the user reported messages at: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/user-submission?view=o365-worldwide.

 

Technical limitations

Microsoft's add-in framework imposes some restrictions on how the Hoxhunt add-in can interact with Defender. In certain scenarios, reported emails are neither uploaded to Defender nor removed automatically from the user's Inbox. See below for details.

  1. Microsoft's add-in framework doesn't support reporting spam or phishing emails from an on-premise mailbox. Thus, no user submission is created in Defender when an email is reported from an on-premise mailbox.
  2. The automatic email removal feature is not supported when reporting non-Hoxhunt emails from a shared mailbox or from an on-premise mailbox. However, Hoxhunt training emails are always removed natively by the Hoxhunt add-in, even when you have Defender integration with Hoxhunt.

 

How does the integration work?

The integration works as follows:

1. End user clicks the Hoxhunt add-in. This opens the menu options for reporting a real threat.


2. End user reports an email as phishing. If the end user reports an email as phishing from a personal mailbox, Hoxhunt forwards that information to Defender just as if the user had reported it as phishing with Microsoft’s own native reporting options. A message is shown that the email is being uploaded to Microsoft. After the upload to Defender is complete, the email is optionally uploaded to Hoxhunt and/or forwarded to your chosen mailbox, depending on your Hoxhunt settings. As a final step, the reported email is moved to the Deleted Items folder (see Technical limitations).

3. End user reports an email as spam. If the user reports an email as spam from a personal mailbox, Hoxhunt forwards that information to Defender just as if the user had reported it as junk with Microsoft’s own native reporting options. A message is shown that the email is being uploaded to Microsoft. After the upload to Defender is complete, the email is optionally uploaded to Hoxhunt and/or forwarded to your chosen mailbox, depending on your Hoxhunt settings. As a final step, the reported email is moved to the Junk folder and the sender is added to the Blocked Senders list (see Technical limitations).

4. End user reports an email as not spam*. If the user reports an email as not spam from the Junk folder, Hoxhunt forwards that information to Defender just as if the user reported something as not junk with Microsoft’s own native reporting options. The reported email is then moved back to the user’s Inbox.

*Allowing users to report emails as not spam is an additional feature that can be enabled by your Onboarding Manager or Customer Success Manager at Hoxhunt. If the Report as not spam feature is not enabled, users can report any email as spam, including emails located in their Junk folder.

5. The submissions are sent to Microsoft Defender, and they are visible at Microsoft Defender portal > Actions & submissions > Submissions > User reported tab.

 

How to set up Hoxhunt’s Defender integration

1. Create and specify the SecOps mailbox in Defender

1.1 Create a mailbox in Exchange Online for a SecOps mailbox

SecOps mailbox is a dedicated mailbox that's used by security teams to receive unfiltered messages (both good and bad) for investigation and analysis.

 

1.2. Specify the SecOps mailbox under Advanced Delivery

1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery.
See: Use the Microsoft Defender portal to configure SecOps mailboxes in the advanced delivery policy

To go directly to the Advanced Delivery page, use https://security.microsoft.com/advanceddelivery.

2. On the Advanced delivery page, stay on the SecOps mailbox tab. Click Edit and add the mailbox you created in step 1 as a SecOps mailbox.
NOTE: If you have custom alert policies, remember to exclude your SecOps mailbox from them.

 

2. Re-configure Defender integration in Hoxhunt Admin Portal

  1. Go to Admin Portal > Settings > Email verification and add the new mailbox. See instructions here.
  2. Go to Admin Portal > Settings > Threat settings > Submit reported emails to Defender.
  3. Under Submit to Defender, select the address for your SecOps mailbox so Hoxhunt can submit all reported emails to your Defender’s User reported messages section.
  4. Finally, activate the new mail-based submission flow to Defender by ticking the checkbox.
  5. Click Save.


 

3. Hide native MS button and configure report forwarding in Defender

  1. Go back to Defender > Actions & submissions > Submissions > User reported settings.
  2. Under Select an Outlook report button configuration, it’s recommended to choose Use a non-Microsoft add-in button, as it hides Microsoft’s native report button from your employees.

  3. Make sure you also tick Monitor reported messages in Outlook.
  4. Under Reported message destinations, type in the address of the same SecOps mailbox you have used in your implementation.


 

4. Test the new integration

After everything has been set up, the change should be almost instantaneous.

  1. Report an email as spam with your Hoxhunt button.
  2. Go to Defender > Actions & submissions > Submissions > User reported. Confirm that your recently reported email has been submitted to your Defender as spam.
    NOTE: It can take a few minutes before the reported email appears in the list.

 

 

 

Viewing the reported threats by users in Defender

The reported emails can be found at Microsoft Defender portal > Actions & submissions > Submissions > User reported tab.

NOTE: It can take a few minutes before the reports show up under the User reported section. This is due to Microsoft's background processing.
NOTE: The User reported section includes both emails reported via Hoxhunt and with Microsoft’s own reporting options.

Use Filter and Customize columns to easily find what you're looking for. Click on an item to see more details about the reported email. You can analyse the reports yourself, run automated investigation playbooks via Microsoft AIR or make use of other Microsoft functionalities.

 

Processing User reported messages

To learn more about how to process, escalate and respond to employees about the suspicious emails they have reported, read this Microsoft article.

 

 

Frequently asked questions

Are the user submissions automatically sent to Microsoft?

Not currently, but Microsoft will soon allow administrators to configure the system to send messages reported by third-party add-ins to Microsoft for analysis. This feature is part of the Microsoft 365 Roadmap ID 406167 and should be available in May 2025. For more detailed information, see Message Center post MC962528.

 

Can we now hide the native Microsoft report button without losing any functionality?

Yes. There should no longer be any restrictions when you hide the native MS report button.

 

I don’t see “Forward reports from shared mailboxes to this email address” option in Hoxhunt settings anymore.

Reporting emails from shared mailboxes to Defender is now natively supported. It’s enough to set up the Hoxhunt Defender integration with your SecOps mailbox.

 

Can I distinguish emails reported via the Hoxhunt button from other user submissions?

Yes.

The User reported section includes both emails reported via Hoxhunt and with Microsoft’s own reporting options, and there is a column and filter available called Reported from that reveals the chosen reporting method (Microsoft vs. Third party).

Hoxhunt reported emails are shown with the value Third party.

 

Can I relay user submissions from multiple M365 tenants to another Defender tenant?

Microsoft's submission requirements currently require that the tenantId in X-Ms-Exchange-Crosstenant-Id be the same as the tenant, which limits the cross-tenant reporting functionality.

See: Message submission format for third-party reporting tools
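
A relay that collects reports from several tenants can check this requirement before submitting. The following is an added example, not Hoxhunt or Microsoft code: the function names, sample messages and tenant GUIDs are constructed, and it assumes "the tenant" means the Defender tenant that receives the submission.

```python
import uuid
from email import message_from_string
from email.policy import default

HEADER = "X-Ms-Exchange-Crosstenant-Id"  # header name as written in the FAQ above


def _as_guid(value):
    """Parse a GUID string (any case, optional braces); None if malformed."""
    try:
        return uuid.UUID(str(value).strip())
    except ValueError:
        return None


def check_submission(raw_message, defender_tenant_id):
    """Classify one RFC 5322 message as match, mismatch, missing or invalid."""
    target = _as_guid(defender_tenant_id)
    if target is None:
        raise ValueError("defender_tenant_id is not a GUID")
    msg = message_from_string(raw_message, policy=default)
    values = msg.get_all(HEADER)  # header names are matched case-insensitively
    if not values:
        return "missing"
    guids = {_as_guid(v) for v in values}
    if None in guids:
        return "invalid"
    # Several copies of the header must all agree with the target tenant.
    return "match" if guids == {target} else "mismatch"


def triage(messages, defender_tenant_id):
    """Map each message name to its status so mismatches can be held back."""
    return {name: check_submission(raw, defender_tenant_id)
            for name, raw in messages.items()}


# Constructed sample data: the GUIDs and addresses are placeholders.
TENANT_A = "1a2b3c4d-1111-2222-3333-444455556666"
SAMPLES = {
    "same-tenant": "From: a@example.com\nX-MS-Exchange-CrossTenant-Id: "
                   + TENANT_A.upper() + "\n\nbody\n",
    "other-tenant": "From: b@example.org\nX-MS-Exchange-CrossTenant-Id: "
                    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\n\nbody\n",
    "no-header": "From: c@example.net\nSubject: constructed sample\n\nbody\n",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLES, TENANT_A).items():
        print(f"{name}: {status}")
```

Messages classified as mismatch or missing are the ones the cross-tenant limitation applies to under this assumption.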

 
