Microsoft Defender XDR: Report suspicious emails to Microsoft

Microsoft Defender XDR offers a wide range of features for detecting, analysing and responding to threats. One helpful but often overlooked feature is the ability for end users to report suspicious emails directly to Microsoft for further analysis. This feature can be crucial for detecting new phishing campaigns or malware at an early stage – but it also has data protection implications that administrators should be aware of.

Enabling the feature in the Defender XDR portal

To enable the feature that allows users to report suspicious messages to Microsoft, follow these steps:

1. Sign in to the Microsoft
   Defender portal Sign in with an administrator account at https://security.microsoft.com.
2. Navigate to SystemGo
   to "Settings > Email & Collaboration" > "User-reported settings"
3. Enabling user reporting
   : In the policy settings, enable the option "Monitor reported messages in Outlook". This option allows end users to report suspicious emails directly from Outlook or Outlook Online.
4. Integration with Microsoft
   Under "Send reported messages to", we can now activate forwarding so that they are also sent to Microsoft for further investigation.

What happens to the reported messages?

When this feature is enabled, the reported messages, including attachments and header information, are sent to Microsoft. It is important to note that:

• The data is transferred to the United States.
• Microsoft employees manually analyse the content to identify new threats and improve protection mechanisms.
• The messages may contain sensitive information – especially in the case of targeted phishing attacks.

Data protection and compliance

The transfer of personal data to a third country (the United States) is subject to the GDPR. Microsoft secures data transfers through standard contractual clauses and other mechanisms, but organisations should nevertheless:

• Consult your data protection officers before activating the function.
• Validate whether this is permissible for all emails received, including attachments, etc., should an employee, for example, make a false positive report containing contract documents or similar.
• Provide an internal policy on the use of the reporting function.

Conclusion

The feature for reporting suspicious messages to Microsoft is a powerful tool for improving security in your organisation. However, it should be used consciously and with consideration for data protection aspects. Activation is simple – the effects are profound.

Further sources & information on this topic:

Report spam, non-spam, phishing, suspicious emails, and files to Microsoft - Microsoft Defender for Office 365 | Microsoft Learn

Modern IT and cloud scenarios place new demands on security, governance and operations. Telekom's consulting services on Microsoft security help you analyse your environment in a structured manner and develop it in a targeted way – from initial classification to concrete implementation.

Start with a no-obligation orientation meeting or a Microsoft 365 Security Assessment and receive clear recommendations for action to improve security.