What is User Submissions?
User Submissions is a feature where an end user can submit emails as Junk Mail, Phishing, etc. if they suspect an issue with the email. On the backend, have some configuration options on order to tweak the experience for both the Administrator as well as the end user. We will review each side of this as well as look at the end result of where these submissions go and can be tracked for further analysis.
First, we need to open up the Security and Compliance Center and browse to Threat Management –> Policy –> User Submissions. Once here we see we have a few configurable options. We can see that by default it is configured to the defaults, where the Report Message feature is available and the reports go to Microsoft only:
Let’s explore the available options in this interface.
Customize the end user confirmation message
With this option we can configure what the end user will see in their client when they want to report a message as Junk or Phish or not junk from the Report Message plug-in. This is a configurable option in the User Submissions page of the SCC:
When we click on this option, we get a dialog box on what we can configure. On the left is the SCC Configuration page and on the right are the changes the user will see. Arrows are pointing between the two for illustrative purposes:
As we can see, an end user in Outlook who clicks on Junk will receive a custom message now when reporting it. Also, when the email goes to junk, it is also tagged with more information as well.
Customizing the end user reporting Options
With this option we can configure what the end user will see in their client when they click on the Options option from the Report Message plug-in. This is a configurable option in the User Submissions page of the SCC:
When we click on this option, we get a dialog box on what we can configure. On the left is the SCC Configuration page and on the right are the changes the user will see. Arrows are pointing between the two for illustrative purposes.
Now, with this setting, when an end user clicks on Report Message and click on Options, they now see some custom text as well. Notice that on the left, we have three checkboxes where we can modify what options are available to an end user will see for Junk Mail reporting.
Send the Reported Messages To
Next, we have an option to choose where the messages to be analyzed will go to. The default sends the emails to Microsoft only for analysis. We also can choose to send it to both Microsoft and a custom Mailbox or we can choose just a custom mailbox. See below:
The default is just Microsoft, but some Security groups may ask to have the email sent internally for review by using the Custom Mailbox option.
Turn Off Report Message for Outlook
Lastly, we have an option to complete disable this feature for a tenant. With this radio button the Report Message feature would not be available in a tenant: [This is NOT recommended]
User Submissions – Where do they Go?
Once we have this feature enabled and your end users are using it, reporting messages, etc, we should be able to pick-up the data on this and see what they are doing. This is made visible in The Security And Compliance Center, under Threat Management –> Submissions and click on the User Submissions Tab. [Note the Custom Mailbox tab is available here as well]
Recommended Action
It is recommended to leave this feature on and have end users use it. IF you have the personnel, adding a member of a particular team to analyze these messages maybe worth using the custom mailbox feature.
Further Reading
I cover this topic and more topics related to email security in two books:
Security and Compliance Center PowerShell
|
Microsoft 365 Security for IT Pros
|
