End User Applications - Configuring Outlook End-User Reporting

Updated

This article contains information on setting up Microsoft Outlook End-User Reporting with Mimecast, including prerequisites, connector creation, configuration steps, troubleshooting, and compatibility details to enable users to report suspicious messages effectively.

Considerations

  • Settings will change under Microsoft Defender | System | Settings | Email and collaboration | User-reported settings, when following the steps below. If you like to revert changes, take note of current User report settings prior to following steps below.
  • Microsoft Outlook end-user reporting is a Microsoft 365 tenant-level-based configuration. A Mimecast account can only be integrated with a single Microsoft 365 tenant

Prerequisites

  • You are at least a Basic Administrator user, with Read and Edit permissions.
  • You are a Microsoft 365 Administrator.

Setting up Outlook End-User Reporting

You can set up Microsoft End-User Reporting so your users can use the native reporting button to report suspicious messages. This process involves two stages: the first being to Create a Connector that will give permissions in Office 365 to configure end-user reporting, and the second being to Configure end-user reporting via the Configuration page, which shows details of the current configuration to be changed where necessary. Additionally, as part of this process, a SecOps Mailbox is automatically set up for you.

You do not require a license for the SecOps Mailbox.

To set up Microsoft End User Reporting use the following steps:

Creating a Connector

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Integrations | Connectors.
  3. Click Create New Connector, and you will be directed to the Connectors page. 
  4. Once again, click Create a Connector
  5. Select Outlook End-User Reporting.
  6. Select Microsoft O365.
  7. Click Log In. By doing this, you grant permissions to your account. 

    This step should be done as soon as possible, as there is a time limit for creating the connector. 

  8. You will now need to Sign in to your account.
  9. Click Accept to grant the permissions listed on this screen.


  1. You will need to Enter the connector details, which include a Name, and a Description field.

  1. Once you have reviewed the connector details, click Create Connector.

Configuration

Once the connector has been created, you will see a window in the top left of your screen instructing you to configure Outlook End-User Reporting. To do this:

  1. Navigate to Services | Outlook End-User Reporting, and refresh the page
  2. Click Configure.

  1. Once you have read through and acknowledged the changes that will be made to your configuration, click Confirm. You will be notified that the configuration has started with a window stating Config Started.
  2. You will need to use the refresh button Refresh button in the configuration page, and should see Configuration in progress below the Status

  • End-user notifications are enabled by default but can be disabled as required. You can also change settings for this via Services | Outlook End-User Reporting.
  • The configuration process usually takes 10-15 minutes.
  1. When the configuration is complete, you will see End-user reporting configured below the Status.

  1. Once complete, take note of the SecOps Mailbox, and verify changes by:
    • Logging in to Microsoft Defender.
    • Navigating to System | Settings | Email and collaboration | User-reported settings.
      The SecOps Mailbox shows, e.g. Mimecast-End-User-Reporting@domain.onmicrosoft.com

Microsoft 365 Troubleshooting

Settings with Microsoft 365 for Microsoft End-User Reporting are updated for you as part of the configuration process for this feature.

To assist with troubleshooting, you can review these settings by using the following steps:

  1. Navigate to Microsoft Defender | System | Settings | Email and collaboration | User-reported settings.
  2. Then click on Reported message destinations to see the configured email address.
  3. You can select from a choice of options under Send reported messages to:
      • Microsoft only sends reported messages to Microsoft. If you had this set before configuring the native reporting button in Microsoft Outlook, it will automatically change to My Reporting Mailbox Only.
      • My Reporting Mailbox Only sends reported messages to the reporting mailbox created during configuration.
      • Microsoft and My Reporting Mailbox give you the option to send reported messages to Microsoft and designated mailbox(es):
        • If Microsoft and My Reporting Mailbox were already selected before configuration, this will not be changed, and no listed mailboxes will be deleted.
        • The SecOps Mailbox created during configuration will automatically be populated into the Add an Exchange online mailbox to send reported messages to: field.

When using this option, your users can continue to send reported emails to Microsoft, as this doesn’t affect our scanners or our process of updating them.

Reported message destinations

To view details for the SecOps Mailbox that has been automatically set up:

  1. Navigate to Teams & Groups | Shared mailboxes; your SecOps Mailbox will appear here.
  2. Navigate to Policies & Rules | Threat policies | Advanced delivery. Your SecOps Mailbox is displayed, and you are informed that emails sent to these mailboxes are delivered unfiltered (with no additional scanning for spam/malware/phishing so that messages are received in their entirety). 

Reconfigure/Disable the Microsoft Reporting Configuration

To repair or reinstall Microsoft's native end-user reporting configuration:

  1. Navigate to Services | Outlook End-User Reporting.
  2. Select the Reconfigure or the Disable Configuration button.

End User Reporting 

      • The sender of every reported message will be added to the reporter's personal blocklist. This will be identical to the current behavior of existing reporting methods.
      • Notifications that are sent to end users are configurable. The notification under the Suspicious Message Reporting header can be enabled or disabled on the configuration page by selecting or deselecting the checkbox as shown below. Note that this does not include the Awareness Training Congratulations notification, as this is always sent to the end-user. 
      • End-user notifications can be turned off in the Mimecast Administration Console by an administrator; however, Mimecast's logo and colors cannot be modified.
      • Notifications are not customizable through the Mimecast Notification Branding functionality.

Suspicious Message Reporting

  • End-users will be able to report messages to Mimecast, by using the reporting buttons available in any Microsoft Outlook client.
  • Reporting messages via this new method will be processed identically to existing reporting methods for Email Incident Response customers.

To enable this feature, Administrators must configure a Connector in a two-stage process and ensure that the Configurations page has the correct setup. For more information on how to do this, refer to Setting up Outlook End-User Reporting

When end-users report a suspicious message, they will receive a notification thanking them for reporting it.

report message blur-600-s.jpg

Reporting Awareness Training Phishing Simulations

When an end-user reports an Awareness Training phishing simulation message, they will receive a Congratulations message to explain that they've successfully reported it. Awareness training statistics will be updated. The reported message is not sent to Mimecast.
 

report at simulation blur-600-s.jpg

Microsoft Compatibility

Native Reporting works with the built-in report buttons in Microsoft Outlook. It is compatible with the Outlook Clients listed below. Ensure that Microsoft Outlook clients are up to date. Additional details can be found in Microsoft’s blog post and report message documentation.

This feature is only available on Microsoft 365/Exchange Online. Exchange On-Premises environments do not support this functionality.

Platform Client Compatibility
Web Outlook on the Web Available
Microsoft Windows Classic Outlook for Windows
  • Current channel: Version 16.0.17827.15010 or later.
  • Monthly Enterprise Channel: Version 16.0.18025.20000 or later.
  • Semi-Annual Channel (Preview): Release 2502, build 16.0.18526.20024 or later.
  • Semi-Annual Channel: Release 2502, build 16.0.18526.20024 or later.
Microsoft Windows New Outlook for Windows Available
Apple macOS Legacy Outlook for Mac Version 16.89 (24090815) or later
Apple macOS New Outlook for Mac Version 16.89 (24090815) or later
Apple iOS Outlook for iOS Version 4.2511 or later
Google Android Outlook for Android Version 4.2446 or later

The Microsoft Report Message and Report Phishing add-ins will be deprecated in favor of built-in reporting in the near future. See the Transition from the Microsoft Report Message

If administrators move messages between folders within the SecOps mailbox, Microsoft treats these messages as new reports and sends them to us again. Due to the way these reports are processed, we cannot distinguish between genuinely new submissions and messages that have simply been relocated within the SecOps mailbox. As a result, the reporting user receives a duplicate "thank you for reporting" notification, which can cause confusion.

Reported Messages

To see what your users have reported via End User Reporting, follow these steps:

  1. Log in to the Mimecast Administration Console
  2. Navigate to AccountsAudit Logs
  3. Select your desired date range
  4. In the filter-by dropdown, select Account logs and click Apply.
  5. Enter the keywords "Message Reported" in the search bar
  6. Copy the message ID
  7. Navigate to Archive | Archive Search
  8. Paste the message ID to the Search Text box
  9. Select the Search Message Headers box
  10. Scroll down to select your Date Range in the drop-down box, then click Apply
  11. Click Search

See Also...

Related to

Was this article helpful?
1 out of 6 found this helpful

Comments

6 comments
Date Votes
  • Avatar
    Randy Mumma

    Where can I find the messages that users have submitted in the mimecast portal for review?

    0
  • Avatar
    Admin - KP

    Hi Randy, 

    Thank you for your feedback. For information on reported messages, please see the following article: https://mimecastsupport.zendesk.com/hc/en-us/articles/34000392088595-Spam-Phishing-Reporting-Spam-Malware-and-Phishing.

     

    0
  • Avatar
    Prasanna Madushanka

    When a user reported an email as phishing what is the next step? Can admin view reported email through Mimecast web portal?

     

    0
  • Avatar
    Admin - CL

    hi Prasanna Madushanka, many thanks for your comment.

    We've updated the article to include a “Reported Messages” section, to explain where to find details of what's been reported to Mimecast.

    0
  • Avatar
    John Edwards

    When I attempted the process listed above, the message ID provided in the audit logs of the user reported message did NOT match the Message ID in the header of the email that was reported, thus leading me to “No Results” if I followed the above instructions to locate the reported email in the Archive Search - is there a setting that needs to be changed for this to work correctly?

    1
  • Avatar
    Admin - LI

    Hi John,

    Thank you for the comment. In order to get you the best solution possible, would you please post it into our Community? Not only will it be addressed by Cybersecurity peers, but the Mimecast team as well. Once you receive a solution, it can be bookmarked for easy retrieval.

    If your issue is more urgent and/or you wish to open a new Support case, please do so here.

    0

Please sign in to leave a comment.