Skip to main content
Integrate the Phish Alert Button with Microsoft Defender

Use the Phish Alert Button to submit suspected phishing emails to Microsoft Defender.

Anna Cunningham avatar
Written by Anna Cunningham
Updated over a week ago

The integration of the Phish Alert Button with Microsoft Defender means each time the Phish Alert Button is pressed, the emails will be submitted to Microsoft Defender where they can then be managed and reported to Microsoft for analysis.

Your Phish Alert Button will need be set up to ensure successful integration with Microsoft Defender and you will need to configure settings in the Advanced Delivery and User Reported sections of Microsoft Defender.

In this article, you’ll learn:


Configuration in Microsoft Defender

How to configure Advanced Delivery settings for Microsoft Defender integration

Note: You will need Global Administrator or Security Administrator permissions to configure these settings in Microsoft Defender.

1. First you will need to add a SecOps mailbox if you don't already have one added. Open your Microsoft Defender portal https://security.microsoft.com and navigate to the Advanced delivery page by going to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the Rules section.

2. On the SecOps mailbox tab, click on the Add button in the No SecOps mailboxes configured area of the page.

3. In the Add SecOps mailboxes flyout that opens, enter an existing Exchange Online mailbox that you want to designate as SecOps mailbox and click Add.

4. Review the information in the Changes to SecOps mailbox override saved flyout, and then click Close.


How to configure User Reported Settings for Microsoft Defender integration

1. Go to the User Reported Settings in Microsoft Defender by navigating to System > Settings > Email & collaboration > User reported settings.

You can click here to access it directly: https://security.microsoft.com/securitysettings/userSubmission

2. Under the Outlook section, tick the check box Monitor reported message in Outlook.

3. Under the section Select an Outlook report button configuration select the option Use a non-Microsoft add-in button.

4. Scroll to the section Reported message destinations and in the field Add an exchange online mailbox to send reported messages to, add the email address of the SecOps mailbox you added in the Advanced delivery page of Microsoft Defender (step 3 of the Advance Delivery configuration section).

5. Click Save.


Configuration in usecure

How to configure the Phish Alert Button in usecure for Microsoft Defender integration.

In usecure, go to the Phish Alert Button settings by navigating to Settings > uPhish > Phish Alert Button and make sure the following settings have been configured:

1. In the Add-in Configuration tab, the Phish Alert Button should be enabled.

2. In the Forwarding Suspecting Phishing Emails tab, the following settings must also be configured:

  • Forward Suspected Phishing Emails is toggled on.

  • The field Forwarded Email Recipients is populated with the email address of the SecOps mailbox added in Microsoft Defender.

  • The field Forwarded Email Subject has Phishing: or 3| at the start of the text.

  • Include Suspected Email as EML file attachment is toggled on.

  • Include Suspected Email's Attachments in EML File is toggled on.

  • Retrieve Message Data via the MS Graph API on Behalf of a User using SSO is toggled on.

3. Save your settings.

Once an email is submitted to your Microsoft Defender portal, it can be reported to Microsoft for analysis.


Next steps

Did this answer your question?