Check provider logo

Defender report submission policy uses customized addresses for junk, not junk and phish, and chat reports are sent only to a customized address

defender_chat_report_policy_configured

Severitymedium
Servicedefender
by Prowler
email-securitye3

Microsoft Defender for Office 365 user-reported settings ensure junk, not-junk, and phish reports are sent to customized addresses with valid destinations, and that Teams chat reports route to customized addresses while direct chat reporting to Microsoft is disabled.

Risk

Misrouted or disabled user reports reduce visibility into Teams threats, delaying containment. Attackers can keep distributing phishing links or malicious files, causing credential theft (confidentiality), message manipulation (integrity), and channel disruption from ongoing spam (availability).

Run this check with Prowler CLI

prowler m365 --checks defender_chat_report_policy_configured

Run in Prowler Cloud

Recommendation

Send all user-reported junk, not-junk, and phish to monitored custom mailboxes and enable Teams chat reporting to those addresses, keeping direct chat submissions to Microsoft disabled. Apply least privilege to reviewer access, establish a triage workflow, and integrate alerts for defense in depth.

Remediation

CLI

Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy -ReportJunkToCustomizedAddress $true -ReportNotJunkToCustomizedAddress $true -ReportPhishToCustomizedAddress $true -ReportJunkAddresses <EMAIL_ADDRESS> -ReportNotJunkAddresses <EMAIL_ADDRESS> -ReportPhishAddresses <EMAIL_ADDRESS> -ReportChatMessageEnabled $false -ReportChatMessageToCustomizedAddressEnabled $true

Other
  1. Go to Microsoft 365 Defender: https://security.microsoft.com
  2. Navigate to Settings > Email & collaboration > User reported settings
  3. In Reported message destinations (Outlook):
    • Turn on Send Junk to a customized address and enter <EMAIL_ADDRESS>
    • Turn on Send Not junk to a customized address and enter <EMAIL_ADDRESS>
    • Turn on Send Phish to a customized address and enter <EMAIL_ADDRESS>
  4. In Microsoft Teams section:
    • Turn off Monitor reported messages in Microsoft Teams
    • Turn on Send reported Teams messages to a customized address

Source Code

Resource Type

NotDefined

References