Get instant support with our search!
How to set up Microsoft Defender Integration
To configure the client Microsoft Windows defender to record the reported phish data, please follow the steps below.
- In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Advanced delivery in the 'Rules' section.....
- Or, to go directly to the 'Advanced delivery' page, use https://security.microsoft.com/advanceddelivery.
- On the 'Advanced delivery' page, verify that the 'SecOps mailbox' tab is selected.
- On the 'SecOps mailbox' tab, select the 'Add' button in the No SecOps mailboxes configured area of the page.
- If there are already existing entries on the 'SecOps mailbox' tab, select Edit; the 'Add' button isn't available here.
- In the 'Add SecOps mailboxes' flyout that opens, enter an existing Exchange Online mailbox that you want to designate as SecOps mailbox by doing either of the following steps:
- Click & select the mailbox.
- Click in the box and start typing an identifier for the mailbox, i.e. name, display name, alias, email address, account name, etc., and select the mailbox (display name) from the results.
- Repeat this step as many times as necessary. Distribution groups aren't allowed.
- To remove an existing value, select Remove next to the value.
- When you're finished in the 'Add SecOps mailboxes' flyout, select Add.
- Review the information in the Changes to SecOps mailbox override saved flyout, and then select Close.
Back on the 'SecOps mailbox' tab, the SecOps mailbox entries that you configured are now listed.
- 'Display name' column: contains display name of the mailboxes.
- 'Email' column: contains the email address for each entry.
- To change the list of entries from normal to compact spacing, select Change list spacing to compact or normal, and then select Compact list.
- The designated mailbox for the SecOps mailbox must be the address used for the builder for the Microsoft Outlook installer; so this information must be present on the client's request for the installer build.
- Source from Microsoft website here.
You must also remember to enable the 'User reported settings' in Microsoft Defender.
- In the Microsoft Defender portal at https://security.microsoft.com, go to Settings > Email & collaboration > 'User reported settings' tab.
- To go directly to the User reported settings page, use https://security.microsoft.com/securitysettings/userSubmission.
- On the 'User reported settings' page, the available settings for reporting messages in Outlook are determined by the 'Monitor reported messages in Outlook' setting in the Outlook section at the top of the page.
- Ensure Monitor reported messages in Outlook is selected, and then select Use a non-Microsoft add-in button.
- Configure user reported messages to go to the reporting mailbox, to Microsoft, or to both.
- Decide whether users receive default or customised pre-reporting and post-reporting pop-ups in supported version of Outlook.
- Ensure the reporting mailbox is set to the mailbox that was configured earlier in the process.
- Decide whether to customise the feedback email that's sent to users after an admin reviews and marks the message on the 'User submissions' tab on the 'Submissions' page.
- Decide whether users can report email messages from quarantine as they release quarantined messages.
- To finish, click on Save.