🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.
Exchange Online

How to Audit Phishing Emails in Microsoft 365

Imagine an employee receiving an email from the company's IT department requesting a security check. They follow a link and unknowingly enter their credentials into a convincing phishing site, giving hackers access to the company's network. Credential phishing is just one of many attacks, including spear phishing, whaling, and malware phishing. That's why detecting phishing emails is crucial, and this guide will show you how to get phishing emails report in Microsoft 365 effectively.

Solution 1
Solution 2
Solution 3
Solution 4
Important Tips
Errors and Resolution Steps
FAQs

View Email Phishing Report Using Microsoft Defender

Microsoft 365 Permission Required
Security Reader Least Privilege
Global Admin Most Privilege
  • Login to the Microsoft 365 Defender portal.
  • Go to the Threat protection status report under Reports»Email & collaboration reports.
  • Select "View details" in the Threat protection status report to view the data.
  • Change the report view from 'View data by Overview' to "View data by Email > Phish" to monitor phishing related reports.
View Email Phishing Report Using Microsoft Defender

Detect Microsoft 365 Phishing Emails Using PowerShell

Microsoft 365 Permission Required
View-Only Recipients role Least Privilege
Global Admin Most Privilege
  • Connect to the Exchange Online PowerShell.
  • Windows PowerShell Windows PowerShell 
     Connect-ExchangeOnline
  • Run the PowerShell cmdlet below to obtain a report on Microsoft 365 phishing emails.
  • Windows PowerShell Windows PowerShell 
     Get-MailDetailATPReport | Where-Object {$_.VerdictSource -eq 'Phish'} | Select-Object Date, Subject, SenderAddress, RecipientAddress, MessageId | Format-Table -AutoSize
Detect Microsoft 365 Phishing Emails Using PowerShell

List Phishing Emails Using PowerShell Script

Microsoft 365 Permission Required
View-Only Recipients role Least Privilege
Global Admin Most Privilege
  • The above cmdlet is useful for retrieving phishing emails in Microsoft 365. However, obtaining the desired reports requires additional processing, which can be tedious and time-consuming.
  • Thus, we’ve developed a PowerShell script to easily export phishing reports in Microsoft 365.

  • Please note that the script is designed to generate 9 different email protection reports. To generate phishing email protection reports, use the script by providing a specific parameter, such as PhishEmailsReceived, PhishEmailsSent, and IntraOrgPhishMails in the below format.

    ./MailProtectionReport.ps1 -parameter
List Phishing Emails Using PowerShell Script
MailProtectionReport.ps1
AdminDroid Exchange Online Reporter

Effortless Monitoring of Microsoft 365 Phishing Reports

AdminDroid's Microsoft 365 phishing detection tool delivers granular details into phishing emails, making it easy to monitor and audit sent & received emails, and all phishing-related activities. This powerful tracking capability is essential for admins to enforce organizational policies, block phishing emails, and prevent data breaches.

Discover Phish Filter Configurations to Maximize Protection

Optimize email security settings for effective phishing detection and prevention with AdminDroid's phish filter configuration changes report.

Keep Tabs on Highly Active Phishing Senders and Receivers

Identify the top phishing senders and receivers to pinpoint the users damaging your domain's reputation and the victims who have fallen for spear phishing.

Identify Incoming and Outgoing Phishing Emails

Keep a close watch on incoming and outgoing phishing emails to understand their impact on your email flow and to block suspicious users sending phishing emails.

Gain Insights into Phishing Detection Statistics

Watch phishing detection stats in Microsoft 365 for insights on failed DMARC, spoofed domains, and more. This helps to identify root causes and implement solutions to stop phishing.

Stay Alert to Phishing Policy Changes

Get instant alerts for anti-phishing policy changes or creations, along with default alert phishing policy, using AdminDroid's real-time alerting feature.

Ensure Compliance through Phishing Report Monitoring

Monitor Microsoft 365 compliance reports related to phishing to find vulnerable users, provide targeted training, and strengthen your overall security.

In conclusion, AdminDroid's Exchange Online auditing tool provides a sophisticated solution for monitoring phishing in your organization. With real-time insights, customizable reports, and engaging dashboards, it boosts your security by effectively identifying and tackling phishing threats in Microsoft 365 emails.

Explore a full range of reporting options
Download Live Demo

Important Tips

Configure Microsoft 365 company branding to help users spot phishing pages and protect your organization from malicious credential phishing attacks.

Use external email tagging to protect your organization from Outlook phishing attacks and enhance overall Office 365 phishing protection.

Implement zero-hour auto purge in Exchange Online to detect and eliminate spam & phishing messages, even if they become harmful after delivery.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while exporting Microsoft 365 phishing reports.

Error Exiting. Choose one report to generate. Please try again.

This error occurs when you don't specify the report to be generated when running the PowerShell script.

Fix Specify the report you want to generate when executing the script to avoid this error as shown below. 
./MailProtectionReport.ps1 -PhishEmailsReceived

Error Couldn't find object "Research Department".

This error occurs when the ‘SentToMemberOf’ parameter of the new anti-phish rule is not correctly mentioned.

Fix Please make sure that it was spelled correctly or specify a different object.

Error The operation couldn't be performed because object 'Monitor Policy' couldn't be found on 'MA0P287A04DC003.INDP287A004.PROD.OUTLOOK.COM'.

This error occurs when you specify an incorrect anti-phish rule name or a rule name that doesn't exist.

Fix Verify the existence of the specified anti-phish rule using the following cmdlet. 
Get-AntiPhishRule

Error The specified rule priority is invalid. Use a value between '0' (highest priority), and '1' (lowest priority).

This error occurs when the priority value is not properly set up while configuring the anti-phish rule in Microsoft 365.

Fix When setting the priority value for an anti-phish rule, remember that the highest priority value is 0. The lowest value depends on the number of rules you have. For example, if you have five rules, set their priorities from 0 to 4. Changing a rule's priority affects others. For instance, if you change a rule to priority 2, the current rule with priority 2 shifts to 3, and so on.

Error Cannot bind parameter 'PhishThresholdLevel' to the target. Exception setting "PhishThresholdLevel": The property (PhishThresholdLevel (System.Int32)) is out of range.

This error occurs when you mention the threshold value incorrectly while setting it in Exchange Online PowerShell.

Fix Make sure to input the correct threshold value between 1 and 4.
Exchange Online
Frequently Asked Questions

Block Phishing Messages to Defend Your Microsoft 365

How to recognize and avoid phishing scams in Microsoft 365?
How to report a phishing message in Microsoft 365?
What happens when you report a message as phishing in Microsoft 365?
What is anti-phishing in Microsoft 365?
How to configure anti-phishing policies in Microsoft 365?
How to set the phishing email threshold in Microsoft 365?
What is attack simulation training in Microsoft 365?

1. How to recognize and avoid phishing scams in Microsoft 365?

Recognizing and avoiding phishing scams in Microsoft 365 is crucial for maintaining security. As an admin, it's essential to train users effectively to identify phishing emails.

Identify phishing emails in Microsoft 365

Here are steps to identify phishing emails in Microsoft 365:

  • Urgent messages: Phishing messages often convey a sense of urgency, prompting you to take immediate action without considering the consequences.
  • Spelling and grammar: Legitimate companies typically hire professionals for their advertisements and email communications to maintain a good reputation. Attackers, however, often make spelling and grammar mistakes, especially those from foreign languages.
  • Caution against generic greetings: Be cautious when you receive emails with generic greetings like "Dear Sir/Madam," as attackers often use these in phishing attempts. They may not have your specific information and could be trying to deceive you into revealing sensitive information.

Avoid phishing scams in Microsoft 365

Here are some best practices to enhance Microsoft 365 email phishing protection and safeguard your organization from attacks.

  • Do not open or download any file attached to a suspicious email.
  • Never reply to an email that asks you to send personal or account information.
  • Avoid clicking links in suspicious emails that direct you to a company site.
  • Ensure emails are legitimate by contacting the company through their official channels like phone or website.
  • Search the web for the email subject line followed by "hoax" to check if others have reported it as a scam.
  • Implement phishing-resistant MFA to strengthen user authentication and block advanced phishing scams.
  • Use Advanced Threat Protection for an additional layer of security against Office 365 phishing attacks. In addition, regularly monitor Microsoft 365 Defender configuration changes to maintain strong defenses against phishing and ensure security settings remain optimized.

2. How to report a phishing message in Microsoft 365?

In addition to the mentioned practices, users can report any phishing messages to Microsoft if they seem like an attempt to trick you into sharing sensitive information. Reporting these messages not only safeguards users but also enhances Microsoft's ability to identify and prevent phishing attempts.

How to report an email as phishing in Outlook?

Reporting a phishing email in Outlook is a straightforward process that helps protect your account and organization from potential threats.

  • Log in to the Microsoft Outlook account.
  • Select the phishing message in your inbox.
  • Under the ‘Report’ drop-down, select the 'Report phishing' option.
  • On the confirmation prompt, select the Report button to flag phishing in Microsoft Outlook.
report-phishing-message-in-outlook

How to report a phishing message in Microsoft Teams?

Phishing attacks are now targeting popular communication tools like Microsoft Teams. To help users, Microsoft introduced a feature for reporting suspicious messages. Here’s how to do it:

  • To report a suspicious message in Teams, select the message and click 'More options' (ellipses).
  • Next, select 'More actions' and choose the 'Report this message' option.
  • Select "Security risk – Spam, phishing, malicious content" from the drop-down menu.
  • Click the Report button to submit the message.
report-phishing-message-in-teams

Before users can report suspicious messages in Teams, an admin must enable this feature in the Teams admin center. Here’s how:

  • Go to the Messaging policies in the Teams admin center.
  • Under 'Manage policies', select the 'Global (Org-wide default)' policy.
  • Toggle the switches for 'Report inappropriate content' and 'Report a security concern' to On and click 'Save'.

With these settings enabled, users can now easily report suspicious messages in Microsoft Teams, ensuring enhanced security and prompt action against phishing threats.

3. What happens when you report a message as phishing in Microsoft 365?

When you report a message as phishing in Microsoft 365, the process differs slightly depending on whether the messages are reported from Outlook or Teams.

Reporting phishing messages in Microsoft Outlook

  • The reported message is sent to the configured reporting mailbox, to Microsoft, or both, depending on your organization's settings.
  • The message is then deleted from the user's inbox.

Reporting suspicious phishing messages in Microsoft Teams

  • The reported messages are not deleted in MS Teams, allowing users to report a message multiple times.
  • An email notification is sent to the user who reported the message, stating, "You have successfully reported a Teams message as a security risk."
  • The reported message is sent to the configured reporting mailbox, to Microsoft, or both, based on your organization's settings.

Admins can view user-reported messages under the ‘User reported’ tab on the Submissions page in the Microsoft 365 Defender. Monitoring these messages is essential for identifying legitimate senders and potential phishing attempts. If admins have not configured direct submission to Microsoft, they can submit these identified phishing attempts for analysis through this page.

4. What is anti-phishing in Microsoft 365?

Anti-phishing protection in Microsoft 365 involves several key components and practices to protect users and organizations from phishing attacks. Here's a breakdown of the key elements of Microsoft 365 anti-phishing:

  • Spoof IntelligenceMicrosoft 365 uses spoof intelligence to detect spoofed senders, both from external and internal domains. This feature allows admins to manually allow or block these spoofed senders, enhancing protection against spoofing attacks.

  • Anti-phishing Policies in Exchange Online Protection (EOP)These policies allow admins to fine-tune control over Office 365 phishing protection mechanisms. Admins can enable spoof intelligence, enable first contact safety tip, and manage messages that fail explicit DMARC checks, etc., using these policies.

  • Tenant Allow/Block ListAdministrators can manage spoofed senders by manually allowing or blocking them through the Tenant Allow/Block List. This list contains entries for spoofed senders that have been overridden in the spoof intelligence settings.

  • Implicit Email AuthenticationMicrosoft 365 includes implicit email authentication mechanisms like SPF, DKIM, and DMARC to verify the authenticity of incoming emails and prevent phishing.

  • Anti-phishing Policies in Microsoft Defender for Office 365These policies provide additional layers of protection to prevent phishing in Microsoft 365. They include features such as Safe Links, which checks and prevents malicious URLs in emails, and Safe Attachments, which scans for malware attachments in emails.

  • Campaign ViewsMicrosoft 365 provides campaign views that allow admins to see detailed information about phishing campaigns targeting their organization. This visibility helps to understand attacks and take appropriate action.

  • Attack Simulation TrainingMicrosoft 365 offers attack simulation training to educate users about phishing threats.

Overall, Microsoft 365 uses a combination of technology, policies, and training to provide robust protection against phishing attacks. Admins should use these key features as part of their Office 365 security best practices.

5. How to configure anti-phishing policies in Microsoft 365?

Microsoft 365 Defender allows you to customize anti-phishing policies to match your organization's needs. This flexibility ensures security without compromising productivity. Let's see how to create these Microsoft 365 anti-phishing policies.

  • Log in to your Microsoft 365 Defender portal.
  • Navigate to 'Policies & Rules' under 'Email and collaboration'.
  • Select Threat policies»Anti-phishing policies available under 'Policies' section.
  • Click the ‘+Create’ button.
  • Policy Name:
    • Enter a name and description for your policy. Click ‘Next’.
  • Users, Groups, and Domains:
    • Specify the users, groups, and domains to include or exclude from the policy. Then, select ‘Next’.
  • Phishing Threshold & Protection:
    • Define phishing thresholds for identifying phishing emails.
    • Configure desired protection settings against impersonation and spoofing before proceeding to ‘Next’.
  • Actions:
    • Specify the actions the policy should take on emails and messages that meet the policy criteria. Click ‘Next’.
  • Review the configured settings and click 'Submit' to create the anti-phishing policy.

Managing multiple anti-phishing policies in Microsoft 365 can be time-consuming as you need to check each policy individually to view its configurations. While creating policies is straightforward with the Microsoft 365 Defender portal, there is no direct way to explicitly see changes made to an anti-phishing policy.

Tired of searching for anti-phishing policy changes in Microsoft 365? AdminDroid has you covered!

AdminDroid provides detailed tracking of any changes to anti-phishing policies and rules, documenting every event in the comprehensive Anti-Phish Policy/Rule Changes report.

  • To access this report, navigate to Audit»Exchange»Advanced Threat Protection»Anti-Phishing.
  • With this report, Microsoft 365 admins can access details, such as configured time, UPN, respective anti-phish policy, involved tenant, operation, modified properties, and more.
  • This proactive approach ensures that your phishing defense for Microsoft 365 remains strong and adaptive.
anti-phishing-policy-changes

Quick tip: Easily email the report directly from AdminDroid by clicking the Email 📧 button located in the top right corner.

6. How to set the phishing email threshold in Microsoft 365?

The phishing email threshold in Microsoft 365 Defender is a setting that determines the sensitivity level at which emails are classified as phishing attempts. By setting this threshold, you can control how aggressively Microsoft 365 Defender filters out potential phishing emails.

Phishing threshold values in Microsoft Defender

  • 1 - Standard: This is the default setting. It means the severity of the action taken on a suspicious email depends on the confidence level (low, medium, or high) in identifying it as a phishing attempt. For example, if it's very high, it takes strong action, but if it's low, the action is less severe.
  • 2 - Aggressive: With this setting, if an email is flagged as phishing with a high level of confidence, it's treated as a very clear phishing attempt, and strong measures are taken.
  • 3 - More aggressive: If an email is flagged as phishing with medium or high confidence, it's treated as a very clear phishing attempt, and strong action is taken.
  • 4 - Most aggressive: All emails flagged with low, medium, or high confidence are treated as clear phishing attempts, and strong action is taken with this setting.

Here's how to set the phishing email threshold in Office 365:

  • Sign in to the Microsoft 365 Defender portal.
  • Go to Email & collaboration»Policies & rules»Threat policies»Policies»Anti-phishing.
  • Select the 'Office365 AntiPhish Default (Default)' policy.
  • Under 'Phishing & threshold protection', choose 'Edit protection settings'.
  • Adjust the 'Phishing email threshold' slider to set the value.
set-phishing-threshold-value

Set phishing threshold value using PowerShell

To set the phishing threshold value using PowerShell, you can use the following cmdlet. This approach can help avoid the manual navigation of multiple admin portals.

Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" -PhishThresholdLevel "ThresholdValue"

Replace with your desired threshold value between 1 and 4. This command will update the phishing threshold level of the default anti-phishing policy.

Important: The threshold value is 1 for the default policy, 3 for the standard policy, and 4 for the strict preset security policy. Keep in mind that increasing this value raises the chances of Microsoft 365 high confidence phish false positives (good mail marked as phishing). Set the phishing email threshold level to 2 or higher to align with Microsoft Secure Score recommendations for phishing protection and enhance organizational security.

7. What is attack simulation training in Microsoft 365?

Attack simulation training is a cybersecurity training method used within Microsoft 365 organizations to improve security awareness and readiness among employees. It involves creating controlled, realistic cyber-attack scenarios that mimic various tactics used by attackers. These simulations train staff to recognize, respond to, and report potential security threats, such as phishing emails, malware attacks, or suspicious activities.

Here are key aspects of attack simulation training in Office 365:

  • Realism: Hackers often raise the trust level of a phishing message in Microsoft 365. Therefore, simulations are designed to be as realistic as possible, challenging participants to distinguish them from real attacks. This includes techniques like spoofed emails, creating fake web pages, and even social engineering calls.
  • Training and Awareness: The primary goal is to train employees on how to react properly to different types of cyber threats. This increases their level of security awareness and teaches them the best practices to minimize risks.
  • Evaluation and Feedback: After each simulation, Microsoft 365 users receive feedback on their actions. This helps them to learn from their mistakes and improve their response strategies. Organizations also gain insights into the overall security awareness of their workforce.
  • Continuous Improvement: Microsoft 365 attack simulation training is typically not a one-time event. It is conducted regularly to cover different types of cyber threats and to keep security on top of mind as part of an ongoing security education program.

This proactive approach is effective in reducing the risk of security breaches by ensuring that employees are better equipped to handle real-life phishing incidents.

Kickstart Your Journey With
AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities

Download Now
Browse All Guides
User Help Manuals Compliance Docs
All Guides 99+
Exchange Online
How to Audit Phishing Emails in Microsoft 365
Exchange Online Guides 41 Guides
1Export Mailbox Size Quota in Exchange2Check Non-owner Mailbox Access in Microsoft 3653Get Microsoft 365 Mail Traffic Statistics by User4Check if Forwarding Rules are Active in Microsoft 3655Get Shared Mailbox Permissions in Exchange Online6Get a List of Inactive Mailboxes in Exchange Online7Check External Auto Forwarding in Microsoft 3658Export List of Mailboxes in Exchange Online9Export Exchange Online Mailbox Permissions10Find Unused Distribution Lists in Microsoft 36511Get a List of Shared Mailboxes in Exchange Online12Audit Mailbox Permission Changes in Microsoft 36513Get Shared Mailbox Size Report in Microsoft 36514Get Send on Behalf Permissions in EXO15Check Who Deleted an Email in Microsoft 36516Monitor Mailbox Folder Permission Changes in Exchange Online17Monitor Spam Detection Reports in M36518Identify Phishing Attacks in Microsoft 36519View All Inbox Rules in Microsoft 36520Get Email App Usage Report in Microsoft 36521Export Distribution Groups in Microsoft 36522Identify Holds Applied on EXO Mailboxes23Audit Transport Rule Changes in EXO24Get Mailbox Auto Reply Configurations in M36525Audit Quarantined Messages in Exchange Online26Monitor the Dynamic Distribution Groups in Exchange Online27Track Undelivered Emails in Microsoft 36528List All Email Addresses and Aliases in M36529Get Accepted Domains in Exchange Online30Audit Outbound External Emails in Microsoft 36531Export Microsoft 365 Malware Emails Report32Get ActiveSync Enabled Mailboxes in Exchange33Get DLP Email Matches in Exchange Online34Track Licensed Shared Mailboxes in Microsoft 36535Check Mailbox Retention Policy in M36536Track Guest Access to User Mailboxes in Microsoft 36537Identify Non-Compliant Shared Mailboxes in M36538List Archive Enabled Mailboxes in M36539Monitor Microsoft 365 Defender Configuration Changes40Track Mailbox Audit Bypass Configuration Changes in EXO41Check Mailboxes That Exceed Warning Quota in Exchange Online
x
Delivering Reports on Time
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering
Give Just the Right Access to the Right People
Give Just the Right Access to the Right People
Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.
Give Just the Right Access to the Right People
Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.
Align, Define, Simplify: AdminDroid's Granular Delegation
Smart Organizational Control
Effortless M365 Management
Simplified Access
Advanced Alerts at a Glance
Advanced Alerts at a Glance
Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.
Advanced Alerts at a Glance
Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.
AdminDroid Keeps You Always Vigilant, Never Vulnerable!
Proactive Protection
Real-time Monitoring
Security Intelligence
Threat Detection
Merge the Required Data to One Place
Merge the Required Data to One Place
Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.
Merge the Required Data to One Place
This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.
Merge with Ease and Save as Views!
Custom Reporting
Unique View
Desired Columns
Easy Data Interpretation
Insightful Charts and Exclusive Dashboards
Insightful Charts and Exclusive Dashboards
Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.
Insightful Charts and Exclusive Dashboards
With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.
Explore Your Microsoft 365 Tenant in a Whole New Way!
Executive overviews
Interactive insights
Decision-making
Data Visualization
Efficient Report Exporting for Microsoft 365
Efficient Report Exporting for Microsoft 365
Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.
Efficient Report Exporting for Microsoft 365
Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.
Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!
Easy Export
Seamless Downloading
Data Control
Manage Microsoft 365

Get AdminDroid Office 365 Reporter Now!

Free Download Live Demo
Delivering Reports on Time
Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid's Scheduling to your email anytime you need.
Delivering Reports on Time
Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add inteligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.
Set It, Schedule It, See Results- Your Reports, Your Way, On Your Time!
Time Saving
Automation
Customization
Intelligent Filtering