Contact us: +45 32 67 26 26
English
Back to blog
4 min read

How to handle and spot phishing mails with Microsoft Defender

Anders Bryde Thornild
By: Anders Bryde Thornild Cyber Security | 7 May

In the previous blog post, we went through how Microsoft Defender can strengthen your email security. If you haven't read it, you might want to start there.

In this blog post, we go deep into how you can handle phishing emails in Microsoft Defender, which will make your life as an IT manager way easier. Let's go. 

This blog is part of 3 chapters

We are diving into Microsoft Defender and reporting of phishing. This blog is the second part of the trilogy. 

Here's the posts if you want to read them all:

  1. Use Microsoft Defender to strengthen your email security
  2. How to handle and spot phishing mails with Microsoft Defender
  3. How our new phishing report button integrates directly with Microsoft Defender

 

I hope you enjoy.

Phishing reporting is messy in most companies

Take a good look around your company. How do your colleagues report phishing emails to IT when they spot one?

Chances are, they do it in lots of ways:

  • They write you in Teams "Hey, I just got this email and it's weird. Can you look at it?"
  • They forward the mail to you "See below, is it phishing?"
  • They come to your desk: "Is this phishing?"

And that's all good scenarios, because they actually reach out. Worst case, they ignore the email or even click it.

The problem is:

It's impossible for you in IT to get a good overview of the reporting in your company. You have to piece it all together.

Plus, your employees clearly don't know the best way if they are all doing it in different ways. It's inconsistent.

This might be you trying to figure out how many phishingmails your company faces:

always sunny in philly

The solution: Microsoft Defender.

Reporting, handling, and deleting of phishing emails

In Microsoft Defender, you have one place to do it all.

You can discover phishing emails, block malicious links and delete them for all your employees. You can see emails that your colleagues report as phishing, investigate them, and handle them in an efficient way.

Some of the features does require a special license, though

All in one place. 

What you can do in Microsoft Defender

It all starts when your colleagues report phishing mails or if your email setup and spam filter blocks emails for being potential phishing mails.

image-png-Apr-11-2025-09-41-52-9513-AM

Because when either of those two things happen, you can see it and take action.

Here's how. 

Actions and submissions in Defender is a pot of gold

The magic happens under the actions and submissions tab.

Here you can see all the emails your colleagues report as phishing.

This means you can look through them and take action. 

You can:

  • Release them again if it wasn't phishing
  • You can investigate them further - preview the emails
  • You can extract the URL and block it for all users.
  • You can block the sender
  • You can block the URL.
  • You can delete the email for all users in your organization if it is in fact phishing.

Submission user reported

This is key. The fact that you can block a URL, sender, IP or delete the phishing email for all users greatly increases your security.

What does it mean to investigate the emails?

When you investigate the emails, it means that you can preview the email that your colleague has reported. You can check out the links, the domain, the IP, the text - well, everything - all the metadata.

Review phishing email

Based on that information, you can take action.

  • You can delete the email from all.
  • You can deactivate the links, so no one can click the link.
  • You can move the mail e.g., in quarantine to make sure users can't see the mail before you've investigated it further.
  • You can report it to Microsoft, so they can investigate and potentially remove it from other companies as well.
And of course, if there's no harm, you can release it again so everybody can access it. 

Way more benefits than that

When you get started, you will see way more benefits than just being able to handle and delete phishing emails easily:

    ✅ Centralized Reporting: Emails go to the right people instantly — no more time on collecting data from all over the place. 

    ✅ Faster Triage: Get the metadata and original message you need to investigate properly in the environment where you can actually take action. 

    ✅ Better Visibility: See who else received the same phishing attempt. 

    ✅ Improved Response Time: Act on threats before they spread. 

    ✅ Training Insights: Identify which users report, and who needs more awareness. 

    ✅ Threat Intelligence: Spot trends and update security policies proactively. 

And maybe most important: 

   ✅ Collaboration between employees and IT: It helps you get direct collaboration and communication with all employees. They know what to do, and they help you create better security.

This is all pretty cool and something we see a lot of companies missing.

Setup your Defender to match your security

You might sit and think: "Do I then have to sit and update Microsoft Defender all the time to spot it when something gets reported?".

No, don't worry.

Under "Incidents and Alerts" you can setup what need to happen if someone clicks the phishing button.

You can:

  • Set up who should get alerted and notified when something is reported as phishing
  • You can setup rules that create different actions on different scenarios - e.g., if a domain equals X it automatically deletes all the emails from everyone's inboxes. 
  • You can create automatic "Thank you messages" for the employee who reports the phishing to motivate them to keep doing it in the future.

You can do quite a lot here that makes sure you can react fast and some time even automated when a phishing email is reported.

And you can do it for all your employees in one place. 

But why do it in Microsoft Defender?

There are a bunch of services making third-party buttons to report phishing. A lot of our competitors have their own "report phishing" buttons. 

You can probably get a lot of the same information from these buttons in the apps these services provide. 

The problem with it is that even though you might get a lot of cool insights and features from this, you have to go back to Microsoft Defender when you actually have to take action on these emails. 

That's why we recommend just using Microsoft Defenders own button.

Then you have everything in ONE place.

That's also why we haven't developed our own button. Instead, we've integrated our app with Microsofts button

Meaning that you can see how many people report phishing simulations from us in our app - but you can also see it and take action in Microsoft Defender. It's the same button for real attacks and phishing simulations.

It's a win win.

You can read way more about the feature right here.

How to get started with Microsoft Defender?

The features are cool, but the first step to use them is to set up what should happen when people report an email, and then to get people to start reporting phishing.

It might sound like a tedious task and probably won't be easy as people need to learn new habits. It's worth it, though.

The steps are simple:

  1. Decide who should receive phishing reports and set up the routing accordingly. 
  2. Educate your users — share internal guides, run quick lunch sessions, post reminders, and use phishing simulations.
  3. Track adoption — monitor who’s using the button, and follow up with teams that need a refresher. 

The hard part is to get people to start reporting.  Luckily, this should be rather easy for them. 

They simply click "Report" in Outlook:

 

  • Show them how in all-hands meetings.
  • Write a small guide.
  • Show them why it matters. Show them what it means to you and how you benefit from it.

Most people probably think Microsoft will get notified when they report a phishing email, but it can also go straight to you and help you. People need to understand that. 

When they start reporting you can track the adoption and use it to motivate even further. It's a marathon, not a sprint. We wish you luck ;) 

Use phishing training to get started

Another smart way to train people to use the button is to run phishing simulations. This trains your employees in spotting phishing emails, but it also trains your company in following your "Emergency plan". 

The goals is:

  • Don't click the phishing link
  • Click the report button

And you can do this in a safe environment by doing phishing training.

If you don't know how, then we are ready to help.

Free phishing campaign Your first one is on us!    Book 15 minutes with Benjamin, our product owner, and we’ll create a custom campaign to give you clear insights into your security level.   We’ll run the campaign and send you a detailed report. All it takes is a quick chat and a little bit of your time.  

 
Back to blog
Recent articles
Cyber Security, Phishing Training Big Data Study: What the data from +200.000 phishing emails learns us

We've sent more than 200.000 phishing emails. Here's what we've learned from them and what you can do to avoid becoming a victim of them.

Anders Bryde Thornild 6 min read - By Anders Bryde Thornild
Awareness training, CyberPilot Platform Here's our new CyberPilot platform!

Our new platform is here! Here's what we've done and how we made it easier and better for you to do Awareness Training!

Anders Bryde Thornild 2 min read - By Anders Bryde Thornild
Awareness training, CyberPilot Platform How We Improved Our Awareness Training Over the Past Year

We improve our courses all the time, but sometimes we forget to tell people how. Here's what we've been working on for the last year.

Sarah Hofmann 7 min read - By Sarah Hofmann