Microsoft Defender for Office 365 helps deal with legitimate business emails that are mistakenly blocked as threats (known as false positives).
Defender for Office 365 can help admins understand why legitimate emails were blocked, how to quickly resolve the issue, and how to prevent similar issues from happening in the future.
What you need
- Microsoft Defender for Office 365 Plan 1 or Plan 2. Microsoft 365 A5/E5/G5 includes Plan 2.
- Sufficient permissions. For example, membership in the Security Administrator role in Microsoft Entra ID.
- 5-10 minutes to perform the following steps.
Handling legitimate emails in the Junk folder of end users
- Ask end users to report the email as Not junk using the built-in Report button in supported versions of Outlook.
- End users can also add senders to their Safe Sender List in Outlook to prevent messages from these senders from landing in the Junk folder.
- Admins can triage the user-reported messages from the User reported tab on the Submission page.
- Admins can submit those reported messages to Microsoft for analysis to understand why the email was blocked in the first place.
- If needed, while submitting to Microsoft for analysis, admins can judiciously create an allow entry for the sender to mitigate the problem.
- Once the results from the admin submission are available, read them to understand why emails were blocked and how your organization setup could be improved to prevent similar issues from happening in the future.
Handling legitimate emails that are in the quarantine folder of end users
- An end user receives an email digest about quarantined messages as per the settings enabled by security admins.
- End users can preview the messages in quarantine, block the sender, release the messages, submit those messages to Microsoft for analysis, and request release of those emails from admins.
Handling legitimate emails in the quarantine folder of an admin
- Admins can view the quarantined emails (including the ones asking permission to request release) from the review page.
- Admins can release the message from quarantine while submitting it to Microsoft for analysis. They can also create a temporary allow entry in the Tenant Allow/Block List during the submission to Microsoft to mitigate the issue.
- Once the results for submissions are available, admins should read the verdict to understand the reason.
- If false positives are due to organization configuration, admins can correct it to mitigate the issue.
- If false positives are due to other factors, Microsoft learns from the submission and similar messages aren't quarantined anymore.
Note
Admins need to manually release any similar quarantined messages. Quarantined messages aren't released automatically. To find and release quarantined messages in bulk, see Can I release or report more than one quarantined message at a time?
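One way to carry out the manual bulk release described in the note above, using Exchange Online PowerShell. This is an added example, not part of the original page; the sender address and the seven-day window are placeholders, and the restriction to spam and bulk verdicts is an assumption about what is reasonable to release without individual review.

```powershell
# Requires the ExchangeOnlineManagement module and sufficient permissions.
Connect-ExchangeOnline

# Placeholders (assumed values): use the sender that the admin submission
# result confirmed as a false positive, and the window in which its
# messages were quarantined.
$query = @{
    SenderAddress     = 'billing@contoso.example'
    StartReceivedDate = (Get-Date).AddDays(-7)
    EndReceivedDate   = Get-Date
    # Malware and high confidence phishing are deliberately left out so
    # that those messages are still reviewed one at a time.
    QuarantineTypes   = 'Spam', 'Bulk'
    ReleaseStatus     = 'NotReleased'
    PageSize          = 1000
}
$pending = Get-QuarantineMessage @query

# Review the candidate list before changing anything.
$pending | Sort-Object ReceivedTime |
    Format-Table ReceivedTime, SenderAddress, Subject, Type, PolicyName -AutoSize

# Dry run: -WhatIf reports what would be released without releasing it.
# Remove -WhatIf once the list above matches what you expect.
$pending | ForEach-Object {
    Release-QuarantineMessage -Identity $_.Identity -ReleaseToAll -WhatIf
}
```

A single query returns at most one page of results, so rerun the query after releasing if more than 1000 messages match.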