Automated end-user feedback response feature is now GA. The user submission automatic feedback response capability in Microsoft Defender for Office 365 enables organizations to automatically respond to end user submissions of phish based on the verdict from the automated investigation.
This feature saves SecOps time by converting the process of sending manual responses back to end users on reported messages to be automated. This layers additional value to the automated investigation and response (AIR) feature for SecOps teams and also helps encourage end users to contribute to the security posture of the organization by providing acknowledgment and feedback on those user reports of phish automatically.
Configuration
The ability to automatically respond to end user submissions of phish is configurable and can be turned on from the user reported settings page (Settings > Email & collaboration > User reported settings) and configured to send based on the AIR verdict.
User submission automatic feedback response configuration found in settings > email & collaboration > user reported settings > automatically email users the results of the investigation:
- Phishing or Malware: Selecting this box indicates that the organization would like end users to receive an automatic response email on email submissions of phish when the associated user submission investigation identifies a threat of normal phish, high confidence phish or malware.
- Spam: Selecting this box indicates that the organization would like end users to receive an automatic response email on email submissions of phish when the associated user submission investigation shows the threat of spam.
- No threats found: Selecting this box indicates that the organization would like end users to receive an automatic response email on email submissions of phish when the associated user submission investigation finds no threats.
Response Timing
The automated end user feedback response is sent at the conclusion of the investigation when the investigation hits a final status. This means investigations in pending approval status must be approved before the response will be sent.
Email Template
The email that is sent to the end users utilizes the same email template as the organization’s Mark & Notify email template and allows the customization of the email body for the respective threats of Phishing, Junk and No threats found (corresponding to the Phishing or Malware, Spam, and No threats found settings above respectively). Learn more about Mark & Notify on this page: Admin review for reported messages - Office 365 | Microsoft Learn.
User submission automatic feedback response configuration of email message using customize admin review email notification:
Function
Once enabled, Microsoft Defender for Office 365 will automatically respond to end user submissions based on the investigation verdict and the configured settings. For example, if an organization has enabled the user feedback response for emails with no threats found, if a user reported a message as phish it would trigger automated investigation and response (AIR) and begin an investigation on the user reported message. If that investigation concludes with no threats found and the organization had enabled the automatic feedback response for no threats found, then the end user who submitted the message would receive an email stating there were no threats found on the submitted message. The message would resemble the below, but the body of the message and footers would contain what the organization has put in for admin review for reported messages for the no threats found option.
Sample user submission automatic feedback response for no threats found:
If an organization has enabled the user feedback response for emails with Phishing or Malware, if a user reported a message as phish it would begin an investigation on the user reported message. If that investigation discovers high confidence phish or malware the investigation would be looking for these to be remediated either with the approval of recommend actions, shown as pending actions in the investigation, incident and action center, or remediation through other means such as explorer. Once the high confidence phish or malware threats found in the investigation have been remediated, the investigation would close as “Remediated” or “Partially Remediated” at which point the user submission feedback email would automatically be sent to the user who reported the message. If only a threat of normal phish was identified for a message, the investigation would not produce pending actions however the end user would still receive a response indicating the message was phish. The message would resemble the below, but the body of the message and footers would contain what the organization has put in for admin review for reported messages for the phishing option.
Sample user submission automatic feedback response for high confidence phish or malware:
Note: The response is not sent to end users until any discovered high confidence phish or malware threats are remediated, meaning responses will not be sent when the investigation is pending action. The investigation must reach “Remediated” or “Partially Remediated” status in order for the response to be triggered.
Display
When users receive an automatic feedback response, this will be reflected in the submission queue as “Marked as” similar to other submissions that may have manually received a response.
User submission automatic feedback response reflected on submissions queue marked as:
Learn More
To learn more about the automated end user feedback response feature visit Automatic user notifications for user reported phishing results in AIR - Microsoft Defender for Offi....