# Forward phishing emails from Microsoft 365

In this article, you configure Microsoft 365 to automatically forward user-reported phishing emails to Radiant Security. Radiant needs access to the original reported message for analysis, which is done by forwarding emails from your dedicated in-house phishing reporting mailbox to a Radiant-managed mailbox for triage and investigation.

This is the recommended path for Microsoft 365 customers using Microsoft's built-in Report Phishing button.

<figure><img src="/files/pEOnn0dfMrThU3s6TZF0" alt=""><figcaption></figcaption></figure>

The setup has six phases. Complete them in order. When all six phases are complete, [report a test email](#report-a-test-email) to confirm the integration is working.

### Prerequisites

* [ ] Admin access to Microsoft 365, including the Exchange admin center and Microsoft Defender portal
* [ ] You have completed the steps in the [phishing email forwarding overview](/radiant-connectors/connectors-and-data-ingestion/phishing-email-forwarding-overview.md), including enabling your monitored domains.

### Create a dedicated phishing reporting mailbox

{% hint style="info" %}
**Note:** If your organization already has a phishing reporting mailbox, skip to [Enable the Report Phishing button](#enable-the-report-phishing-button).
{% endhint %}

In this phase, you create a dedicated phishing reporting mailbox for your organization.

1. Sign in to the [Exchange admin center](https://admin.exchange.microsoft.com/) and go to **Recipients > Mailboxes**.

<div align="left"><figure><img src="/files/maaciojlRi24CnjXMJPk" alt="" width="277"><figcaption></figcaption></figure></div>

2. Click **+ Add a shared mailbox**.
3. Set the following:
   * **Display name:** `Phishing Mailbox`
   * **Email address:** `phishing`
   * **Select domain:** select your domain.
4. Click **Create** to save the new mailbox.

### Add Radiant Security as a remote domain

In this phase, you enable forwarding emails from your domain to Radiant's external domain.

1. In the [Exchange admin center](https://admin.exchange.microsoft.com/#/remotedomains), go to **Mail flow > Remote domains**.
2. Click **+ Add a remote domain** and configure:

   * **Name:** `Radiant Security`
   * **Remote domain:** `report.radiantsecurity.ai`

   Click **Next**.
3. On the **Email reply types** page, confirm that **Allow automatic forwarding** is enabled.

<div align="left"><figure><img src="/files/L65B34vI2qc7wGV5V0uT" alt="" width="271"><figcaption></figcaption></figure></div>

4. Keep all default settings unchanged and click **Next**. Click **Next** again to skip the **Message reporting** and **Text and character set** pages, leaving them with the default settings. Click **Save** to add the external domain, then click **Done**.

### Add Radiant Security as a contact

In this phase, you add Radiant Security as a contact so that Radiant receives the forwarded phishing emails to a mailbox on its side.

1. In the [Exchange admin center](https://admin.exchange.microsoft.com/#/contacts), go to **Recipients > Contacts**.
2. Click **Add a mail contact**.
3. Set the following contact details:
   * **Display name:** `Radiant Security Alerts`
   * **Alias:** `radiant-security-alerts`
   * **Email address:** `alerts@report.radiantsecurity.ai`
4. Leave the remaining fields blank and click **Next**. Skip the optional information page and click **Create** to finish the process.

### Configure auto-forwarding from the phishing reporting mailbox

In this phase, you configure Microsoft 365 to automatically forward all suspected phishing emails to the Radiant Security Alerts contact created in the previous phase.

1. In the [Exchange admin center](https://admin.exchange.microsoft.com/#/mailboxes), go to **Recipients > Mailboxes**. Locate the **Phishing Mailbox** you created in the first phase and click its row.
2. In the pop-out menu, click the **Mailbox** tab, then click **Manage email forwarding**.

<div align="left"><figure><img src="/files/fPyWY8SnjrkBxQN84A4l" alt="" width="375"><figcaption></figcaption></figure></div>

3. Enable the **Forward all emails sent to this mailbox** option, then click **Forward to an internal email address > Search email**.

<div align="left"><figure><img src="/files/lLfW78dyOQYUGL7759ji" alt="" width="375"><figcaption></figcaption></figure></div>

4. Search for and select the **Radiant Security Alerts** contact created in the previous phase, click **Add**, then click **Save**.
5. On the mailbox configuration menu, click **Manage message size restriction** and set:
   * **Sent messages maximum size (KB):** `153600`
   * **Received messages maximum size (KB):** `153600`
6. Click **Save**.

### Allow external forwarding through the anti-spam outbound policy

In this phase, you create an outbound anti-spam policy for the phishing reporting mailbox so that messages from that mailbox can be forwarded externally.

1. Sign in to the [Microsoft Defender portal](https://security.microsoft.com/) and go to the [Anti-spam policies](https://security.microsoft.com/antispam) page. You can also navigate from the left menu: **Email & Collaboration > Policies & rules > Threat policies > Anti-spam policies**.
2. Click **+ Create policy** and select **Outbound**.
3. Set the following:

   * **Name:** `Forwarding alerts to Radiant Security`
   * **Description:** `Policy used to forward possible phishing mails from the internal phishing@<domain> mailbox to Radiant Security`

   Click **Next**.
4. Under **Users, groups, and domains**, in the **Users** field, select the `Phishing Mailbox` you created in the first phase. Leave **Groups** and **Domains** blank.
5. Under **Protection settings**, in the **Forwarding rules** field, set **Automatic forwarding rules** to **On - Forwarding is enabled**. Leave all other defaults unchanged.

<div align="left"><figure><img src="/files/gVGU8L2U8GS4NSHvhllJ" alt="" width="375"><figcaption></figcaption></figure></div>

6. Click **Next** to review the policy, then click **Create** to save the forward rule. Click **Done** to exit the page.

### Enable the Report Phishing button

In this phase, you enable the Microsoft 365 right-click action which allows a user to report suspected phishing emails to the dedicated phishing reporting mailbox you created in the previous phase.

1. In the [Microsoft Defender portal](https://security.microsoft.com/), go to the [User reported settings](https://security.microsoft.com/securitysettings/userSubmission) page. You can also navigate from the left menu: **Investigation & Response > Actions & Submissions > Submissions**, then click the gear icon.

<div align="left"><figure><img src="/files/XhENEtTL01NvHPHmCXVw" alt="" width="563"><figcaption></figcaption></figure></div>

2. Select the **Monitor reported messages in Outlook** checkbox.
3. For **Select an Outlook report button configuration**, select **Use the built-in Report button in Outlook**.
4. For **When a user reports an email**, select both:
   * **Ask the user to confirm before reporting**
   * **Show a success message after the message is reported**

<div align="left"><figure><img src="/files/Z0wmdk0zt82F1ZCBrpS4" alt="" width="563"><figcaption></figcaption></figure></div>

5. For **Reported message destinations**, select **Microsoft and my reporting mailbox** from the dropdown.

<div align="left"><figure><img src="/files/qaDVUof0i9IG8ugRuQid" alt="" width="375"><figcaption></figcaption></figure></div>

6. For **Add an Exchange Online mailbox to send reported messages to**, enter and select the mailbox you created in the [Create a dedicated phishing reporting mailbox](#create-a-dedicated-phishing-reporting-mailbox) phase. It should appear as a suggested contact.
7. Leave all other default settings unchanged and click **Save**.

### Manage Not Junk reports

Microsoft Defender enables the forwarding of "Not Junk" user reports by default. If your team does not want these specific reports to be triaged by Radiant, administrators can disable these notifications under **Email & collaboration > Policies & rules > Alert policy** in the [Microsoft Defender portal](https://security.microsoft.com/alertpoliciesv2).

{% hint style="info" %}
**Note:** You can also control whether Radiant triages junk and spam reports alongside phishing reports using the **Triage junk/spam emails** toggle on the Phishing Configuration page in Radiant. See [Configure phishing settings in Radiant](/radiant-connectors/connectors-and-data-ingestion/phishing-email-forwarding-overview.md#configure-phishing-settings-in-radiant) on the overview article.
{% endhint %}

### Report a test email

In this phase, you report an email to confirm the integration is working and verify there is organizational knowledge on how to report phishing emails end-to-end.

1. From any mailbox in your organization, send a test message to yourself, then click on that email message.
2. Report the test message as phishing:
   * If you have configured the Report Phishing button, use it to report the test message as phishing.
   * If you have not configured the Report Phishing button, click the `…` icon and choose **Other reply actions > Forward as attachment**. In the **To** field, enter the dedicated phishing reporting mailbox address within your organization and send the email.

<div align="left"><figure><img src="/files/OcU7UgMbYDDLbEAWNMCO" alt="" width="375"><figcaption></figcaption></figure></div>

3. Sign in to [Radiant Security](https://app.radiantsecurity.ai/) and check the **Alerts** and **Cases** tabs for the triaged report.

If the report does not appear, confirm the following:

* The remote domain `report.radiantsecurity.ai` has **Allow automatic forwarding** enabled.
* The auto-forwarding rule on the phishing reporting mailbox is set to forward to the **Radiant Security Alerts** contact.
* The anti-spam outbound policy is applied to the phishing reporting mailbox and has **Automatic forwarding rules** set to **On**.
* The Report Phishing button is configured to send reports to the phishing reporting mailbox.
* The reporter's domain is enabled in [Radiant's Monitored Domains](https://app.radiantsecurity.ai/settings/organization/phishing-configuration) tab.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.radiantsecurity.ai/radiant-connectors/connectors-and-data-ingestion/phishing-email-forwarding-overview/forward-phishing-emails-from-microsoft-365.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.