How to report phishing to Microsoft
Phishing emails, fake Microsoft sign-in pages, and malicious attachments are designed to steal credentials, install malware, or trick users into sending money.
This guide explains how to report phishing to Microsoft from Outlook, Microsoft 365, and other Microsoft services so suspicious messages can be reviewed and blocked faster.
If you use Outlook, Microsoft 365, OneDrive, or Windows, reporting suspicious content helps improve Microsoft’s anti-phishing systems and protects other users from the same threat.
What counts as phishing in Microsoft environments?
Phishing is a form of social engineering that impersonates trusted brands, coworkers, or Microsoft services to persuade you to act quickly.
In Microsoft ecosystems, common examples include fake Microsoft 365 login pages, fraudulent password reset prompts, email messages claiming your account is locked, and invoice scams sent through Outlook.
Typical warning signs include:
- Sender addresses that look similar to legitimate Microsoft or company domains
- Urgent language demanding immediate action
- Links that lead to unfamiliar domains or shortened URLs
- Unexpected attachments, especially HTML, ZIP, ISO, or Office files with macros
- Requests for passwords, multifactor authentication codes, or gift cards
How to report phishing to Microsoft in Outlook
Outlook provides built-in reporting options that make it easy to send suspicious messages directly to Microsoft.
The exact steps vary slightly between Outlook on the web, Outlook for Windows, Outlook for Mac, and mobile apps, but the process is similar.
Report a phishing email in Outlook on the web
- Open the suspicious email.
- Select the message actions menu, usually shown as three dots.
- Choose Report message or Report phishing.
- Confirm the report when prompted.
In some Microsoft 365 environments, your organization may also route the message to its security team.
That means the email can be reviewed both by Microsoft and by your internal administrators.
Report a phishing email in Outlook for Windows or Mac
- Select the suspicious message.
- Use the Report Message or Report Phishing add-in, if available.
- Choose Phishing and submit the message.
If your mailbox is managed by a business or school, the reporting add-in may be installed by default through Microsoft 365.
If you do not see it, your administrator may need to enable it.
Report phishing in Outlook mobile
- Open the suspicious email.
- Tap the menu icon or message actions.
- Select Report phishing if available.
- Follow the on-screen confirmation steps.
Mobile reporting is useful when you need to act quickly, but if possible, review the sender and links before interacting with the message in any way.
How to report phishing to Microsoft in Microsoft 365 Defender
Administrators and security teams often use Microsoft 365 Defender to investigate phishing campaigns at scale.
If you manage an organization, reporting suspicious messages through Defender can help protect mailboxes, users, and shared tenant resources.
In Microsoft 365 Defender, admins can typically:
- Submit an email, URL, or attachment for analysis
- Review threat intelligence details
- Check whether the message was part of a broader campaign
- Take remediation actions such as quarantine or tenant-wide blocking
For enterprise environments, Microsoft Defender for Office 365 includes message trace, impersonation protection, and automated investigation and response features that can help identify similar threats quickly.
How to report phishing websites or fake Microsoft login pages?
If you encounter a suspicious website pretending to be Microsoft, you can report it through Microsoft’s security channels and also through browser protections.
Fake login pages often imitate Microsoft 365, Outlook, OneDrive, Teams, or account.microsoft.com.
Before reporting, check the URL carefully.
Microsoft login pages should use official Microsoft domains, such as microsoft.com, live.com, office.com, or login.microsoftonline.com.
A single misspelling or unusual domain extension is often a sign of a spoofed site.
To report a fraudulent site:
- Copy the full URL without entering any personal data
- Report it through Microsoft’s security reporting tools if available
- Use your browser’s phishing or unsafe site reporting feature
- Notify your organization if the page targeted a work account
What information should you include when reporting?
When you report phishing to Microsoft, include enough detail for analysts to evaluate the threat.
Avoid editing the message beyond what the reporting tool asks for, because headers, sender data, and links can help investigators.
Useful details include:
- The original suspicious email or message
- Sender name and address
- Subject line
- Any embedded URLs or attachment names
- The time and date the message was received
- A brief note explaining why it looked suspicious
If you are reporting through a business tenant, your security team may also want the message ID, tenant name, or evidence of whether anyone clicked the link.
What happens after you report phishing to Microsoft?
After you submit a report, Microsoft may use the sample to improve spam and phishing detection models, update reputation data, and strengthen protection for other users.
In enterprise environments, reported items can also trigger security workflows in Microsoft Defender, including alerting, investigation, and quarantine decisions.
It is important to understand that reporting does not always mean the message will be removed immediately from every inbox.
However, the report contributes to broader detection systems and may help block similar attacks faster.
If the phishing attempt targeted your account, Microsoft may also recommend additional actions such as:
- Changing your password
- Reviewing sign-in activity
- Revoking suspicious sessions
- Enabling multifactor authentication
- Checking mailbox forwarding rules and inbox rules
Should you delete the phishing email after reporting it?
Yes, after you report the message, you can usually delete it or move it to junk, unless your organization asks you to retain it for investigation.
In some cases, security teams prefer users to leave the message in place until they complete a review.
If you are unsure, do not forward the message to colleagues.
Forwarding phishing emails can spread malicious links and create confusion.
Use the official reporting function instead.
How to protect your Microsoft account after a phishing attempt?
Reporting a phishing message is only one part of the response.
If you clicked a link, entered credentials, or opened an attachment, act immediately to reduce risk.
- Change your Microsoft account password from a trusted device
- Review recent sign-in activity in your account security page
- Turn on multifactor authentication if it is not already enabled
- Remove unknown devices or app passwords
- Check Outlook rules, forwarding settings, and connected apps
- Scan your device with Microsoft Defender Antivirus or another trusted endpoint tool
For business users, administrators should also inspect Entra ID sign-in logs, conditional access policies, and mailbox audit logs if compromise is suspected.
Best practices for Microsoft users to reduce phishing risk
Microsoft offers strong security features, but user habits still matter.
The most effective defense is a combination of technical controls and careful message review.
- Verify sender addresses, not display names alone
- Hover over links before clicking them
- Use passwordless sign-in or MFA where possible
- Keep Windows, Microsoft 365 apps, and browsers updated
- Trust alerts only when they appear inside official Microsoft apps or domains
- Report suspicious messages immediately instead of replying
In managed organizations, security teams can improve protection further by enabling Safe Links, Safe Attachments, spoof intelligence, and user-reported message settings in Microsoft Defender for Office 365.
How to report phishing to Microsoft if you use a non-Outlook email client?
Even if you use another email app, you can still report phishing to Microsoft when the message targets a Microsoft account, Microsoft 365 tenant, or Microsoft service.
Save the original email if possible, then use Microsoft’s reporting channels or forward the message to your organization’s security team if instructed by policy.
If the phishing attempt involves a Microsoft login page or service, reporting the URL and any associated email details can still help Microsoft correlate the campaign with other incidents.
When should you escalate beyond Microsoft?
Some phishing incidents require more than a Microsoft report.
If the scam includes financial fraud, stolen identity information, or account takeover, you may also need to contact your bank, local law enforcement, or your organization’s incident response team.
For corporate environments, suspected compromise may require password resets, device isolation, mailbox rule review, and user communication across the tenant.
Rapid escalation is especially important if the phishing email targeted executives, finance staff, or help desk personnel.