How to Report Phishing in Outlook (2026 Guide)

Reporting phishing does two things at once: it trains Microsoft’s filters to catch similar attacks for every Microsoft 365 user, and it alerts your organization’s security team so they can purge copies from other mailboxes before someone clicks. The Report button is built into new Outlook, Outlook on the web, and Outlook mobile. Classic Outlook for Windows and classic Outlook for Mac need a free Microsoft add-in.

Here’s how to report suspicious messages from every version.


1. New Outlook Desktop & Outlook on the Web

The Report button is built directly into the ribbon and message toolbar in new Outlook for Windows and Outlook on the web. No add-in required.

Report a single message

  1. Open new Outlook or go to outlook.office.com.
  2. Select the suspicious email (or open it in the reading pane).
  3. On the Home tab of the ribbon, click Report.
  4. Choose one of:
    • Report phishing — for messages that try to steal credentials, impersonate a person or brand, or trick you into clicking a malicious link.
    • Report junk — for spam, marketing, or other unwanted but non-malicious email.
    • Not junk — to move a legitimate message out of the Junk Email folder.
  5. In the confirmation dialog, click Report.

The message is immediately moved to the Junk Email folder (or deleted, depending on your admin’s policy), a copy is sent to Microsoft for analysis, and — if your admin has enabled it — the report is also routed to your organization’s security team.

Report from an open message

If you’ve already opened the email, the Report button appears on the message toolbar near the top of the reading pane. Click it and choose Phishing.

Report button missing?

If you don’t see a Report button, your admin may have disabled user reporting, or you’re on a personal Outlook.com account where the wording is slightly different (the equivalent is Junk > Phishing on the toolbar).


2. Classic Outlook for Windows (Report Message Add-in)

Classic Outlook for Windows does not have a built-in Report button. You install one of two free Microsoft-built add-ins: Report Message (lets users report both phishing and junk) or Report Phishing (phishing only, slimmer interface).

Install the add-in

  1. In classic Outlook, go to the Home tab.
  2. Click Get Add-ins (or Store).
  3. In the search box, type Report Message and press Enter.
  4. Select Report Message (publisher: Microsoft Corporation).
  5. Toggle the switch to On and accept the permissions.
  6. Close the add-ins window. A Report Message button now appears on the Home tab of the ribbon.

You can install Report Phishing instead if you only want the phishing-specific option. Admins can also push either add-in centrally through the Microsoft 365 admin center so every user has it automatically.

Report a suspicious email

  1. Select the email in your inbox.
  2. On the Home tab, click Report Message.
  3. Choose Phishing (or Junk / Not Junk as appropriate).
  4. In the confirmation dialog, click Report.

The email is removed from your inbox, a copy is sent to Microsoft’s Security Intelligence team (junk@office365.microsoft.com or phish@office365.microsoft.com depending on what you chose), and — if configured — to your org’s reporting mailbox.

Note: The standalone Report Message and Report Phishing add-ins are now in maintenance mode. Microsoft is steering admins and users to the built-in Report button (already in new Outlook, web, Mac, and mobile). If you’re setting up reporting for a team today, configure the built-in button via Defender (see “Admins: Configure the Built-in Report Button” below) rather than rolling out the add-ins.


3. Outlook for Mac

New Outlook for Mac

The Report button is built in, just like on Windows and the web.

  1. Select the suspicious message.
  2. On the Home tab, click Report — or right-click the message and choose Report.
  3. Choose Phishing or Junk.
  4. Confirm.

Classic Outlook for Mac

Classic Outlook for Mac needs the Report Message add-in.

  1. Go to Home > Get Add-ins (or click the Store icon on the ribbon).
  2. Search for Report Message and click Add.
  3. After installation, the Report Message button appears on the Home tab.
  4. Select a suspicious message, click Report Message, and choose Phishing.

4. Outlook Mobile (iOS and Android)

The Report button is built into the Outlook mobile app on both iOS and Android.

  1. Open the suspicious email in the Outlook app.
  2. Tap the three-dot menu in the top-right corner of the message.
  3. Tap Report Junk.
  4. Choose Phishing (for credential theft, malicious links, impersonation) or Junk (for spam).
  5. Tap Report.

The email moves to Junk Email, syncs across your devices, and is submitted to Microsoft.

From the message list

You can also swipe on a message in the inbox list and tap the more options icon, then choose Report Junk > Phishing.


5. Manually Forward to Microsoft or APWG

If you can’t install an add-in (unmanaged device, third-party email client, IMAP account) or the Report button is missing, you can forward the suspicious message manually. To preserve the message headers — which Microsoft needs to analyze the attack — always forward as an attachment, not as a normal forward.

Forward as attachment in new Outlook or the web

  1. Select the suspicious email (don’t open any links or attachments).
  2. Click the three-dot menu (More actions) on the message toolbar.
  3. Choose Forward as attachment.
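  4. In the To field, enter one or more of:
    • phish@office365.microsoft.com (Microsoft)
    • reportphishing@apwg.org (Anti-Phishing Working Group)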
  5. Leave the body blank or add a short note.
  6. Click Send, then delete the original message.

Forward as attachment in classic Outlook for Windows

  1. Select the message in the inbox.
  2. Go to Home > More > Forward as Attachment (or press Ctrl+Alt+F).
  3. Address it to the same inboxes above and send.
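
Why the attachment matters, as an added example that is not part of the original guide: this Python code forwards a constructed message both ways and shows that only the attached copy still carries the Received and Authentication-Results headers the recipient needs for analysis. The sample message, the addresses, and the function names are assumptions made for the illustration.

```python
from email import message_from_bytes, message_from_string, policy
from email.message import EmailMessage

# Constructed sample of a message as delivered (not a real email).
SUSPICIOUS_RAW = """\
Received: from mail.example.net (mail.example.net [203.0.113.7]) by mx.example.com; Tue, 03 Feb 2026 09:14:02 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net; dmarc=fail header.from=example.net
From: "Microsoft Support" <support@example.net>
To: user@example.com
Subject: Unusual sign-in detected, verify now
Message-ID: <constructed-0001@example.net>

Your account will be locked in 24 hours. Verify now.
"""

def _new_forward(original, sender, recipient):
    fwd = EmailMessage()
    fwd["From"], fwd["To"] = sender, recipient
    fwd["Subject"] = "FW: " + original["Subject"]
    return fwd

def forward_as_attachment(raw, sender, recipient):
    """Forward with the untouched original attached as message/rfc822."""
    original = message_from_string(raw, policy=policy.default)
    fwd = _new_forward(original, sender, recipient)
    fwd.set_content("Suspected phishing; original message attached.")
    fwd.add_attachment(original)  # a message object is attached as message/rfc822
    return fwd.as_bytes()

def forward_inline(raw, sender, recipient):
    """Normal forward: only the visible body is copied into a new message."""
    original = message_from_string(raw, policy=policy.default)
    fwd = _new_forward(original, sender, recipient)
    fwd.set_content("---- Forwarded message ----\n" + original.get_content())
    return fwd.as_bytes()

def recover_original_headers(raw_forward):
    """Headers an analyst can still read from a forward; None if they are gone."""
    msg = message_from_bytes(raw_forward, policy=policy.default)
    for part in msg.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_content()
            return {"received": inner.get_all("Received", []),
                    "auth_results": str(inner["Authentication-Results"]),
                    "message_id": str(inner["Message-ID"])}
    return None
```
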

Spam vs phishing addresses

  • Spam or junk: junk@office365.microsoft.com
  • Phishing: phish@office365.microsoft.com


What Happens After You Report

  • The message moves to Junk Email (or gets soft-deleted) in your mailbox, so you stop seeing it.
  • A copy is submitted to Microsoft for analysis by automated systems and, for higher-risk samples, human reviewers. Repeat offenders get added to filters that protect every Microsoft 365 tenant.
  • Your admin sees it in the Microsoft Defender portal under Email & collaboration > Exchange message trace and Submissions. If your org uses Defender for Office 365, admins can launch Automated Investigation and Response (AIR) to find and remove copies from other mailboxes.
  • Your org’s security mailbox gets a copy if the admin configured user reporting settings to send reports internally.
  • Filters learn — both Microsoft’s global filters and, if configured, your tenant-level filters update based on what users report as phishing vs junk.

How to Spot a Phishing Email

  • Mismatched sender address — display name says “Microsoft Support” but the actual address is something like support@microsft-security.xyz.
  • Urgent or threatening tone — “Your account will be locked in 24 hours,” “Unusual sign-in detected, verify now.”
  • Unexpected attachments or links — especially .zip, .html, .htm, or password-protected docs from someone you didn’t email first.
  • Hover-to-check URLs — hover over any link (on mobile, long-press) and confirm the domain matches what the message claims.
  • Generic greetings — “Dear Customer” or “Dear User” from a company that normally uses your name.
  • Typos, odd grammar, inconsistent branding — legitimate corporate email goes through review.
  • Requests for credentials, MFA codes, gift cards, or wire transfers — Microsoft, your bank, and your CEO will not ask for these over email.

When in doubt, don’t click. Report it, then verify through a known channel (a phone number from your own records, not one in the email).
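
Two of the checks above (a display name that does not match the sending address, and link text that hides a different destination) can be automated when triaging reported mail. The following Python code is an added example, not part of the original guide; the BRAND_DOMAINS allow-list, the function names, and the sample message are assumptions, with the sender address taken from the list above.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
# Assumption: brands you care about and the domains they really send from.
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "office.com")}
# Constructed sample; the sender address is the guide's own example.
SAMPLE = """\
From: "Microsoft Support" <support@microsft-security.xyz>
Content-Type: text/html; charset=utf-8

<p><a href="http://login.example.net/verify">https://login.microsoft.com</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def host_of(text):
    """Hostname of a URL or bare domain; '' when text is neither."""
    m = re.fullmatch(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]\S*)?", text.strip().lower())
    return m.group(1) if m else ""

def phishing_indicators(raw):
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]  # assumes a From header is present
    for brand, domains in BRAND_DOMAINS.items():
        trusted = any(sender.domain.lower() == d or sender.domain.lower().endswith("." + d) for d in domains)
        if brand in sender.display_name.lower() and not trusted:
            findings.append(f"sender: name claims {brand}, address is {sender.addr_spec}")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        shown, actual = host_of(text), host_of(href)
        if shown and shown != actual:  # visible text names one host, href another
            findings.append(f"link: text shows {shown}, href goes to {actual or href}")
    return findings
```
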


Phishing vs Junk — Which Should You Pick?

  • Phishing — the message is trying to trick you or steal something: fake login pages, impersonation, malware links, invoice fraud, MFA fatigue.
  • Junk — the message is unwanted but not malicious: marketing spam, bulk newsletters you didn’t sign up for, repeated promotional emails.

Picking the right label matters because Microsoft routes phishing reports to a different team and weights them more heavily in filter training.


Admins: Configure the Built-in Report Button

Admins control what the Report button does through Microsoft Defender for Office 365.

  1. Sign in to the Microsoft Defender portal.
  2. Go to Email & collaboration > Policies & rules > Threat policies.
  3. Under Others, open User reported settings.
  4. Configure:
    • Monitor reported messages in Outlook — turn on to enable the built-in Report button across new Outlook, OWA, and mobile.
    • Send reported messages to — choose Microsoft and my reporting mailbox, Microsoft only, or My reporting mailbox only.
    • Reporting mailbox — enter the shared mailbox your security team monitors (e.g., phish@yourcompany.com).
    • User reporting experience — customize the before-report confirmation dialog and the after-report notification.
  5. Save.

For classic Outlook users, deploy the Report Message or Report Phishing add-in centrally from Microsoft 365 admin center > Settings > Integrated apps > Get apps.


Quick Reference

Version | Report button built in? | Add-in needed? | Manual forward works?
New Outlook for Windows | Yes | No | Yes
Outlook on the Web | Yes | No | Yes
Classic Outlook for Windows | No | Yes (Report Message or Report Phishing) | Yes
New Outlook for Mac | Yes | No | Yes
Classic Outlook for Mac | No | Yes (Report Message) | Yes
Outlook Mobile (iOS/Android) | Yes | No | Yes (forward as attachment)
Outlook.com (personal) | Yes (Junk > Phishing) | No | Yes

Which Method Should You Use?

  • On a managed work device with new Outlook, OWA, or mobile? Use the built-in Report button. It’s one click, your security team sees it, and Microsoft’s filters learn.
  • Stuck on classic Outlook for Windows or Mac? Install the Report Message add-in. Admins can deploy it centrally so every user has it.
  • Third-party client, IMAP, or Report button missing? Forward as attachment to phish@office365.microsoft.com and reportphishing@apwg.org, then delete.
  • Just unwanted marketing? Use Report Junk — not Phishing. Mis-labeling dilutes the phishing signal.
  • Targeted attack against your company (spear phishing, BEC, wire fraud)? Report through Outlook and email or call your security team directly so they can act immediately.
