Updated November 27, 2023: We have updated the content below for clarity. Thank you for your feedback.
Microsoft will stop honoring the mail flow rule which helps you track end user reporting. To improve the availability and reduce the latency of the submission service so that you can respond to threats (false negatives) more quickly and efficiently, we moved the submission service ahead of the exchange transport rule agent. Now the mail flow rules (or exchange transport rules) which you have for the following addresses – phish@office365.microsoft.com, junk@office365.microsoft.com, not_junk@office365.microsoft.com won’t be honored as the agent won’t be receiving signals for these addresses.
Moreover, the message tracking logs will show that reports going to phish@office365.microsoft.com, junk@office365.microsoft.com and not_junk@office365.microsoft.com as deleted or failed.
For example: [{LED=550 4.3.2 QUEUE.TransportAgent; message deleted by transport agent};{MSG=};{FQDN=};{IP=};{LRT=}]. Please ignore it as it is by design while we look for a better way to address it.
[When this will happen:]
We’ll be gradually rolling this out to customers starting late December 2023 and the roll out will be completed by late January 2024.
[How this will affect your organization:]
You will no longer be able to track end user report using mail flow rules for the following addresses – phish@office365.microsoft.com, junk@office365.microsoft.com, not_junk@office365.microsoft.com once the change is implemented.
[What you need to do to prepare:]
If you are routing report messages to a mailbox, we recommend going to user reported settings and under “reported message destinations”, setting the “send reported messages” to “My reporting mailbox only” and then providing the mailbox address you are routing to. Distribution groups and routing to an external or on-premises mailbox aren’t allowed.
If you are routing report messages to a mailbox for a particular report type, take the above step and create rules in the mailbox using the outlook client. You can specify which report “phish” or “junk” or “not junk”, you want to be ignored and filtered from your view. The report type is specified in the subject of the notification email sent to the mailbox (1| for Junk, 2| for Not junk, 3| for Phishing).
If you are concerned that your phish simulations will get analyzed by Microsoft, please add the third party phish simulation tool as phish simulation under advanced delivery. With this change, the phish simulation will get delivered unfiltered and on user report, it won’t be analyzed by Microsoft. It will even show up as a phish simulation in the user report tab of submissions.
If you are using exchange transport rule to forward phish simulation from user report to third party tool, we recommend going to user reported settings and under “reported message destinations”, setting the “send reported messages” to “Microsoft and My reporting mailbox only” or “My reporting mailbox only”. Then provide a mailbox address you want the user report to route to (not the third party mailbox). Distribution groups and routing to an external or on-premises mailbox aren’t allowed for this address. Now you configure an exchange transport rule which forward phish simulation coming to this mailbox address to the third-party tool.
If you are routing report messages to Microsoft via a custom add-in or another mechanism, we recommend either using the report button in Outlook for web or the report message add-in or the report phish add-in as described here.
