1) From your admin portal login to the Submissions page, by accessing to https://security.microsoft.com/reportsubmission
2) On the Submissions page, verify that the Emails tab is selected.
3) On the Emails tab, click + Submit to Microsoft for analysis icon. Submit to Microsoft for analysis.
4) In the Submit to Microsoft for analysis flyout that appears, enter the following information:
Select the submission type: Verify the value Email is selected.
Add the network message ID or upload the email file: Select one of the following options:
Add the email network message ID: This is a GUID value that's available in the X-MS-Exchange-Organization-Network-Message-Id header in the message or in the X-MS-Office365-Filtering-Correlation-Id header in quarantined messages.
Upload the email file (.msg or .eml): Click Browse files. In the dialog that opens, find and select the .eml or .msg file, and then click Open.
Choose a recipient who had an issue: Specify the recipient(s) that you would like to run a policy check against. The policy check will determine if the email was blocked due to user or organization policies or overrides.
Select a reason for submitting to Microsoft: Select Should not have been blocked (False positive), and then configure the following settings:
Allow emails with similar attributes (URL, sender, etc.): Turn on this setting .
Remove allow entry after: The default value is 30 days, but you can select from the following values:
- 1 day
- 7 days
- 30 days
- Specific date: The maximum value is 30 days from today.
For spoofed senders, this value is meaningless, because entries for spoofed senders never expire.
Allow entry note: EEnter optional information about why you're allowing and submitting this email message.
For spoofed senders, any value you enter here is not shown in the allow entry on the Spoofed senders tab on the Tenant Allow/Block List.
5) When you're finished, click Submit, and then click Done.