Reporting a phishing email in Outlook takes fewer than five seconds, but most employees either skip it or do not know the option exists. Knowing how to report phishing in Outlook helps protect your inbox: select the suspicious email, click the Report button in the toolbar, and choose Report Phishing from the dropdown. Outlook removes the message from your inbox and sends a copy directly to Microsoft for analysis. That single action protects your account, improves your organization's email filters, and helps stop the same attack from reaching your colleagues.
Why Phishing Reports Actually Matter
Phishing is not declining — it is getting faster and more convincing. According to the FBI’s latest Internet Crime Report, phishing remains the top reported crime by victim count. While 2021 saw 323,972 complaints, 2025 estimates indicate that number has surpassed 900,000 annually. Financial losses associated with business email compromise (BEC) and sophisticated phishing now exceed $2.9 billion annually, driven by AI-powered campaigns that generate targeted, grammatically perfect lures.
The Anti-Phishing Working Group (APWG) reported a record-breaking volume of attacks in 2025, continuing a trend where annual totals consistently exceed 4 million unique phishing sites discovered, with SaaS and webmail platforms remaining the primary targets.
Every report you submit in Outlook feeds Microsoft's threat intelligence system. The more employees report, the faster Microsoft identifies new attack patterns and updates filters across all Microsoft 365 tenants. Your report does not just protect you — it protects every inbox connected to that network.
What Regulators Require From Organizations
Organizations in regulated industries are not simply encouraged to have phishing reporting procedures — they are required to. The National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0, published in 2024, explicitly includes phishing detection and user-reported incident mechanisms under its "Detect" and "Respond" functions. CISA’s phishing guidance recommends that organizations establish automated or manual response workflows that acknowledge and triage user reports within hours to mitigate the spread of a campaign.
Under HIPAA, covered entities must have documented incident response procedures that include a mechanism for staff to report suspected phishing — and those procedures must be tested. The GDPR's Article 33 requires organizations to notify supervisory authorities of data breaches within 72 hours of becoming aware. A phishing email that goes unreported — and leads to a credential compromise — can trigger that 72-hour clock without anyone in the organization knowing it has started.
The consequence of non-compliance is not abstract. In 2023, a US healthcare network paid $4.75 million in HIPAA settlements following a phishing attack that compromised over 300,000 patient records — with investigators citing inadequate incident reporting procedures as a contributing factor.
Understanding the risk is a useful first step. But knowing a risk exists and knowing how to respond to it under real workplace pressure are two different things. Our Data Privacy and Cybersecurity Compliance course gives professionals the practical framework to identify, report, and escalate phishing attempts correctly — in the situations they actually face, not just the scenarios described in a policy document.
How to Report Phishing in Outlook — Platform-by-Platform

Microsoft's built-in Report button is the fastest and most reliable way to flag a suspicious message. It is available across virtually every current version of Outlook. Here is exactly how to use it on each platform.
Outlook on the Web (OWA)
- Open your browser and sign into Outlook.
- Select the suspicious email from your inbox.
- In the top toolbar, click the Report button (located near the Archive button).
- From the dropdown, select Report Phishing.
- The email is deleted from your inbox, and the report is sent to Microsoft automatically.
You can also report multiple emails at once by holding Ctrl (Windows) or Cmd (Mac) while selecting messages before clicking Report.
New Outlook for Windows (Microsoft 365)
- Select the suspicious email.
- Click Report in the Home tab toolbar.
- Choose Report Phishing from the dropdown menu.
- Outlook moves the message to your deleted items and submits it to Microsoft.
The built-in Report button is available in Outlook for Microsoft 365 on current channel version 16.0.17827.15010 or later. If you are on the semi-annual channel, you need build 16.0.18526.20024 or later.
Classic Outlook for Windows (Older Desktop App)
The built-in Report button may not be present in older desktop versions. If it is missing, install the Report Phishing add-in directly from Microsoft:
- Open Outlook and click "Get Add-ins" in the Home toolbar.
- Search for "Report Phishing" in the add-in search bar.
- Click Add to install it.
- Once installed, the Report Phishing button will appear in your home toolbar.
- Select the suspicious email and click Report Phishing.
Outlook for Mac (Version 16.89 or Later)
- Select the suspicious email.
- Click Report in the toolbar.
- Choose Report Phishing.
Outlook for Mac version 16.89 (24090815) and later includes full support for reporting from shared mailboxes — useful for teams managing shared inboxes.
Outlook for iOS and Android
- Open the suspicious email.
- Tap the three-dot menu (⋯) in the top-right corner.
- Select "Report Junk" or "Report Phishing" depending on the options shown.
- Confirm the report.
iOS support requires Outlook version 4.2511 or later. Android requires version 4.2446 or later.
If you handle phishing response in your organization, structured training is the most reliable way to reduce risk and build staff confidence. Our Data Privacy and Cybersecurity Compliance course walks staff through real situations and the correct responses — in a format built for busy professionals.
Red Flags: How to Spot a Phishing Email Before You Report It

This is the section to save and share with your team. Every item below is a pattern observed in real phishing campaigns — not an abstract warning.
The sender's display name looks right, but the email address does not. Attackers frequently use a legitimate-sounding display name — such as "Microsoft Security Team" — while the actual sending address is something like [email protected]. Always expand the sender field and read the full email address, not just the name shown.
The email creates pressure to act immediately. Phrases like "your account will be suspended in 24 hours," "immediate action required," or "verify now to avoid losing access" are engineered to override your judgment. Legitimate services — banks, Microsoft, your HR system — do not ask you to click a link under time pressure.
The link URL does not match the destination it claims. Hover over any link before clicking. If the displayed text says microsoft.com but the URL in the status bar shows login-microsoft.verify-portal.com, that is a phishing link. Pay close attention to subdomain structures — attackers hide the real domain at the end of a long string.
The email asks for credentials, payment details, or personal information. No legitimate internal IT department, bank, or software vendor will ask you to enter your password by clicking a link in an email. If an email asks for credentials, it is either phishing or a training simulation.
Unexpected attachments arrive from known contacts. A Word document, Excel file, or ZIP attachment arriving unexpectedly — even from a colleague — can indicate a compromised account. If you were not expecting an attachment, contact the sender through a separate channel (call or message them directly) before opening it.
The email references an action you did not take. "You recently requested a password reset" or "Your order has shipped" — when you made no such request — is a classic lure. The attacker is banking on you clicking through to "cancel" the action.
Generic greetings replace your name. "Dear Customer," "Dear User," or "Dear Account Holder" in an email that should know who you are is a signal. Sophisticated campaigns now personalize lures using data from previous breaches, so the absence of your name is not the only indicator — but it remains a consistent flag.
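Two of the red flags above, a display name that does not match the sending domain and link text that does not match the link's destination, can be checked mechanically when triaging a reported message. The following Python is an added example, not part of the original article or of any Microsoft tooling; the brand allowlist, the sample message and the two-label domain shortcut are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

def base_domain(host):
    # Naive: keep the last two labels. Use the Public Suffix List in real tooling.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def red_flags(raw_message, brand_domains):
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender = base_domain(addr.rpartition("@")[2])
    flags = [f"display name claims {b}, sender domain is {sender}"
             for b, legit in brand_domains.items() if b in name.lower() and sender not in legit]
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = urlparse(href).hostname
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if host and shown and base_domain(shown.group(0)) != base_domain(host):
            flags.append(f"link text shows {shown.group(0)}, href goes to {base_domain(host)}")
    return flags

# Constructed sample message and an assumed brand allowlist; not real mail.
SAMPLE = """\
From: "Microsoft Security Team" <alerts@mail.verify-portal.example>
Content-Type: text/html

<a href="https://login-microsoft.verify-portal.com/signin">microsoft.com</a>
<a href="https://support.microsoft.com/help">www.microsoft.com</a>
"""
print(red_flags(SAMPLE, {"microsoft": {"microsoft.com"}}))
```

The second link in the sample is not flagged because its text and its destination share the same base domain; only the look-alike subdomain on an unrelated domain is reported.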
Why the Report Phishing Button May Not Be Showing
If the Report button is not visible in your Outlook, it is almost always one of the following configuration issues — not a fundamental limitation of your version.
User reporting is turned off in your organization's admin settings. Microsoft 365 administrators control whether the built-in Report button is enabled. If your organization has disabled user reporting — or has not configured it — the button will not appear even in a fully updated version of Outlook. Contact your IT team to confirm the setting in the Microsoft Defender portal under User Reported Settings.
Your Outlook version is below the minimum required build. The built-in Report button requires specific minimum builds across channels. If you are on an older Outlook desktop client that has not been updated, the button may be absent. Check your version under File → Office Account → Update Options.
A third-party add-in has been configured instead. Some organizations deploy third-party phishing report buttons — such as KnowBe4's Phish Alert Button — in place of Microsoft's built-in option. If your toolbar shows a different reporting button, use that one. It routes reports to your organization's security team rather than directly to Microsoft.
You are using a shared or delegated mailbox without Send As permission. The built-in Report button in shared mailbox contexts requires Send As permissions. Without that permission, clicking Report will remove the email from the folder but will not submit a report to Microsoft.
What Happens After You Report a Phishing Email?
When you click Report Phishing in Outlook, the following sequence occurs automatically:
The email is deleted from your inbox immediately. Microsoft receives a copy of the message for analysis. Depending on how your organization's administrator has configured User Reported Settings in the Microsoft Defender portal, the report may also go to a dedicated security mailbox within your organization — allowing your IT or security team to investigate.
Microsoft's security team reviews submissions from across all tenants. If a new phishing campaign is identified, filters are updated to catch similar messages before they reach other inboxes. Over time, your reports — combined with those from millions of other users — contribute directly to the intelligence that protects Microsoft 365 globally.
If you believe you have already clicked a link or entered credentials in a phishing email, reporting alone is not enough. Take these additional steps immediately: change your password, notify your IT or security team, enable multi-factor authentication if not already active, and watch for any unauthorized activity in your accounts. Speed matters — credential theft can be exploited within minutes of a successful phishing attempt.