Overview
When users report emails through the Microsoft Reporting Button, those reports should appear in the Right-Hand Cybersecurity portal.
Reported emails may include:
Simulated phishing emails sent through Right-Hand Cybersecurity
Genuine suspicious emails reported by users
User-reported activity used for campaign tracking and reporting
If reported emails do not appear in the portal, reporting data may look incomplete. This can affect campaign results, user activity tracking, and security team review workflows.
This article explains what to check when emails reported through the Microsoft Reporting Button are missing, delayed, or not processed as expected, and how to resolve the most common cause using Microsoft's supported configuration methods.
When should you use this article?
Use this article if you notice any of the following:
Reported simulated phishing emails are not marked correctly in the campaign
User reporting activity is missing or incomplete
Genuine reported emails do not appear in the portal
Reporting views do not reflect user activity
Automated responses are not sent after a simulated phishing email is reported
Why does this happen?
Emails reported through the Microsoft Reporting Button may not appear in the portal if the reported email format is changed or wrapped before it reaches Right-Hand Cybersecurity.
The most common cause is Transport Neutral Encapsulation Format (TNEF) being enabled for the phisharm.com remote domain in Exchange Online. TNEF is a Microsoft email formatting method. When it is enabled, reported messages may not be delivered in a format that Right-Hand Cybersecurity can process reliably.
The expected configuration for the phisharm.com remote domain is:
TNEFEnabled : False
The steps below confirm where reported emails are being sent, then check and correct the TNEF setting.
Before you begin, confirm the following:
| Requirement | Details |
| --- | --- |
| Microsoft 365 admin access | You have Microsoft Exchange Online admin access and permission to run Exchange Online PowerShell commands. |
| Exchange Online PowerShell | The Exchange Online PowerShell module is installed and available on your device. |
| Defender/security settings | You have access to the Microsoft Defender portal or Microsoft 365 security settings. |
| Right-Hand portal access | You have access to the Right-Hand Cybersecurity portal. |
| Reporting Button configured | The Microsoft Reporting Button is configured for your organization. |
Step-by-Step Instructions
Step 1 - Confirm the Reporting Destination in Microsoft Defender
Before changing any Exchange settings, confirm that emails reported through the Microsoft Reporting Button are being sent to the correct destination.
Open the Microsoft Defender portal
Go to <https://security.microsoft.com> and sign in with an account that has access to security settings.
Navigate to User reported settings
**Settings** › **Email & collaboration** › **User reported settings**
Confirm the reporting configuration
Confirm that **Monitor reported messages in Outlook** is enabled, that the reported item destination is configured correctly, and that the reporting mailbox or forwarding destination used for Right-Hand Cybersecurity is active.
Step 2 - Check Whether TNEF Is Enabled for phisharm.com
Run the following command in Exchange Online PowerShell:
```powershell
Get-RemoteDomain | Where-Object { $_.DomainName -like "*phisharm.com*" }
```
Review the output. If a remote domain entry exists for phisharm.com, note the value of TNEFEnabled. The expected value is False. If the value is True or the entry is not configured, continue to Step 3.
Step 3 - Disable TNEF for phisharm.com
Connect to Exchange Online
Open PowerShell and run the following, replacing `[email protected]` with your Exchange Online admin account:
```powershell
Connect-ExchangeOnline -UserPrincipalName [email protected]
```
Check whether a remote domain entry already exists
```powershell
Get-RemoteDomain | Where-Object { $_.DomainName -like "*phisharm.com*" }
```
If an entry already exists, note its identity name and use it in the disable step below. If no entry exists, create one in the next step.
Create a remote domain entry (only if one does not already exist)
```powershell
New-RemoteDomain -Name "PhishArm" -DomainName "phisharm.com"
```
Disable TNEF for the remote domain
```powershell
Set-RemoteDomain -Identity "PhishArm" -TNEFEnabled $false
```
If your existing remote domain entry uses a different identity name, replace `PhishArm` with that identity.
Verify the change
```powershell
Get-RemoteDomain -Identity "PhishArm" | Format-List Name,DomainName,TNEFEnabled
```
The expected result is `TNEFEnabled : False`.
Important: Allow time for Microsoft 365 and Exchange Online configuration changes to apply across your tenant before testing. Keep TNEF disabled for the phisharm.com remote domain going forward, and re-check this setting after any major Microsoft 365 or Exchange Online configuration change.
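The check, create, disable and verify steps above can be combined into one re-runnable script, which is also useful for the periodic re-check. This is an added example, not a script supplied by Right-Hand Cybersecurity; it assumes you are already connected with `Connect-ExchangeOnline`, and the parameter names `DomainName` and `NewEntryName` are illustrative.

```powershell
# Added example: audit and correct TNEF for the phisharm.com remote domain.
# Assumes an active session created with Connect-ExchangeOnline.
# Run with -WhatIf to see what would change without changing anything.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DomainName   = 'phisharm.com',
    [string]$NewEntryName = 'PhishArm'   # name the article uses when creating the entry
)

# Same filter as the article; it can return zero, one or several entries.
$filter  = { $_.DomainName -like "*$DomainName*" }
$entries = @(Get-RemoteDomain | Where-Object $filter)

# No entry yet: create one, as in the "Create a remote domain entry" step.
if ($entries.Count -eq 0) {
    if ($PSCmdlet.ShouldProcess($DomainName, 'Create remote domain entry')) {
        New-RemoteDomain -Name $NewEntryName -DomainName $DomainName | Out-Null
        $entries = @(Get-RemoteDomain -Identity $NewEntryName)
    }
}

foreach ($entry in $entries) {
    # TNEFEnabled can be $true, $false or empty (not configured).
    # Only an explicit $false matches the expected configuration.
    if ($entry.TNEFEnabled -ne $false) {
        if ($PSCmdlet.ShouldProcess($entry.Name, 'Set TNEFEnabled to $false')) {
            # Use the entry's own name, which may differ from "PhishArm".
            Set-RemoteDomain -Identity $entry.Name -TNEFEnabled $false
        }
    }
}

# Re-read the configuration instead of trusting the commands above.
$after = @(Get-RemoteDomain | Where-Object $filter)
$after | Format-List Name, DomainName, TNEFEnabled

$notFixed = @($after | Where-Object { $_.TNEFEnabled -ne $false })
if ($after.Count -eq 0 -or $notFixed.Count -gt 0) {
    Write-Warning "TNEF is not confirmed disabled for $DomainName."
    exit 1
}
Write-Output "TNEFEnabled is False for every $DomainName remote domain entry."
```

A non-zero exit code means at least one matching entry is missing or does not show `TNEFEnabled : False`, so the script can be scheduled as a drift check.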
Validation and Expected Outcome
After TNEF is disabled, reported emails should be processed in a compatible format. Confirm the fix before relying on reporting data.
Send a test simulated phishing email
Send a test simulation to a test user from the Right-Hand Cybersecurity platform.
Report the email using the Microsoft Reporting Button
Ask the test user to report the email using the Microsoft Reporting Button — not forward it manually.
Confirm the report appears in the portal
Open the Right-Hand Cybersecurity portal, go to the relevant campaign or reporting view, and confirm that the reported email appears correctly and that the user's reporting activity is reflected in the campaign results.
Expected result: Simulated phishing reports appear in campaign reporting, genuine reported emails appear in the portal, user reporting activity is tracked correctly, and reporting views reflect reported messages accurately.
Common issues and troubleshooting
Q1) TNEFEnabled still shows as True after running the command
Confirm the following, then run the verification command again:
You are connected with the correct Exchange Online admin account.
You used the correct remote domain identity.
The command completed without errors.
You are checking the same remote domain entry that matches phisharm.com.
```powershell
Get-RemoteDomain | Where-Object { $_.DomainName -like "*phisharm.com*" } | Format-List Name,DomainName,TNEFEnabled
```
Q2) Reported emails are still not appearing after confirming TNEFEnabled : False
If reported emails still do not appear, check the following:
Confirm the Microsoft Reporting Button is enabled.
Confirm reported messages are being sent to the correct destination (Step 1).
Confirm the reporting mailbox or connector is active.
Confirm that mail-flow rules are not blocking, modifying, or redirecting the reported message.
Confirm the test email was reported by the user and not only forwarded manually.
Confirm the campaign or reporting view in the portal matches the test message.
If the issue continues, contact Right-Hand Cybersecurity support with the following details:
Date and time of the reported email
Sender and recipient email address
Subject line of the reported email
Whether the email was a simulation or a genuine reported email
Screenshot of the Microsoft-reported message configuration
Output of the TNEF verification command
Best practices
Keep TNEF disabled for the phisharm.com remote domain.
Validate Microsoft Reporting Button behavior after major Microsoft 365 or Exchange Online configuration changes.
Test reporting with both simulated phishing emails and safe genuine test emails.
Review mail flow rules if reported emails are routed through a mailbox, connector, or external destination.
Use a dedicated reporting mailbox or approved reporting path for security submissions.
