Skip to main content

Why Are Microsoft-Reported Emails Not Appearing in the Right-Hand Cybersecurity Portal?

K
Written by Karthek S

Overview

When users report emails through the Microsoft Reporting Button, those reports should appear in the Right-Hand Cybersecurity portal.

Reported emails may include:

  • Simulated phishing emails sent through Right-Hand Cybersecurity

  • Genuine suspicious emails reported by users

  • User-reported activity used for campaign tracking and reporting

If reported emails do not appear in the portal, reporting data may look incomplete. This can affect campaign results, user activity tracking, and security team review workflows.

This article explains what to check when emails reported through the Microsoft Reporting Button are missing, delayed, or not processed as expected, and how to resolve the most common cause using Microsoft's supported configuration methods.


When should you use this article?

Use this article if you notice any of the following:

  • Reported simulated phishing emails are not marked correctly in the campaign

  • User reporting activity is missing or incomplete

  • Genuine reported emails do not appear in the portal

  • Reporting views do not reflect user activity

  • Automated responses are not sent after a simulated phishing email is reported


Why does this happen?

Emails reported through the Microsoft Reporting Button may not appear in the portal if the reported email format is changed or wrapped before it reaches Right-Hand Cybersecurity.

The most common cause is Transport Neutral Encapsulation Format (TNEF) being enabled for the phisharm.com remote domain in Exchange Online. TNEF is a Microsoft email formatting method. When it is enabled, reported messages may not be delivered in a format that Right-Hand Cybersecurity can process reliably.

The expected configuration for the phisharm.com remote domain is:

TNEFEnabled : False

The steps below confirm where reported emails are being sent, then check and correct the TNEF setting.

Before you begin, confirm the following:

Requirement

Details

Microsoft 365 admin access

You have Microsoft Exchange Online admin access and permission to run Exchange Online PowerShell commands.

Exchange Online PowerShell

The Exchange Online PowerShell module is installed and available on your device.

Defender/security settings

You have access to the Microsoft Defender portal or Microsoft 365 security settings.

Right-Hand portal access

You have access to the Right-Hand Cybersecurity portal.

Reporting Button configured

The Microsoft Reporting Button is configured for your organization.


Step-by-Step Instructions

Step 1 - Confirm the Reporting Destination in Microsoft Defender

Before changing any Exchange settings, confirm that emails reported through the Microsoft Reporting Button are being sent to the correct destination.

  • Open the Microsoft Defender portal

    Go to <https://security.microsoft.com> and sign in with an account that has access to security settings.
  • Navigate to User reported settings

    **Settings**›**Email & collaboration**›**User reported settings**
  • Confirm the reporting configuration

    Confirm that **Monitor reported messages in Outlook** is enabled, that the reported item destination is configured correctly, and that the reporting mailbox or forwarding destination used for Right-Hand Cybersecurity is active.

Step 2 - Check Whether TNEF Is Enabled for phisharm.com

Run the following command in Exchange Online PowerShell:

powershell

Get-RemoteDomain | Where-Object { $_.DomainName -like "*phisharm.com*" }

Review the output. If a remote domain entry exists for phisharm.com, note the value of TNEFEnabled. The expected value is False. If the value is True or the entry is not configured, continue to Step 3.

Step 3 - Disable TNEF for phisharm.com

  • Connect to Exchange Online

    Open PowerShell and run the following, replacing `[email protected]` with your Exchange Online admin account:

      Connect-ExchangeOnline -UserPrincipalName [email protected]
  • Check whether a remote domain entry already exists

      Get-RemoteDomain | Where-Object { $_.DomainName -like "*phisharm.com*" }

If an entry already exists, note its identity name and use it in the disable step below. If no entry exists, create one in the next step.

  • Create a remote domain entry (only if one does not already exist)

      New-RemoteDomain -Name "PhishArm" -DomainName "phisharm.com"
  • Disable TNEF for the remote domain

      Set-RemoteDomain -Identity "PhishArm" -TNEFEnabled $false

If your existing remote domain entry uses a different identity name, replace `PhishArm` with that identity.

  • Verify the change

      Get-RemoteDomain -Identity "PhishArm" | Format-List Name,DomainName,TNEFEnabled
  The expected result is `TNEFEnabled : False`.

Important: Allow time for Microsoft 365 and Exchange Online configuration changes to apply across your tenant before testing. Keep TNEF disabled for the phisharm.com remote domain going forward, and re-check this setting after any major Microsoft 365 or Exchange Online configuration change.


Validation and Expected Outcome

After TNEF is disabled, reported emails should be processed in a compatible format. Confirm the fix before relying on reporting data.

  • Send a test simulated phishing email

    Send a test simulation to a test user from the Right-Hand Cybersecurity platform.

  • Report the email using the Microsoft Reporting Button

    Ask the test user to report the email using the Microsoft Reporting Button — not forward it manually.

  • Confirm the report appears in the portal

    Open the Right-Hand Cybersecurity portal, go to the relevant campaign or reporting view, and confirm that the reported email appears correctly and that the user's reporting activity is reflected in the campaign results.

    Expected result: Simulated phishing reports appear in campaign reporting, genuine reported emails appear in the portal, user reporting activity is tracked correctly, and reporting views reflect reported messages accurately.


Common issues and troubleshooting

Q1) TNEFEnabled still shows as True after running the command

Confirm the following, then run the verification command again:

  • You are connected with the correct Exchange Online admin account.

  • You used the correct remote domain identity.

  • The command completed without errors.

  • You are checking the same remote domain entry that matches phisharm.com.

powershell

Get-RemoteDomain | Where-Object { $_.DomainName -like "*phisharm.com*" } | Format-List Name,DomainName,TNEFEnabled

Q2) Reported emails are still not appearing after confirming TNEFEnabled : False

If reported emails still do not appear, check the following:

  • Confirm the Microsoft Reporting Button is enabled.

  • Confirm reported messages are being sent to the correct destination (Step 1).

  • Confirm the reporting mailbox or connector is active.

  • Confirm that mail-flow rules are not blocking, modifying, or redirecting the reported message.

  • Confirm the test email was reported by the user and not only forwarded manually.

  • Confirm the campaign or reporting view in the portal matches the test message.

If the issue continues, contact Right-Hand Cybersecurity support with the following details:

  • Date and time of the reported email

  • Sender and recipient email address

  • Subject line of the reported email

  • Whether the email was a simulation or a genuine reported email

  • Screenshot of the Microsoft-reported message configuration

  • Output of the TNEF verification command


Best practices

  • Keep TNEF disabled for the phisharm.com remote domain.

  • Validate Microsoft Reporting Button behavior after major Microsoft 365 or Exchange Online configuration changes.

  • Test reporting with both simulated phishing emails and safe genuine test emails.

  • Review mail flow rules if reported emails are routed through a mailbox, connector, or external destination.

  • Use a dedicated reporting mailbox or approved reporting path for security submissions.


Did this answer your question?