
What is the latest in the MSRC Report Abuse Portal and API | MSRC Blog


The Microsoft Security Response Center (MSRC) is at the forefront of tackling cyber threats, privacy concerns, and misuse stemming from Microsoft Online Services. In line with that dedication, significant updates have been introduced to the Report Misuse Portal and API, aimed at improving how misuse reports are managed and answered.

Alerting Suspicious OAuth Application

In response to the recent surge in malicious applications, attacker behaviors, and customer input, we recognized the importance of allowing the reporting of malicious OAuth applications. A new functionality has been unveiled in the MSRC Reporting Portal and the accompanying API, facilitating the reporting of dubious OAuth applications registered in Entra ID. This advancement seeks to streamline the investigative process, leading to faster and more accurate responses to customer reports, and to improve the detection of malicious applications. Detailed instructions for reporting applications are provided later in this post.

Notifying Multiple IPs and URLs within a Single Event

A frequent grievance from the community has been the inability to report multiple associated IPs or URLs in a single abuse report, necessitating multiple submissions for the same event. This concern has been addressed by enhancing the Abuse Portal to permit the reporting of up to 10 IPs and URLs for the same abusive category in a single report. The API has also been adjusted to support this capability with no limit on the quantity, which is particularly beneficial in scenarios such as DDoS attacks. A step-by-step guide for this is available later in this post.

Summary of the various types of incidents that can be reported through the Portal and the API:

  • IP Address Threats

    • Forceful Entry
    • Service Denial
    • Unlawful
    • Malware
    • Junk Mail
  • URL-Associated Threats

    • Unlawful
    • Malware
    • AI Responsibility
    • Deceptive Website
  • Safety Threats

    • Weakness
  • OAuth Applications (new)

    • Fraudulent Publisher
    • Dubious Applications
    • Data Misuse
  • Community Gallery

    • Malicious Object
    • Malicious Text or Web Address
  • Other

    • CSEAI
    • Outlook Junk
    • Technical Assistance
    • Court Order
    • Unsafe Website or Web Address
    • Violation
    • Bing Robot
    • Confidentiality

Steps to Report Suspicious OAuth Applications

There are three categories of incident types available here:

  1. Fraudulent Publisher – where an OAuth App’s publisher or developer appears fraudulent or is impersonating a legitimate publisher.
  2. Suspicious App – an OAuth App that misrepresents its identity for fraudulent activities, including posing as a legitimate app to deceive users or being used abusively.
  3. Misuse of Data – a genuine OAuth App from a legitimate publisher abusing access to data in violation of service agreements.

Complete the associated form with the incident details:

  1. Application ID (or client ID, GUID identifying the app globally in Entra ID)
  2. Incident Date (when the suspicious app was encountered)
  3. Reason for reporting (from the aforementioned categories)
  4. Additional information aiding in understanding the issue better (be as descriptive as possible, specify where the app was encountered and reasons for suspicion)

Suspicious Apps Report page

Incorporating Multiple IPs and URLs into One Report

This feature is useful when reporting multiple entities linked to the same incident or type of incident. It should not be used for reporting various types of incidents in one report, as this can lead to an inaccurate report which may not be actionable.

Choose the incident type to report. This feature is available for the following incident types:

Multiple IP and URL reports

The remainder of the form remains unchanged; however, the option to add more IPs and URLs to the report based on the incident type will be visible. You can add up to 10 at once using the portal. For more than 10, the API should be utilized.

Example of Multiple IP and URL reports and the button to add more
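
An added example, not part of the original post and not Microsoft's code: a local pre-submission check that groups observed IPs and URLs so that each report covers a single incident type, and flags any group above the portal's 10-entry limit for API submission. The tuple layout, the `channel` hint and the function names are assumptions; the code does not call the MSRC API.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

PORTAL_LIMIT = 10  # from the post: up to 10 IPs/URLs per portal report
# Category names as listed in the post's summary of reportable incidents.
CATEGORIES = {
    "ip": {"Forceful Entry", "Service Denial", "Unlawful", "Malware", "Junk Mail"},
    "url": {"Unlawful", "Malware", "AI Responsibility", "Deceptive Website"},
}


def normalize(kind, value):
    """Return a canonical IP or http(s) URL string, or raise ValueError."""
    if kind == "ip":
        return str(ipaddress.ip_address(value.strip()))
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {value!r}")
    return parts.geturl()


def plan_reports(observations):
    """Group (kind, category, value) tuples into one report per incident type."""
    groups, rejected = defaultdict(list), []
    for kind, category, value in observations:
        try:
            if category not in CATEGORIES.get(kind, ()):
                raise ValueError(f"unknown {kind} category: {category!r}")
            entry = normalize(kind, value)
        except ValueError as exc:
            rejected.append((value, str(exc)))  # keep for analyst review
            continue
        if entry not in groups[(kind, category)]:  # drop duplicates
            groups[(kind, category)].append(entry)
    reports = [
        {"kind": k, "category": c, "entries": e,
         # 'channel' is a hypothetical routing hint, not an API field
         "channel": "portal" if len(e) <= PORTAL_LIMIT else "api"}
        for (k, c), e in groups.items()
    ]
    return reports, rejected


if __name__ == "__main__":
    # Constructed sample using documentation address ranges, not real indicators.
    sample = [("ip", "Service Denial", f"203.0.113.{i}") for i in range(1, 13)]
    sample += [("url", "Malware", "https://files.example/a.bin"), ("ip", "Malware", "bad")]
    print(plan_reports(sample))
```

Rejected entries are returned rather than silently dropped so that a malformed indicator is corrected before submission instead of producing an unactionable report.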


Report Misuse API Endpoint

The API can be accessed at https://api.msrc.microsoft.com/report/v3.0/swagger/v2/swagger.json

Looking Forward

The substantial investment by the MSRC engineering team in the Abuse Report Portal and API demonstrates our ongoing commitment to security and customer satisfaction. We are dedicated to continual enhancement and are already exploring further improvements to ensure the MSRC remains a leading responder to online threats.

We urge our community to utilize these new features and provide feedback, which is invaluable in our mission to protect Microsoft Online Services.

Queries or Comments?

For any inquiries or feedback, please reach out to us at [email protected] or share your opinions at https://aka.ms/msrc-report-abuse-feedback.

Neha Arora, Senior Product Manager, Microsoft Security Response Center
