by tatersolid 423 days ago
We had this happen to one of our apps which redirected to a third-party identity provider which used a different domain name. Basically the app looked like a phishing site to those who clicked on the email links and ended up on a login page on a domain they didn’t recognize. So these users reported the email as phishing in Outlook. Microsoft confirmed these user reports were the source of the blocking.

The fix was our own MSFT support case opened via our own E5 subscription which took two weeks to get the app unblocked. To prevent future reports we put a custom hostname on the IdP. So app.example.com now redirects to login.app.example.com.
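The failure mode in the comment above is a login redirect that hops to a hostname outside the organisation's own domain, which users read as phishing. The following script is an added example (not code from the thread or from any of the commenters) that simulates such a redirect chain offline and flags every hop whose registrable domain differs from the app's; it compares the third-party IdP layout against the custom-hostname layout the commenter moved to. The hostnames, the simulated responses and the last-two-labels domain heuristic are all constructed for the example (a production check would consult the Public Suffix List instead).

```python
"""Flag login redirects that leave the application's own domain.

Added example, not code from the Hacker News thread. It simulates the
situation described above: an app on app.example.com bounces users to an
identity provider, and reports any hop whose registrable domain differs
from the app's. The registrable-domain logic is a simplified last-two-labels
heuristic (an assumption; a real check would use the Public Suffix List).
"""
from urllib.parse import urljoin, urlsplit

# Constructed sample "responses": (status, Location header) per hop.
# These are not real captured traffic.
THIRD_PARTY_CHAIN = [
    (302, "https://idp.example-provider.net/authorize?client_id=app"),
    (302, "/login?session=abc"),  # relative redirect issued by the IdP
    (200, None),
]
CUSTOM_HOSTNAME_CHAIN = [
    (302, "https://login.app.example.com/authorize?client_id=app"),
    (302, "/login?session=abc"),
    (200, None),
]

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels. Adequate for example.com-style hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def resolve_chain(start_url: str, responses):
    """Follow simulated redirects, resolving relative Location headers
    against the URL that issued them, and return every URL visited."""
    urls = [start_url]
    current = start_url
    for status, location in responses:
        if status in REDIRECT_STATUSES and location:
            current = urljoin(current, location)
            urls.append(current)
        else:
            break  # first non-redirect response ends the chain
    return urls


def foreign_hops(start_url: str, responses):
    """Return the URLs in the chain whose registrable domain differs
    from that of the starting URL (the hops a user would not recognise)."""
    base = registrable_domain(urlsplit(start_url).hostname or "")
    return [
        url
        for url in resolve_chain(start_url, responses)[1:]
        if registrable_domain(urlsplit(url).hostname or "") != base
    ]


if __name__ == "__main__":
    start = "https://app.example.com/"
    for name, chain in (("third-party IdP", THIRD_PARTY_CHAIN),
                        ("custom hostname", CUSTOM_HOSTNAME_CHAIN)):
        bad = foreign_hops(start, chain)
        verdict = "leaves domain via " + ", ".join(bad) if bad else "stays on example.com"
        print(f"{name}: {verdict}")
```

Run against a real deployment, the `responses` list would be built from the status and `Location` header of each hop without following it automatically; the point of the check is that any hop landing outside the organisation's registrable domain is a candidate for the kind of user reports the commenter describes.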


We don't even have any sort of login on our main page, the redirects we have are mostly around apex domain to www.25friday.com, http to https and the like... This is a pure company landing page with the typical business description, career application page, articles etc.

We do have subdomains for internal tools of course, but those should not even be publicly accessible (behind an auth proxy).

Outlook also recently changed the default “report message” action in the UI to be “report phishing/malware” instead of “report spam”. This was a terrible design choice; phishing reports from my org’s own user base have increased 4x since the change, which is a lot of false positives.

So maybe folks mean to “report spam” on your emails but “report phishing” instead…

Could be the reason, but even so, we have really low volume campaigns and mostly to people we actually interact / have a history with. I would assume it would take more than a few accidental hits to trigger this issue.