Skip to main content
MSRC

What’s new in the MSRC Report Abuse Portal and API

The Microsoft Security Response Center (MSRC) has always been at the forefront of addressing cyber threats, privacy issues, and abuse arising from Microsoft Online Services. Building on our commitment, we have introduced several updates to the Report Abuse Portal and API, which will significantly improve the way we handle and respond to abuse reports.

Reporting Suspicious OAuth Application

Based on the recent rise in malicious apps, attacker trends, and customer feedback, we realized the need to provide the option to report malicious OAuth applications. We are excited to announce a new feature in the MSRC Reporting Portal and the supporting API that allows the reporting of suspicious OAuth applications registered in Entra ID. This enhancement is aimed at streamlining the investigation process and enabling a quicker and more precise response to customer reports, including improving our detections of malicious applications. The step-by-step guidance for reporting apps is provided later in this blog post.  

Reporting Multiple IPs and URLs in a Single Incident

A common concern from this community has been the inability to report multiple related IPs or URLs in a single abuse report, often resulting in the need to submit multiple reports for the same incident. We have addressed this issue by updating the Abuse Portal to allow reporting of up to 10 IPs and URLs for the same abuse type in one report. The API has also been updated to support this feature without any restrictions on the number, which is particularly beneficial in cases like DDoS attacks. The step-by-step guidance for this is provided later in this blog post.

Summary of incident types that can be reported via the Portal and the API

  1. IP Address Threats

    a. Brute Force

    b. Denial of Service

    c. Illegal

    d. Malware

    e. Spam

  2. URL-related threats

    a. Illegal

    b. Malware

    c. Responsible AI

    d. Phishing Website

  3. Security Threats

    a. Vulnerability

  4. OAuth Applications (new)

    a. Fraudulent Publisher

    b. Suspicious Apps

    c. Misuse of Data

  5. Community Gallery

    a. Malicious Artifact

    b. Malicious Text or URL

  6. Other

    a. CSEAI

    b. Outlook Spam

    c. Tech Support

    d. Subpoena

    e. Unsafe site or URL

    f. Infringement

    g. Bing Bot

    h. Privacy

List of reports on the CERT Abuse Portal

How to report Suspicious OAuth Applications

There are three categories of incident types available here:

  1. Fraudulent Publisher - an OAuth App’s publisher or developer appears to be fraudulent or seems to be impersonating an authentic publisher.
  2. Suspicious App - an OAuth App is misrepresenting its identity for fraudulent purposes, including impersonating a legitimate app to mislead users or being used in another abusive way.
  3. Misuse of Data - a legitimate OAuth App from a legitimate publisher is mishandling or abusing access to data in a way that violates the terms of a service agreement.

Fill in the associated form to provide the incident details:

  1. Application ID (or client ID, GUID that globally identifies the application in Entra ID)
  2. Incident Date (when you encountered the suspicious app)
  3. Reason for reporting (above three categories)
  4. Additional details that can help us understand the issue better (be as descriptive as possible, such as where you encountered the suspicious app and why you think it’s suspicious)

Suspicious Apps Report page

How to add multiple IPs and URLs to a single report

This option can be leveraged when you would like to report multiple entities associated with the same incident or incident type. This cannot be used to report multiple incident types in the same report. Doing so will result in an incorrect report which can be non-actionable.  

Select the incident type you would like to report. This option is available for the following incident types:

Multiple IP and URL reports

While the rest of the form remains the same, you will notice the option to add more IPs and URLs to the report depending on the incident type. You can add up to 10 at a time in a report using the portal. If you need to report more, please use the API.  

Example of Multiple IP and URL reports and the button to add more

A screenshot of a computer Description automatically generated

Report Abuse API Endpoint

The API can be reached at https://api.msrc.microsoft.com/report/v3.0/swagger/v2/swagger.json

Looking ahead

The MSRC engineering team’s significant investments in the Abuse Report Portal and API reflect our ongoing dedication to security and customer satisfaction. We are committed to continuous improvement and are already exploring further enhancements to ensure that MSRC remains a leader in responding to online threats.

We encourage our community to use these new features and provide feedback, which is invaluable in our quest to safeguard Microsoft Online Services.

Questions or feedback?

Share your thoughts at https://aka.ms/msrc-report-abuse-feedback.

Neha Arora, Senior Product Manager, Microsoft Security Response Center


Related Posts

How satisfied are you with the MSRC Blog?

Rating

Feedback * (required)

Your detailed feedback helps us improve your experience. Please enter between 10 and 2,000 characters.

Thank you for your feedback!

We'll review your input and work on improving the site.