Review and unblock forms or users detected and blocked for potential phishing

Review and unblock forms or users detected and blocked for potential phishing

In Microsoft Forms, we enable automated machine reviews to proactively detect the malicious collection of sensitive data in forms and temporary block those forms from collecting responses. Learn more about Microsoft Forms and proactive phishing prevention.

If you're a global and/or security administrator, we send you daily notifications of any form created within your tenant that has been detected and blocked for potential phishing. Here's how to review each form and unblock it if you believe it serves no malicious intent.

Review and unblock forms

  1. Log in to the Microsoft 365 admin center at admin.microsoft.com.

  2. Go to the Message center and look for a notification with Prevent/Fix: Microsoft Forms Detected Potential Phishing in the title.

    Message in Microsoft 365 admin center about Microsoft Forms phishing detection

    This notification contains a daily summary of any and all blocked forms created in your tenant.

    Note: If you don't see this notification in the All active messages tab/view, you may find it in the Dismissed messages tab/view.

  3. Click on the Forms admin review URL link in the notification to review blocked forms.

    Pointing to Forms admin review URL hyperlink in Microsoft 365 admin center post about Microsoft Forms and phishing detection
  4. For each form you determine serves no malicious intent, click the Unblock button in the upper right corner of the page.

    Notes: 

    • If you believe a form has malicious intent, no further action from you is required. The form will stay blocked until the form owner removes the content flagged for the malicious collection of sensitive data.

    • If you prefer to edit and/or delete the blocked content, you can generate a co-authoring page and manage the form as a co-author. To do this, click on the open a co-authoring page link located in the messaging above the form you're reviewing.

    • Upon review, you may see a block for a form has already been lifted. This means that in between the time a form was blocked and the time you reviewed it, the creator of the form removed keywords that were flagged for potential phishing. In this scenario, no further action from you is required.

Tips: 

  • We strongly suggest immediate password reset for an account in your tenant that you believe has been compromised.

  • If someone in your tenant requests for you to unblock their form, we suggest you ask for specific form information (e.g. date and time of block, title) in order to more efficiently identify the notification in the admin center. Since notifications are sent on a daily basis and include all detected forms in the last 24 hours, identifiable information for the form will be helpful.

Remove Restrictions for a blocked Microsoft Forms User

Note: We are gradually rolling out this feature in December 2019.

Microsoft Forms blocks users who have repeatedly attempted to collect personal or sensitive information from distributing forms and collecting responses. Global and security admins, notified of these blocked users via the Office 365 Security & Compliance Message center, can also view detailed information about restricted users on the Restricted User Portal (formerly known as the Action Center). If you believe a blocked user serves no malicious intent and their account is secure, you can take the following steps to unblock them.

  1. Sign in to the Office 365 Security & Compliance Center.

    Note: You must be in the Organization Management or a Security Administrator in order to access the Office 365 Security & Compliance Center. For more details about SCC role groups, see Permissions in the Security & Compliance Center.

  2. In the list on the left, expand Threat Management, and then select Review.

  3. Click Restricted Users.

  4. Find the user you wish to remove restrictions from and select Unblock.

    Note: You will see a fly-out message with details about the restricted account(s). Go through the recommendations to ensure there is no actual malicious intent behind user actions.

  5. Click Next.

  6. Click Unblock user.

  7. Click Yes to confirm the change.

Note: It may take 30 minutes or more before restrictions are removed.

See Also

Microsoft Forms and proactive phishing prevention

Admin center overview

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×