Manage appointments, plans, budgets — it’s easy with Microsoft 365.​

Review and unblock forms or users detected and blocked for potential phishing

Review and unblock forms or users detected and blocked for potential phishing

Microsoft Forms enables automated machine reviews to proactively detect the malicious collection of sensitive data in forms and temporary block those forms from collecting responses. Learn more about Microsoft Forms and proactive phishing prevention.

If you're a global and/or security administrator, you'll receive daily notifications of any form created within your tenant that has been detected and blocked for potential phishing. You'll see these notifications in the Message center. You'll also receive alerts about potential phishing forms in the Office 365 Security and Compliance Center.

Review alerts in the Message center and take action

  1. Sign in to the Microsoft 365 admin center at admin.microsoft.com.

  2. Go to the Message center and look for the notification, Prevent/Fix: Microsoft Forms Detected Potential Phishing.

    Message in Microsoft 365 admin center about Microsoft Forms phishing detection

    Note: If you don't see this notification in the All active messages tab/view, you may find it in the Dismissed messages tab/view.

    This notification contains a daily summary of any and all blocked forms created in your tenant.

  3. Click on the Forms admin review URL link in the notification to review blocked forms.

    Pointing to Forms admin review URL hyperlink in Microsoft 365 admin center post about Microsoft Forms and phishing detection
  4. For each form you review, go to the upper right corner of the page and select whether to unblock it or confirm its phishing attempt.

    Note: If the form has already been blocked for confirmed phishing, select Delete form to remove it from your tenant.

    • Unblock - Select this option if you don't believe a form has malicious intent.

      Note: If someone in your tenant requests you to unblock their form, we suggest you ask for specific form information (e.g. date and time of block, title) in order to more efficiently identify the notification in the admin center. Since notifications are sent on a daily basis and include all detected forms in the last 24 hours, identifiable information for the form will be helpful.

    • Confirm phishing - Select this option if you believe a form has malicious intent. The form will be blocked permanently and its owner will no longer be able to edit or delete it.

      Note: We're gradually rolling out the Confirm phishing option, which will be available soon. Your selection of Confirm phishing helps Microsoft Forms improve its detection accuracy. 

      Once you've selected Confirm phishing, click or tap Delete form to permanently delete the form from your tenant. We strongly suggest immediate password reset for an account in your tenant that you believe has been compromised.

    If you believe a form has malicious intent, no further action from you is required. The form will stay blocked until its owner removes the content flagged for the malicious collection of sensitive data.

    Notes: 

    • Upon review, you may see a block for a form has already been lifted. This means that in between the time a form was blocked and the time you reviewed it, the form owner removed keywords that were flagged for potential phishing. In this scenario, no further action from you is required.

    • If you choose to not take action (either unblock a form or confirm its phishing intent), the form will stay blocked. The form owner can still edit the form and remove keywords that were flagged for potential phishing.

    • If you prefer to edit and/or delete the blocked content, you can generate a co-authoring page and manage the form as a co-author. To do this, click on the open a co-authoring page link located in the messaging above the form you're reviewing.

Review alerts in the Office 365 Security and Compliance Center and take action

  1. Sign in to the Office 365 Security and Compliance Center.

  2. Select Alerts > View alerts.

  3. You may see one or all of the following alerts for Forms:

    • User restricted from sharing forms and collecting responses

    • Form flagged and confirmed as phishing

    • Form blocked due to potential phishing attempt

Select each alert to review details and actionable steps. Learn more about alert policies in the Security and Compliance Center.

Remove restrictions for blocked Microsoft Forms users

Microsoft Forms blocks users who have repeatedly attempted to collect personal or sensitive information from distributing forms and collecting responses. Global and security admins will be notified of these blocked users via Message center. If you believe a blocked user serves no malicious intent and their account is secure, you can take the following steps to unblock them.

  1. Sign in to the Microsoft 365 admin center at admin.microsoft.com.

  2. Go to the Message center and look for the notification, Prevent/Fix: Microsoft Forms Detected Potential Phishing.

    Note: If you don't see this notification in the All active messages tab/view, you may find it in the Dismissed messages tab/view.

    This notification contains a list of users in your tenant that are blocked from sharing forms and collecting responses.

  3. Click on the link provided in the notification to review blocked users.

  4. For each user you believe has no malicious intent, you can choose to click the Unblock link in the Actions column that is associated with that user.

    Note: If you believe a user has malicious intent, no further action from you is required.

Note: It may take 30 minutes or more before restrictions are removed.

See Also

Administrator settings for Microsoft Forms 

Microsoft Forms and proactive phishing prevention

Admin center overview

Need more help?

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×