Update date and improve Mailflow status report details

chrisda · web-flow · commit c6b16ec44854 · 2025-04-02T17:36:17.000-07:00
diff --git a/defender-office-365/reports-email-security.md b/defender-office-365/reports-email-security.md
@@ -19,7 +19,7 @@ description: "Admins can learn how to find and use the email security reports th
 ms.custom: 
 - seo-marvel-apr2020
 ms.service: defender-office-365
-ms.date: 02/24/2025
+ms.date: 04/02/2025
 appliesto:
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a>
   - ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -112,11 +112,16 @@ On the **Compromised users** page, the :::image type="icon" source="media/m365-c
 The **Mailflow status report** is a smart report that shows information about incoming and outgoing email, spam detections, malware, email identified as "good", and information about email allowed or blocked on the edge. This is the only report that contains edge protection information. The report shows how much email is blocked before entering the service for examination by Exchange Online Protection (EOP) or Defender for Microsoft 365.
 
 > [!TIP]
-> If a message is sent to five recipients, we count it as five different messages, not one message.
+> - If a message is sent to five recipients, we count it as five different messages, not one message.
+>
+> - The Mailflow status report shows the **primary threat** responsible for blocking or quarantining messages. [Threat Explorer or Real-time detections](threat-explorer-real-time-detections-about.md) and [Advanced hunting in Defender for Office 365 Plan 2](/defender-xdr/advanced-hunting-overview) show **primary and secondary threats** responsible for blocking or quarantining messages. The increased message counts in these other reporting features aren't caused by a mismatch or counting the same item multiple times. The increased message counts are the result of showing all detected threats involved at the same time.
 >
-> The Mailflow status report shows the **primary threat** responsible for blocking or quarantining messages. [Threat Explorer or Real-time detections](threat-explorer-real-time-detections-about.md) and [Advanced hunting in Defender for Office 365 Plan 2](/defender-xdr/advanced-hunting-overview) show **primary and secondary threats** responsible for blocking or quarantining messages. The increased message counts in these other reporting features aren't caused by a mismatch or counting the same item multiple times. The increased message counts are the result of showing all detected threats involved at the same time.
+> - The aggregate message count in the Mailflow status report could also be more than the message count in the following locations due to [zero-hour autopurge (ZAP)](zero-hour-auto-purge.md) activity:
+>   - Threat Explorer or Real-time detections.
+>   - The details table of the Threat protection status report.
+>   - The output of the [Get-MailDetailATPReport](/powershell/module/exchange/get-maildetailatpreport) or [Get-MailTrafficATPReport](/powershell/module/exchange/get-mailtrafficatpreport) cmdlets in Exchange Online PowerShell.
 >
-> The aggregate message count in the Mailflow status report could also be more than the message count in Threat Explorer or Real-time detections(or the detail table/detail cmdlet of the Threat protection status report)  due to [zero-hour autopurge (ZAP)](zero-hour-auto-purge.md) activity. ZAP removes messages from mailboxes after delivery, so ZAP activity doesn't affect message counts in the Mailflow status report. ZAP activity does affect message counts in Threat Explorer or Real-time detections. In Defender for Office 365, use the [Post-delivery activities report](reports-defender-for-office-365.md#post-delivery-activities-report) to understand the lifecycle of ZAP on messages in the organization.
+>   ZAP removes messages from mailboxes after delivery, so ZAP activity doesn't affect message counts in the Mailflow status report. ZAP activity does affect message counts in Threat Explorer or Real-time detections. In Defender for Office 365, use the [Post-delivery activities report](reports-defender-for-office-365.md#post-delivery-activities-report) to understand the lifecycle of ZAP on messages in the organization.
 
 On the **Email & collaboration reports** page at <https://security.microsoft.com/emailandcollabreport>, find **Mailflow status summary**, and then select **View details**. Or, to go directly to the report, use <https://security.microsoft.com/reports/mailflowStatusReport>.
 
