Investigate malicious email that was delivered in Microsoft 365

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and the trial terms here.

Microsoft 365 organizations that have Microsoft Defender for Office 365 included in their subscription or purchased as an add-on have Explorer (also known as Threat Explorer) or Real-time detections. These features are powerful, near real-time tools to help Security Operations (SecOps) teams investigate and respond to threats. For more information, see About Threat Explorer and Real-time detections in Microsoft Defender for Office 365.

Threat Explorer and Real-time detections allow you to investigate activities that put people in your organization at risk, and to take action to protect your organization. For example:

  • Find and delete messages.
  • Identify the IP address of a malicious email sender.
  • Start an incident for further investigation.

This article explains how to use Threat Explorer and Real-time detections to find malicious email in recipient mailboxes.

Tip

To go directly to the remediation procedures, see Remediate malicious email delivered in Office 365.

For other email scenarios using Threat Explorer and Real-time detections, see the following articles:

What do you need to know before you begin?

Find suspicious email that was delivered

  1. Use one of the following steps to open Threat Explorer or Real-time detections:

  2. On the Explorer or Real-time detections page, select an appropriate view:

  3. Select the date/time range. The default is yesterday and today.

    Screenshot of the date filter used in Threat Explorer and Real-time detections in the Defender portal.

  4. Create one or more filter conditions using some or all of the following targeted properties and values. For complete instructions, see Property filters in Threat Explorer and Real-time detections. For example:

    • Delivery action: The action taken on an email due to existing policies or detections. Useful values are:

      • Delivered: Email delivered to the user's Inbox or other folder where the user can access the message.
      • Junked: Email delivered to the user's Junk Email folder or Deleted Items folder where the user can access the message.
      • Blocked: Email messages that were quarantined, that failed delivery, or were dropped.
    • Original delivery location: Where email went before any automatic or manual post-delivery actions by the system or admins (for example, ZAP or moved to quarantine). Useful values are:

      • Deleted items folder
      • Dropped: The message was lost somewhere in mail flow.
      • Failed: The message failed to reach the mailbox.
      • Inbox/folder
      • Junk folder
      • On-prem/external: The mailbox doesn't exist in the Microsoft 365 organization.
      • Quarantine
      • Unknown: For example, after delivery, an Inbox rule moved the message to a default folder (for example, Draft or Archive) instead of to the Inbox or Junk Email folder.
    • Last delivery location: Where email ended up after any automatic or manual post-delivery actions by the system or admins. The same values are available as for Original delivery location.

    • Directionality: Valid values are:

      • Inbound
      • Intra-org
      • Outbound

      This information can help identify spoofing and impersonation. For example, messages from internal domain senders should be Intra-org, not Inbound.

    • Additional action: Valid values are:

    • Primary override: If organization or user settings allowed or blocked messages that would have otherwise been blocked or allowed. Values are:

      • Allowed by organization policy
      • Allowed by user policy
      • Blocked by organization policy
      • Blocked by user policy
      • None

      These categories are further refined by the Primary override source property.

    • Primary override source: The type of organization policy or user setting that allowed or blocked messages that would have otherwise been blocked or allowed. Values are:

    • Override source: Same available values as Primary override source.

      Tip

      In the Email tab (view) in the details area of the All email, Malware, and Phish views, the corresponding override columns are named System overrides and System overrides source.

    • URL threat: Valid values are:

      • Malware
      • Phish
      • Spam
  5. When you're finished configuring date/time and property filters, select Refresh.

The Email tab (view) in the details area of the All email, Malware, or Phish views contains the details you need to investigate suspicious email.

For example, use the Delivery action, Original delivery location, and Last delivery location columns in the Email tab (view) to get a complete picture of where the affected messages went. The values are explained in Step 4.

Use Export to selectively export up to 200,000 filtered or unfiltered results to a CSV file.
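The Delivery action, Original/Last delivery location, and Directionality values described in Step 4 can be triaged offline once the filtered results are exported. The following script is an added example, not part of this article or of Defender for Office 365; it runs over a constructed sample export, and the column headers it assumes should be checked against a real export before use.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Threat Explorer CSV export; the column names are an
# assumption for this example and should be checked against a real export.
SAMPLE_EXPORT = """Subject,Sender address,Recipient address,Directionality,Delivery action,Original delivery location,Last delivery location
Invoice overdue,billing@contoso.com,alice@contoso.com,Inbound,Delivered,Inbox/folder,Quarantine
Invoice overdue,billing@contoso.com,bob@contoso.com,Inbound,Delivered,Inbox/folder,Inbox/folder
Team lunch,hr@contoso.com,carol@contoso.com,Intra-org,Delivered,Inbox/folder,Inbox/folder
Your package,ship@fabrikam.example,dave@contoso.com,Inbound,Junked,Junk folder,Junk folder
Reset password,it@contoso.com,erin@contoso.com,Inbound,Delivered,Inbox/folder,Deleted items folder
"""

INTERNAL_DOMAINS = {"contoso.com"}             # domains the tenant owns (assumed)
USER_REACHABLE = {"Delivered", "Junked"}       # user could open the message
REMOVED = {"Quarantine", "Dropped", "Failed"}  # no longer in a user folder

def parse_export(text):
    """Parse the CSV export into one dict per message."""
    return list(csv.DictReader(io.StringIO(text)))

def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()

def flag_internal_senders_inbound(rows):
    """Inbound mail claiming a sender in a domain we own: mail from our own
    domains should be Intra-org, so this is a spoofing/impersonation indicator."""
    return [r for r in rows
            if r["Directionality"] == "Inbound"
            and sender_domain(r["Sender address"]) in INTERNAL_DOMAINS]

def still_reachable(rows):
    """Messages the user could reach that no post-delivery action (ZAP, manual
    quarantine) has since removed; these are the remediation candidates."""
    return [r for r in rows
            if r["Delivery action"] in USER_REACHABLE
            and r["Last delivery location"] not in REMOVED]

def location_transitions(rows):
    """Count Original -> Last delivery location pairs; Inbox/folder -> Quarantine
    is the signature of ZAP acting after delivery."""
    return Counter((r["Original delivery location"], r["Last delivery location"])
                   for r in rows)

if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(len(flag_internal_senders_inbound(rows)), "possible spoofs")
    print(len(still_reachable(rows)), "messages still reachable by users")
```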

Remediate malicious email that was delivered

After you identify the malicious email messages that were delivered, you can remove them from recipient mailboxes. For instructions, see Remediate malicious email delivered in Microsoft 365.
