Find and investigate malicious email that was delivered (Office 365 Threat Intelligence)
Office 365 Threat Intelligence enables you to investigate activities that put your users at risk and take action to protect your organization. For example, if you are part of your organization's security team, you can find and investigate suspicious email messages that were delivered to your users. You can do this by using Threat Explorer.
Office 365 Threat Intelligence is available in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Office 365 Threat Intelligence can be purchased as an add-on. (As a global administrator, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information, see Office 365 Platform Service Description: Office 365 Security & Compliance Center and Buy or edit an add-on for Office 365 for business.
Before you begin...
Make sure that the following requirements are met:
Your organization has Office 365 Threat Intelligence, and licenses have been assigned to the users you want to protect (see Assign licenses to users in Office 365 for business).
Office 365 audit logging is turned on for your organization.
Your organization has policies defined for anti-spam, anti-malware, anti-phishing, and so on. See Threat management in the Office 365 Security & Compliance Center.
You are an Office 365 global administrator, or you have either the Security Administrator or the Search and Purge role assigned in the Security & Compliance Center. See Permissions in the Office 365 Security & Compliance Center.
Dealing with suspicious emails
Malicious attackers may be sending mail to your users to try to phish their credentials and gain access to your corporate secrets! To prevent this, you should use the threat protection services offered by Office 365, including Exchange Online Protection and Advanced Threat Protection. However, there are times when an attacker sends mail to your users containing a URL and only later points that URL at malicious content (malware, etc.), so the message passes filtering at delivery time. Alternatively, you may realize too late that a user in your organization has been compromised, and that while the account was compromised an attacker used it to send email to other users in your company. As part of cleaning up both of these scenarios, you may want to remove the email messages from user inboxes. In situations like these, you can use Threat Explorer to find and remove those email messages!
Find and delete suspicious email that was delivered
Threat Explorer (also referred to as Explorer) is a powerful report that can serve multiple purposes, such as finding and deleting messages, identifying the IP address of a malicious email sender, or starting an incident for further investigation. The following procedure focuses on using Explorer to find and delete malicious email from recipients' mailboxes.
Go to https://security.microsoft.com and sign in using your work or school account for Office 365. This takes you to the Security & Compliance Center.
In the left navigation, choose Threat management > Explorer.
In the View menu, choose All email.
Notice the labels that appear in the report, such as Delivered, Unknown, or Delivered to junk.
(Depending on the actions that were taken on email messages for your organization, you might see additional labels, such as Blocked or Replaced.)
In the report, choose Delivered to view only emails that ended up in users' inboxes.
Below the chart, review the Email list.
In the list, choose an item to view more details about that email message. For example, you can click the subject line to view information about the sender, recipients, attachments, and other similar email messages.
After viewing information about email messages, select one or more items in the list to activate + Actions.
Use the + Actions list to apply an action, such as Move to deleted items. This will delete the selected messages from the recipients' mailboxes.
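The same cleanup can be scripted when the malicious message has already been identified in Explorer and you need a repeatable, auditable removal across every mailbox. The following PowerShell is an added example, not code from the Microsoft page or from the Threat Explorer product: it uses Security & Compliance PowerShell (compliance search plus a purge action) as the scripted counterpart of the Move to deleted items action above. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Search and Purge role listed under Before you begin, and that the sender address and subject are constructed placeholders to be replaced with the values read from the Explorer details pane.

```powershell
# Added example (not from the Microsoft page): remove an already-delivered
# phishing message from all mailboxes with Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed, account holds the
# Search and Purge role, sender/subject below are constructed placeholders.

param(
    [string]$SenderAddress   = 'attacker@example.invalid',   # constructed placeholder
    [string]$Subject         = 'Urgent: password reset',     # constructed placeholder
    [datetime]$ReceivedAfter = (Get-Date).AddDays(-7)
)

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# Scope the KQL query tightly (sender AND subject AND date window) so the purge
# cannot sweep up legitimate mail that merely shares a subject line.
$kql = ('from:"{0}" AND subject:"{1}" AND received>={2:yyyy-MM-dd}' -f
        $SenderAddress, $Subject, $ReceivedAfter)

$searchName = 'IR-Phish-{0:yyyyMMdd-HHmm}' -f (Get-Date)

# 1. Create and start a content search across all Exchange mailboxes.
New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $kql | Out-Null
Start-ComplianceSearch -Identity $searchName

# 2. The search runs server-side; poll until it reports Completed.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

Write-Host ("Search '{0}' matched {1} item(s)" -f $searchName, $search.Items)

# 3. Review before purging; stop if the query matched nothing.
if ($search.Items -eq 0) {
    Write-Warning 'No matching messages; nothing purged.'
    return
}

# 4. SoftDelete moves matches to Recoverable Items so a mistaken purge can be
#    reversed; HardDelete is irreversible and is deliberately not used here.
#    A purge action removes at most 10 matching items per mailbox per run.
New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete -Confirm:$false

# 5. Capture the outcome for the incident record (action is named "<search>_Purge").
Get-ComplianceSearchAction -Identity "${searchName}_Purge" | Format-List Name, Status, Results
```

Run the search and inspect the item count before the purge step; the search name carries a timestamp so each incident leaves a distinct, reviewable entry under Get-ComplianceSearch and Get-ComplianceSearchAction, which is what an auditor or a later investigation will look for.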