Find and investigate malicious email that was delivered (Office 365 Threat Intelligence)

Office 365 Threat Intelligence enables you to investigate activities that put your users at risk and take action to protect your organization. For example, if you are part of your organization's security team, you can find and investigate suspicious email messages that were delivered to your users. You can do this by using Threat Explorer.


Office 365 Threat Intelligence is available in Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Office 365 Threat Intelligence can be purchased as an add-on. (As a global administrator, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information, see Office 365 Platform Service Description: Office 365 Security & Compliance Center and Buy or edit an add-on for Office 365 for business.

Before you begin...

Make sure that the following requirements are met:

Dealing with suspicious emails

Malicious attackers may be sending mail to your users to try and phish their credentials and gain access to your corporate secrets! In order to prevent this, you should use the threat protection services offered by Office 365, including Exchange Online Protection and Advanced Threat Protection. However, there are times when an attacker could send mail to your users containing a URL and only later on make that URL point to malicious content (malware, etc.). Alternatively, you may realize too late that a user in your organization has been compromised, and while that user was compromised, an attacker used that account to send email to other users in your company. As part of cleaning up both of these scenarios, you may want to remove email messages from user inboxes. In situations like these, you can leverage Threat Explorer to find and remove those email messages!

Find and delete suspicious email that was delivered


Threat Explorer (also referred to as Explorer), is a powerful report that can serve multiple purposes, such as finding and deleting messages, identifying the IP address of a malicious email sender, or starting an incident for further investigation. The following procedure focuses on using Explorer to find and delete malicious email from recipients mailboxes.

  1. Go to and sign in using your work or school account for Office 365. This takes you to the Security & Compliance Center.

  2. In the left navigation, choose Threat management > Explorer.

  3. In the View menu, choose All email.
    Use the View menu to choose between Email and Content reports

  4. Notice the labels that appear in the report, such as Delivered, Unknown, or Delivered to junk.
    Threat Explorer showing data for all email
    (Depending on the actions that were taken on email messages for your organization, you might see additional labels, such as Blocked or Replaced.)

  5. In the report, choose Delivered to view only emails that ended up in users' inboxes.
    Clicking "Delivered to junk" removes that data from view

  6. Below the chart, review the Email list below the chart.
    Below the chart, view a list of email messages that were detected

  7. In the list, choose an item to view more details about that email message. For example, you can click the subject line to view information about the sender, recipients, attachments, and other similar email messages.
    You can view additional information about an item, including details and any attachments

  8. After viewing information about email messages, select one or more items in the list to activate + Actions.

  9. Use the + Actions list to apply an action, such as Move to deleted items. This will delete the selected messages from the recipients' mailboxes.
    When you select one or more email messages, you can choose from several available actions

Office 365 Threat Intelligence

Protect against threats in Office 365

View reports for Office 365 Advanced Threat Protection