The Email entity page


Admins of Microsoft Defender for Office 365 (or MDO) E5, and MDO P1 and P2, have a 360-degree view of email using the Email entity page. This go-to email page was created to enhance information delivered on the Threat Explorer 'email details' fly-out.

Reach the email entity page

Either the existing Office Security and Compliance center (protection.office.com) or the new Microsoft 365 Security center (security.microsoft.com) will let you see and use the email entity page.

| Center | URL | Navigation |
|---|---|---|
| Security & Compliance | protection.office.com | Threat Management > Explorer |
| Microsoft 365 security center | security.microsoft.com | Email & Collaboration > Explorer |

In Threat Explorer, select the subject of an email you're investigating. A gold bar will display at the top of the email fly-out for that mail. This invitation to the new page reads 'Try out our new email entity page with enriched data...'. Select it to view the new page.

You'll see a gold banner with the text *Try out our new email entity page with enriched data* that takes you to the new experience.

Graphic of the email entity page, focusing on the headings you'll see. Note that the email subject is shown here.


The permissions needed to view and use this page are the same as those needed to view Threat Explorer. The admin must be a member of Global admin or Global reader, or Security admin or Security reader.

Read the email entity page

The structure is designed to be easy to read and navigate through at a glance. Various tabs along the top of the page allow you to investigate in more detail. Here's how the layout works:

  1. The most required fields are on the left side of the fly-out. These details are 'sticky', meaning they're anchored to the left no matter which tab you navigate to in the rest of the fly-out.


  2. On the top-right corner are the actions that can be taken on an email. Any actions that can be taken through Explorer will also be available through the email entity page.

    Graphic of the email entity page with the top-right area highlighted. Actions such as 'Email preview' and 'Move to quarantine' are found here.

  3. Deeper analysis can be done by sorting through the rest of the page. Check the email detection details, email authentication status, and header. This area should be looked at on a case-by-case basis, but the info in these tabs is available for any email.


Use email entity page tabs

The tabs along the top of the entity page will allow you to investigate email efficiently.

  1. Timeline: The timeline view for an email (per the Threat Explorer timeline) shows the original delivery and the post-delivery events that happen on an email. For emails that have no post-delivery actions, the view shows the original delivery row in timeline view. Events like Zero-hour auto purge (ZAP), Remediate, URL clicks, et cetera, from sources like system, admin, and user, show up here, in the order in which they occurred.
  2. Analysis: Analysis shows fields that help admins analyze an email in depth. For cases where admins need to understand more about detection, sender / recipient, and email authentication details, they should use the Analysis tab. Links for Attachments and URLs are also found on this page, under 'Related Entities'. Both attachments and identified threats are numbered here, and clicking will take you straight to the Attachments and URL pages. This tab also has a View header option to show the email header. Admins can compare any detail from email headers, side by side with information on the main panel, for clarity.
  3. Attachments: This examines attachments found in the email with other details found on attachments. The number of attachments shown is currently limited to 10. Notice that detonation details for attachments found to be malicious are also shown here.
  4. URLs: This tab lists URLs found in the email with other details about the URLs. The number of URLs is limited to 10 right now, but these 10 are prioritized to show malicious URLs first. Prioritization saves you time and guess-work. The URLs which were found to be malicious and detonated will also be shown here.
  5. Similar emails: This tab lists all emails similar to the network message id + recipient combination specific to this email. Similarity is based on the body of the message, only. The determinations made on mails to categorize them as 'similar' don't include a consideration of attachments.

New to the email entity page

There are new capabilities that come with this email entity page. Here's the list.

Email preview for Cloud mailboxes

Admins can preview emails in Cloud mailboxes, if the mails are still present in the Cloud. In case of a soft delete (by an admin, or user), or ZAP (to quarantine), emails are no longer present in the Cloud location. In that case, admins won't be able to preview those specific mails. Emails that were dropped, or where delivery failed, never actually made it into the mailbox. As a result, admins won't be able to preview those emails either.


Previewing emails requires a special role called Preview to be assigned to admins. You can add this role by going to Permissions & roles > Email & collaboration roles in security.microsoft.com, or Permissions in protection.office.com. Add the Preview role to any of the role groups, or a copy of a role group that allows admins in your organization to work in Threat Explorer.

Detonation details

These details are specific to email attachments and URLs.

Users will see enriched detonation details for known malicious attachments or hyperlinks found in their mailboxes, including Detonation chain, Detonation summary, Screenshot, and Observed behavior details to help customers understand why the attachment or URL was deemed malicious and detonated.

  • Detonation chain: A single file or URL detonation can trigger multiple detonations. The Detonation chain tracks the path of detonations, including the original malicious file or URL that caused the verdict, and all other files or URLs affected by the detonation. These URLs or attached files may not be directly present in the email, but including that analysis is important to determining why the file or URL was found to be malicious.
  • Detonation summary: This gives information on:
    • Detonation time range.
    • Verdict of the attached file, or URL.
    • Related info (file number, URLs, IPs, or Domains), which are other entities examined during detonation.
  • Detonation screenshot: This shows screenshot(s) taken during the detonation process.
  • Detonation details: These are the exact behavior details of each process that took place during the detonation.

Screenshot of the detonation summary, showing the chain, summary, detonation details, and screenshot under the heading *Deep Analysis*.

Other innovations

Tags: These are tags applied to users. If the user is a recipient, admins will see a recipient tag. Likewise, if the user is a sender, admins will see a sender tag. This will appear on the left side of the email entity page (in the part that's described as sticky and, thus, anchored to the page).

Latest delivery location: The latest delivery location is the location where an email landed after system actions like ZAP, or admin actions like Move to Deleted Items, finish. Latest delivery location is not intended to inform admins of the message's current location. For example, if a user deletes a message, or moves it to archive, the delivery location won't be updated. However, if a system action has taken place and updated the location (like a ZAP resulting in an email moving to Quarantine), this would update the Latest delivery location to Quarantine.

Email details: Details required for a deeper understanding of email, available in the Analysis tab.

  • Exchange Transport Rules (ETRs or Mailflow rules): These rules are applied to a message at the transport layer and take precedence over phish and spam verdicts. They can only be created and modified in the Exchange admin center, but if any ETR applies to a message, the ETR name and GUID will be shown here. This is valuable information for tracking purposes.

  • System Overrides: This is a means of making exceptions to the delivery location intended for a message by overriding the delivery location given by the system (as per the threat and detection tech).

  • Junk Mailbox Rule: 'Junk' is a hidden Inbox rule that's enabled by default in every mailbox.

    • When the Junk email rule is enabled on the mailbox, Exchange Online Protection (EOP) is able to move messages to Junk according to some criteria. The move can be based on the spam filtering verdict action Move message to Junk Email folder, or on the Blocked Senders list on the mailbox. Disabling the Junk email rule prevents the delivery of messages to the Junk email folder based on the Safe Senders list on the mailbox.
    • When the Junk email rule is disabled on the mailbox, EOP can't move messages to the Junk Email folder based on the spam filtering verdict action Move message to Junk Email folder, or the safe list collection on the mailbox.
  • Bulk Complaint Level (BCL): The Bulk Complaint Level (BCL) of the message. A higher BCL indicates a bulk mail message is more likely to generate complaints (the natural result if the email is likely to be spam).

  • Spam Confidence Level (SCL): The spam confidence level (SCL) of the message. A higher value indicates the message is more likely to be spam.

  • Domain Name: The sender domain name.

  • Domain Owner: Specifies the owner of the sending domain.

  • Domain Location: Specifies the location of the sending domain.

  • Domain Created Date: Specifies the date of creation of the sending domain. A newly created domain is something you could be cautious of if other signals indicate some suspicious behavior.

Email Authentication: Email authentication methods used by Microsoft 365 include SPF, DKIM, and DMARC.

  • Sender Policy Framework (SPF): Describes results of the SPF check for the message. Possible values can be:

    • Pass (IP address): The SPF check for the message passed and includes the sender's IP address. The client is authorized to send or relay email on behalf of the sender's domain.
    • Fail (IP address): The SPF check for the message failed and includes the sender's IP address. This is sometimes called hard fail.
    • Softfail (reason): The SPF record designated the host as not being allowed to send but is in transition.
    • Neutral: The SPF record explicitly states that it does not assert whether the IP address is authorized to send.
    • None: The domain doesn't have an SPF record, or the SPF record doesn't evaluate to a result.
    • Temperror: A temporary error has occurred. For example, a DNS error. The same check later might succeed.
    • Permerror: A permanent error has occurred. For example, the domain has a badly formatted SPF record.
  • DomainKeys Identified Mail (DKIM):

    • Pass: Indicates the DKIM check for the message passed.
    • Fail (reason): Indicates the DKIM check for the message failed and why. For example, if the message was not signed or the signature was not verified.
    • None: Indicates that the message was not signed. This may or may not indicate that the domain has a DKIM record or the DKIM record does not evaluate to a result, only that this message was not signed.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC):

    • Pass: Indicates the DMARC check for the message passed.
    • Fail: Indicates the DMARC check for the message failed.
    • Bestguesspass: Indicates that no DMARC TXT record for the domain exists, but if one had existed, the DMARC check for the message would have passed.
    • None: Indicates that no DMARC TXT record exists for the sending domain in DNS.

Composite Authentication: This is a value used by Microsoft 365 to combine email authentication like SPF, DKIM, and DMARC, to determine if the message is authentic. It uses the From: domain of the mail as the basis of evaluation.
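
The SPF, DKIM, DMARC and composite authentication results listed above can also be read from the raw header that the View header option shows, which helps when comparing it with the Analysis tab. The following Python example is added here and is not part of the original article or any Microsoft code. It assumes the results appear in an `Authentication-Results` header with `spf=`, `dkim=`, `dmarc=` and `compauth=` fields; the sample message is constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Result values this page lists for each method.
KNOWN = {
    "spf": {"pass", "fail", "softfail", "neutral", "none", "temperror", "permerror"},
    "dkim": {"pass", "fail", "none"},
    "dmarc": {"pass", "fail", "bestguesspass", "none"},
}

# Constructed sample message, not real traffic; domains and IP are placeholders.
SAMPLE = """\
Authentication-Results: spf=softfail (sender IP is 192.0.2.10)
 smtp.mailfrom=example.com; dkim=none (message not signed)
 header.d=none; dmarc=bestguesspass action=none
 header.from=example.com; compauth=pass reason=109
From: Alice <alice@example.com>
Subject: constructed test message

body
"""

def auth_results(raw_message):
    """Return {method: result} parsed from Authentication-Results headers."""
    msg = message_from_string(raw_message, policy=default)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        text = re.sub(r"\([^)]*\)", " ", str(header))  # drop (comments)
        for clause in text.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc|compauth)=(\w+)", clause, re.I)
            if m:  # keep the first result seen for each method
                results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results

def triage(results):
    """List non-pass results to compare against the Analysis tab."""
    notes = []
    for method, allowed in KNOWN.items():
        value = results.get(method)
        if value is None:
            notes.append(f"{method}: no result in header")
        elif value not in allowed:
            notes.append(f"{method}: value {value!r} not in the page's list")
        elif value != "pass":
            notes.append(f"{method}: {value}")
    return notes

if __name__ == "__main__":
    for line in triage(auth_results(SAMPLE)):
        print(line)
```

Here the composite result is pass even though SPF is softfail, the message is unsigned, and DMARC is only bestguesspass, which is the kind of case where the individual results are worth reading alongside the composite value.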