Email security with Threat Explorer and Real-time detections in Microsoft Defender for Office 365

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

Microsoft 365 organizations that have Microsoft Defender for Office 365 included in their subscription or purchased as an add-on have Explorer (also known as Threat Explorer) or Real-time detections. These features are powerful, near real-time tools to help Security Operations (SecOps) teams investigate and respond to threats. For more information, see About Threat Explorer and Real-time detections in Microsoft Defender for Office 365.

This article explains how to view and investigate detected malware and phishing attempts in email using Threat Explorer or Real-time Detections.

Tip

For other email scenarios using Threat Explorer and Real-time detections, see the following articles:

What do you need to know before you begin?

View phishing email sent to impersonated users and domains

For more information about user and domain impersonation protection in anti-phishing policies in Defender for Office 365, see Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365.

In the default or custom anti-phishing policies, you need to specify the users and domains to protect from impersonation, including domains you own (accepted domains). In the Standard or Strict preset security policies, domains that you own automatically receive impersonation protection, but you need to specify any users or custom domains for impersonation protection. For instructions, see the following articles:

Use the following steps to review phishing messages and search for impersonated users or domains.

  1. Use one of the following steps to open Threat Explorer or Real-time detections:

  2. On the Explorer or Real-time detections page, select the Phish view. For more information about the Phish view, see Phish view in Threat Explorer and Real-time detections.

  3. Select the date/time range. The default is yesterday and today.

  4. Do any of the following steps:

    • Find any user or domain impersonation attempts:

      • Select the Sender address (property) box, and then select Detection technology in the Basic section of the drop down list.
      • Verify Equal any of is selected as the filter operator.
      • In the property value box, select Impersonation domain and Impersonation user
    • Find specific impersonated user attempts:

      • Select the Sender address (property) box, and then select Impersonated user in the Basic section of the drop down list.
      • Verify Equal any of is selected as the filter operator.
      • In the property value box, enter the full email address of the recipient. Separate multiple recipient values by commas.
    • Find specific impersonated domain attempts:

      • Select the Sender address (property) box, and then select Impersonated domain in the Basic section of the drop down list.
      • Verify Equal any of is selected as the filter operator.
      • In the property value box, enter the domain (for example, contoso.com). Separate multiple domain values by commas.
  5. Enter more conditions using other filterable properties as required. For instructions, see Property filters in Threat Explorer and Real-time detections.

  6. When you're finished creating the filter conditions, select Refresh.

  7. In the details area below the chart, verify the Email tab (view) is selected.

    You can sort the entries and show more columns as described in Email view for the details area of the Phish view in Threat Explorer and Real-time detections.

Export URL click data

You can export URL click data to a CSV file to view the Network Message ID and Click verdict values, which help explain where your URL click traffic came from.

  1. Use one of the following steps to open Threat Explorer or Real-time detections:

  2. On the Explorer or Real-time detections page, select the Phish view. For more information about the Phish view, see Phish view in Threat Explorer and Real-time detections.

  3. Select the date/time range, and then select Refresh. The default is yesterday and today.

  4. In the details area, select the Top URLs or Top clicks tab (view).

  5. In the Top URLs or Top clicks view, select one or more entries from the table by selecting the check box next to the first column, and then select Export. Explorer > Phish > Clicks > Top URLs or URL Top Clicks > select any record to open the URL flyout.

You can use the Network Message ID value to search for specific messages in Threat Explorer or Real-time detections or external tools. These searches identify the email message that's associated with a click result. Having the correlated Network Message ID makes for quicker and more powerful analysis.

View malware detected in email

Use the following steps in Threat Explorer or Real-time detections to see the malware detected in email by Microsoft 365.

  1. Use one of the following steps to open Threat Explorer or Real-time detections:

  2. On the Explorer or Real-time detections page, select the Malware view. For more information about the Phish view, see Malware view in Threat Explorer and Real-time detections.

  3. Select the date/time range. The default is yesterday and today.

  4. Select the Sender address (property) box, and then select Detection technology in the Basic section of the drop down list.

    • Verify Equal any of is selected as the filter operator.
    • In the property value box, select one or more of the following values:
      • Anti-malware protection
      • File detonation
      • File detonation reputation
      • File reputation
      • Fingerprint matching
  5. Enter more conditions using other filterable properties as required. For instructions, see Property filters in Threat Explorer and Real-time detections.

  6. When you're finished creating the filter conditions, select Refresh.

The report shows the results that malware detected in email, using the technology options you selected. From here, you can conduct further analysis.

Report messages as clean

You can use the Submissions page in the Defender portal at https://security.microsoft.com/reportsubmission to report messages as clean (false positives) to Microsoft. But you can also submit messages as clean to Microsoft from Take action in Threat Explorer or the Email entity page.

For instructions, see Threat hunting: The Take action wizard.

To summarize:

  • Select Take action using one of the following methods:

    • Select one or more messages from the details table in the Email tab (view) in the All email, Malware, or Phish views by selecting the check boxes for the entries.

    Or

    • In the details flyout after you select a message from the details table in the Email tab (view) in the All email, Malware, or Phish views by clicking on the Subject value.
  • In the Take action wizard, select Submit to Microsoft for review > I've confirmed it's clean.

View phishing URL and click verdict data

Safe Links protection tracks URLs that were allowed, blocked, and overridden. Safe Links protection is on by default, thanks to Built-in protection in preset security policies. Safe Links protection is on in the Standard and Strict preset security policies. You can also create and configure Safe Links protection in custom Safe Links policies. For more information about the Safe Links policy settings, see Safe Links policy settings.

Use the following steps to see phishing attempts using URLs in email messages.

  1. Use one of the following steps to open Threat Explorer or Real-time detections:

  2. On the Explorer or Real-time detections page, select the Phish view. For more information about the Phish view, see Phish view in Threat Explorer and Real-time detections.

  3. Select the date/time range. The default is yesterday and today.

  4. Select the Sender address (property) box, and then select Click verdict in the URLs section of the drop down list.

    • Verify Equal any of is selected as the filter operator.
    • In the property value box, select one or more of the following values:
      • Blocked
      • Blocked overridden

    For explanations of the Click verdict values, see Click verdict in Filterable properties in the All email view in Threat Explorer.

  5. Enter more conditions using other filterable properties as required. For instructions, see Property filters in Threat Explorer and Real-time detections.

  6. When you're finished creating the filter conditions, select Refresh.

The Top URLs tab (view) in the details area below the chart shows the count of Messages blocked, Messages junked, and Messages delivered for the top five URLs. For more information, see Top URLs view for the details area of the Phish view in Threat Explorer and Real-time detections.

The Top clicks tab (view) in the details area below the chart shows the top five clicked links that were wrapped by Safe Links. URL clicks on unwrapped links don't show up here. For more information, see Top clicks view for the details area of the Phish view in Threat Explorer and Real-time detections.

These URL tables show URLs that were blocked or visited despite a warning. This information shows the potential bad links that were presented to users. From here, you can conduct further analysis.

Select a URL from an entry in the view for details. For more information, see URL details for the Top URLs and Top clicks tabs in Phish view.

Tip

In the URL details flyout, the filtering on email messages is removed to show the full view of the URL's exposure in your environment. This behavior lets you filter for specific email messages, find specific URLs that are potential threats, and then expand your understanding of the URL exposure in your environment without having to add URL filters in the Phish view.

Interpretation of click verdicts

The Click verdict property results are visible in the following locations:

The verdict values are described in the following list:

  • Allowed: The user was allowed to open the URL.
  • Block overridden: The user was blocked from directly opening the URL, but they overrode the block to open the URL.
  • Blocked: The user was blocked from opening the URL.
  • Error: The user was presented with the error page, or an error occurred in capturing the verdict.
  • Failure: An unknown exception occurred while capturing the verdict. The user might have opened the URL.
  • None: Unable to capture the verdict for the URL. The user might have opened the URL.
  • Pending verdict: The user was presented with the detonation pending page.
  • Pending verdict bypassed: The user was presented with the detonation page, but they overrode the message to open the URL.

Start automated investigation and response in Threat Explorer

Automated investigation and response (AIR) in Defender for Office 365 Plan 2 can save time and effort as you investigate and mitigate cyberattacks. You can configure alerts that trigger a security playbook, and you can start AIR in Threat Explorer. For details, see Example: A security administrator triggers an investigation from Explorer.

Investigate email with the Email entity page