Example of a phishing email attack


Want to experience Microsoft 365 Defender? Learn more about how you can evaluate and pilot Microsoft 365 Defender.

Applies to:

  • Microsoft 365 Defender

Microsoft 365 Defender can help detect malicious attachments delivered via email and security analysts can have visibility on threats coming in from Office 365, such as through email attachments.

For example, an analyst was assigned a multi-stage incident.

A multi-stage incident

In the Alerts tab of the incident, alerts from Defender for Office 365 and Microsoft Defender for Cloud Apps are displayed. The analyst can drill down into the Defender for Office 365 alerts by selecting the email messages alerts. The details of the alert are displayed on the side pane.

An email alert

By scrolling down further, more information is displayed, showing the malicious files and user that was impacted.

User and file impact of an email alert

Selecting Open alert page takes you to the specific alert where various information can be viewed in greater detail by selecting the link. The actual email message can be viewed by selecting View messages in Explorer toward the bottom of the panel.

The details of an alert

This takes the analyst to the Threat Management page where the email Subject, Recipient, Sender, and other information are displayed. ZAP under Special Actions tells the analyst that the Zero-hour auto purge feature was implemented. ZAP automatically detects and removes malicious and spam messages from mailboxes across the organization. For more information, see Zero-hour auto purge (ZAP) in Exchange Online.

Other actions can be taken on specific messages by selecting Actions.

The other actions that can be taken on email messages

Next step

See the identity-based attack investigation path.

See also