Threat hunting in Threat Explorer for Microsoft Defender for Office 365


Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.


This is part of a 3-article series on Threat Explorer (Explorer), email security, and Explorer and Real-time detections (such as differences between the tools, and permissions needed to operate them). The other two articles in this series are Email security with Threat Explorer and Threat Explorer and Real-time detections.

If your organization has Microsoft Defender for Office 365, and you have the permissions, you can use Explorer or Real-time detections to detect and remediate threats.

In the Microsoft 365 Defender portal at, go to Email & collaboration, and then choose Explorer or Real-time detections. To go directly to the page, use or

With these tools, you can:

  • See malware detected by Microsoft 365 security features
  • View phishing URL and click verdict data
  • Start an automated investigation and response process from a view in Explorer
  • Investigate malicious email, and more

For more information, see Email security with Threat Explorer.

Watch this short video to learn how to hunt and investigate email and collaboration-based threats using Microsoft Defender for Office 365.

Threat Explorer walk-through

In Microsoft Defender for Office 365, there are two subscription plans—Plan 1 and Plan 2. Manually operated threat hunting tools exist in both plans, under different names and with different capabilities.

Defender for Office 365 Plan 1 uses Real-time detections, which is a subset of the Threat Explorer (also called Explorer) hunting tool in Plan 2. In this series of articles, most of the examples were created using the full Threat Explorer. Admins should test any steps in Real-time detections to see where they apply.

When you open Explorer, you land on the All email view by default; use the tabs to move to the other available views. If you're hunting phish or digging into a threat campaign, choose those views.

Once a security operations (Sec Ops) person selects the data they want to see, they can further narrow down the data by applying filters such as Sender, Recipient, and Subject, or select an appropriate date range to get the desired results. Remember to select Refresh to complete your filtering actions.

The Sender button in Threat Explorer

Refining focus in Explorer or Real-time detections can be thought of in layers. The first layer is the View. The second is a filtered focus within that view. Recording your decisions in these terms lets you retrace the steps you took in finding a threat, for example: "To find the issue in Explorer, I chose the Malware View with a Recipient filter focus." This makes retracing your steps easier.


If Sec Ops uses Tags to mark accounts they consider high-value targets, they can make selections like Phish View with a Tags filter focus (adding a date range if needed). This shows any phishing attempts directed at their high-value users during a time range (for example, dates when certain phishing attacks are hitting their industry heavily).

With the new version of Threat Explorer, filters offer the following four new dropdown operators:

  • Equals any of – returns values matching the exact user input.
  • Equals none of – returns values not matching the exact user input.
  • Contains any of – returns values partially matching user input.
  • Contains none of – returns values not partially matching user input.

Note that which of these filter conditions is available depends on the filter type and the input type.
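The layered focus described above (View first, then filters, then a date range) and the four filter operators, modelled as an added Python example. This is not Microsoft's code and not an API of Threat Explorer: the Mail record, its field names, the view labels and the sample messages are constructed for illustration, and treating "Equals" as a case-insensitive whole-value match and "Contains" as a case-insensitive substring match is an assumption about the product's matching behaviour.

```python
"""Added example (not Microsoft's code): a constructed model of how Threat
Explorer narrows results in layers: View, then filters, then a date range.
Record shape, field names and sample data are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Mail:
    sender: str
    recipient: str
    subject: str
    received: datetime
    verdict: str                      # constructed labels: "phish", "malware", "clean"
    tags: list = field(default_factory=list)


# Constructed sample data: every address, subject and tag is invented.
SAMPLE = [
    Mail("billing@invoice-alerts.example", "ceo@contoso.example", "Invoice overdue",
         datetime(2023, 5, 2), "phish", ["Priority account"]),
    Mail("it-helpdesk@mail-secure.example", "hr@contoso.example", "Password reset required",
         datetime(2023, 5, 3), "phish"),
    Mail("partner@supplier.example", "cfo@contoso.example", "Q2 report.xlsm",
         datetime(2023, 5, 4), "malware", ["Priority account", "Finance"]),
    Mail("assistant@contoso.example", "ceo@contoso.example", "Lunch on Friday?",
         datetime(2023, 5, 4), "clean", ["Priority account"]),
    Mail("exec-office@contoso-mail.example", "cfo@contoso.example", "Wire transfer approval",
         datetime(2023, 5, 10), "phish", ["Priority account", "Finance"]),
]

# Layer 1: the View decides which records are even in scope.
VIEWS = {
    "All email": lambda m: True,
    "Phish": lambda m: m.verdict == "phish",
    "Malware": lambda m: m.verdict == "malware",
}


def _values(mail, column):
    """Return the column's value(s) as a lowercased list (Tags is multi-valued)."""
    value = getattr(mail, column.lower())
    return [v.lower() for v in value] if isinstance(value, list) else [str(value).lower()]


def matches(mail, column, operator, inputs):
    """Apply one filter row using the four operators named in the article."""
    values = _values(mail, column)
    wanted = [i.lower() for i in inputs]
    if operator == "Equals any of":
        return any(v in wanted for v in values)
    if operator == "Equals none of":
        return not any(v in wanted for v in values)
    if operator == "Contains any of":
        return any(w in v for v in values for w in wanted)
    if operator == "Contains none of":
        return not any(w in v for v in values for w in wanted)
    raise ValueError(f"unknown operator: {operator}")


def hunt(records, view, filters=(), start=None, end=None):
    """Layer 2 and 3: keep records in the view that pass every filter and the date range."""
    in_view = VIEWS[view]
    result = []
    for mail in records:
        if not in_view(mail):
            continue
        if start is not None and mail.received < start:
            continue
        if end is not None and mail.received > end:
            continue
        if all(matches(mail, col, op, inp) for col, op, inp in filters):
            result.append(mail)
    return result


def describe_focus(view, filters=(), start=None, end=None):
    """Write the hunt down as 'View with <Column> filter focus' so it can be retraced."""
    parts = [f"{view} View"]
    if filters:
        parts.append("with " + ", ".join(
            f"{col} filter focus ({op}: {'; '.join(inp)})" for col, op, inp in filters))
    if start is not None and end is not None:
        parts.append(f"between {start:%Y-%m-%d} and {end:%Y-%m-%d}")
    return " ".join(parts)


if __name__ == "__main__":
    focus = [("Tags", "Equals any of", ["Priority account"])]
    print(describe_focus("Phish", focus))
    for m in hunt(SAMPLE, "Phish", focus):
        print(f"  {m.received:%Y-%m-%d}  {m.sender} -> {m.recipient}: {m.subject}")
```

One thing the sample makes visible: a "Contains none of" filter on the sender for "contoso.example" still lets the lookalike sender at contoso-mail.example through, because the substring does not occur in that string. When excluding your own domain from a hunt, check the survivors for lookalike domains rather than assuming the exclusion removed only internal mail.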

Use the Column options button to get the kind of information on the table that would be most helpful:

The Column options button highlighted

The available options in Columns

In the same vein, make sure to test your display options. Different audiences will react well to different presentations of the same data. For some viewers, the Email Origins map can show more quickly than the Campaign display option right next to it whether a threat is widespread or discrete. Sec Ops can use these displays to make points that underscore the need for security and protection, or keep them for later comparison, to demonstrate the effectiveness of their actions.

The Email Origins map

The Campaign display options

Email investigation

When you see a suspicious email, click the name to expand the flyout on the right. Here, the banner that lets Sec Ops see the email entity page is available.

The email entity page pulls together contents that can be found under Details, Attachments, Devices, but includes more organized data. This includes things like DMARC results, plain text display of the email header with a copy option, verdict information on attachments that were securely detonated, and files those detonations dropped (can include IP addresses that were contacted and screenshots of pages or files). URLs and their verdicts are also listed with similar details reported.

When you reach this stage, the email entity page will be critical to the final step—remediation.

The email entity page


To learn more about the rich email entity page (seen below on the Analysis tab), including the results of detonated Attachments, findings for included URLs, and safe Email preview, click here.

The Analysis tab of the email entity page

Email remediation

Once a Sec Ops person determines that an email is a threat, the next Explorer or Real-time detection step is dealing with the threat and remediating it. This can be done by returning to Threat Explorer, selecting the checkbox for the problem email, and using the Actions button.

The Actions button in the Threat Explorer

Here, the analyst can take actions like reporting the mail as Spam, Phishing, or Malware, contacting recipients, or further investigations that can include triggering Automated Investigation and Response (or AIR) playbooks (if you have Plan 2). Or, the mail can also be reported as clean.

The Actions drop down

Improvements to threat hunting experience

Alert ID

When navigating from an alert into Threat Explorer, the View is filtered by Alert ID. This also applies in Real-time detections. Messages relevant to the specific alert, and an email total (a count), are shown. You can see whether a message was part of an alert, and navigate from that message to the related alert.

Finally, alert ID is included in the URL, for example: https://

The Filter for Alert ID

Extending Explorer (and Real-time detections) data retention and search limit for trial tenants

As part of this change, analysts will be able to search for, and filter email data across 30 days (increased from seven days) in Threat Explorer and Real-time detections for both Defender for Office P1 and P2 trial tenants. This doesn't impact any production tenants for both P1 and P2 E5 customers, where the retention default is already 30 days.

Updated Export limit

The number of email records that can be exported from Threat Explorer is now 200,000 (was 9990). The set of columns that can be exported is unchanged.

Tags in Threat Explorer


The user tags feature is in Preview and may not be available to everyone. Also, Previews are subject to change. For information about the release schedule, check out the Microsoft 365 roadmap.

User tags identify specific groups of users in Microsoft Defender for Office 365. For more information about tags, including licensing and configuration, see User tags.

In Threat Explorer, you can see information about user tags in the following experiences.

Email grid view

When analysts look at the Tags column in the email grid, they see all tags that have been applied to sender or recipient mailboxes. By default, system tags like priority accounts are shown first.

The Filter tags in email grid view


Tags can be used as filters. Hunt among priority accounts only, or hunt on specific user tag scenarios this way. You can also exclude results that have certain tags. Combine Tags with other filters and date ranges to narrow the scope of your investigation.

Filter tags.

The tags that have not been filtered

Email detail flyout

To view the individual tags for sender and recipient, select an email to open the message details flyout. On the Summary tab, the sender and recipient tags are shown separately. The information about individual tags for sender and recipient can be exported as CSV data.

The Email Details tags

Tags information is also shown in the URL clicks flyout. To see it, go to Phish or All Email view > URLs or URL Clicks tab. Select an individual URL flyout to see additional details about clicks for that URL, including any Tags associated with that click.

Updated Timeline View

The URL tags

Learn more by watching this video.

Extended capabilities

Top targeted users

Top Malware Families shows the top targeted users in the Malware section. Top targeted users will be extended through Phish and All Email views too. Analysts will be able to see the top-five targeted users, along with the number of attempts for each user in each view.

Security operations people will be able to export the list of targeted users, up to a limit of 3,000, along with the number of attempts made, for offline analysis in each email view. Also, selecting the number of attempts (for example, 13 attempts in the image below) opens a filtered view in Threat Explorer, so you can see more details across emails and threats for that user.

The users targeted the most

Exchange transport rules

The security operations team will be able to see all the Exchange transport rules (or mail flow rules) applied to a message in the Email grid view. Select Column options in the grid, and then add Exchange Transport Rule from the column options. The Exchange transport rules option is also visible on the Details flyout for the email.

The names and GUIDs of the transport rules applied to the message appear. Analysts will be able to search for messages by using the name of the transport rule. This is a CONTAINS search, which means partial searches work as well.


Exchange transport rule search and name availability depend on the specific role assigned to you. You need one of the following roles or permissions to view transport rule names and search on them. Even without the roles or permissions below, however, an analyst may still see the transport rule label and GUID information in the Email Details. Other record-viewing experiences in Email Grids, Email flyouts, Filters, and Export are not affected.

  • Exchange Online Only - data loss prevention: All
  • Exchange Online Only - O365SupportViewConfig: All
  • Microsoft Azure Active Directory or Exchange Online - Security Admin: All
  • Azure Active Directory or Exchange Online - Security Reader: All
  • Exchange Online Only - Transport Rules: All
  • Exchange Online Only - View-Only Configuration: All

Within the email grid, Details flyout, and Exported CSV, the ETRs are presented with a Name/GUID as shown below.

The rules in Exchange Transport

Inbound connectors

Connectors are a collection of instructions that customize how your email flows to and from your Microsoft 365 or Office 365 organization. They enable you to apply any security restrictions or controls. In Threat Explorer, you can view the connectors that are related to an email and search for emails using connector names.

The search for connectors is a CONTAINS query, which means partial keyword searches can work:

The Connector details

Required licenses and permissions

You must have Microsoft Defender for Office 365 to use Explorer or Real-time detections.

  • Explorer is included in Defender for Office 365 Plan 2.
  • The Real-time detections report is included in Defender for Office 365 Plan 1.
  • Plan to assign licenses for all users who should be protected by Defender for Office 365. Explorer and Real-time detections show detection data for licensed users.

To view and use Explorer or Real-time detections, you must have the following permissions:

  • In the Microsoft 365 Defender portal:
    • Organization Management
    • Security Administrator (this can be assigned in the Azure Active Directory admin center (
    • Security Reader
  • In Exchange Online:
    • Organization Management
    • View-Only Organization Management
    • View-Only Recipients
    • Compliance Management

To learn more about roles and permissions, see the following resources:

More information