Threat Trackers - New and Noteworthy


Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

Office 365 Threat Investigation and Response capabilities enable your organization's security team to discover and take action against cybersecurity threats. Office 365 Threat Investigation and Response capabilities include Threat Tracker features, including Noteworthy trackers. Read this article to get an overview of these new features and next steps.


Office 365 Threat Intelligence is now Microsoft Defender for Office 365 Plan 2, along with additional threat protection capabilities. To learn more, see Microsoft Defender for Office 365 plans and pricing and the Microsoft Defender for Office 365 Service Description.

What are Threat Trackers?

Threat Trackers are informative widgets and views that provide you with intelligence on different cybersecurity issues that might impact your company. For example, you can view information about trending malware campaigns using Threat Trackers.

Trackers are just a few of the many great features you get with Microsoft Defender for Office 365 Plan 2. Threat Trackers include Noteworthy trackers, Trending trackers, Tracked queries, and Saved queries.

To view and use your Threat Trackers for your organization, open the Microsoft Defender portal at, and go to Email & collaboration > Threat tracker. To go directly to the Threat tracker page, use


To use Threat Trackers, you must be a global administrator, security administrator, or security reader. See Permissions in the Microsoft Defender portal.

Noteworthy trackers

Noteworthy trackers are where you'll find big and smaller threats and risks that we think you should know about. Noteworthy trackers help you find whether these issues exist in your Microsoft 365 environment, plus link to articles (like this one) that give you more details on what is happening, and how they'll impact your organization's use of Office 365. Whether it's a big new threat (e.g. Wannacry, Petya) or an existing threat that might create some new challenges (like our other inaugural Noteworthy item - Nemucod), this is where you'll find important new items you and your security team should review and examine periodically.

Typically Noteworthy trackers will be posted for just a couple of weeks when we identify new threats and think you might need the extra visibility that this feature provides. Once the biggest risk for a threat has passed, we'll remove that Noteworthy item. This way, we can keep the list fresh and up to date with other relevant new items.

Trending trackers (formerly called Campaigns) highlight new threats received in your organization's email in the past week. The Trending trackers view provides dynamic assessments of email threats impacting your organization's Office 365 environment. This view shows tenant level malware trends, identifying malware families on the rise, flat, or declining, giving admins greater insight into which threats require further attention.

Screenshot that shows the example of trending malware campaigns widget

Trending trackers give you an idea of new threats you should review to ensure your broader corporate environment is prepared against attacks.

Tracked queries

Tracked queries leverage your saved queries to periodically assess Microsoft 365 activity in your organization. This gives you event trending, with more to come in the coming months. Tracked queries run automatically, giving you up-to-date information without having to remember to re-run your queries.

Screenshot that shows the example of tracked queries with one selected

Saved queries

Saved queries are also found in the Trackers section. You can use Saved queries to store the common Explorer searches that you want to get back to quicker and repeatedly, without having to re-create the search every time.

Screenshot that shows the list of tracked queries with one selected

You can always save a Noteworthy tracker query or any of your own Explorer queries using the Save query button at the top of the Explorer page. Anything saved there will show up in the Saved queries list on the Tracker page.

Trackers and Explorer

Whether you're reviewing email, content, or Office activities (coming soon), Explorer and Trackers work together to help you investigate and track security risks and threats. All together, Trackers provide you with information to protect your users by highlighting new, notable, and frequently searched issues - ensuring your business is better protected as it moves to the cloud.

And remember that you can always provide us with feedback on this or other Microsoft 365 security features by clicking on the Feedback button in the lower-right corner.

Screenshot that shows the Microsoft Defender portal

Trackers and Microsoft Defender for Office 365

With our inaugural Noteworthy threat, we're highlighting advanced malware threats detected by Safe Attachments. If you're an Office 365 Enterprise E5 customer and you're not using Microsoft Defender for Office 365, you should be - it's included in your subscription. Defender for Office 365 provides value even if you have other security tools filtering email flow with your Office 365 services. However, anti-spam and Safe Links features work best when your main email security solution is through Office 365.

Screenshot that shows the Microsoft Defender for Office 365 in the Microsoft Defender portal

In today's threat-riddled world, running only traditional anti-malware scans means you are not protected well enough against attacks. Today's more sophisticated attackers use commonly available tools to create new, obfuscated, or delayed attacks that won't be recognized by traditional signature-based anti-malware engines. The Safe Attachments feature takes email attachments and detonates them in a virtual environment to determine whether they're safe or malicious. This detonation process opens each file in a virtual computer environment, then watches what happens after the file is opened. Whether it's a PDF, and compressed file, or an Office document, malicious code can be hidden in a file, activating only once the victim opens it on their computer. By detonating and analyzing the file in the email flow, Defender for Office 365 capabilities finds these threats based on behaviors, file reputation, and a number of heuristic rules.

The new Noteworthy threat filter highlights items that were recently detected through Safe Attachments. These detections represent items that are new malicious files, not previously found by Microsoft 365 in either your email flow or other customers' email. Pay attention to the items in the Noteworthy Threat Tracker, see who was targeted by them, and review the detonation details shown on the Advanced Analysis tab (found by clicking on the subject of the email in Explorer). Note you'll only find this tab on emails detected by the Safe Attachments capability - this Noteworthy tracker includes that filter, but you can also use that filter for other searches in Explorer.

Next steps