Threat Explorer and Real-time detections allow you to investigate activities that put people in your organization at risk, and to take action to protect your organization. For example:
Find and delete messages.
Identify the IP address of a malicious email sender.
Start an incident for further investigation.
This article explains how to use Threat Explorer and Real-time detections to find malicious email in recipient mailboxes.
For filter properties that require you to select one or more available values, using the property in the filter condition with all values selected has the same result as not using the property in the filter condition.
Delivery action: The action taken on an email due to existing policies or detections. Useful values are:
Delivered: Email delivered to the user's Inbox or other folder where the user can access the message.
Junked: Email delivered to the user's Junk Email folder or Deleted Items folder where the user can access the message.
Blocked: Email messages that were quarantined, that failed delivery, or were dropped.
Original delivery location: Where email went before any automatic or manual post-delivery actions by the system or admins (for example, ZAP or moved to quarantine). Useful values are:
Deleted items folder
Dropped: The message was lost somewhere in mail flow.
Failed: The message failed to reach the mailbox.
Inbox/folder
Junk folder
On-prem/external: The mailbox doesn't exist in the Microsoft 365 organization.
Quarantine
Unknown: For example, after delivery, an Inbox rule moved the message to a default folder (for example, Draft or Archive) instead of to the Inbox or Junk Email folder.
Last delivery location: Where email ended up after any automatic or manual post-delivery actions by the system or admins. The same values are available as for Original delivery location.
Directionality: Valid values are:
Inbound
Intra-org
Outbound
This information can help identify spoofing and impersonation. For example, messages from internal domain senders should be Intra-org, not Inbound.
Additional action: Valid values are:
Automated remediation (Defender for Office 365 Plan 2)
Primary override: If organization or user settings allowed or blocked messages that would have otherwise been blocked or allowed. Values are:
Allowed by organization policy
Allowed by user policy
Blocked by organization policy
Blocked by user policy
None
These categories are further refined by the Primary override source property.
Primary override source: The type of organization policy or user setting that allowed or blocked messages that would have otherwise been blocked or allowed. Values are:
Exclusive mode (User override): The Only trust email from addresses in my Safe senders and domains list and Safe mailing lists setting in the safelist collection on a mailbox.
Filtering skipped due to on-prem organization
IP region filter from policy: The From these countries filter in anti-spam policies.
Language filter from policy: The Contains specific languages filter in anti-spam policies.
Trusted recipient (User override): Recipient email addresses or domains in the Safe Recipients list in the safelist collection on a mailbox.
Trusted senders only (User override): The Safe Lists Only: Only mail from people or domains on your Safe Senders List or Safe Recipients List will be delivered to your Inbox setting in the safelist collection on a mailbox.
Override source: Same available values as Primary override source.
Tip
In the Email tab (view) in the details area of the All email, Malware, and Phish views, the corresponding override columns are named System overrides and System overrides source.
URL threat: Valid values are:
Malware
Phish
Spam
When you're finished configuring date/time and property filters, select Refresh.
The Email tab (view) in the details area of the All email, Malware, or Phish views contains the details you need to investigate suspicious email.
For example, use the Delivery action, Original delivery location, and Last delivery location columns in the Email tab (view) to get a complete picture of where the affected messages went. The values were explained in Step 4.
Use Export to selectively export up to 200,000 filtered or unfiltered results to a CSV file.
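As an added example (not part of the original article or a Microsoft tool), the following Python applies the checks described above to an exported CSV: it flags messages from an internal sender domain that nevertheless arrived Inbound, lists messages whose Original and Last delivery locations differ (a post-delivery action such as ZAP), and summarizes the Delivery action/location combinations. The CSV header names, addresses, message IDs and the INTERNAL_DOMAINS set are constructed assumptions, not the exact format of a real export.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Threat Explorer CSV export. Column names follow the
# filter properties described above; the exact header spelling of a real
# export is an assumption, as are all addresses and message IDs.
SAMPLE_EXPORT = """\
Network message ID,Sender address,Directionality,Delivery action,Original delivery location,Last delivery location
msg-001,ceo@contoso.example,Inbound,Delivered,Inbox/folder,Quarantine
msg-002,news@vendor.example,Inbound,Junked,Junk folder,Junk folder
msg-003,hr@contoso.example,Intra-org,Delivered,Inbox/folder,Inbox/folder
msg-004,billing@unknown.example,Inbound,Blocked,Quarantine,Quarantine
msg-005,it@contoso.example,Inbound,Delivered,Inbox/folder,Inbox/folder
"""

INTERNAL_DOMAINS = {"contoso.example"}  # constructed: your accepted domains


def parse_export(text):
    """Read an exported CSV into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def possible_spoofs(rows, internal_domains):
    """Sender claims an internal domain but the message arrived Inbound.
    Genuine internal mail is Intra-org, so this is a spoofing indicator."""
    hits = []
    for r in rows:
        domain = r["Sender address"].rpartition("@")[2].lower()
        if domain in internal_domains and r["Directionality"] == "Inbound":
            hits.append(r["Network message ID"])
    return hits


def moved_after_delivery(rows):
    """Original and last location differ: a post-delivery action (ZAP or an
    admin move) changed where the message ended up."""
    return [
        (r["Network message ID"], r["Original delivery location"], r["Last delivery location"])
        for r in rows
        if r["Original delivery location"] != r["Last delivery location"]
    ]


def delivery_summary(rows):
    """Count each (Delivery action, Original location, Last location) combination."""
    return Counter(
        (r["Delivery action"], r["Original delivery location"], r["Last delivery location"])
        for r in rows
    )
```

Run the three functions over parse_export(SAMPLE_EXPORT) to see which rows each check surfaces; the same logic applies unchanged to a real export once the header names are adjusted.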
This module examines how Microsoft Defender for Office 365 extends EOP protection through various tools, including Safe Attachments, Safe Links, spoofed intelligence, spam filtering policies, and the Tenant Allow/Block List.
Learn about threat hunting and remediation in Microsoft Defender for Office 365 using Threat Explorer or Real-time detections in the Microsoft Defender portal.
Admins can learn about the Email entity page in Microsoft Defender for Office 365. This page shows many details about email messages, for example email headers, threat detection details, the latest and original delivery locations, delivery actions, and IDs (for example, the Network message ID and the associated Alert ID).
Admins can learn how to find and use the email security reports that are available in the Microsoft Defender portal. This article helps answer the question, 'What is the Threat protection status report in EOP and Microsoft Defender for Office 365?'
Zero-hour auto purge (ZAP) moves delivered messages in Microsoft 365 mailboxes to the Junk Email folder or quarantine if those messages are retroactively found to be spam, phishing, or contain malware.