Process: Email Analysis on O365 Defender Explorer
Explorer is a powerful, near real-time tool to help Security Operations teams investigate and respond to threats. https://security.microsoft.com/threatexplorer

Explorer lets us search emails within the organisation and generate a report based on the selected filters. With this report, you can:
- See malware detected by Microsoft 365 security features
- View phishing URL and click verdict data
- Start an automated investigation and response process from a view in Explorer (Defender for Office 365 Plan 2 only)
- Investigate malicious email, and more
In this KB, we will look into how to investigate an email through Explorer once it has been reported to the phishing mailbox.
1. In the Microsoft 365 Defender portal at https://security.microsoft.com, go to Email & collaboration, and then choose Explorer.
2. Emails can be searched here based on common characteristics of the email (sender, subject, part of the subject, attachment, URL, etc.).
3. Usually emails are searched by sender email address or sender domain. For example, below we have selected Sender, provided the sender email address and selected a date range of the last 30 days (reference: INC0334770 | Incident | ServiceNow (service-now.com)):

4. With the sender address provided, we can see all incoming emails from that address to all MC users. We can widen the search by filtering on the domain only.
5. To analyse the email, click on the subject of the email. This opens the window below with the email details.

6. Once this window is open, select "Open email entity" (highlighted). This opens the email analysis page shown below:

7. On this page, further analysis of the email can be done by clicking the different tabs at the top. In the top right corner there is a three-dot (…) menu that allows you to download the email. If the email was not sent as an attachment to the phishing mailbox, this comes in handy because the downloaded email can be submitted to the Anyrun sandbox.

8. Email analysis can be done by clicking the Analysis tab at the top, which provides Threat Detection Details, Email detection details, Sender Recipient Details and Authentication (email authentication). From these details it can be determined whether the email was delivered because of an MC mail flow rule, whether the sender passed email authentication (SPF, DKIM, DMARC), etc. Based on these details a potential threat can be identified.

9. On the left windowpane the email header is shown in plain text; it can be copied and analysed in email header analysis tools.

10. Based on all of the above analysis in Explorer, together with the sandbox result, it can be determined whether the email is a threat to MC or not. The Explorer page can also be used for soft deletion of the email. Follow KB Cyber Security - Email Purge in O365 Security Centre | ServiceNow (service-now.com)
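The header copied from the left pane (step 9) and the authentication details from the Analysis tab (step 8) can also be triaged with a short script. The following is an added example and is not part of this KB or of Microsoft's tooling: it uses the Python standard library to pull the SPF, DKIM and DMARC verdicts from the Authentication-Results header, compares the visible From domain with the Return-Path (envelope sender) domain, and lists the Received hops in delivery order. The header, domains and IP addresses in the sample are constructed placeholders.

```python
"""Triage a raw email header copied from the Explorer email entity page.

Added example for this KB, not Microsoft's code. The SAMPLE_HEADER below is
constructed for illustration; the domains, IPs and Message-ID are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header (placeholder domains / IPs, not real data).
SAMPLE_HEADER = """\
Received: from mail.example-relay.test (203.0.113.10) by
 outlook.office365.com with Microsoft SMTP Server; Mon, 1 Jan 2024 10:00:02 +0000
Received: from sender-host.invalid (198.51.100.7) by
 mail.example-relay.test; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.7)
 smtp.mailfrom=bulkmailer.invalid; dkim=none (message not signed)
 header.d=none; dmarc=fail action=none header.from=mc.example.test
Return-Path: <campaign@bulkmailer.invalid>
From: "IT Helpdesk" <helpdesk@mc.example.test>
To: user@mc.example.test
Subject: Password expiry notice
Message-ID: <constructed-1@bulkmailer.invalid>

"""


def auth_results(msg):
    """Return the spf/dkim/dmarc verdicts found in Authentication-Results."""
    raw = " ".join(msg.get_all("Authentication-Results", []))
    raw = re.sub(r"\s+", " ", raw)  # unfold the header before matching
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", raw)
        verdicts[method] = m.group(1).lower() if m else "missing"
    return verdicts


def domain_of(addr):
    """Extract the lower-cased domain part of a header address value."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def sender_alignment(msg):
    """Compare the displayed From domain with the Return-Path (envelope) domain."""
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "aligned": bool(from_dom) and from_dom == rp_dom}


def received_hops(msg):
    """Received headers are prepended by each hop; reverse them for origin-first order.

    Each hop is returned as (from_host, from_ip, by_host).
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", value)
        m = re.match(r"from (\S+) \(([\d.]+)\) by ([^\s;]+)", value)
        hops.append((m.group(1), m.group(2), m.group(3)) if m else (value, "", ""))
    return hops


def triage(raw_header):
    """Combine the checks into one result with human-readable findings."""
    msg = message_from_string(raw_header)
    auth = auth_results(msg)
    align = sender_alignment(msg)
    findings = [f"{m.upper()} verdict is '{v}'" for m, v in auth.items() if v != "pass"]
    if not align["aligned"]:
        findings.append(f"From domain {align['from_domain']} differs from "
                        f"Return-Path domain {align['return_path_domain']}")
    return {"auth": auth, "alignment": align, "hops": received_hops(msg),
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    result = triage(SAMPLE_HEADER)
    for hop in result["hops"]:
        print("hop:", hop)
    for finding in result["findings"]:
        print("finding:", finding)
    print("suspicious:", result["suspicious"])
```

Paste the header text copied from Explorer into `triage()` in place of `SAMPLE_HEADER`; the findings list is the same set of questions the Analysis tab answers (did SPF/DKIM/DMARC pass, and does the visible sender match the envelope sender), which makes it a quick way to document the verdict in the incident ticket.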
URL clicks
- If we know the phishing URL, it can be added in the filter section to check whether it has been clicked, or URL clicks can be checked while analysing the email as described above.

- If the URL has been clicked, it is displayed under the "URL Clicks" tab in the table:

- When a link in the table is clicked, a detail pane is displayed showing the click time of the link and how many users clicked on it.

Note: In the example above we are using the MC URL as a test, but in a real case, if we see any clicks on a phishing or otherwise bad link, revoke the user's Azure session, reset the user's password and run a full AV scan on the user's machine.
Along with email analysis from a phishing perspective, Explorer can be used for other email analysis, e.g. when a user can't receive email from a certain sender, to remove emails from quarantine, or to check mail flow.
Microsoft KBs:
Views in Threat Explorer and real-time detections | Microsoft Learn
Microsoft Defender for Office 365 security documentation | Microsoft Learn
Safeguard your organization with Microsoft Defender for Office 365 (cloudguides.com) (slightly outdated, but the functionality is the same)