Reports in the new Microsoft 365 Defender portal
The new security center, also called the M365 Defender portal, contains email-related reports as well. We will cover these in this section. The email reports are found on the Reports tab under the Email & Collaboration Reports section.
Mail flow status summary
As an Exchange admin, you'll appreciate a bird's-eye view of the overall email situation in your tenant. This report provides that in several ways. In the screenshot here, you see email flow broken down by type, such as malware, good email, spam, and others.
If, for instance, you want to know the trend of spam emails in your tenant over the past 7 days, you can get the statistics here.
URL threat protection
URL threat protection is a feature of Defender for Office 365. This report tracks all suspicious URLs in emails. Some users may still click through the Defender warning to a potentially malicious site if Safe Links is configured to allow that. Such instances are also captured in this report.
This report gives you a clear picture of the following:
- Which types of malicious URLs are being sent to your tenant.
- How your users interact with such URLs.
- Which URLs can be blocked directly.
You can export this data to Excel; however, Microsoft supports detailed data export for the duration of only one day. Hopefully, this limitation will be removed in the future.
Top malware report
This report displays the types of malware encountered the most in your tenant. You get a pie chart representation of this information as well as the option to export the same to Excel.
The following are the reasons for looking at this report:
- Once you know the major types of malware attacking your tenant, you can take action to block them.
- You can also create related attack simulations to train your users against malware and malicious email.
- Engage the Security Operations Center (SOC) team to delve deeper into the impact of such malware on email accounts and their devices, such as laptops.
This report is critical in terms of security. It lists instances of spoofed emails from various domains.
The main purposes of this report are as follows:
- Identify the domains that are being spoofed to send emails to your users.
- Understand the nature of spoofed emails.
- Create attack simulations to train your users against spoof emails.
The report divides the emails into sections depending on the result of the SPF check, namely pass, fail, softfail, and others.
Let's break down this report further to understand the meaning of each heading.
- Date: Every spoofed domain is recorded daily.
- Spoofed user: The domain that the sender spoofed or tried to spoof.
- Sending Infrastructure: The environment the sender used to spoof a domain. For example, you might receive an email that tries to spoof a domain such as abc.com but was actually sent from an Outlook.com address. In that case, the sending infrastructure is outlook.com.
- Spoof Type: Indicates whether Exchange Online Protection detected the email as external or internal.
- Result: Microsoft uses composite authentication as an aggregate of the results of the SPF, DMARC, and DKIM tests on an email. You can refer to this article for more information.
- Result Code: The code of the composite authentication result.
- SPF/DMARC/DKIM: Results of each of these checks.
- Message Count: Number of emails for a spoofed domain on specific days.
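The export of this report can be triaged offline by its columns. The following is an added example, not part of the original article or a Microsoft tool: it reads a constructed CSV that uses the column headings listed above, keeps the rows where composite authentication did not pass, ranks the sending infrastructures by spoofed message volume, and singles out internal spoof attempts that failed SPF.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a spoof detections export. The headings are the report's
# columns described above; the domains, IP and counts are made-up sample values.
SAMPLE_EXPORT = """\
Date,Spoofed user,Sending Infrastructure,Spoof Type,Result,Result Code,SPF,DMARC,DKIM,Message Count
2022-08-01,contoso.example,outlook.com,External,fail,1,fail,fail,none,42
2022-08-01,contoso.example,mail.partner.example,External,pass,0,pass,pass,pass,300
2022-08-01,contoso.example,203.0.113.7,Internal,fail,1,fail,none,none,8
2022-08-02,contoso.example,outlook.com,External,fail,1,fail,fail,none,17
"""


def load_rows(text):
    """Parse the export into one dict per row, keyed by column heading."""
    return list(csv.DictReader(io.StringIO(text)))


def failed_spoofs(rows):
    """Rows whose composite authentication Result is anything other than pass."""
    return [r for r in rows if r["Result"].strip().lower() != "pass"]


def volume_by_infrastructure(rows):
    """Total Message Count per sending infrastructure for failed rows, noisiest first."""
    totals = defaultdict(int)
    for r in failed_spoofs(rows):
        totals[r["Sending Infrastructure"]] += int(r["Message Count"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def internal_spoofs(rows):
    """Failed rows where an external sender posed as one of your own users and SPF failed."""
    return [
        r for r in failed_spoofs(rows)
        if r["Spoof Type"].strip().lower() == "internal" and r["SPF"].strip().lower() == "fail"
    ]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_EXPORT)
    for infra, count in volume_by_infrastructure(rows):
        print(f"{infra:25} {count:>6} spoofed messages failed authentication")
    for r in internal_spoofs(rows):
        print("internal spoof:", r["Date"], r["Spoofed user"], "via", r["Sending Infrastructure"])
```

The same functions work on a real export as long as the column headings match; rename the keys if your tenant's export uses different labels.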
The report displays the names of accounts that are potentially compromised. It can be useful to:
- Detect compromised accounts
- Identify compromised accounts in the initial phase to limit or stop the attack
There are various reasons an account may be marked as suspicious or restricted. If an account sends a few malicious emails, it may be marked as suspicious. The account can still be accessed; however, it's at risk of being suspended or restricted. As an admin, you can start your checks at this stage to prevent any major damage.
If an account's sending behavior shows abnormalities, such as a high number of potentially malicious emails, it can be restricted from sending any further emails. Note that Microsoft 365 has its own throttling limits; however, this feature may take effect well before those are reached, to limit the scope of the damage.
You can schedule alerts to be sent for such instances via the Policies and Rules tab in the M365 Defender portal. The alert name is User restricted from sending email.
Exchange transport rule
Microsoft 365 tenants can have several transport rules. This may raise the question of how many emails are being processed by which rule. This report shows precisely this information and can prove useful in more ways, as summarized below:
- Understand which rules are redundant
- Identify rules that are not working or are obsolete
Here, the rules can be further categorized based on the direction of the emails: inbound or outbound. You can also scope your report to display emails from specific senders, recipients, and dates. The report can be exported or even scheduled.
Reports in the old security center
At present, there are two security centers in the Microsoft 365 portal. The existing security center, called the Security & Compliance Center, can be accessed via this link. Let's explore the mail flow reports available here.
Mail flow map
This is, as the name suggests, a map of the entire mail flow in your tenant. It is particularly useful for giving people a bird's-eye view of the mail flow in your Microsoft 365 space. In the screenshot here, you can see the breakdown of the emails sent and received by this tenant. If you hover your mouse over the individual sections, you will see the email count.
Things get more graphical when you select the Detail view in the Show Data for dropdown. The part of the graph to the left of O365 shows the emails originating from external sources and hitting your Microsoft 365 tenant. External sources could be from your partners, your on-premises Exchange servers, and the internet in general.
Details to the right of O365 are the emails that were sent from your Microsoft 365 tenant to external recipients. This view of the report is a bit more granular compared to the Overview.
Apart from the pictorial representation, you can also view all of this in tabular format. Click View details table to change the data mode.
The tabular view of the data appears, as shown below. It shows the direction of the email and the count of that type. Click View Report to go back to the graphical mode of display.
It is always good to have such information in Excel for further analysis. To export the data to Excel, click Request Report.
Top domain mailflow status insight
All the accepted domains in your tenant are listed here. It displays domain name, existing and previous MX records, domain status, and whether the domain received any emails in the last two hours. This is supposed to be a summary. However, the fact that it doesn't allow you to export the details to Excel makes it ineffective.
In addition, it does not display the information in tabular form; hence, you cannot view all the details in one go.
A far better alternative to this is the Top domain mailflow status report in the Exchange Admin Center. Check this link for more details.
Outbound and inbound mailflow
This report showcases the percentage of emails sent and received by your tenant using TLS encryption. This report can be particularly useful for understanding the usage of TLS in your tenant.
The report is displayed as follows:
The TLS 1.0 and 1.1 versions have been deprecated in Microsoft 365; hence, this report comes in handy when you start working on reducing and eventually stopping the use of these deprecated TLS versions. Please refer to this link to read more about the deprecation of TLS 1.0 and 1.1 in Microsoft 365. Click here to learn more about preparing your environment for TLS 1.2.
There is also another report investigating the use of these protocols. We will look at this in the next section.
Apart from Microsoft 365, TLS will be used in the emails sent and received between your on-premises Exchange servers and your cloud tenant. This can be tracked by looking at the connectors. And that's where the Connector report proves insightful.
Here, you will see a graphical representation of TLS email traffic.
You can export the report in an Excel file as an aggregate; it appears as follows:
Alternatively, you can request a detailed report by clicking Export and selecting the detailed type report. Here, you will see which connectors are sending emails with the TLS protocol versions each day. The same information can be viewed in the GUI by clicking View details table.
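To track the move away from TLS 1.0 and 1.1 per connector, the detailed export can be summarized offline. The following is an added example, not from the article or from Microsoft: it reads a constructed CSV and computes, per date and connector, the share of messages still on deprecated TLS versions or on no TLS at all. The column names (Date, Connector, Direction, TLS version, Message count) are an assumption made for this example; compare them with your own export before reusing the code.

```python
import csv
import io
from collections import defaultdict

DEPRECATED_TLS = {"TLS1.0", "TLS1.1"}  # versions Microsoft 365 has deprecated

# Constructed sample of a connector report detailed export. Column names are an
# assumption for this example; connector names and counts are made up.
SAMPLE_EXPORT = """\
Date,Connector,Direction,TLS version,Message count
2022-08-01,Inbound from on-prem,Inbound,TLS1.2,950
2022-08-01,Inbound from on-prem,Inbound,TLS1.0,50
2022-08-01,Outbound to on-prem,Outbound,TLS1.2,400
2022-08-02,Inbound from on-prem,Inbound,TLS1.2,980
2022-08-02,Inbound from on-prem,Inbound,TLS1.1,20
2022-08-02,Partner gateway,Inbound,No TLS,5
"""


def deprecated_share(text):
    """Per (date, connector): total messages and the percentage sent over
    deprecated TLS versions or with no TLS at all."""
    totals, deprecated, cleartext = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in csv.DictReader(io.StringIO(text)):
        key = (r["Date"], r["Connector"])
        n = int(r["Message count"])
        totals[key] += n
        version = r["TLS version"].replace(" ", "").upper()  # "TLS 1.0" -> "TLS1.0"
        if version in DEPRECATED_TLS:
            deprecated[key] += n
        elif not version.startswith("TLS"):  # e.g. "No TLS"
            cleartext[key] += n
    return {
        key: {
            "total": totals[key],
            "deprecated_pct": round(100 * deprecated[key] / totals[key], 1),
            "cleartext_pct": round(100 * cleartext[key] / totals[key], 1),
        }
        for key in totals
    }


def connectors_to_fix(text):
    """Connectors that moved any message over TLS 1.0/1.1 or without TLS."""
    shares = deprecated_share(text)
    return sorted({c for (_, c), s in shares.items() if s["deprecated_pct"] or s["cleartext_pct"]})


if __name__ == "__main__":
    for (day, conn), s in sorted(deprecated_share(SAMPLE_EXPORT).items()):
        print(f"{day} {conn:22} total={s['total']:>5} deprecated={s['deprecated_pct']}% no-TLS={s['cleartext_pct']}%")
    print("connectors to fix:", connectors_to_fix(SAMPLE_EXPORT))
```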
This is one of the lesser-known reports in Microsoft 365. It displays the number of emails queued up in your tenant. If you see more than 100 or 200 emails queued up here, it may indicate a mail flow issue.
You can click on the number of emails queued and get more details, as seen below.
In the screenshot above, you can click the number of queued messages to get the list of emails in question. The list is displayed as follows:
Again, you can select each email to investigate why it is queued up. In this example, you can see that the external recipient's organization does not have a valid certificate, which is causing the email to be queued up in Microsoft 365.
The external organization's certificate is invalid, causing the email to be queued up in the sender's Microsoft 365 tenant
The revamp of the security center in the Microsoft 365 Defender portal serves administrators well. Effective use of these reports will result in a better understanding of the email traffic in your tenant.
Thanks for the good info. Microsoft’s ever-changing nature presents a challenge (and a rabbit-hole of searching).
In reviewing mail status, we trigger the stock monthly email & collaboration report. (Using Defender for O365 Plan 1 policy defaults). Most data is obvious (Edge Block Spam, Good Mail, Malicious URL etc.) but there’s a column labeled ‘others’ – in our case tallying as much as 10% of total volume.
Any idea what that is? (and are these messages delivered? quarantined? bit-bucketed? returned to sender?)
Your expertise appreciated.
This is indeed an ambiguous data field. I will check and let you know.