Mail flow reports in the Microsoft 365 Defender portal

• Author
• Recent Posts

Vignesh Mudliar

Vignesh has been working in the IT industry for the past 10 years. His main areas of focus are Microsoft 365, Exchange Online, PowerShell, Teams, SharePoint, Microsoft 365 Security, and GoLang. Follow his weblog.

Latest posts by Vignesh Mudliar (see all)

• Configure Quarantine Policies in Microsoft 365 - Fri, Aug 12 2022
• Data loss prevention policies (DLP) in Microsoft Teams - Mon, Jul 11 2022
• Configuring data loss prevention for email from the Compliance Center in Microsoft 365 - Fri, Dec 3 2021

Reports in the new Microsoft 365 Defender portal

The new security center, also called the M365 Defender portal, also contains email-related reports. We will cover these in this section. The email reports are found on the Reports tab under the Email & Collaboration Reports section.

Mail flow status summary

As an Exchange admin, you'll appreciate a bird's-eye view of the overall situation with regard to emails in your tenant. This report does so in several ways. In the screenshot here, you see a representation of email flow divided by type, such as malware, good email, spam, and others.

If, for instance, you want to know the trend of spam emails in your tenant over the past 7 days, you can get the statistics here.

Example of a mailflow summary report with the various types of email

URL threat protection

URL threat protection is a feature of Defender for Office 365. This report tracks all suspicious URLs in emails. Some users, despite the Defender warning, may still continue to a site that may be malicious if safe links are configured to allow that. Such instances are also captured in this report.

This report would prove pivotal in giving you a deep understanding of the following:

• Which type of malicious URLs are being sent to your tenant.
• How do your users interact with such URLs?
• Which URLs can be blocked directly?

URL threat protection graph showing the various threats it encountered each day

You can export this data to Excel; however, Microsoft supports detailed data export for the duration of only one day. Hopefully, this limitation will be removed in the future.

Example of a mailflow summary report with the various types of email 1

Top malware report

This report displays the types of malware encountered the most in your tenant. You get a pie chart representation of this information as well as the option to export the same to Excel.

The following are the reasons for looking at this report:

• Once you know the major types of malware attacking your tenant, you can take action to block them.
• You can also create related attack simulations to train your users against malware or email.
• Engage the Security Operations Center (SOC) team to delve deeper into the impact of such malware on email accounts and their devices, such as laptops.

Different types of malware and their counts

Spoof detection

This report is critical in terms of security. It lists instances of spoofed emails from various domains.

The main purposes of this report are as follows:

• Identify the domains that are being spoofed to send emails to your users.
• Understand the nature of spoofed emails.
• Create attack simulations to train your users against spoof emails.

The report divides the emails into sections depending on the results of the SPF check, namely, pass, fail, softpass, and others.

Let's break down this report further to understand the meaning of each heading.

• Date: Every spoofed domain is recorded daily.
• Spoofed user: The domain that the sender spoofed or tried to spoof.
• Sending Infrastructure: The environment used by the sender to spoof a domain. For example, maybe you receive an email trying to spoof a domain, such as abc.com; however, the email was sent from an Outlook.com address. So, in effect, the sending infrastructure here would be outlook.com.
• Spoof Type: Indicates whether Exchange Online Protection detected the email as external or internal.
• Result: Microsoft uses composite authentication as an aggregate of the results of the SPF, DMARC, and DKIM tests on an email. You can refer to this article for more information.
• Result Code: The code of the composite authentication result.
• SPF/DMARC/DKIM: Results of each of these checks.
• Message Count: Number of emails for a spoofed domain on specific days

The domains used to send spoofed emails to a Microsoft 365 tenant

Compromised users

The report displays the names of accounts that are potentially compromised. It can be useful to:

• Detect compromised accounts
• Identify compromised accounts in the initial phase to limit or stop the attack

The report states that two accounts are suspicious and one has been restricted

There could be various reasons for an account to be marked as suspicious or to restrict it. If an account sends a few malicious emails, it could be marked as suspicious. The account can still be accessed; however, it's at risk of being suspended or restricted. As an admin, you can initiate your checks at this stage to prevent any major damage.

If an account's email sending behavior shows any abnormalities, such as a high number of potentially malicious emails, then it could be restricted from sending any further emails. Do note that Microsoft 365 has its own throttling limits; however, this feature may come into effect much before that to limit the scope of the damage.

You can schedule alerts to be sent for such instances via the Policies and Rules tab in the M365 Defender portal. The alert name is User restricted from sending email.

Exchange transport rule

Microsoft 365 tenants can have several transport rules. This may raise the question of how many emails are being processed by which rule. This report shows precisely this information and can prove useful in more ways, as summarized below:

• Understand which rules are redundant
• Identify rules that are not working or are obsolete

Number of emails sent and received via transport rules

Here, the rules can be further categorized based on the direction of the emails: inbound or outbound. You can also scope your report to display emails from specific senders, recipients, and dates. The report can be exported or even scheduled.

Reports in the old security center

At present, there are two security centers in the Microsoft 365 portal. The existing security center, called the Security & Compliance Center, can be accessed via this link. Let's explore the mail flow reports available here.

Mail flow map

This is, as the name suggests, a map of the entire mailflow in your tenant. This can be particularly useful in providing people with a bird's eye view of the mail flow in your Microsoft 365 space. In the screenshot here, you can see the breakdown of the emails sent and received by this tenant. If you hover your mouse over the individual sections, you will see the email count.

Overview of the flow of emails in the tenant in the mailflow map

Things get more graphical when you select the Detail view in the Show Data for dropdown. The part of the graph to the left of O365 shows the emails originating from external sources and hitting your Microsoft 365 tenant. External sources could be from your partners, your on-premises Exchange servers, and the internet in general.

Details to the right of O365 are the emails that were sent from your Microsoft 365 tenant to external recipients. This view of the report is a bit more granular compared to the Overview.

Detailed view of the mailflow map

Apart from the pictorial representation, you can also view all of this in tabular format. Click View details table to change the data mode.

The tabular view of the data appears, as shown below. It shows the direction of the email and the count of that type. Click View Report to go back to the graphical mode of display.

Tabular view of the mailflow map

It is always good to have such information in Excel for further analysis. To export the data to Excel, click Request Report.

Top domain mailflow status insight

All the accepted domains in your tenant are listed here. It displays domain name, existing and previous MX records, domain status, and whether the domain received any emails in the last two hours. This is supposed to be a summary. However, the fact that it doesn't allow you to export the details to Excel makes it ineffective.

In addition, it does not display the information in tabular form; hence, you cannot view all the details in one go.

Top domain mailflow status insight

A far better alternative to this is the Top domain mailflow status report in the Exchange Admin Center. Check this link for more details.

Outbound and inbound mailflow

This report showcases the percentage of emails sent and received by your tenant using TLS encryption. This report can be particularly useful for understanding the usage of TLS in your tenant.

The report is displayed as follows:

Percentage of emails sent using TLS 1.1 and TLS 1.2

The TLS 1.0 and 1.1 versions have been deprecated in Microsoft 365; hence, this report comes in handy when you start working on reducing and eventually stopping the use of these deprecated TLS versions. Please refer to this link to read more about the deprecation of TLS 1.0 and 1.1 in Microsoft 365. Click here to learn more about preparing your environment for TLS 1.2.

There is also another report investigating the use of these protocols. We will look at this in the next section.

Connector report

Apart from Microsoft 365, TLS will be used in the emails sent and received between your on-premises Exchange servers and your cloud tenant. This can be tracked by looking at the connectors. And that's where the Connector report proves insightful.

Here, you will see a graphical representation of TLS email traffic.

Connector report displays the share of emails sent using TLS versions

You can export the report in an Excel file as an aggregate; it appears as follows:

Excel view of the Connector report with dates and counts

Alternatively, you can request a detailed report by clicking Export and selecting the detailed type report. Here, you will see which connectors are sending emails with the TLS protocol versions each day. The same information can be viewed in the GUI by clicking View details table.

Extract of a detailed connector report in Excel format

Mail queues

This is one of the lesser-known reports in Microsoft 365. It displays the number of emails queued up in your tenant. If you see more than 100 or 200 emails queued up here, it may indicate a mail flow issue.

Five emails queued in Microsoft 365

You can click on the number of emails queued and get more details, as seen below.

The Mail Queue report is shown in detail here along with the connectors and errors

In the screenshot above, you can further click on the number of queued messages number to get the list of emails in question. The list is displayed as follows:

Use the Queued Email Trace report to check each email and the reasons it has not moved out of the queue

Again, you can select each email to investigate why it is queued up. In this example, you can see that the external recipient's organization does not have a valid certificate, which is causing the email to be queued up in Microsoft 365.

The external organizations certificate is invalid causing the email to be queued up in the senders Microsoft 365 tenant

The external organization's certificate is invalid, causing the email to be queued up in the sender's Microsoft 365 tenant

Conclusion

The revamp of the security center in the Microsoft 365 Defender portal serves administrators well. Effective use of these reports will result in a better understanding of the email traffic in your tenant.