In my last post, I outlined how you can identify malicious items in Microsoft 365 Threat Explorer. In today's post, we'll look at the actions you can take once you have found suspicious emails.

Taking action on suspicious emails

Now that you have investigated the suspicious emails, it's time to act. Explorer offers the following groups of actions for bulk email:

  • Move and Delete
  • Track and Notify
  • Start New Submission

Let's review them all.

Move and delete

This is the most common path: your investigation has reached a verdict, and you want to move or remove the messages. There are five different actions you can take.

Move to Junk Folder

This is the least aggressive option. The selected emails are moved to each recipient's Junk Email folder. Users are not notified, but they can still open the messages there, so this is a poor fit for emails whose links or attachments are still live.

To do this, select all the emails and click Actions > Move to junk folder.

Move to Junk Folder

You are then prompted to enter a name for this remediation (as Microsoft calls it). Give it a name and click Next.

Name your remediation

On the following screen, choose a severity (Low, Medium, or High). The severity is a label stored with the remediation and shown next to it in the Action center; use it to classify the incident for your own tracking. It does not change how quickly the action is processed.

Choose the severity

On the final page, you can review your selections. The most important part of this page is the option to export the list of users whose mailboxes you are about to act on. Click Export to get an Excel sheet for future reference; it's always good to attach this to your ticket or incident notes, because once the messages are gone it is the only record of who was affected.

Review settings

Then click Start to initiate the action. The remediation is queued, and you can follow its progress in the Action center.

Move to Deleted Items

This option moves the selected emails to the Deleted Items folder. Whether this is the right course of action depends on the severity of the issue and the policies in your organization.

Users can still view the emails in the Deleted Items folder.

Move to Deleted Items folder

Soft deletion

Here, the emails are moved to the Recoverable Items folder. The difference is that users do not see this folder directly; they must use Outlook's Recover Deleted Items option to get a message back, as described in Microsoft's documentation on recovering deleted items.

Soft delete

Hard deletion

This option deletes the email permanently; the user has no way to recover it. This is an aggressive approach and should be used only when you are certain that the emails in question are not needed, for example after a confirmed malicious campaign. Note that if the mailbox is under a litigation or eDiscovery hold, a copy is still retained for compliance purposes, but it is no longer reachable by the user.

Hard delete

Move to Inbox

Your investigation has led you to believe that the emails in question are legitimate. The Move to Inbox option lets you restore such emails, for example to undo an earlier remediation or to release a false positive that landed in Junk.

Move to Inbox
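The Move and delete remediations above can also be run from Security & Compliance PowerShell with a compliance search, which is useful when you want the same soft or hard delete scripted and logged. The following is an added example and not code from the original post or from Microsoft. It assumes the ExchangeOnlineManagement module is installed and the account holds the Search And Purge role; the sender address, subject, date and search name are placeholders.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumes: ExchangeOnlineManagement module installed, account holds the
# "Search And Purge" role. Sender, subject and date below are placeholders.
Connect-IPPSSession

$searchName = "Remediation-OverdueInvoice-$(Get-Date -Format 'yyyyMMdd-HHmm')"

# Same criteria you would use in Explorer, expressed as a KQL content query:
# sender address, subject, and a received-date floor so older mail is untouched.
$query = 'from:"billing@example.invalid" AND subject:"Overdue invoice" AND received>=2023-01-10'

New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $searchName

# Wait for the search to finish; bail out if it fails instead of looping forever.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
    if ($search.Status -eq 'Failed') { throw "Search $searchName failed" }
} while ($search.Status -ne 'Completed')
Write-Host "Matched $($search.Items) item(s)"

# Equivalent of the Export button on the Review page: record the affected
# mailboxes before you act, and keep the file with the ticket.
New-ComplianceSearchAction -SearchName $searchName -Preview | Out-Null
do {
    Start-Sleep -Seconds 10
    $preview = Get-ComplianceSearchAction -Identity "${searchName}_Preview"
} while ($preview.Status -ne 'Completed')
$preview.Results | Out-File ".\${searchName}-affected.txt"

# SoftDelete matches Explorer's "Soft deletion": items move to Recoverable Items
# and the user can still restore them. Use -PurgeType HardDelete for "Hard deletion".
# A purge action removes at most 10 items per mailbox, so for a large campaign
# re-run the purge until the search reports zero items.
New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete -Confirm:$false
```

The KQL query should be as narrow as the Explorer filter you verified: a subject alone will hit legitimate replies and forwards, so combine it with the sender and a date window before purging.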

Track and notify

If your aim is to hand the suspicious emails to Defender's automated investigation, or to route them to another admin or to the recipients, this path will help you. Note that these investigations run inside your tenant; they do not notify Microsoft.

Trigger investigation

Select the email you want the automated investigation to analyze, as shown here.

Trigger investigation 1

You can view the progress of the investigation on the Investigations tab, as seen here.

Investigation progress

Automated investigation and response (AIR) in Defender for Office 365 is a topic in its own right; see Microsoft's documentation for more on it.

Investigate sender

If you want to investigate only the sender, this option is useful. Starting an investigation of the entire email asks the automated investigation to analyze several aspects of the message (URLs, attachments, recipients, and so on).

You can restrict the investigation to the sender if you have reason to believe that the sender itself is malicious. Again, the results are displayed on the Investigations tab under Threat Management.

Investigate sender 1

Investigate sender 2

Investigate recipient

As with the sender, you can also initiate an investigation on a recipient. The options to start the investigation and then view the results and recommendations are the same.

Add to remediation

This option is useful when the admin doing the investigation does not have the rights to act on the emails. The admin adds the emails to a remediation container, and another admin with the required rights can then approve or reject the proposed actions, which gives you a two-person check on destructive remediations.

Add to remediation 1

Add to remediation 2

Add to remediation 3

Add to remediation 4

Contact recipients

End users can be contacted using this method. However, it's recommended to keep end-user communication to a minimum and to send it only once you know what you want them to do.

Contact recipients

Start new submission

This section has four options, as shown in the screenshot here.

Start new submission

Report clean

This is used to report any false positives to Microsoft. Its status can be followed on the Submissions tab under Threat Management.

Report phishing

Emails that are clearly attempts at phishing and have not been identified by Exchange Online Protection (EOP) can be marked as phishing emails and reported to Microsoft.

Report malware

You can report emails as malware to Microsoft so they can be analyzed.

Report spam

Likewise, emails can be reported as spam to Microsoft.

Tracking emails using different criteria

We have already seen that you can track emails using the Sender email address. The other commonly used criteria for tracking emails in Explorer are:

  • Recipients
  • Sender domain
  • Subject
  • Exchange transport rule
  • Connector
  • Delivery action

Apart from this, you can also track emails using some advanced queries. These include the following:

  • Network message ID
  • Internet message ID
  • Sender IP
  • Alert ID
  • Campaign ID

URL traces

Defender for Office 365 has a feature called Safe Links. Safe Links provides a layer of security to end users against malicious URLs in emails and other areas. You often have to identify the users who clicked on a specific URL or received an email with that URL. Such situations can be handled using the URL trace criteria in Explorer.

The different options are as follows:

URL—Here, you can paste the URL and search for all the emails that were delivered and that contained that URL.

URL traces

You can also search using URL domain, URL domain and path, and URL path.

The last option is to search using Click Verdict.

Here, you can search for emails with URLs that were blocked, blocked but overridden, or allowed, among others.

Click Verdict
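The tracking criteria and URL traces described above have PowerShell counterparts that are handy when you need to pivot across many recipients at once. The following is an added example, not code from the original post or from Microsoft: it pivots on an Internet message ID and a sender IP with Get-MessageTrace, keeps only delivered copies, and then asks Get-UrlTrace which of those recipients clicked the link. It assumes the ExchangeOnlineManagement module and a role that can run message trace; the message ID, IP address and URL host are placeholders, and the Get-UrlTrace output property names used at the end are assumed from the cmdlet's documentation and should be confirmed with Get-Member.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumes: ExchangeOnlineManagement module; message ID, IP and host are placeholders.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)   # Get-MessageTrace only covers the last 10 days
$end   = Get-Date

# 1. Internet message ID: taken from the headers of a reported sample.
$msgId  = '<20230110.batch-17@mail.example.invalid>'   # placeholder
$copies = Get-MessageTrace -MessageId $msgId -StartDate $start -EndDate $end -PageSize 5000

# 2. Sender IP: anything else from the same sending host in the window.
$fromIp = '203.0.113.45'   # placeholder (TEST-NET-3 range)
$sameIp = Get-MessageTrace -FromIP $fromIp -StartDate $start -EndDate $end -PageSize 5000

# Merge both pivots and drop duplicate (message, recipient) pairs.
$hits = @($copies) + @($sameIp) | Sort-Object MessageTraceId, RecipientAddress -Unique

# 3. Delivery action: only Delivered copies need remediation; Quarantined,
#    FilteredAsSpam and Failed never reached a mailbox.
$delivered = $hits | Where-Object Status -eq 'Delivered'
$delivered |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, FromIP |
    Export-Csv ".\trace-$fromIp.csv" -NoTypeInformation

# 4. Per-recipient hop detail for a few samples (transport rule and filter
#    verdicts show up here as individual events).
foreach ($m in ($delivered | Select-Object -First 5)) {
    Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId -RecipientAddress $m.RecipientAddress |
        Select-Object Date, Event, Action, Detail
}

# 5. URL trace: did any delivered recipient click the payload link?
#    Property names RecipientAddress, Url, ClickTime, ClickAction are assumed from
#    the cmdlet's documentation; verify with  Get-UrlTrace ... | Get-Member
if ($delivered.Count -gt 0) {
    $recipients = $delivered.RecipientAddress | Sort-Object -Unique
    $badHost    = 'login-update.example.invalid'   # placeholder
    Get-UrlTrace -StartDate $start -EndDate $end -RecipientAddress $recipients |
        Where-Object { $_.Url -like "*$badHost*" } |
        Select-Object RecipientAddress, Url, ClickTime, ClickAction
}
```

The delivered list from step 3 is the same population Explorer shows you under Delivery action, and it is the list you feed into a Move and delete remediation; the click results in step 5 tell you which of those users need follow-up beyond removing the email.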

2 Comments
  1. senthilkumar s 2 years ago

    How to migrate Gmail to Office 365, or is PST upload migration possible in any way? Kindly help me.

  2. Pavan 2 years ago

    Any idea about finding the version of Windows?

© 4sysops 2006 - 2023