- Configuring data loss prevention for email from the Compliance Center in Microsoft 365 - Fri, Dec 3 2021
- Mail flow reports in the Microsoft 365 Defender portal - Wed, Nov 24 2021
- Microsoft 365 mail flow reports in the Exchange Admin Center - Tue, Jul 20 2021
Notice that Microsoft Defender for Office 365 has other reports, such as Safe attachment file types, Safe attachment message disposition, and Malware detected in email. These three reports will be retired in July 2021 and will only be available as part of the Threat protection status report.
Exploring reports and views ^
The Threat protection status report has four different views. Each view represents a set of data that can be utilized in various investigations. The screenshot shows the default view that's loaded when the report is opened.
The maximum timeframe for which this report can pull information is 90 days. Color codes differentiate emails containing email malware, phishing attempts, and content malware. The bubbles represent the days, and hovering your mouse over each of them shows the total number of malware and phishing emails detected on that specific day.
You can filter the results to display information for a specific timeframe and based on the suspicious content detected.
This view also includes a special section called Top insights & recommendations. These are marked with a red triangle, which indicates a major incident on that day. Click it to view additional details.
This window shows the users who were most targeted by malware campaigns (not shown in the screenshot).
You should take protective measures here by checking whether these accounts use multifactor authentication. You should also review the corresponding antimalware policies.
This view shows us the emails that were detected as phishing attempts. I cover their classifications in the following subsections.
Both Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) use different techniques and algorithms to scan and detect malicious emails and content. In this view of Email > Phish, the detected emails are further grouped by the technology that found them.
You can see several MDO detection techniques, such as URL detonation reputation, file detonation, impersonation of user and domain, and campaigns, among others. In addition, EOP detection techniques, such as URL malicious reputation, spoofing intra-org and external domains, file reputation, and spoofing DMARC are shown. You can get detailed information here.
You can filter the view by clicking the Filters option and choosing between the EOP and MDO detection techniques, the timeframe for the data, and recipients (if any).
Microsoft 365 provides a set of security policies that can be defined to suit your organization's requirements. These policies are also responsible for the actions taken on emails deemed malicious.
As seen in the screenshot here, you can determine the applied policies and hence decide on the actions if you want to change them. Each policy has a purpose, and several factors are associated with it. You can read about the policies here.
The delivery status view is the sum of all the actions configured in the policies. It shows the location where the email was delivered. Depending on your policies, emails could be delivered to Junk folders or quarantined; alternatively, the delivery of the email can fail. Some emails may also be delivered to the Inbox folders.
On-premise Server: Delivered denotes the emails that originated from your local Exchange servers. These delivery statuses can help you investigate certain scenarios. For example, why are so many emails delivered to the Inbox despite being detected as malicious? You can go to the View details table option, check for these emails, and start your investigation.
This view shows you all the emails that contain malicious attachments.
The report is further organized based on detection technology, policy type, and delivery status. See the previous sections in this article for a description of these views.
If you notice a user being sent several malicious attachments, you can investigate it further. You must check whether these emails were delivered to the user's mailbox or to the quarantine. You will get this information from the delivery status view. Next, you can click the View details table option in this report, and then select the email in question. This provides you with the message ID, which can then be used to trace the email from Explorer.
The system override view was added only recently. It provides a pivotal piece of information about your tenant. All the emails that were detected by Microsoft 365 as malicious but were still allowed to be delivered to the users' mailboxes due to a policy in your tenant are displayed here. That is, if the sender address has been whitelisted (allowed) by you in EOP or by the end user in the user-level Junk email settings, then the email will bypass all the security mechanisms and be delivered to the user's mailbox.
As you can imagine, this is a dangerous situation and might even lead to a bigger attack if one of the whitelisted domains is used to send spam emails. This may even spur you to remove the email address or domain from the whitelist and launch an investigation.
As seen in the screenshot here, there could be multiple reasons for an email to bypass the tenant's security measures, such as IP allow, organization allowed senders and domains, user safe sender and domain, among others. You can get the list of these emails by clicking the View details table option.
The fact that this information is not provided in the message trace or even in Threat Explorer searches makes it critical for you to check this report regularly to plug the loopholes.
Extracting reports ^
Let's see how to explore the reports that we have discussed in the article. In every view of this report except Overview, you will notice the option View details table, as shown below.
This will display a detailed report.
You can export the entire report for further investigation in Excel by clicking the Export option. There are two options for exporting a report like this.
The first is the aggregate report type. This is useful if you only want the count of emails based on specific criteria.
An example of the aggregate report type.
However, if you want to look at all the details, choose the detailed report type. The only catch with this report is that it will display information for only one day. So, if you want to get a detailed report for a week, you will have to run this seven times, one for each day. Microsoft could have done better here and made life easier for administrators by allowing them to extract information for multiple days at the same time.
The screenshot below shows a daily report with a lot of information that might point you in the right direction in your investigations or simply educate you about how malicious emails are being handled in the tenant.
Subscribe to 4sysops newsletter!
Apart from this, you can also use the Request report option for a customized report. However, these can be run only when you have a specific network message ID. If you want to schedule the reports, you can do so by clicking Create schedule.