The Microsoft 365 Threat protection status report consolidates several Exchange Online security reports that describe malicious messages detected by Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (formerly Office 365 ATP). This article gives an overview of the Threat protection status report and shows how to use each of its views in an investigation.

Note that Microsoft Defender for Office 365 has other reports, such as Safe attachment file types, Safe attachment message disposition, and Malware detected in email. These three reports will be retired in July 2021, after which their data will only be available as part of the Threat protection status report.

Exploring reports and views

The Threat protection status report has four different views. Each view is a different cut of the same detection data and is useful for a different kind of investigation. The screenshot shows the default view that loads when the report is opened.

Overview of the Microsoft 365 Threat protection status report

The report can pull at most 90 days of data. Color codes distinguish email malware, email phishing, and content malware (malicious files detected in SharePoint, OneDrive, and Teams). Each data point represents one day; hovering the mouse over it shows the number of malware and phishing emails detected on that day.

You can filter the results by timeframe and by the type of suspicious content detected.
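The same aggregate data is available from Exchange Online PowerShell, which is handy when you want the counts behind the Overview without clicking through the portal. The following is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that your account holds a role allowed to read security reports, and that the 90-day cap of the portal report also applies to the cmdlet.

```powershell
# Added example (not from the article): reproduce the Overview counts with
# Get-MailTrafficATPReport. Assumes the ExchangeOnlineManagement module and
# a role that can read security reports.
Connect-ExchangeOnline

# The portal caps the report at 90 days; assume the same window here.
$end   = Get-Date
$start = $end.AddDays(-90)

# One row per day, detection technology and action for inbound mail.
$daily = Get-MailTrafficATPReport -StartDate $start -EndDate $end `
            -Direction Inbound -AggregateBy Day -PageSize 5000

# Totals per detection technology (the report's "detection technology" pivot).
$daily |
    Group-Object EventType |
    ForEach-Object {
        [pscustomobject]@{
            EventType = $_.Name
            Messages  = ($_.Group | Measure-Object MessageCount -Sum).Sum
        }
    } |
    Sort-Object Messages -Descending |
    Format-Table -AutoSize

# Busiest days, i.e. the spikes you would see in the Overview chart.
$daily |
    Group-Object Date |
    ForEach-Object {
        [pscustomobject]@{
            Date     = $_.Name
            Messages = ($_.Group | Measure-Object MessageCount -Sum).Sum
        }
    } |
    Sort-Object Messages -Descending |
    Select-Object -First 5
```

Narrow the window with -StartDate/-EndDate, or pass -EventType to keep only one detection technology, to mirror the portal filters.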

Filters for the Threat protection status report

This view also includes a section called Top insights & recommendations. Days that produced an insight are marked with a red triangle on the chart, indicating a notable spike or incident on that day. Click the triangle to view the details.

Malware insights

Top insights recommendations

This window shows the users who were most targeted by malware campaigns (not shown in the screenshot).

Treat these accounts as high-risk: confirm that they are protected by multifactor authentication so that a successful lure does not turn into an account takeover, and review the anti-malware policies that apply to them.

Malware campaign insight

Email Phishing

This view shows the emails that were detected as phishing attempts. The following subsections cover the ways the view classifies them.

Detection technology

Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MDO) each use several techniques to scan for and detect malicious emails and content. In the Email > Phish view, the detected emails are grouped by the technology that found them.

Detection technology

You can see several MDO detection techniques, such as URL detonation reputation, file detonation, user and domain impersonation, and campaigns, among others. EOP detection techniques, such as URL malicious reputation, intra-org and external domain spoofing, file reputation, and DMARC spoofing, are shown as well. Microsoft's documentation describes each technology in detail.

You can filter the view by clicking the Filters option and choosing between the EOP and MDO detection techniques, the timeframe for the data, and recipients (if any).

Filtering by EOP and MDO

Policy type

Microsoft 365 provides a set of security policies that can be defined to suit your organization's requirements. These policies are also responsible for the actions taken on emails deemed malicious.

Policy type

As seen in the screenshot, this view tells you which policy type (anti-phishing, anti-spam, anti-malware, Safe Attachments, and so on) handled each message, which lets you decide whether the configured action needs to change. Each policy has a distinct purpose and its own set of settings; Microsoft's documentation describes them.

Delivery status

The delivery status view reflects the actions configured in your policies: it shows where each detected email ended up. Depending on your policies, emails may be delivered to the Junk Email folder or quarantined, or delivery may fail. Some emails may also be delivered to the Inbox.

Delivery Status

On-premises server: Delivered denotes emails that were handed off to your on-premises Exchange servers for delivery, as in a hybrid deployment. The delivery statuses give you investigation starting points. For example, if many emails were delivered to the Inbox despite being detected as malicious, open the View details table, locate those emails, and find out why.

Email malware

This view shows you all the emails that contain malicious attachments.

Email malware by detection policy

The report is further organized based on detection technology, policy type, and delivery status. See the previous sections in this article for a description of these views.

If you notice that a user is being sent several malicious attachments, investigate further. First, check the delivery status view to see whether these emails reached the user's mailbox or were quarantined. Next, click the View details table option in this report and select the email in question. This gives you the message ID, which you can then use to trace the email in Threat Explorer.
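The same investigation can be scripted so that it is repeatable for every user the Malware campaign insight names. The following is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module, a role that can read the ATP reports and run message traces, a placeholder recipient address, and that the Action values returned by Get-MailDetailATPReport contain the words "Quarantin" or "Block" for messages that never reached the mailbox (an assumption, hence the loose pattern match).

```powershell
# Added example (not from the article): malware detections for one recipient,
# with the action taken, followed by a message trace for anything that was
# not quarantined or blocked. Recipient address is a placeholder.
Connect-ExchangeOnline

$recipient = 'alice@contoso.com'          # placeholder, replace
$end       = Get-Date
$start     = $end.AddDays(-7)

# Detection technologies that correspond to the Email malware view.
$malwareTech = 'Anti-malware engine', 'File detonation',
               'File detonation reputation', 'File reputation'

# 1. Pull the detail rows for this recipient and keep the malware verdicts.
$hits = Get-MailDetailATPReport -StartDate $start -EndDate $end `
            -RecipientAddress $recipient -Direction Inbound -PageSize 5000 |
        Where-Object { $_.EventType -in $malwareTech }

$hits |
    Select-Object Date, SenderAddress, Subject, FileName, MalwareName, EventType, Action |
    Format-Table -AutoSize

# 2. Anything that was not quarantined or blocked gets a message trace so you
#    can see where it actually went. Assumption: action text contains
#    "Quarantin"/"Block" for the safe outcomes.
$delivered = $hits | Where-Object { $_.Action -notmatch 'Quarantin|Block' }

foreach ($m in $delivered) {
    Get-MessageTrace -MessageId $m.MessageId -StartDate $start -EndDate $end |
        Select-Object Received, SenderAddress, RecipientAddress, Status, Subject
}
```

The message ID printed by the first step is the same one you would paste into Threat Explorer; the trace in the second step confirms the final delivery location without leaving the shell.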

System override

The system override view is a recent addition and provides a pivotal piece of information about your tenant. It lists every email that Microsoft 365 detected as malicious but still delivered to a user's mailbox because an allow entry in your tenant overrode the verdict. If you have allowed (whitelisted) the sender address or domain in EOP, or the user has added it to their safe senders in the user-level Junk Email settings, the spam and phishing verdict is overridden and the message lands in the mailbox.

As you can imagine, this is a dangerous situation. It only takes one allowed domain to be spoofed or compromised for phishing to reach users unfiltered, which can be the first step of a bigger attack. Entries in this view should prompt you to investigate and, where appropriate, remove the address or domain from the allow list.

System override

As seen in the screenshot, there are several reasons an email can bypass the tenant's security measures, including IP allow, organization allowed senders and domains, and user safe senders and domains. You can get the list of these emails by clicking the View details table option.

Because this override information is not shown in message trace output or in Threat Explorer searches, you should check this report regularly and close the loopholes it reveals.
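Once the details table has told you which sender slipped through and why, the next step is to find the allow entry itself. The following is an added example, not code from the original article; it walks the three override sources named above (IP allow list in the connection filter policy, allowed senders and domains in the anti-spam policies, and the recipient's own safe senders) with the standard Exchange Online cmdlets. The sender, domain, and mailbox values are placeholders, and the list entries are compared on their string form because the exact object type returned for the allow lists is not assumed.

```powershell
# Added example (not from the article): locate and, once investigated, remove
# the allow entry behind a System override row. Sender/mailbox are placeholders.
Connect-ExchangeOnline

$sender  = 'billing@partner.example'      # placeholder, from the details table
$domain  = $sender.Split('@')[1]
$mailbox = 'alice@contoso.com'            # placeholder recipient

function Test-AllowEntry {
    # Allow lists may hold strings or address objects; compare on string form.
    param([object[]]$List, [string]$Value)
    foreach ($entry in $List) {
        if ("$entry" -like "*$Value*") { return $true }
    }
    return $false
}

# "IP allow": the connection filter policy.
Write-Host 'IP allow list:'
(Get-HostedConnectionFilterPolicy -Identity Default).IPAllowList

# "Organization allowed senders and domains": check every anti-spam policy.
Get-HostedContentFilterPolicy | ForEach-Object {
    [pscustomobject]@{
        Policy        = $_.Name
        SenderAllowed = Test-AllowEntry $_.AllowedSenders $sender
        DomainAllowed = Test-AllowEntry $_.AllowedSenderDomains $domain
    }
} | Format-Table -AutoSize

# "User safe sender and domain": the recipient's Junk Email configuration.
$userSafe = (Get-MailboxJunkEmailConfiguration -Identity $mailbox).TrustedSendersAndDomains
$userSafe | Where-Object { $_ -eq $sender -or $_ -eq $domain }

# Removal after investigation (shown for the Default policy and the one user).
# Set-HostedContentFilterPolicy -Identity Default -AllowedSenders @{Remove=$sender}
# Set-HostedContentFilterPolicy -Identity Default -AllowedSenderDomains @{Remove=$domain}
# Set-MailboxJunkEmailConfiguration -Identity $mailbox -TrustedSendersAndDomains @{Remove=$sender}
```

The removal lines are left commented out on purpose: decide per entry whether the allow rule was legitimate before deleting it, since a business partner's mail may start being filtered once it is gone.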

Extracting reports

Let's see how to export the data behind the views discussed in this article. In every view of this report except Overview, you will find the View details table option, as shown below.

Extracting reports

This will display a detailed report.

Viewing a report

You can export the entire report for further investigation in Excel by clicking the Export option. There are two options for exporting a report like this.

The first is the aggregate report type. This is useful if you only want the count of emails based on specific criteria.


Export conditions

An example of the aggregate report type.

Aggregate report type

If you want to see all the details, choose the detailed report type. The catch is that a detailed export covers only one day. To get a detailed report for a week, you have to run the export seven times, once per day. Microsoft could make administrators' lives easier here by allowing a multi-day detailed export.
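Until that happens, the one-day limit is easy to work around from PowerShell. The following is an added example, not code from the original article; it pulls the detailed rows one day at a time with Get-MailDetailATPReport, pages through each day in case a day returns more than one page, and writes everything to a single CSV. It assumes the ExchangeOnlineManagement module, a role that can read the ATP reports, a placeholder output path, and that 5000 is the largest page size the cmdlet accepts.

```powershell
# Added example (not from the article): a week of detailed detection rows,
# fetched one day per call and merged into one CSV. Output path is a placeholder.
Connect-ExchangeOnline

$outFile  = 'C:\Reports\tp-status-detail.csv'   # placeholder, replace
$days     = 7
$pageSize = 5000                                # assumed maximum page size
$today    = (Get-Date).Date

$rows = foreach ($i in 1..$days) {
    $dayStart = $today.AddDays(-$i)
    $dayEnd   = $dayStart.AddDays(1).AddSeconds(-1)   # 00:00:00 to 23:59:59

    # Page through the day; a full page means there may be more rows.
    $page = 1
    do {
        $batch = @(Get-MailDetailATPReport -StartDate $dayStart -EndDate $dayEnd `
                    -Direction Inbound -Page $page -PageSize $pageSize)
        $batch            # emit the rows into $rows
        $page++
    } while ($batch.Count -eq $pageSize)
}

$rows |
    Select-Object Date, MessageId, SenderAddress, RecipientAddress, Subject,
                  EventType, Action, FileName, MalwareName |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

'{0} rows written to {1}' -f @($rows).Count, $outFile
```

Open the CSV in Excel and pivot on EventType or Action to get the same breakdowns the portal views show, but for the whole week at once.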

The screenshot below shows a daily report with a lot of information that might point you in the right direction in your investigations or simply educate you about how malicious emails are being handled in the tenant.


Detailed report type

Apart from this, you can use the Request report option for a customized report. These, however, can only be run when you have a specific network message ID. If you want to schedule reports, click Create schedule.

© 4sysops 2006 - 2021