1.3 Remediate Risks with Microsoft Defender for Office 365

10-14 hours · Module 1 · Free

Remediate Risks with Microsoft Defender for Office 365

SC-200 Exam Objective

Domain 3 — Manage Incident Response: "Investigate and remediate threats by using Microsoft Defender for Office 365, including automatic attack disruption."

Introduction

Email is the #1 initial access vector. Over 90% of successful cyberattacks begin with a phishing email, a malicious attachment, or a business email compromise message. Microsoft Defender for Office 365 is the product that stands between these attacks and your users’ inboxes.

This subsection teaches you to investigate and remediate email-based threats using Defender for Office 365. You will learn how the product detects threats (Safe Links, Safe Attachments, anti-phishing policies), how to use Threat Explorer for email investigation, how to take remediation actions (purge emails, block senders, submit for analysis), and how Automated Investigation and Response (AIR) handles email threats.

Module 8 (not yet built) will cover the detailed configuration of these protection policies. This subsection focuses on investigation and response — what you do when a phishing email gets through.


[Figure: "Email protection layers — Defender for Office 365". Pipeline, left to right: Anti-Spam (EOP) → Anti-Malware (EOP) → Anti-Phishing (Impersonation + ML) → Safe Links (URL scanning) → Safe Attachments (Sandbox) → Inbox → ZAP]

Figure 1.5: Every inbound email passes through these protection layers sequentially. Orange-bordered layers are Defender for Office 365 features (P1+). Grey-bordered layers are included in EOP (all plans). ZAP acts post-delivery if the verdict changes.

How Defender for Office 365 detects threats

Defender for Office 365 evaluates every inbound email through multiple detection layers:

Layer | What it checks | What it catches
Anti-phishing (impersonation) | Display name similarity to protected users/domains, mailbox intelligence patterns | Executive impersonation, vendor impersonation, domain lookalikes
Safe Links | URLs rewritten and scanned at time of click | Malicious URLs, delayed-activation phishing pages
Safe Attachments | Attachment detonated in a sandbox VM | Zero-day malware, macro-based malware
Anti-spam / anti-malware | Sender reputation, content patterns, known malware signatures | Bulk spam, known malware families
Zero-Hour Auto Purge (ZAP) | Post-delivery re-evaluation when the verdict updates | Threats that passed initial scanning but were later identified

When detection fires, it generates an alert that flows into the Defender XDR incident queue. A phishing campaign targeting multiple users may generate multiple email alerts that XDR correlates into a single incident.

[Figure: "Threat Explorer — email investigation interface". Tabs: All email, Malware, Phish, Campaigns, URL clicks. Histogram of email volume over 24 hours, legend: Delivered, Blocked, Junked. Table columns: Sender, Recipient, Subject, Delivery, Detection. Sample rows: support@northgate-voicemail.com → j.morrison@northgateeng.com, "New voicemail from +44...", Delivered, URL reputation; support@northgate-voicemail.com → s.patel@northgateeng.com, "New voicemail from +44...", Blocked, Anti-phishing. Footer: 23,459 items]
Figure: Threat Explorer (Email & collaboration → Explorer) showing the All Email view. The histogram shows email volume by delivery action over time. The table below shows individual emails with sender, recipient, subject, delivery action, and detection technology. Use this interface to scope phishing campaigns and take bulk remediation actions.

Threat Explorer — the email investigation interface

Threat Explorer (Email & collaboration → Explorer) is the primary tool for email investigation. It provides:

  • All Email view: Every email processed by the tenant, with delivery action, threat verdict, and detection details
  • Phish view: Emails classified as phishing, with sender analysis and campaign clustering
  • Malware view: Emails with malicious attachments
  • URL clicks view: Which users clicked which URLs, with Safe Links verdict

Using Threat Explorer for a phishing investigation

Scenario: An incident contains a phishing alert. You need to determine the campaign scope — how many users received the email, how many were delivered, and how many clicked.

Step 1: In Threat Explorer, filter by sender domain (e.g., northgate-voicemail.com) and time range.

Step 2: The results show every email from that domain. Key columns:

  • Delivery action: Delivered, Blocked, Junked, Replaced (ZAP’d)
  • Detection technology: What caught it (URL reputation, impersonation, Safe Links, etc.)
  • Latest delivery location: Where the email currently sits (Inbox, Junk, Quarantine, Deleted)

Step 3: Click “Email count” to see the total scope. Click individual emails to see recipient, subject, URLs, attachments, and full headers.

// KQL equivalent in Advanced Hunting
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromDomain == "northgate-voicemail.com"
| summarize
    TotalEmails = count(),
    Delivered = countif(DeliveryAction == "Delivered"),
    Blocked = countif(DeliveryAction == "Blocked"),
    Recipients = dcount(RecipientEmailAddress)
| project TotalEmails, Delivered, Blocked, Recipients
Expected output:

TotalEmails | Delivered | Blocked | Recipients
23 | 19 | 4 | 23
What to look for: 23 emails sent to 23 unique recipients. 19 were delivered to inboxes. 4 were blocked. Those 19 delivered emails are your exposure — each recipient may have clicked the phishing link. Check UrlClickEvents next to determine who actually clicked.
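The next step in that investigation, as an added example that is not part of the course material: join the delivered emails of the campaign to UrlClickEvents on NetworkMessageId so only clicks on the campaign's own URLs are counted. It reuses the sender domain and 7-day window from the query above and assumes the ActionType values ("ClickAllowed", "ClickBlocked") and the IsClickedThrough column as documented for the UrlClickEvents table.

```kql
// Added example (not part of the course): which recipients of the delivered
// campaign emails actually clicked, and whether Safe Links let the click through.
let window = 7d;
let campaignDomain = "northgate-voicemail.com";   // sender domain from the scoping query above
// Step 1: the delivered emails are the exposure set; keep their message IDs
let delivered = EmailEvents
    | where Timestamp > ago(window)
    | where SenderFromDomain == campaignDomain
    | where DeliveryAction == "Delivered"
    | project NetworkMessageId, RecipientEmailAddress, Subject,
              LatestDeliveryLocation, DeliveredAt = Timestamp;
// Step 2: join clicks on the same message ID so unrelated clicks are excluded
UrlClickEvents
| where Timestamp > ago(window)
| join kind=inner delivered on NetworkMessageId
| summarize
    Clicks = count(),
    FirstClick = min(Timestamp),
    Urls = make_set(Url),
    ClickActions = make_set(ActionType),
    // IsClickedThrough = the user proceeded past the Safe Links warning page
    ClickThroughs = countif(IsClickedThrough == true)
  by AccountUpn, RecipientEmailAddress, Subject, LatestDeliveryLocation
// ClickAllowed means Safe Links did not block at click time; a click-through past
// the warning is the same exposure. These accounts go to the containment sequence.
| extend Exposed = set_has_element(ClickActions, "ClickAllowed") or ClickThroughs > 0
| sort by Exposed desc, FirstClick asc
```

Rows with Exposed == true are the users whose accounts need investigation; rows with only "ClickBlocked" actions confirm Safe Links stopped the click and need no account-level response.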

Remediation actions for email threats

Action | How to perform | When to use
Soft delete | Threat Explorer → select emails → Move to Deleted Items | Default for confirmed phishing: removes from inbox, recoverable for 14 days
Hard delete | Threat Explorer → select emails → Hard delete | Confirmed malware or high-confidence phishing where recovery is not desired
Move to Junk | Threat Explorer → select emails → Move to Junk | Lower-confidence spam/phishing: user can review if needed
Block sender | Tenant Allow/Block List → add sender domain | Ongoing campaign: prevents future delivery from this sender
Submit for analysis | Threat Explorer → select email → Submit to Microsoft | When you believe an email was incorrectly classified (false positive or false negative)
Soft delete first, hard delete only when confirmed

Soft-deleted emails move to Deleted Items, then to Recoverable Items (14-day retention). Hard-deleted emails are permanently gone after the retention period. If you hard-delete 200 emails and one was a false positive, that business email is unrecoverable. Soft delete first, verify the classification, then hard delete if needed.

Email AIR — automated investigation for email threats

When Defender for Office 365 P2 detects a phishing campaign, Automated Investigation and Response (AIR) can:

  1. Identify all emails in the campaign (same sender, URL, or attachment hash)
  2. Determine which mailboxes received the campaign
  3. Check which users clicked URLs
  4. Recommend remediation (soft delete from all affected mailboxes)
  5. Execute remediation (with or without analyst approval, depending on your automation level)

The AIR investigation appears in the incident and in the Action center. Review the investigation findings, verify the scope is correct, and approve or reject the recommended actions.

Try it yourself

Navigate to Threat Explorer in your lab tenant (Email & collaboration → Explorer). Select the "All Email" view and look at any emails sent between your test users. Examine the columns available: sender, recipient, subject, delivery action, detection technology. Then switch to Advanced Hunting and run the EmailEvents query above (substituting a sender domain from your test emails). Compare what Threat Explorer shows visually with what the KQL query returns as raw data.

Threat Explorer and Advanced Hunting query the same underlying data. Explorer provides a visual interface with filtering and bulk actions. Advanced Hunting provides KQL flexibility for custom analysis. During a phishing investigation, use Explorer for campaign scoping and bulk remediation. Use Advanced Hunting when you need to correlate email data with sign-in or endpoint data (the cross-product join from Module 6.3).

Check your understanding

1. A phishing campaign delivered 19 of 23 emails to inboxes. What is your first remediation action?

Correct answer: Soft delete the 19 delivered emails from all affected mailboxes via Threat Explorer. This removes them from user access immediately while keeping them recoverable. Then check UrlClickEvents to determine which users clicked the phishing link — those users need account investigation (Module 1.2 containment sequence).

Incorrect options:
  • Block the sender domain first
  • Hard delete all 23 emails
  • Wait for ZAP to clean up