1.3 Remediate Risks with Microsoft Defender for Office 365

10-14 hours · Module 1 · Free
Operational Objective
This subsection covers remediating risks with Microsoft Defender for Office 365, a core operational skill for security teams working in Microsoft 365 environments. Every concept is demonstrated through practical scenarios from the Northgate Engineering environment.
Deliverable: Working proficiency with the techniques and operational patterns covered in this subsection.
Estimated completion: 25 minutes

Remediate Risks with Microsoft Defender for Office 365

Introduction

Required role: Security Reader (minimum for portal navigation and Threat Explorer read access). Security Administrator for configuration changes. Purge actions taken from Threat Explorer (soft delete, hard delete, move to junk) additionally require the Search and Purge role under Email & collaboration permissions; check that your account holds it before an incident, not during one.

Email is the number one initial access vector. Commonly cited industry figures put the share of successful intrusions that begin with a phishing email, a malicious attachment, or a business email compromise message above 90%; whatever the exact number in a given year, phishing is consistently the most common way an attacker gets a first foothold. Microsoft Defender for Office 365 is the product that stands between these attacks and your users' inboxes.

// KQL equivalent in Advanced Hunting of the Threat Explorer scoping steps below:
// scope one phishing campaign by sender domain and count how many copies
// reached inboxes versus how many the protection layers stopped.
EmailEvents
| where Timestamp > ago(7d)                                  // investigation window
| where SenderFromDomain == "northgate-voicemail.com"        // campaign sender domain from the alert
| summarize
    TotalEmails = count(),                                   // one row per recipient copy
    Delivered = countif(DeliveryAction == "Delivered"),      // reached the mailbox (your exposure)
    Blocked = countif(DeliveryAction == "Blocked"),          // stopped before delivery
    Recipients = dcount(RecipientEmailAddress)               // distinct users targeted
| project TotalEmails, Delivered, Blocked, Recipients

This subsection teaches you to investigate and remediate email-based threats using Defender for Office 365. You will learn how the product detects threats (Safe Links, Safe Attachments, anti-phishing policies), how to use Threat Explorer for email investigation, how to take remediation actions (purge emails, block senders, submit for analysis), and how Automated Investigation and Response (AIR) handles email threats.

Module 8 (not yet built) will cover the detailed configuration of these protection policies. This subsection focuses on investigation and response — what you do when a phishing email gets through.

---

[Figure 1.5: Email protection layers, Defender for Office 365. Inbound mail flows through: Anti-Spam (EOP) → Anti-Malware (EOP) → Anti-Phishing (impersonation + ML) → Safe Links (URL scanning) → Safe Attachments (sandbox) → Inbox, with ZAP acting after delivery.]
Figure 1.5: Every inbound email passes through these protection layers sequentially. Orange-bordered layers are Defender for Office 365 features (P1+). Gray-bordered layers are included in EOP (all plans). ZAP acts post-delivery if the verdict changes.

How Defender for Office 365 detects threats

Defender for Office 365 evaluates every inbound email through multiple detection layers:

Layer | What it checks | What it catches
Anti-phishing (impersonation) | Display-name similarity to protected users and domains; mailbox intelligence patterns | Executive impersonation, vendor impersonation, domain lookalikes
Safe Links | URLs rewritten and scanned at time of click | Malicious URLs, delayed-activation phishing pages
Safe Attachments | Attachment detonated in a sandbox VM | Zero-day malware, macro-based malware
Anti-spam / anti-malware | Sender reputation, content patterns, known malware signatures | Bulk spam, known malware families
Zero-Hour Auto Purge (ZAP) | Post-delivery re-evaluation when the verdict updates | Threats that passed initial scanning but were later identified

When detection fires, it generates an alert that flows into the Defender XDR incident queue. A phishing campaign targeting multiple users may generate multiple email alerts that XDR correlates into a single incident.

[Figure: Threat Explorer, email investigation interface. Views: All email, Malware, Phish, Campaigns, URL clicks. Histogram of email volume over 24 hours (00:00 to 20:00) split by Delivered / Blocked / Junked. Result table columns: Sender, Recipient, Subject, Delivery, Detection. Sample rows: support@northgate-voicemail.com → j.morrison@northgateeng.com, "New voicemail from +44...", Delivered, URL reputation; support@northgate-voicemail.com → s.patel@northgateeng.com, "New voicemail from +44...", Blocked, Anti-phishing. Footer: 23,459 items.]
Figure: Threat Explorer (Email & collaboration → Explorer) showing the All Email view. The histogram shows email volume by delivery action over time. The table below shows individual emails with sender, recipient, subject, delivery action, and detection technology. Use this interface to scope phishing campaigns and take bulk remediation actions.

Threat Explorer — the email investigation interface

Threat Explorer (Email & collaboration → Explorer) is the primary tool for email investigation. It provides:

- All Email view: Every email processed by the tenant, with delivery action, threat verdict, and detection details
- Phish view: Emails classified as phishing, with sender analysis and campaign clustering
- Malware view: Emails with malicious attachments
- URL clicks view: Which users clicked which URLs, with the Safe Links verdict

Using Threat Explorer for a phishing investigation

Scenario: An incident contains a phishing alert. You need to determine the campaign scope — how many users received the email, how many were delivered, and how many clicked.

Step 1: In Threat Explorer, filter by sender domain (e.g., northgate-voicemail.com) and time range.

Step 2: The results show every email from that domain. Key columns:
- Delivery action: Delivered, Blocked, Junked, or Replaced (Safe Attachments swapped a malicious attachment for a placeholder). ZAP is not a delivery action; it shows up afterwards as a change in the Latest delivery action and Latest delivery location columns.
- Detection technology: What caught it (URL reputation, impersonation, Safe Links, etc.)
- Latest delivery location: Where the email currently sits (Inbox, Junk, Quarantine, Deleted)

Step 3: Click "Email count" to see the total scope. Click individual emails to see recipient, subject, URLs, attachments, and full headers.

Expected Output
TotalEmails | Delivered | Blocked | Recipients
23 | 19 | 4 | 23
What to look for: 23 emails sent to 23 unique recipients. 19 were delivered to inboxes. 4 were blocked. Those 19 delivered emails are your exposure — each recipient may have clicked the phishing link. Check UrlClickEvents next to determine who actually clicked.
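The click check that the paragraph above calls for, as an added Advanced Hunting example (not part of the course page). It joins the delivered copies of the campaign to UrlClickEvents on both NetworkMessageId and the recipient, so a click by one recipient is not attributed to every other recipient of the same message. The sender domain, the 7-day window and the lowercasing of UPNs are assumptions carried over from the scoping query.

```kql
// Added example: who actually clicked a link in the campaign, and what Safe Links did.
// Assumes the same sender domain and window as the scoping query above.
let window = 7d;
let campaign = EmailEvents
    | where Timestamp > ago(window)
    | where SenderFromDomain == "northgate-voicemail.com"
    | where DeliveryAction == "Delivered"                     // only copies that reached a mailbox
    | project NetworkMessageId,
              Recipient = tolower(RecipientEmailAddress),     // UPN casing varies; normalise for the join
              Subject, LatestDeliveryLocation;
let clicks = UrlClickEvents
    | where Timestamp > ago(window)
    | where Workload == "Email"                               // ignore Teams/Office clicks
    | project NetworkMessageId,
              Recipient = tolower(AccountUpn),
              ClickTime = Timestamp, Url, ActionType, IsClickedThrough;
campaign
| join kind=leftouter clicks on NetworkMessageId, Recipient   // keep non-clickers so the denominator is visible
| extend Clicked = isnotempty(ClickTime)
| summarize
    Clicks = countif(Clicked),
    AllowedClicks = countif(ActionType == "ClickAllowed"),           // user reached the page
    BlockedClicks = countif(ActionType startswith "ClickBlocked"),   // Safe Links stopped it
    ClickedThroughWarning = countif(IsClickedThrough == true),       // user overrode the warning page
    Urls = make_set_if(Url, Clicked)
  by Recipient
| order by AllowedClicks desc, ClickedThroughWarning desc, Clicks desc
// Recipients with AllowedClicks > 0 or ClickedThroughWarning > 0 go into the
// account-compromise containment sequence (Module 1.2); the rest are "received, did not click".
```

Two caveats when reading the output. UrlClickEvents only records clicks on links that Safe Links rewrote and resolved; a recipient covered by no Safe Links policy, or a link that arrived in a form Safe Links did not wrap, produces no row, so "no click recorded" is not the same as "did not click" for those users. And a "ClickBlocked" row still tells you the user was willing to click, which is useful input for awareness follow-up even though no compromise occurred.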

Remediation actions for email threats

Action | How to perform | When to use
Soft delete | Threat Explorer → select emails → Take action → Soft delete | Default for confirmed phishing: removes the message from the user's view while keeping it recoverable for the retention period (14 days by default)
Hard delete | Threat Explorer → select emails → Take action → Hard delete | Confirmed malware or high-confidence phishing where recovery is not wanted
Move to Junk | Threat Explorer → select emails → Take action → Move to junk folder | Lower-confidence spam/phishing; the user can still review it
Block sender | Tenant Allow/Block List → add the sender address or domain | Ongoing campaign: prevents future delivery from this sender
Submit for analysis | Threat Explorer → select email → Submit to Microsoft for analysis | When you believe an email was misclassified (false positive or false negative)
Soft delete first, hard delete only when confirmed

Soft-deleted emails move to the mailbox's Recoverable Items folder, where the user can restore them for the deleted-item retention period (14 days by default). Hard-deleted emails are purged from the user's reach immediately and are gone for good once that retention period expires. If you hard-delete 200 emails and one was a false positive, that business email is unrecoverable for the user. Soft delete first, verify the classification, then hard delete if needed.
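A purge is only finished when every delivered copy has actually been acted on, so the check a practitioner wants after approving a soft delete (or after ZAP has run) is a per-recipient reconciliation. The following Advanced Hunting query is an added example, not part of the course page; it reuses the campaign scoping from the EmailEvents query above and assumes the same sender domain and window. EmailPostDeliveryEvents records both analyst-driven purges ("Manual remediation") and ZAP ("Phish ZAP", "Malware ZAP"), so one query verifies both.

```kql
// Added example: reconcile delivered copies of the campaign against post-delivery actions.
// Assumes the same sender domain and 7-day window as the scoping query.
let window = 7d;
let campaign = EmailEvents
    | where Timestamp > ago(window)
    | where SenderFromDomain == "northgate-voicemail.com"
    | where DeliveryAction == "Delivered"
    | project NetworkMessageId,
              Recipient = tolower(RecipientEmailAddress),
              LatestDeliveryLocation;                        // where Defender currently believes the copy sits
let actions = EmailPostDeliveryEvents
    | where Timestamp > ago(window)
    | extend Recipient = tolower(RecipientEmailAddress)
    // keep only the most recent action per recipient copy (a failed purge may have been retried)
    | summarize arg_max(Timestamp, ActionType, Action, ActionResult) by NetworkMessageId, Recipient;
campaign
| join kind=leftouter actions on NetworkMessageId, Recipient  // copies with no action at all must survive the join
| extend Status = case(
    ActionResult == "Success", strcat("Remediated: ", ActionType, " / ", Action),
    isnotempty(ActionType),    strcat("Action failed or pending: ", ActionType, " / ", Action),
    LatestDeliveryLocation startswith "Inbox", "STILL IN INBOX: no post-delivery action recorded",
    "Not in inbox, no post-delivery action (moved or quarantined by other means)")
| summarize Copies = count(), Recipients = make_set(Recipient, 100) by Status
| order by Copies desc
// Anything under "STILL IN INBOX" or "Action failed or pending" is unfinished remediation:
// re-run the purge from Threat Explorer for exactly those recipients.
```

The join deliberately keeps campaign rows that have no matching post-delivery event; a query that started from EmailPostDeliveryEvents would only show you the copies that were acted on and would hide the ones that were missed, which is the opposite of what a verification step is for.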

Email AIR — automated investigation for email threats

When Defender for Office 365 P2 detects a phishing campaign, Automated Investigation and Response (AIR) can:

1. Identify all emails in the campaign (same sender, URL, or attachment hash)
2. Determine which mailboxes received the campaign
3. Check which users clicked URLs
4. Recommend remediation (soft delete from all affected mailboxes)
5. Execute the remediation once an analyst approves it in the Action center. Unlike the device automation levels in Defender for Endpoint, email AIR in Defender for Office 365 does not purge mail on its own; recommended actions sit as pending until approved.

The AIR investigation appears in the incident and in the Action center. Review the investigation findings, verify the scope is correct, and approve or reject the recommended actions.

Try it yourself

Threat Explorer and Advanced Hunting query the same underlying data
Navigate to Threat Explorer in your lab tenant (Email & collaboration → Explorer). Select the "All Email" view and look at any emails sent between your test users. Examine the columns available: sender, recipient, subject, delivery action, detection technology. Then switch to Advanced Hunting and run the EmailEvents query above (substituting a sender domain from your test emails). Compare what Threat Explorer shows visually with what the KQL query returns as raw data.

Threat Explorer and Advanced Hunting query the same underlying data. Explorer provides a visual interface with filtering and bulk actions. Advanced Hunting provides KQL flexibility for custom analysis. During a phishing investigation, use Explorer for campaign scoping and bulk remediation. Use Advanced Hunting when you need to correlate email data with sign-in or endpoint data (the cross-product join from Module 6.3).

Compliance mapping

NIST CSF: DE.AE-1 (Baseline of operations established), PR.DS-1 (Data-at-rest is protected). ISO 27001: A.8.15 (Logging), A.8.16 (Monitoring activities). SOC 2: CC7.2 (Monitor system components). Every investigation and remediation workflow in this subsection produces the logging and monitoring evidence that auditors verify against these controls.

Compliance Myth: "The Secure Score tells you how secure you are"

The myth: The Secure Score tells you how secure you are

The reality: Secure Score measures configuration compliance against Microsoft's recommended settings. It does not measure: whether your detection rules catch real attacks, whether your SOC can investigate an incident, whether your users recognize phishing, or whether your IR plan works under pressure. A tenant with a 95% Secure Score and no SOC is less secure than a tenant with a 70% Secure Score and a trained, practiced incident response team. Score is hygiene. Capability is security.


Check your understanding

1. A phishing campaign delivered 19 of 23 emails to inboxes. What is your first remediation action?

Soft delete the 19 delivered emails from all affected mailboxes via Threat Explorer. This removes them from user access immediately while keeping them recoverable. Then check UrlClickEvents to determine which users clicked the phishing link — those users need account investigation (Module 1.2 containment sequence).
Block the sender domain first
Hard delete all 23 emails
Wait for ZAP to clean up

This detection capability integrates with the broader NE detection program — each rule contributes to the cumulative ATT&CK coverage that transforms NE from 7.2% baseline to 35%+ target coverage.

Decision point

You manage NE's M365 security stack. Microsoft releases a new Defender feature in preview. The feature promises to reduce AiTM risk by 80%. Do you enable it immediately?

Not in production. Enable in a test tenant or for a pilot group first. Preview features may: change behavior before GA, have undocumented interactions with existing CA policies, or produce unexpected results in specific tenant configurations. The deployment sequence: (1) enable in a test tenant and validate against NE's CA policy set, (2) enable for a pilot group of 10 users for 2 weeks, (3) monitor for FPs and operational impact, (4) roll out to all users after successful pilot. Microsoft's '80% reduction' claim is based on their telemetry across all tenants — NE's specific configuration may produce different results.

You've set up your M365 tenant and learned the Defender XDR unified portal.

Module 0 got your M365 developer tenant configured with sample data. Module 1 took you through the Defender XDR unified incident queue across endpoint, email, identity, and cloud apps. Now you investigate every major M365 attack type and deploy the detections that catch them next time.
