3.8 Email Investigation with Threat Explorer
Threat Explorer
Threat Explorer is the investigation interface for email-based threats in Defender for Office 365 P2. Where Advanced Hunting lets you write KQL against email tables, Threat Explorer provides a visual interface purpose-built for email investigation: search email flow, view detection verdicts, trace phishing campaigns, and take manual remediation actions on specific emails.
Organisations with Defender for Office 365 P1 get "Real-time detections" — a reduced version. The full Threat Explorer with campaign views, email timeline, and 30-day data is P2 only (included in M365 E5 or as an add-on). This matters for the SC-200 exam and for real investigations.
When to use Threat Explorer vs Advanced Hunting
Use Threat Explorer when:
- You need to investigate a specific phishing email or campaign quickly
- You want to see the visual delivery timeline (when it was sent, when it was delivered, when ZAP acted)
- You need to take manual email actions (soft delete, hard delete, move to junk) across multiple mailboxes
- You want Campaign Views to see the scope of a coordinated attack
Use Advanced Hunting when:
- You need to correlate email data with sign-in logs or device events (cross-table joins)
- You need complex KQL logic that Threat Explorer’s filters cannot express
- You want to build a detection rule from your query
Key Threat Explorer views
All email — every email processed by the tenant. Filter by sender, recipient, subject, delivery action, detection technology, and date range. This is your starting point for any email investigation.
Phish — pre-filtered to show only emails detected as phishing. Shows detection technology (URL detonation, impersonation detection, spoof intelligence) and delivery action (blocked, delivered, ZAP removed).
Malware — pre-filtered to show emails with malware detections.
Campaign Views — aggregates related phishing or malware emails into campaigns. Shows the full scope of a coordinated attack: total emails sent, total recipients, delivery success rate, and which detection technology caught the campaign.
Email timeline
Clicking any email opens its timeline showing every event in order:
- Email received — when Exchange Online received the email from the sending mail server
- Filtering verdict — what Safe Links, Safe Attachments, and anti-phishing determined
- Delivery action — delivered to inbox, delivered to junk, blocked
- Post-delivery actions — ZAP removal, admin action, user report
Try it yourself
Check the Delivery action column. Emails with "Delivered" that were later "Removed by ZAP" indicate delayed detonation — the URL or attachment was clean at delivery but flagged later. Emails that were "Blocked" never reached the inbox.
Click on any individual email to see its full timeline. The gap between "Email received" and "ZAP removal" tells you how long the email was accessible in the user's inbox before being pulled.
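The delivery-to-ZAP gap described above can also be measured across the whole tenant in Advanced Hunting, which is the cross-table case the earlier section reserves for KQL. This is an added example and not part of the course material; it assumes the EmailEvents, EmailPostDeliveryEvents and UrlClickEvents tables and column names of the Advanced Hunting schema as I know them, so verify them against your tenant's schema before relying on the results.

```kql
// Added example (not from the course page): pair each delivered email with its
// later ZAP removal, compute how long it sat in the inbox, and flag whether the
// recipient clicked a link in it during that window.
let lookback = 30d;
let delivered = EmailEvents
    | where Timestamp > ago(lookback)
    | where DeliveryAction == "Delivered"            // reached the inbox at delivery time
    | project DeliveryTime = Timestamp, NetworkMessageId,
              RecipientEmailAddress = tolower(RecipientEmailAddress),
              SenderFromAddress, Subject, ThreatTypes, DetectionMethods;
let zapped = EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("Phish ZAP", "Malware ZAP") // post-delivery verdict changes only
    | where ActionResult == "Success"
    | project ZapTime = Timestamp, NetworkMessageId,
              RecipientEmailAddress = tolower(RecipientEmailAddress), ZapType = ActionType;
let clicks = UrlClickEvents
    | where Timestamp > ago(lookback)
    | project ClickTime = Timestamp, NetworkMessageId,
              RecipientEmailAddress = tolower(AccountUpn), ClickAction = ActionType, Url;
delivered
| join kind=inner zapped on NetworkMessageId, RecipientEmailAddress
// Exposure window: minutes between arrival in the inbox and the ZAP removal
| extend ExposureMinutes = datetime_diff('minute', ZapTime, DeliveryTime)
| join kind=leftouter clicks on NetworkMessageId, RecipientEmailAddress
// A click inside the window means the user interacted before ZAP pulled the mail
| extend ClickedBeforeZap = isnotempty(ClickTime)
                            and ClickTime between (DeliveryTime .. ZapTime)
| project DeliveryTime, ZapTime, ExposureMinutes, ZapType, ClickedBeforeZap,
          ClickAction, Url, RecipientEmailAddress, SenderFromAddress, Subject,
          ThreatTypes, DetectionMethods
| order by ClickedBeforeZap desc, ExposureMinutes desc
```

Rows with ClickedBeforeZap set are the ones to triage first, since ZAP removed the email after the user had already followed the link.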
Taking remediation actions from Threat Explorer
When you identify a malicious email that was delivered, Threat Explorer lets you take bulk actions:
- Soft delete — moves the email to the Deleted Items folder across all recipient mailboxes
- Hard delete — permanently removes the email from all recipient mailboxes
- Move to junk — moves to the Junk folder
- Trigger investigation — launches an AIR investigation for the email
Soft delete is recoverable — the user or admin can restore from Deleted Items. Hard delete is permanent. Default to soft delete unless you have a specific reason to hard delete (e.g. the email contains active malware and you cannot risk a user restoring it).
Check your understanding
1. When should you use Threat Explorer instead of Advanced Hunting for email investigation?
2. Campaign Views shows a phishing campaign targeted 450 recipients in your organisation. 12 emails were delivered before detection caught the rest. What is your immediate next step?