8.8 Threat Explorer Deep Dive

90 minutes · Module 8

By the end of this subsection, you will know when to use Threat Explorer vs Advanced Hunting, navigate Campaign View, take bulk remediation actions, and submit suspicious emails for analysis.

When to use Threat Explorer vs Advanced Hunting

| Need | Tool | Why |
|---|---|---|
| Investigate a specific phishing email | Threat Explorer | Visual email timeline, delivery details, click tracking |
| Trace a phishing campaign across recipients | Threat Explorer | Campaign View aggregates related emails |
| Take bulk remediation (delete emails from 50 mailboxes) | Threat Explorer | Built-in soft/hard delete across mailboxes |
| Join email data with sign-in logs | Advanced Hunting | Cross-table KQL joins (Threat Explorer cannot join) |
| Build automated detection rules | Advanced Hunting | Custom detection rules require KQL |
| Query email data across 30+ days | Advanced Hunting | Threat Explorer defaults to 30 days; KQL has full retention |

Use Threat Explorer for email-specific investigation. Use Advanced Hunting for cross-domain correlation.

The Module 13 investigation used both: Threat Explorer for email campaign analysis (scope, recipients, delivery actions) and Advanced Hunting for the KQL queries that joined email data with sign-in logs (the phishing-to-signin correlation in Module 2.3).

Campaign View

Campaign View automatically clusters related phishing or malware emails into campaigns based on shared attributes: sender infrastructure, URL patterns, attachment hashes, and email content similarity.

What Campaign View shows:

  • Total emails in the campaign
  • Delivery breakdown (delivered, blocked, ZAP’d)
  • Recipients who clicked URLs
  • Timeline of campaign waves
  • Infrastructure used (sender IPs, domains)

This is the visual equivalent of the cross-wave correlation query from Module 13.10 — but built into the portal with no KQL required.

Bulk remediation

When you identify a phishing campaign, you need to remove the emails from all affected mailboxes. Threat Explorer provides bulk actions:

  1. Filter to the campaign (sender domain, URL, subject, or campaign ID)
  2. Select all matching emails
  3. Choose action: Soft delete (move to Recoverable Items) or Hard delete (permanent)
  4. Confirm and execute

Soft delete first, hard delete only when confirmed malicious

Soft-deleted emails can be recovered from Recoverable Items for up to 14 days. Hard-deleted emails are permanent (after the retention period). If you hard-delete and later discover a false positive, the email is gone. Soft-delete first, confirm the campaign is malicious, then hard-delete if needed.

Email investigation KQL patterns

// Campaign scope: all emails from a phishing domain
EmailEvents
| where TimeGenerated > ago(7d)
| where SenderMailFromDomain has "suspicious-domain"
| summarize
    EmailCount = count(),
    Recipients = dcount(RecipientEmailAddress),
    DeliveryActions = make_set(DeliveryAction),
    Subjects = make_set(Subject, 5)
    by SenderMailFromDomain

Expected output:

| Domain | EmailCount | Recipients | DeliveryActions | Subjects |
|---|---|---|---|---|
| northgate-voicemail.com | 23 | 23 | ["Delivered","Replaced"] | ["New voicemail from..."] |

What to look for: 23 emails to 23 unique recipients with one subject pattern confirms a targeted campaign. "Replaced" in DeliveryActions indicates ZAP acted on some. The recipients who received "Delivered" (and not "Replaced") are your exposure — check their UrlClickEvents for clicks.


What each Campaign View data point tells you:

| Data | Why it matters |
|---|---|
| Total emails in campaign | Your total exposure scope |
| Delivery breakdown | How many reached inboxes vs were blocked |
| Click-through rate | How many users interacted with the phishing URLs |
| Infrastructure | Sender IPs, domains — for IOC extraction |
| Timeline | When each wave was sent — shows the campaign’s progression |
| Top targeted recipients | Which departments or users are being specifically targeted |
// Supplement Campaign View with KQL for custom analysis
EmailEvents
| where TimeGenerated > ago(7d)
| where CampaignId != ""
| summarize
    EmailCount = count(),
    Recipients = dcount(RecipientEmailAddress),
    Domains = make_set(SenderMailFromDomain),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Delivered = countif(DeliveryAction == "Delivered"),
    Blocked = countif(DeliveryAction == "Blocked")
    by CampaignId
| sort by EmailCount desc

Expected output:

| CampaignId | EmailCount | Recipients | Domains | Delivered | Blocked |
|---|---|---|---|---|---|
| CAMP-2026-0314 | 118 | 86 | ["northgate-voicemail.com","northgate-docs.com",...] | 72 | 46 |

What to look for: 118 emails across 86 recipients from 5 domains — this is the complete Module 13 AiTM campaign in a single row. CampaignId groups all related waves. 72 delivered vs 46 blocked shows protection improved as the campaign progressed (early waves delivered, later waves blocked by transport rules).

Try it yourself

You discover a phishing campaign in Threat Explorer affecting 200 mailboxes. Walk through the complete response workflow: investigation steps, remediation actions, and follow-up checks.

1. Investigate: In Threat Explorer, view the campaign details — sender domain, URL pattern, delivery breakdown, click-through data.

2. Remediate email: Select all campaign emails, soft-delete from all 200 mailboxes.

3. Check clicks: Query UrlClickEvents for users who clicked the phishing URL.

4. Investigate clickers: For each user who clicked, check SigninLogs and AADNonInteractiveUserSignInLogs for token replay (Module 13.5).

5. Contain compromised accounts: Revoke sessions, reset password, force MFA re-registration for any user showing compromise indicators.

6. Block future waves: Create a transport rule blocking the URL pattern.

7. Extract IOCs: Sender domains, URLs, IPs — create custom indicators in Defender for Endpoint.

This is the complete cycle: detect → scope → remediate → investigate → contain → prevent.
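As an added example (not part of the course material), the Advanced Hunting join that steps 3 and 4 describe, and that the comparison table at the top says Threat Explorer cannot do: it takes users whose click on the campaign URL was allowed through, finds successful sign-ins in the two hours after the click, and flags sign-in IPs not seen for that user in the prior 30 days. The campaign host northgate-voicemail.com is taken from the expected output above; the two-hour window, the 30-day baseline and the column aliases are assumptions.

```kql
// Added example, not from the course: clickers on the campaign URL joined to
// successful sign-ins in the two hours after the click (token-replay check).
let lookback = 7d;
let campaign_host = "northgate-voicemail.com";   // assumption: campaign URL host
// Users whose click was allowed through Safe Links.
let clicks =
    UrlClickEvents
    | where TimeGenerated > ago(lookback)
    | where Url has campaign_host
    | where ActionType == "ClickAllowed"
    | project ClickTime = TimeGenerated, Upn = tolower(AccountUpn), Url, NetworkMessageId;
// Interactive and non-interactive successful sign-ins (ResultType "0").
let signins =
    union SigninLogs, AADNonInteractiveUserSignInLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SigninTime = TimeGenerated, Upn = tolower(UserPrincipalName),
              IPAddress, AppDisplayName, UserAgent;
// Per-user set of IPs seen in the 30 days before the lookback window (assumed baseline).
let baseline =
    SigninLogs
    | where TimeGenerated between (ago(lookback + 30d) .. ago(lookback))
    | where ResultType == "0"
    | summarize KnownIPs = make_set(IPAddress) by Upn = tolower(UserPrincipalName);
clicks
| join kind=inner signins on Upn
| project-away Upn1
// Keep only sign-ins that landed in the two hours after the click (assumed window).
| where SigninTime between (ClickTime .. (ClickTime + 2h))
| join kind=leftouter baseline on Upn
| extend NewIP = not(set_has_element(coalesce(KnownIPs, dynamic([])), IPAddress))
| summarize
    Clicks = dcount(NetworkMessageId),
    FirstClick = min(ClickTime),
    SigninsAfterClick = count(),
    NewIPSignins = countif(NewIP),
    SigninIPs = make_set(IPAddress),
    Apps = make_set(AppDisplayName)
    by Upn
| sort by NewIPSignins desc, Clicks desc
```

Users with NewIPSignins greater than zero are the ones to take into step 5; a user with clicks but no post-click sign-in from a new IP still needs the Module 13.5 token-replay checks, since a replayed token may come from infrastructure the baseline has not seen.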

Check your understanding

1. You identify a phishing campaign affecting 50 mailboxes. Should you soft delete or hard delete the emails?

Answer: Soft delete first. Confirm the campaign is malicious by reviewing sample emails and verifying the detection. Then hard delete if confirmed. Soft delete is reversible; hard delete is not. A false positive hard deletion across 50 mailboxes causes significant business disruption.

Incorrect options:

  • Hard delete immediately — speed is critical
  • Leave them and warn users