9.8 Threat Explorer Deep Dive

90 minutes · Module 9

By the end of this subsection, you will know when to use Threat Explorer vs Advanced Hunting, navigate Campaign View, take bulk remediation actions, and submit suspicious emails for analysis.

When to use Threat Explorer vs Advanced Hunting

Need | Tool | Why
Investigate a specific phishing email | Threat Explorer | Visual email timeline, delivery details, click tracking
Trace a phishing campaign across recipients | Threat Explorer | Campaign View aggregates related emails
Take bulk remediation (delete emails from 50 mailboxes) | Threat Explorer | Built-in soft/hard delete across mailboxes
Join email data with sign-in logs | Advanced Hunting | Cross-table KQL joins (Threat Explorer cannot join)
Build automated detection rules | Advanced Hunting | Custom detection rules require KQL
Query email data across 30+ days | Advanced Hunting | Threat Explorer defaults to 30 days; KQL has full retention

Use Threat Explorer for email-specific investigation. Use Advanced Hunting for cross-domain correlation.

The Module 14 investigation used both: Threat Explorer for email campaign analysis (scope, recipients, delivery actions) and Advanced Hunting for the KQL queries that joined email data with sign-in logs (the phishing-to-signin correlation in Module 2.3).

Campaign View

Campaign View automatically clusters related phishing or malware emails into campaigns based on shared attributes: sender infrastructure, URL patterns, attachment hashes, and email content similarity.

What Campaign View shows:

  • Total emails in the campaign
  • Delivery breakdown (delivered, blocked, ZAP’d)
  • Recipients who clicked URLs
  • Timeline of campaign waves
  • Infrastructure used (sender IPs, domains)

This is the visual equivalent of the cross-wave correlation query from Module 14.10 — but built into the portal with no KQL required.
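To make the clustering idea concrete, here is a small added example (not Microsoft's code and not a description of how Campaign View is implemented internally): messages are linked into one campaign when they share any single indicator, and the links are transitive, so a wave that changes sender domain but keeps the URL domain stays in the same campaign. The EMAILS records, the UnionFind class and the function names are all constructed for this illustration.

```python
"""Toy version of the clustering idea behind Campaign View.

Added example, not Microsoft's code: two emails land in the same campaign when
they share any one indicator (sender domain, URL domain, or attachment hash),
and sharing is transitive. The EMAILS records are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: (message id, sender domain, URL domain, attachment hash)
EMAILS = [
    ("m1", "northgate-voicemail.com", "voicemail-login.example", None),
    ("m2", "northgate-voicemail.com", "voicemail-login.example", None),
    ("m3", "northgate-docs.com", "voicemail-login.example", None),      # shares the URL with m1/m2
    ("m4", "northgate-docs.com", "docs-portal.example", "sha256-A"),     # shares the sender with m3
    ("m5", "invoice-mailer.example", "pay-now.example", "sha256-B"),     # unrelated wave
    ("m6", "partner-news.example", "pay-now.example", None),             # shares the URL with m5
]


class UnionFind:
    """Disjoint-set forest: each message starts alone, unions merge clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_campaigns(emails):
    """Group messages that share any indicator; returns {label: [message ids]}."""
    uf = UnionFind()
    first_seen = {}  # (indicator kind, value) -> first message carrying it
    for msg_id, sender, url, attachment in emails:
        uf.find(msg_id)  # register singletons so unlinked messages still appear
        for kind, value in (("sender", sender), ("url", url), ("attachment", attachment)):
            if value is None:
                continue
            key = (kind, value)
            if key in first_seen:
                uf.union(first_seen[key], msg_id)
            else:
                first_seen[key] = msg_id
    groups = defaultdict(list)
    for msg_id, *_ in emails:
        groups[uf.find(msg_id)].append(msg_id)
    # Label clusters in order of their earliest message, like a campaign id would.
    return {f"CAMP-{n}": ids for n, ids in enumerate(groups.values(), start=1)}


def campaign_indicators(emails, member_ids):
    """Collect the infrastructure a campaign used, the IOC list Campaign View surfaces."""
    members = [e for e in emails if e[0] in member_ids]
    return {
        "senders": sorted({e[1] for e in members}),
        "urls": sorted({e[2] for e in members}),
        "attachments": sorted({e[3] for e in members if e[3]}),
    }


if __name__ == "__main__":
    for label, ids in cluster_campaigns(EMAILS).items():
        print(label, ids, campaign_indicators(EMAILS, ids))
```

Running it puts m1 to m4 in one campaign (two sender domains bridged by a shared URL domain) and m5/m6 in another. The toy version links on any single shared attribute, so a commodity hosting domain used by two unrelated actors would merge their campaigns; that over-linking is why you still review a campaign's member emails before taking bulk remediation on the whole cluster.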

Bulk remediation

When you identify a phishing campaign, you need to remove the emails from all affected mailboxes. Threat Explorer provides bulk actions:

  1. Filter to the campaign (sender domain, URL, subject, or campaign ID)
  2. Select all matching emails
  3. Choose action: Soft delete (move to Recoverable Items) or Hard delete (permanent)
  4. Confirm and execute

Soft delete first, hard delete only when confirmed malicious

Soft-deleted emails can be recovered from Recoverable Items for up to 14 days. Hard-deleted emails are permanent (after the retention period). If you hard-delete and later discover a false positive, the email is gone. Soft-delete first, confirm the campaign is malicious, then hard-delete if needed.

Email investigation KQL patterns

// Campaign scope: all emails from a phishing domain
EmailEvents
| where TimeGenerated > ago(7d)
| where SenderMailFromDomain has "suspicious-domain"
| summarize
    EmailCount = count(),
    Recipients = dcount(RecipientEmailAddress),
    DeliveryActions = make_set(DeliveryAction),
    Subjects = make_set(Subject, 5)
    by SenderMailFromDomain

Expected Output

Domain | EmailCount | Recipients | DeliveryActions | Subjects
northgate-voicemail.com | 23 | 23 | ["Delivered","Replaced"] | ["New voicemail from..."]

What to look for: 23 emails to 23 unique recipients with one subject pattern confirms a targeted campaign. "Replaced" in DeliveryActions indicates ZAP acted on some. The recipients who received "Delivered" (and not "Replaced") are your exposure — check their UrlClickEvents for clicks.

What Campaign View shows you:

Data | Why it matters
Total emails in campaign | Your total exposure scope
Delivery breakdown | How many reached inboxes vs were blocked
Click-through rate | How many users interacted with the phishing URLs
Infrastructure | Sender IPs, domains — for IOC extraction
Timeline | When each wave was sent — shows the campaign’s progression
Top targeted recipients | Which departments or users are being specifically targeted

// Supplement Campaign View with KQL for custom analysis
EmailEvents
| where TimeGenerated > ago(7d)
| where CampaignId != ""
| summarize
    EmailCount = count(),
    Recipients = dcount(RecipientEmailAddress),
    Domains = make_set(SenderMailFromDomain),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Delivered = countif(DeliveryAction == "Delivered"),
    Blocked = countif(DeliveryAction == "Blocked")
    by CampaignId
| sort by EmailCount desc

Expected Output

CampaignId | EmailCount | Recipients | Domains | Delivered | Blocked
CAMP-2026-0314 | 118 | 86 | ["northgate-voicemail.com","northgate-docs.com",...] | 72 | 46

What to look for: 118 emails across 86 recipients from 5 domains — this is the complete Module 14 AiTM campaign in a single row. CampaignId groups all related waves. 72 delivered vs 46 blocked shows protection improved as the campaign progressed (early waves delivered, later waves blocked by transport rules).

Required role and blast radius

Required role: Security Reader (to view Threat Explorer). Security Administrator or Search and Purge role (to take remediation actions).


Threat Explorer investigation workflows

Threat Explorer is the email investigation tool for Defender for Office 365 P2. It provides real-time views of email threats, URL clicks, and campaign data — with the ability to take remediation actions directly.

Navigate to: Defender portal → Email & collaboration → Explorer.

View 1: All email. Shows every email in the specified time range with filtering by: sender, recipient, subject, delivery action, threat type, detection technology, and URL domain. This is the starting point for any email investigation.

View 2: Phish. Pre-filtered to show only emails classified as phishing. Sorted by delivery time. Shows: sender, recipient, subject, delivery action, detection technology, and whether the user clicked.

View 3: Content malware. Shows malware detected in SharePoint, OneDrive, and Teams files — the Safe Attachments for cloud content detections.

Investigation pattern: campaign scope

When you receive a phishing alert, the first question is: “Is this a single email or a campaign?”

Step 1: In Threat Explorer → Phish view, filter by sender domain or URL domain from the alert.

Step 2: Expand the time range to 7-30 days. Look for: multiple emails from the same domain, sent to different recipients, over multiple days.

Step 3: Check the Campaign view: Defender automatically clusters related emails into campaigns based on sender, URL, and content similarity.

// KQL equivalent: campaign scope from the email tables
EmailEvents
| where TimeGenerated > ago(30d)
| where SenderFromDomain == "phishing-domain.com"
| summarize
    Recipients = dcount(RecipientEmailAddress),
    RecipientList = make_set(RecipientEmailAddress, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    Delivered = countif(DeliveryAction == "Delivered"),
    Blocked = countif(DeliveryAction == "Blocked")
    by SenderFromAddress, Subject
| order by Recipients desc

Remediation from Threat Explorer

When you identify malicious emails that were delivered to inboxes:

Soft delete: Moves the email to the Deleted Items folder. Users can recover it. Use for: confirmed phishing that users may have already read — the email disappears from the inbox without alerting the user.

Hard delete: Permanently removes the email from the mailbox. Users cannot recover it. Use for: confirmed malicious attachments that must not be accessible under any circumstances.

Move to junk: Moves the email to the Junk folder. Use for: suspicious-but-not-confirmed emails where you want to reduce user exposure without permanent deletion.

Remediation workflow in Threat Explorer: Select emails → Actions → “Move to Deleted Items” (soft delete) or “Delete” (hard delete). Remediation applies to all selected emails across all affected mailboxes. Track remediation status: Defender → Action center → Email remediation tab.

// Track remediation actions: verify all targeted emails were removed
EmailPostDeliveryEvents
| where TimeGenerated > ago(7d)
| where ActionType in ("AdminMailboxRemoval", "AdminMailboxPurge")
| summarize RemediatedCount = count() by ActionType, bin(TimeGenerated, 1h)

Campaign Views — pattern recognition

Campaign Views automatically clusters related phishing or malware emails into campaigns. This saves significant investigation time — instead of manually correlating emails by sender, URL, and content, Defender does the clustering for you.

Navigate to: Defender → Email & collaboration → Explorer → Campaign tab.

Each campaign shows: the sender domain, URL domains, affected users, delivery outcomes, and a timeline. Click into a campaign to see all member emails and take bulk remediation actions.

Operational value: When a new phishing email is reported, check Campaign Views first. If the email belongs to an existing campaign: the scope is already known. If it is a new campaign: Campaign Views may identify additional recipient emails that have not yet been reported.

Compliance mapping

NIST CSF: RS.AN-3 (Forensics are performed), RS.MI-2 (Incidents are mitigated). ISO 27001: A.5.25 (Assessment and decision on information security events). SOC 2: CC7.4 (Detected incidents are communicated and acted upon). Threat Explorer is the investigation and remediation tool that demonstrates active email threat management.


Threat Explorer investigation scenario: Module 12 AiTM

Walk through the Threat Explorer investigation for the Northgate Engineering AiTM campaign:

Step 1: Initial alert. You receive a phishing alert. Open Threat Explorer → Phish view.

Step 2: Find the campaign. Filter by sender domain: northgate-voicemail.com. Time range: 27-28 February. Result: 23 emails to 23 unique recipients.

Step 3: Delivery analysis. Of the 23 emails: 4 were blocked by anti-phishing. 19 were delivered to inboxes. This is the “Delivered” metric from subsection 9.2 — 83% delivery rate indicates the phishing evaded most protection.

Step 4: Click analysis. Switch to URL tracking. Of the 19 delivered emails: 6 users clicked the Safe Links URL. Safe Links allowed the click (the URL was behind a CAPTCHA). This is the Safe Links gap from subsection 9.3.

Step 5: Remediation. Select all 19 delivered emails → Actions → Soft delete. This removes the remaining emails from the 13 users who received but did not click. The 6 clickers need containment (Module 12.7).

Step 6: Block future waves. Actions → Block sender domain: northgate-voicemail.com. Create a transport rule blocking the URL pattern for broader coverage.

// KQL equivalent of the full Threat Explorer investigation
let PhishDomain = "northgate-voicemail.com";
let CampaignStart = datetime(2026-02-27T08:00:00Z);
let CampaignEnd = datetime(2026-02-28T23:59:00Z);
// Step 1: All campaign emails
let CampaignEmails = EmailEvents
| where TimeGenerated between(CampaignStart .. CampaignEnd)
| where SenderFromDomain == PhishDomain
| project TimeGenerated, NetworkMessageId, RecipientEmailAddress,
    DeliveryAction, Subject;
// Step 2: Who clicked?
let Clickers = UrlClickEvents
| where TimeGenerated between(CampaignStart .. CampaignEnd)
| where Url has PhishDomain
| where ActionType == "ClickAllowed"
| distinct AccountUpn;
// Step 3: Combined view
CampaignEmails
| extend Clicked = iff(RecipientEmailAddress in (Clickers), "YES", "no")
| summarize
    TotalEmails = count(),
    Delivered = countif(DeliveryAction == "Delivered"),
    Blocked = countif(DeliveryAction == "Blocked"),
    Clicked = countif(Clicked == "YES")

This single query reproduces the entire Threat Explorer investigation in KQL — useful when you need the data in Sentinel for cross-product correlation (joining with SigninLogs to find which clickers were compromised).
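The same investigation carried out in Python over exported data, as an added example (not Microsoft's code and not part of the course material): it scopes the campaign by sender domain, splits delivered from blocked, joins allowed clicks on the campaign URL, and produces the three outputs you act on (the soft-delete target list, the clickers who need containment, and the users who received but did not click). It also performs the check behind the remediation-tracking query above by reconciling the intended targets against a remediation log. The CSV strings are constructed to match the scenario's numbers (23 emails, 4 blocked, 19 delivered, 6 clicks); the column names come from the EmailEvents and UrlClickEvents queries on this page, the "AdminMailboxRemoval" action type is the one used in the tracking query above, and the function names are assumptions.

```python
"""Reproduce the Threat Explorer investigation (steps 1 to 5) over exported data.

Added example, not Microsoft's code. The CSV text below is constructed to match
the Northgate scenario (23 emails, 4 blocked, 19 delivered, 6 allowed clicks) and
uses the EmailEvents / UrlClickEvents column names from the queries above. A real
Threat Explorer CSV export would be loaded through load_csv() the same way.
"""
import csv
import io

PHISH_DOMAIN = "northgate-voicemail.com"


def _constructed_email_export():
    """23-message campaign (4 blocked, 19 delivered) plus one unrelated message."""
    lines = ["NetworkMessageId,RecipientEmailAddress,SenderFromDomain,DeliveryAction,Subject"]
    for i in range(1, 24):
        action = "Blocked" if i <= 4 else "Delivered"
        lines.append(f"msg-{i:02d},user{i:02d}@northgate.example,{PHISH_DOMAIN},"
                     f"{action},New voicemail from (555) 0100")
    lines.append("msg-99,user05@northgate.example,newsletter.example,Delivered,Weekly digest")
    return "\n".join(lines) + "\n"


EMAIL_EVENTS_CSV = _constructed_email_export()

# Constructed UrlClickEvents export: six allowed clicks on the phishing URL, one
# click Safe Links blocked and one click on an unrelated URL (both must be ignored).
URL_CLICKS_CSV = """AccountUpn,Url,ActionType
user05@northgate.example,https://northgate-voicemail.com/listen?id=1,ClickAllowed
user06@northgate.example,https://northgate-voicemail.com/listen?id=2,ClickAllowed
user07@northgate.example,https://northgate-voicemail.com/listen?id=3,ClickAllowed
user08@northgate.example,https://northgate-voicemail.com/listen?id=4,ClickAllowed
user09@northgate.example,https://northgate-voicemail.com/listen?id=5,ClickAllowed
user10@northgate.example,https://northgate-voicemail.com/listen?id=6,ClickAllowed
user11@northgate.example,https://northgate-voicemail.com/listen?id=7,ClickBlocked
user12@northgate.example,https://docs.example/share,ClickAllowed
"""

# Constructed remediation log: every delivered message removed except msg-23.
REMEDIATION_CSV = "NetworkMessageId,ActionType\n" + "".join(
    f"msg-{i:02d},AdminMailboxRemoval\n" for i in range(5, 23))


def load_csv(text):
    """Parse an export into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def investigate(email_rows, click_rows, phish_domain=PHISH_DOMAIN):
    """Steps 1-5: scope the campaign, split delivered/blocked, join clicks, list actions."""
    campaign = [r for r in email_rows if r["SenderFromDomain"] == phish_domain]
    delivered = [r for r in campaign if r["DeliveryAction"] == "Delivered"]
    blocked = [r for r in campaign if r["DeliveryAction"] == "Blocked"]
    # Only allowed clicks on the campaign URL count as exposure.
    clickers = {r["AccountUpn"] for r in click_rows
                if phish_domain in r["Url"] and r["ActionType"] == "ClickAllowed"}
    delivered_to = {r["RecipientEmailAddress"] for r in delivered}
    return {
        "TotalEmails": len(campaign),
        "Delivered": len(delivered),
        "Blocked": len(blocked),
        "DeliveryRatePct": round(100 * len(delivered) / len(campaign)) if campaign else 0,
        "Clicked": len(delivered_to & clickers),
        # Soft-delete target list (all delivered copies) and the two user populations.
        "SoftDeleteTargets": [r["NetworkMessageId"] for r in delivered],
        "ContainmentUsers": sorted(delivered_to & clickers),
        "ExposedNotClicked": sorted(delivered_to - clickers),
    }


def verify_remediation(targets, remediation_rows):
    """Return message ids we intended to remove that have no remediation record."""
    removed = {r["NetworkMessageId"] for r in remediation_rows}
    return sorted(set(targets) - removed)


if __name__ == "__main__":
    result = investigate(load_csv(EMAIL_EVENTS_CSV), load_csv(URL_CLICKS_CSV))
    for key in ("TotalEmails", "Delivered", "Blocked", "DeliveryRatePct", "Clicked"):
        print(f"{key}: {result[key]}")
    print("Contain:", result["ContainmentUsers"])
    print("Not yet removed:", verify_remediation(result["SoftDeleteTargets"], load_csv(REMEDIATION_CSV)))
```

The output reproduces the scenario's figures (23 total, 19 delivered, 4 blocked, 83% delivery rate, 6 clickers, 13 exposed-but-not-clicked) and reports msg-23 as still present after remediation, which is exactly the gap the EmailPostDeliveryEvents tracking query is meant to catch. Note that a blocked click (ClickBlocked) and a click on an unrelated URL are deliberately excluded from the clicker set, matching the `ActionType == "ClickAllowed"` filter in the KQL.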

User-reported phishing

Threat Explorer integrates with user-reported messages. When a user clicks “Report phishing” in Outlook, the email appears in Threat Explorer under the Submissions tab. This creates a human sensor network — users reporting suspicious emails that automated detection missed.

Operational workflow: Review user submissions daily (5 minutes). For each: is it a true phishing email that detection missed? If yes: remediate (soft delete from all recipients), block the sender, and consider whether the anti-phishing threshold should be increased. Is it a false positive (legitimate email the user thought was phishing)? If yes: mark as “not a threat” — this feedback improves Defender’s ML models.

// User-reported phishing submissions
EmailPostDeliveryEvents
| where TimeGenerated > ago(7d)
| where ActionType == "PhishReport"
| summarize
    Reports = count(),
    UniqueReporters = dcount(RecipientEmailAddress)
    by bin(TimeGenerated, 1d)

A spike in user reports (3x the daily average) may indicate: an active phishing campaign that detection is missing, or a false positive wave (a legitimate email that looks suspicious). Investigate any spike before it becomes an incident.
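An added example (not Microsoft's code) of the spike rule applied to report data: it buckets reports per day as the query above does, flags a day whose count exceeds three times the mean of the preceding days, and then shows the first triage step, which is to check whether one subject line accounts for most of the reports on that day. The REPORTS list of (timestamp, subject) pairs is constructed; the thresholds and function names are assumptions.

```python
"""Flag spikes in user phishing reports using the 3x-daily-average rule.

Added example, not Microsoft's code. REPORTS is a constructed list of
(timestamp, subject) pairs standing in for the PhishReport rows the query
above returns; a CSV export of that query could be mapped to the same pairs.
"""
from collections import Counter
from datetime import datetime, timedelta

REPORTS = (
    [("2026-03-02T09:10:00", "Invoice overdue")] * 2
    + [("2026-03-03T10:00:00", "Your package is waiting")] * 3
    + [("2026-03-04T11:30:00", "Invoice overdue")]
    + [("2026-03-05T08:45:00", "Password expiring")] * 2
    + [("2026-03-06T08:05:00", "Action required: mailbox quota")] * 10
    + [("2026-03-06T14:20:00", "Invoice overdue")] * 2
)


def daily_counts(reports):
    """Bucket reports per calendar day, filling quiet days with 0 (like bin(..., 1d))."""
    counts = Counter(datetime.fromisoformat(ts).date() for ts, _ in reports)
    if not counts:
        return {}
    day, last = min(counts), max(counts)
    filled = {}
    while day <= last:
        filled[day] = counts.get(day, 0)
        day += timedelta(days=1)
    return filled


def find_spikes(counts, factor=3.0, min_baseline_days=3):
    """Return (day, count, baseline) where count > factor x mean of all earlier days."""
    spikes, history = [], []
    for day in sorted(counts):
        n = counts[day]
        if len(history) >= min_baseline_days:
            baseline = sum(history) / len(history)
            if n > factor * baseline:
                spikes.append((day, n, round(baseline, 2)))
        history.append(n)
    return spikes


def dominant_subject(reports, day):
    """Top subject on a day: one subject behind most reports means one email drives the spike."""
    subjects = Counter(subj for ts, subj in reports if datetime.fromisoformat(ts).date() == day)
    subject, n = subjects.most_common(1)[0]
    return subject, n, sum(subjects.values())


if __name__ == "__main__":
    for day, n, baseline in find_spikes(daily_counts(REPORTS)):
        subject, top, total = dominant_subject(REPORTS, day)
        print(f"{day}: {n} reports vs baseline {baseline}; {top}/{total} share subject '{subject}'")
```

On the constructed data only 6 March is flagged (12 reports against a baseline of 2 per day), and 10 of the 12 reports share one subject. That pattern says one email is behind the spike; whether it is a missed phishing campaign or a legitimate mass mailing that users found suspicious is what the daily submission review then decides. Quiet days are filled with zero so that a gap in reports lowers the baseline rather than being silently skipped.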


Threat Explorer advanced filtering

Beyond basic sender/recipient filtering, Threat Explorer supports complex conditions that accelerate investigation:

Filter by detection technology: Show only emails caught by a specific detection layer. Useful for: assessing Safe Links effectiveness (filter: detection technology = URL detonation), evaluating impersonation protection (filter: detection technology = impersonation), and identifying emails that bypassed all detection (filter: delivery action = delivered, threat types = Phish).

Filter by URL domain: When investigating a phishing URL, filter all emails containing URLs pointing to that domain — across all recipients, all time ranges, and all subjects. This surfaces the complete campaign footprint regardless of how many different email subjects the attacker used.

Filter by sender IP: When investigating a compromised sending infrastructure (e.g., a vendor’s mail server), filter all email from that IP. This shows whether the compromised server sent phishing to other recipients beyond the initial alert.

Export to CSV: For large investigations: export Threat Explorer results to CSV for analysis in Excel or Python. This is useful when the investigation involves hundreds of emails and you need to: sort by recipient department (which department was targeted most?), correlate with HR data (were departing employees targeted differently?), or feed into a SIEM correlation query.

Threat Explorer vs KQL: when to use which

Scenario | Use Threat Explorer | Use KQL
Quick investigation (< 5 minutes) | Yes |
Campaign scope (single domain/URL) | Yes |
Remediation (soft/hard delete) | Yes |
Cross-product correlation (email + sign-in + endpoint) | | Yes
Historical analysis (> 30 days) | | Yes
Automated detection (scheduled rule) | | Yes
Custom metrics and reporting | | Yes
Integration with Sentinel incidents | | Yes

The practical split: Use Threat Explorer for the immediate response (find the emails, remediate them, block the sender). Use KQL for the deeper investigation (correlate with sign-in logs, build detection rules, create the IR report). They complement — not replace — each other.

Try it yourself

You discover a phishing campaign in Threat Explorer affecting 200 mailboxes. Walk through the complete response workflow: investigation steps, remediation actions, and follow-up checks.

1. Investigate: In Threat Explorer, view the campaign details — sender domain, URL pattern, delivery breakdown, click-through data.

2. Remediate email: Select all campaign emails, soft-delete from all 200 mailboxes.

3. Check clicks: Query UrlClickEvents for users who clicked the phishing URL.

4. Investigate clickers: For each user who clicked, check SigninLogs and AADNonInteractiveUserSignInLogs for token replay (Module 14.5).

5. Contain compromised accounts: Revoke sessions, reset password, force MFA re-registration for any user showing compromise indicators.

6. Block future waves: Create a transport rule blocking the URL pattern.

7. Extract IOCs: Sender domains, URLs, IPs — create custom indicators in Defender for Endpoint.

This is the complete cycle: detect → scope → remediate → investigate → contain → prevent.

Check your understanding

1. You identify a phishing campaign affecting 50 mailboxes. Should you soft delete or hard delete the emails?

  • Soft delete first (correct). Confirm the campaign is malicious by reviewing sample emails and verifying the detection. Then hard delete if confirmed. Soft delete is reversible; hard delete is not. A false positive hard deletion across 50 mailboxes causes significant business disruption.
  • Hard delete immediately — speed is critical (incorrect)
  • Leave them and warn users (incorrect)