Threat Investigation and Response in Office 365 Security

With the ever-increasing risk of cybercrimes, businesses all around the world struggle to safeguard their most prized asset: their data. Luckily, Microsoft Defender for Office 365 provides IT administrators and analysts with threat investigation and response capabilities, which allow them to proactively protect their users and data.

Using these built-in Office 365 security features, you can gain valuable insights into common threats, collect practical data and plan effective response actions. Your security team can easily identify, monitor and fend off malicious activities before they cause irreparable damage to your organization.

This post breaks down the various tools included in Microsoft’s threat investigation and response. Read on to get an overview of the different features and how they combine to create an infallible shield against file- and email-based attacks.

What Is Office 365 Threat Investigation and Response?

Office 365 threat investigation and response is an umbrella term referring to a set of capabilities in Microsoft Defender for Office 365 plan 2. These tools help IT administrators and analysts monitor and collect information about potential threats. Security teams can then use the response actions available in the Microsoft 365 Defender portal to address risks in SharePoint Online, OneDrive for Business, Exchange Online and Microsoft Teams.

With these Office 365 security features, you can gather data from several sources such as previous security incidents, user activity, authentication, emails and compromised computers. The threat investigation and response workflow includes the following:

  • Explorer (Real-time detections in MS Defender for Office 365 Plan 1)
  • Incidents (also known as Investigations)
  • Attack simulation training
  • Automated investigation and response

It is important to mention that all of these capabilities provide the necessary protection by gathering data from the built-in threat trackers in Microsoft Defender, so let’s take a closer look at these first.

Threat Trackers

Threat trackers are a collection of informative widgets, charts and tables that provide Office 365 monitoring. They display useful details on cyber threats that can affect your organization. Tracker pages contain periodically updated figures on trending risks like malware and phishing schemes to indicate which issues are currently the most dangerous to your organization. In addition, you can find an Actions column that redirects you to Threat Explorer where you can view more in-depth information.


  • Threat trackers are included in the Microsoft Defender for Office 365 Plan 2 and you need a global administrator, security administrator or security reader permission to use them.
  • To access Threat Trackers for your organization, go to, click on Email & collaboration, then Threat tracker. You can also directly go to

There are four different features in threat trackers: Noteworthy trackers, trending trackers, Tracked queries and Saved queries.

Noteworthy trackers

This widget shows new or existing threats of varying severity and whether they exist within your Microsoft 365 environment or not. If they do, you can also see links to helpful articles that detail the issue and how it can impact Office 365 security in your organization.

Your security team should check the noteworthy trackers regularly since they are only posted for a couple of weeks and then replaced by more recent items. This keeps the list up to date so you could stay informed on more relevant risks.

Trending trackers

Trending trackers highlight the latest threats sent to your organization’s email during the last week. Administrators gain better insights by viewing dynamic assessments of tenant-level malware trends and identifying the behavior of malware families.

Tracked queries

Tracked queries is another Office 365 monitoring tool that periodically assesses activity in your Microsoft environment by leveraging the saved queries. This is an automatic process that gives recent information on suspicious activities to help ensure Office 365 threat protection.

Saved queries

The common Explorer searches or Noteworthy tracker queries that you usually perform can be stored as Saved queries. This way you do not have to create a new search every time and easily access previously saved queries.

Threat Explorer and Real-Time Detections

In Microsoft Defender for Office 365, Explorer, also known as Threat Explorer, allows security experts to analyze potential threats that target your organization and monitor the volume of attacks over time. With this feature, you can view comprehensive reports and policy recommendations to learn how you can efficiently respond to the risks that are trying to infiltrate your organization.


  • Explorer is included in Microsoft Defender for Office 365 plan 2 while plan 1 offers Real-time detections.
  • To access either of these tools, go to the Security & Compliance Center then Threat management.

Threat Explorer provides important information on threats such as basic historical data, common methods of delivery and the possible damage that might be caused. Analysts can use this tool as a starting point for their investigation to examine data by attacker infrastructure, threat families and other parameters.

Check detected malware

You can use Explorer to view malware discovered in your organization’s email. The report can be filtered by different Microsoft 365 technologies.

View phishing URL and click verdict data

Phishing attempts through URLs in email messages are also shown in Threat Explorer. This report includes a list of allowed, blocked and overridden URLs sorted in two tables:

  • Top URLs: Attackers sometimes add good URLs alongside the bad links to confuse the recipient. This list mostly contains legitimate URLs found in the messages you filtered down and they are sorted by total email count.
  • Top clicks: These are the Safe Links-wrapped URLs that were opened and they are sorted by total click count. The links here are most likely malicious and you can find the Safe Links click verdict count next to each URL.

Note: When setting up the Office 365 phishing filter, you should configure Safe Links and their policies to identify which URLs were clicked and benefit from time-of-click protection and logging of click verdicts.

The click verdict values displayed in Explorer help you understand the action that was taken once a URL was selected:

  • Allowed: The user was able to navigate to the URL.
  • Blocked: The user was not able to navigate to the URL.
  • Pending verdict: The detonation-pending page was shown when the user clicked on the URL.
  • Error: The error page was presented to the user since an error occurred when trying to capture the verdict.
  • Failure: An unknown exception occurred when trying to capture the verdict. It is possible that the user clicked through the URL.
  • None: Could not capture the verdict. It is possible that the user clicked through the URL.
  • Blocked overridden: The user overrode the block and navigated to the URL.
  • Pending verdict bypassed: The detonation page was shown but the user overrode the message to access the URL.

Review email messages reported by users

This report shows data regarding messages that users in your organization reported as junk, not junk or phishing. To get better results, it is recommended that you configure spam protection for Office 365.

Find and investigate malicious emails that were delivered

Real-time detections and Threat Explorer give security personnel the ability to investigate hostile activities that could put your organization at risk. The available actions are:

  • Locating and identifying the IP address of a malicious email sender
  • Finding and deleting messages
  • Starting an incident to conduct further investigation
  • Check the delivery action and location
  • View the timeline of your email

View malicious files detected in SharePoint Online, OneDrive and Microsoft Teams

Reports in Explorer list information about files that are identified as malicious by Safe Attachments for OneDrive, Microsoft Teams and SharePoint Online. Admins can also view these files in quarantine.

Check the threat protection status report

This widget displays the status of your Office 365 security. In addition to the count of email messages that contain malicious content, you can also find:

  • Files or URLs that were blocked
  • Zero-hour auto purge (ZAP)
  • Safe Links
  • Safe Attachments
  • Impersonation protection features in anti-phishing policies

This information allows you to analyze security trends so you could determine if your policies need adjustment.

Attack Simulation Training

Set up and run realistic but benign cyberattacks in your organization to test your security policies and identify vulnerabilities before an actual attack takes place. These simulations are a part of Office 365 threat protection since they help train your employees to stay vigilant against social engineering schemes like phishing attacks.

Note: You can access this feature by going to the Microsoft 365 Defender portal > Email & collaboration > Attack simulation training. Or go directly to the Attack simulation training page.

The attack simulation training has a specific workflow consisting of a series of steps that you need to complete before launching the simulated attack.

Pick a social engineering technique

First, you need to choose one of the available social engineering schemes:

  • Link to malware: Runs an arbitrary code from a file hosted on a reputable file sharing service then sends a message containing a link to this malicious file. If the user opens the file, then the device is compromised.
  • Credential harvest: Users are redirected to what looks like a well-known website where they can input their username and password.
  • Link in attachment: A URL is added to an email attachment and behaves similarly to credential harvest.
  • Malware attachment: A malicious attachment is added to a message. If the attachment is opened, then the target’s device is compromised.
  • Drive-by URL: A URL redirects the user to a familiar website that installs malicious code in the background. Office 365 endpoint protection might not be able to deter such threats and subsequently, the device gets infected.

Choose a name and describe the simulation

The next step is to enter a unique and descriptive name for the simulation you are creating. A detailed description is optional.

Select a Payload

On this page, you should pick the payload that will be presented to the users in the simulation. This could be either an email message or a webpage. You can choose from the built-in catalog that contains the available payloads. It is also possible to create a custom payload that works better with your organization.

Target users

Here you select the users in your company that will receive the attack simulation training. You can either include all users or choose specific targets and groups.

Assign training

Microsoft recommends that you assign training for each simulation you create since the employees that go through it are less likely to fall prey to a similar attack. You can view the suggested courses and modules and pick the ones that best fit your needs based on the user’s results.

Select end user notification

This tab allows you to configure your notification settings. You can add a positive reinforcement notification if you choose Customized end user notifications to encourage your users once they are done with the training.

Automated Investigation and Response (AIR)

In Office 365 security, Automated Investigation and Response (AIR) capabilities trigger automatic alerts when a well-known threat targets your organization. This reduces manual work and allows your security team to operate more efficiently by reviewing, prioritizing and responding accordingly.

An automated investigation can be initiated either by a suspicious attachment that arrived in an email message or by an analyst using Threat Explorer. AIR gathers data related to the email in question such as intended recipients, files and URLs. Administrators and security personnel can review the investigation results and check the recommendations to approve or reject the remediation actions.

AIR can be triggered by one of the following alerts:

  • A possibly malicious URL was clicked
  • A user reported an email as phishing or malware
  • An email message containing malware or phish URL was removed after delivery
  • A suspicious email sending pattern was detected
  • A user is restricted from sending messages


Office 365 threat investigation offers various capabilities that help safeguard your data. With Microsoft Defender for Office 365 plan 2, you can employ advanced features like threat trackers and threat explorer. You can also conduct attack simulation training to keep your users vigilant and safe from potential cyberattacks. In addition, you can set up automated investigation and response (AIR) to offload your security team so they could focus on more high-priority threats.

That said, the only way to ensure complete protection of an Office 365 environment is by deploying a modern data protection solution like NAKIVO Backup & Replication. The solution provides powerful backup and recovery capabilities for Exchange Online, Teams, OneDrive for Business and SharePoint Online. Try the Free Edition today!

People also read