Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.
Microsoft 365 organizations that have Microsoft Defender for Office 365 included in their subscription or purchased as an add-on have the Email entity page. The Email entity page in the Microsoft Defender portal contains highly detailed information about an email message and any related entities.
To use the Email entity page, you need to be assigned permissions. The permissions and licensing are the same as Threat Explorer (Explorer) and Real-time detections. For more information, see Permissions and licensing for Threat Explorer and Real-time detections.
There are no direct links to the Email entity page from the top levels of the Defender portal. Instead, the Open email entity action is available at the top of the email details flyout in many Defender for Office 365 features. This email details flyout is known as the Email summary panel, and contains a summarized subset of the information on the Email entity page. The email summary panel is identical across Defender for Office 365 features. For more information, see the The Email summary panel section later in this article.
Tags section. Shows any user tags (including Priority account) that are assigned to senders or recipients. For more information about user tags, see User tags in Microsoft Defender for Office 365.
Latest delivery location: The location of the message after system actions on the message (for example, ZAP), or admin actions on the message (for example, Move to Deleted Items). User actions on the message (for example, deleting or archiving the message) aren't shown, so this value doesn't guarantee the current location of the message.
The following message event information is available in the view. Select a column header to sort by that column. To add or remove columns, select Customize columns. By default, all available columns are selected.
If nothing happened to the message after delivery, the message is likely to have only one row in the Timeline view with the Event types value Original delivery. For example:
All Overrides: All organization or user settings that had the possibility to alter the intended delivery location of the message. For example, if the message matched a mail flow rule and a block entry in the Tenant Allow/Block List, both settings are listed here. The Primary Override : Source property value identifies the setting that actually affected the delivery of the message.
Primary Override : Source: Shows the organization or user setting that altered the intended delivery location of the message (allowed instead of blocked, or blocked instead of allowed). For example:
Exchange transport rules (mail flow rules): If the message was affected by mail flow rules, the rule names and GUID vales are shown. Actions taken on messages by mail flow rules occur before spam and phishing verdicts.
Connector: If the message was delivered through an Inbound connector, the connector name is shown. For more information about connectors, see Configure mail flow using connectors in Exchange Online.
Alert ID: Select the Alert ID value to open the details page for the alert (as if you found and selected the alert from the Alerts page at ). The Copy to clipboard action is also available to copy the Alert ID value.
The following attachment information is available in this view. Select a column header to sort by that column. To add or remove columns, select Customize columns. By default, all available columns are selected.
Deep analysis tab: Information is available on this tab if Safe Attachments scanned (detonated) the attachment. You can identify these messages in Threat Explorer by using the query filter Detection technology with the value File detonation.
Detonation chain section: Safe Attachments detonation of a single file can trigger multiple detonations. The detonation chain tracks the path of detonations, including the original malicious file that caused the verdict, and all other files affected by the detonation. These attached files might not be directly present in the email. But, including the analysis is important to determining why the file was found to be malicious.
If no detonation chain information is available, the value No detonation tree is shown. Otherwise, you can select Export to download the detonation chain information to a CSV file. The default filename is Detonation chain.csv and the default location is the Downloads folder. If a file with that name already exists, the filename is appended with a number (for example, Detonation chain(1).csv). The CSV file contains the following information:
Summary section: If no detonation summary information is available, the value No detonation summary is shown. Otherwise, the following detonation summary information is available:
Behavior details section: Shows the exact events that took place during detonation, and problematic or benign observations that contain URLs, IPs, domains, and files that were found during detonation. There might not be any behavior details for container files like ZIP or RAR that contain other files.
If no behavior details information is available, the value No detonation behaviors is shown. Otherwise, you can select Export to download the behavioral details information to a CSV file. The default filename is Behavior details.csv and the default location is the Downloads folder. If a file with that name already exists, the filename is appended with a number (for example, Behavior details(1).csv). The CSV file contains the following information:
If you select an entry in the Attachments view by selecting the check box next to the filename, the Block action is available. This action adds the file as a block entry in the Tenant Allow/Block List. Selecting Block starts the Take action wizard:
Deep analysis tab: Information is available on this tab if Safe Links scanned (detonated) the URL. You can identify these messages in Threat Explorer by using the query filter Detection technology with the value URL detonation.
Detonation chain section: Safe Links detonation of a single URL can trigger multiple detonations. The detonation chain tracks the path of detonations, including the original malicious URL that caused the verdict, and all other URLs affected by the detonation. These URLs might not be directly present in the email. But, including the analysis is important to determining why the URL was found to be malicious.
Screenshots section: Show any screenshots that were captured during detonation. No screenshots are captured if the URL opens into a link that directly downloads a file. However, you see the downloaded file in the detonation chain.
Behavior details section: Shows the exact events that took place during detonation, and problematic or benign observations that contain URLs, IPs, domains, and files that were found during detonation.
If you select an entry in the URL view by selecting the check box next to the filename, the Block action is available. This action adds the URL as a block entry in the Tenant Allow/Block List. Selecting Block starts the Take action wizard:
The Similar emails view shows other email messages that have the same message body fingerprint as this message. Matching criteria in other messages doesn't apply for this view (for example, file attachment fingerprints).
b1e95dc632