Today I wanted to share with you some exciting new capabilities that are now available to help Microsoft Defender for Office 365 and Microsoft 365 Defender customers investigate emails.
We know that you, the security teams, spend a lot of time diving deep into alerts, hunting threats, identifying malicious indicators, and taking remediation actions, and that you go through multiple workflows to protect your organization. Workflows involving email-borne threats typically share a few steps, all of which involve analyzing the email in question and any related emails to answer questions like: Why did the system call an email malicious? Why was an email blocked (or delivered)? How many users (and which ones) received these emails? What actions have already been taken on them? And a lot more.
Answering these questions takes time and effort, and we consistently hear that you want more efficient tools so that the time spent responding to alerts and threats goes down.
That's why we're excited to introduce the new Email Entity page in Microsoft Defender for Office 365: a simple yet rich experience that offers a single-pane-of-glass view to answer all the questions above, so you can investigate and respond to threats faster.
The email entity page gives a 360-degree view of an email on one page, with the details critical to an investigation, helping security analysts save time and effort and leading to more effective threat protection.
Curious why an email was delivered despite being marked as malicious? Where the email is now? What the detonation of a URL or file revealed? Whether it was sent to a priority account? The email entity page brings you the answers to these questions and the details you need to analyze an email: overrides, Exchange transport rules, latest delivery location, detonation details, tags and a lot more.
The page lets analysts dig into detailed email properties and headers, preview the email, or download it. It also builds on our promise to integrate Defender for Office 365 tightly with other Microsoft 365 Defender experiences such as hunting, alerts and investigations.
The single-page view is only part of the story; the new email entity page also brings a lot more detail and new capabilities.
Each tab presents a different aspect of the email. The timeline tab lists the series of events that took place on the email, whether performed by the system, an admin or a user.
Figure 1: The timeline tab lists the events that took place on the email, performed by the system, an admin or a user.
The analysis tab shows pre- and post-delivery details about the email alongside its headers in the same tab, which is useful for side-by-side analysis.
Figure 2: The analysis tab shows pre- and post-delivery details about the email, together with the email headers
The attachment and URL tabs present detailed information about the attachments and URLs in the email, along with detonation details whenever a detonation occurred (covered below under detonation details).
Lastly, the similar emails tab shows other emails found to be similar to this one. Similarity is determined by the body fingerprint, i.e. the cluster ID, so this tab is a quick way to see the other messages and recipients of the same campaign.
Figure 3: The similar emails tab shows emails found similar to the email, using cluster ID
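The same cluster ID is exposed in Microsoft 365 Defender Advanced Hunting, so the "similar emails" and "what actions have already been taken" questions can also be answered with a query. The following is an added example written for this article, not code from the original page or from Microsoft; it assumes the documented `EmailEvents` and `EmailPostDeliveryEvents` tables (columns `NetworkMessageId`, `EmailClusterId`, `RecipientEmailAddress`, `DeliveryAction`, `DeliveryLocation`, `ActionType`, `ActionResult`) and uses a placeholder message ID that you replace with the one from the email entity page.

```kql
// Placeholder: replace with the Network Message ID shown on the email entity page.
let targetMessageId = "00000000-0000-0000-0000-000000000000";
// Look up the cluster ID (body fingerprint) of the email under investigation.
let clusterId = toscalar(
    EmailEvents
    | where Timestamp > ago(30d)
    | where NetworkMessageId == targetMessageId
    | take 1
    | project EmailClusterId);
// Similar emails: everything in the same cluster, with recipient counts per delivery outcome.
// Messages that were never clustered carry an empty EmailClusterId, so guard against matching them all.
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(clusterId) and EmailClusterId == clusterId
| summarize Recipients = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Subjects  = make_set(Subject, 5)
          by SenderFromAddress, DeliveryAction, DeliveryLocation
| order by Recipients desc
```

To see what has already been done about those messages (for example zero-hour auto purge or manual remediation), join the same cluster against `EmailPostDeliveryEvents` on `NetworkMessageId` and summarize by `ActionType` and `ActionResult`; the timeline tab on the entity page shows the same events for a single message.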
The email entity page not only has enriched details but also new capabilities that help the security operations team investigate, such as email preview and detonation details.
We now provide full previews of emails that are still present in cloud mailboxes. There is no need to download a copy of a malicious message to understand what your users saw: you can now view it with the click of a button from the safety of the admin center.
Figure 4: Email preview provides full previews of emails found in cloud mailboxes
With the email entity page, we have greatly enhanced the level of detail we present about what we observe in the detonation chamber. When a URL or file in an email is found malicious during detonation, we present the information needed to understand the full scope of related threats: the full detonation chain, a detonation summary, a screenshot and observed behavior details. This helps security teams understand why we reached a malicious verdict for that URL or file.
For file detonations (you can filter by detection technology in Threat Explorer), the Attachments tab lists the attachments and their respective threats; clicking a malicious attachment opens the detonation details flyout for it. For URL detonations, the URL tab lists the URLs and their corresponding threats; clicking a malicious URL opens the detonation details flyout for it.
Figure 5: Detonation details shows additional details discovered during detonation of links and files
If you have Microsoft Defender for Office 365 or Microsoft 365 Defender, you can take advantage of this new experience today. Threat Explorer is natively integrated with it: when hunting for email-based threats there, you can now navigate to the new email entity page. The same applies from the alerts experience in both the Microsoft 365 security portal (security.microsoft.com) and the Security & Compliance Center (protection.office.com).
Do you have questions or feedback about Microsoft Defender for Office 365? Engage with the community and Microsoft experts in the Defender for Office 365 forum.