Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community
Threat Explorer: UX enhancements, URL clicks tab and customizable export
Published May 30 2023 12:05 PM 5,608 Views

We are thrilled to announce the release of new Threat Explorer V3 by Microsoft Defender for Office 365 with improved user experience to detect and investigate potential threats in their email environment. This tool provides real-time insights and recommendations to security analysts, helping them identify and mitigate security risks quickly and effectively. With the new release, Threat Explorer V3 offers enhanced filtering into email security events, allowing administrators to proactively respond to potential threats and prevent security incidents from occurring. Additionally, the tool provides a comprehensive view of email-based attacks, URL clicks, high-risk users making it easier for security teams to investigate and respond to these threats in a timely manner.  


Improvements in user experience 


New filtering experience: 



The new experience allows users to have a concise view of the filters, filter combinations on logical conditions and date range they have selected at one place. This can be useful when working with large data sets or complex filters, as it allows users to see all the filters they have applied and how they are interacting with each other. The "Equals" and "Contains" conditions are two of the most useful filter conditions in the new Threat Explorer filters. The " Equals " condition is used to match an exact value, which can be helpful in cases where analysts need to quickly search for a specific threat or piece of data. The " Contains" condition, on the other hand, is used to match any value that contains a specified string of keywords, which is useful when searching for more general patterns or trends.  

For example, if an analyst wants to search for all traffic to a particular domain using similar keywords in subject line, they could use the "contains" condition to search for all traffic that matches the subject keywords. The combination of these two conditions allows analysts to quickly and accurately filter large amounts of data, allowing them to focus on the most relevant threats and potential security issues.  

With the intent to make filtering experience seamless, we have effectively removed the “Advanced Filters” from explorer and absorbed the functionality in the core filtering experience, The AND and OR operators are incredibly useful for analyzing and identifying potential security threats. These logical operators allow for the creation of complex search queries that can filter data based on multiple criteria. The AND operator is used to narrow down search results by specifying that all conditions must be met for a result to be returned, while the OR operator broadens the search by returning results that match any of the specified conditions. The combination of Equals/Contains with AND/OR will provide a more efficient and effective threat detection and response. 


Additions to filter options: 

The new filter options in threat explorer filters were designed with an aim to greatly enhance the overall functionality and usefulness of the tool. With the addition of new filters, users can refine their search parameters and identify specific threats more quickly and accurately. The filters are now categorized into Basic, Advanced, URLs, Files, and Authentication section. Basic filters can include simple criteria such as subject, sender, recipient. Advanced filters may include more complex criteria such as NetworkMessageID, Sender IP, Attachment SHA256. URL filters are specifically on URLs or domains related to a threat or attack. File filters are specific to attachments, such as File name, file type etc. that may be associated with a threat and the Authentication filters can be used to identify DMARC, DKIM, SPF authentication results. The newly added filter options are -  

Recipient domains 

File size 

URL threat 

Return path  

Attachment count 

URL location 

Return path domain 

Email size 

URL count 

File type 


Policy type 

File extension 

Threat type 

Policy action 






URL clicks tab: 

The process of investigating potential threats and vulnerabilities in an organization's digital ecosystem can be complex and time-consuming. In the past, security analysts often had to navigate between multiple reports and tools like Threat protection reports, Advanced hunting etc. to gather the information they needed to identify and respond to security incidents. However, with the release of new features in Threat Explorer, this process has been streamlined and made much more efficient. The new URL clicks tab in Threat Explorer allows analysts to see end-user clicks across Email, Teams, and Office apps in a single location, eliminating the need for to-and-fro navigation between multiple tools and platforms. This consolidated view provides a comprehensive picture of user behaviour and makes it easier for analysts to identify patterns and potential risks. Security analysts can use the NetworkMessageID, Recipient and URL details to identify the emails and users who have been impacted with the URL based attacks. The new tab also features the export functionality allowing security analysts to download the result set into a csv file for further analysis if required. 






This new tab provides security analysts with a guided tool for investigating and analyzing potentially malicious URLs that have been clicked by users within an organization with the “Top clicks” and “Top targeted users” tabs. These tabs can not only give an aggregated list but users can also apply filters in the URL clicks tab to narrow down the search to get even more refined list as per their needs (ex. clicks on phishing URLs, clicks on URLs in Teams). 

The “Top clicks” tab displays the URLs that have been clicked the most by users within the organization, how many have been blocked and how many have been allowed if they are clean or as per the user settings. By analyzing this information, security analysts can identify potential phishing attempts or other malicious activity that may be targeting users within the organization. This can help security teams take proactive measures to protect their systems and users from these threats. 





The “Top targeted users” tab displays the users who have clicked on the most URLs within the organization. This information can help security analysts identify potential high-risk users who may be more susceptible to phishing or other types of attacks.  





By providing insights into the patterns and frequency of clicks, the URL clicks tab will help in identify potential threats and vulnerabilities, enabling security teams to take proactive measures to protect the systems data and the end users from malicious attacks. Identifying these users, security teams can also provide targeted training and awareness programs to help them better understand the risks and avoid falling victim to attacks. 


Customize your data exports: 

Threat explorer allows users to export additional data along with the data visible on the data grid. With the new export feature, users will have the ability to selectively export the data for their needs or use cases that are relevant to their analysis or investigation, without having to sift through irrelevant data. The latest export feature includes a group of default fields that offer fundamental information from email metadata as pre-selected options and furthermore, you have the choice to pick extra fields or modify the current selection based on your requirements. The new export feature is available across all tabs in Threat Explorer – All Email, Malware, Phish, Campaign and Content Malware 




Note: All of the these enhancements are in rollout stage and will be available in public preview by end of May, 2023 

For questions or feedback about Microsoft Defender for Office 365, engage with the community and Microsoft experts in the Defender for Office 365 forum. 

1 Comment
Version history
Last update:
‎May 30 2023 12:07 PM
Updated by: