
June 20, 2025
When a suspicious email is delivered due to policy configurations or evolving threat techniques, timely investigation is critical to minimizing impact. Microsoft Defender for Office 365 (MDO) offers a comprehensive suite of tools within the Incidents tab that empowers security teams to swiftly identify, investigate, and respond to email threats. But how do you investigate efficiently? What’s the most effective workflow once an alert fires?
In this blog post, we’ll walk through a recommended investigation workflow using the Incidents tab (https://security.microsoft.com/incidents), turning alerts into actionable insights and minimizing dwell time for email-borne threats.
Step-by-Step Investigation Workflow
Step 1: Review the Alert Timeline and Incident Graph
The Attack Story tab in the incident view provides a visual timeline of alerts and an interactive graph that connects users, emails, and URLs.
Alerts Panel
- Shows a chronological series of alerts related to the incident.
- Each alert includes the alert type, timestamp, status, and impacted user.
- Example: A “potentially malicious URL click” by a user indicates user interaction that needs immediate review.
Best Practice:
Start from the earliest alert – often a DLP policy or internal phishing detection – to understand the root cause.
Incident Graph
- Visualizes relationships between users, emails, and URLs.
- Helps identify affected users, email origin, and the communication path.
Step 2: Investigate Alert Details
Clicking an alert opens a detailed view that includes:
- Summary of what happened
- Severity and source of the alert
- Classification insights (e.g., malicious, suspicious)
Use this to validate whether the alert is actionable, what triggered it (Safe Links, URL reputation, user behavior), and if manual escalation is needed.
Step 3: Analyze the Email Entity
Clicking the associated email entity brings up delivery metadata and headers:
Key fields to review:
- Latest Threats (e.g., Phish, Malware)
- Original and latest delivery locations
- Delivery Action (e.g., Delivered, ZAP-adjusted)
- Detection Technology (e.g., URL malicious reputation, detonation)
- Sender and Return Path
- ZAP Status (e.g., Failed, Succeeded)
Best Practice: Review whether ZAP failed to remove the email and consider if override policies are weakening response.
Step 4: Review the Email Timeline
Under the Timeline tab in Explorer:
- Track the event sequence: Delivery → Click → ZAP review
- Review Event Types (e.g., URL click detected, ZAP-Succeeded)
- Understand Result (e.g., ZAP took no action due to policy)
This reveals not just what occurred but whether Microsoft 365’s post-delivery protections functioned as intended.
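The email entity fields from Step 3 and the delivery → click → ZAP sequence from Step 4 can also be reconstructed in Advanced Hunting, which is useful when the portal timeline is incomplete or when you want a record you can attach to the incident. The query below is an added example, not code from the original post; it assumes you have copied the message's NetworkMessageId from the email entity page (the GUID below is a constructed placeholder) and uses only the standard EmailEvents, UrlClickEvents, and EmailPostDeliveryEvents tables.

```kql
// Added example: rebuild the per-message timeline (delivery, clicks, post-delivery actions).
// MessageId is a constructed placeholder; replace it with the NetworkMessageId from the email entity.
let MessageId = "00000000-0000-0000-0000-000000000000";
// Original and latest delivery action/location, sender, return path, threats, detection technology.
let Delivery =
    EmailEvents
    | where NetworkMessageId == MessageId
    | project Timestamp, RecipientEmailAddress,
              EventType = "Delivery",
              Detail = strcat(DeliveryAction, " -> ", DeliveryLocation,
                              " | latest: ", LatestDeliveryAction, " -> ", LatestDeliveryLocation),
              ThreatTypes, DetectionMethods,
              Sender = SenderFromAddress, ReturnPath = SenderMailFromAddress;
// Safe Links click events; IsClickedThrough shows whether the user proceeded past a warning page.
let Clicks =
    UrlClickEvents
    | where NetworkMessageId == MessageId
    | project Timestamp, RecipientEmailAddress = AccountUpn,
              EventType = strcat("URL click: ", ActionType),
              Detail = strcat(Url, " | clicked through: ", tostring(IsClickedThrough)),
              ThreatTypes, DetectionMethods;
// ZAP and manual remediation outcomes; ActionResult is where a failed or policy-blocked ZAP shows up.
let PostDelivery =
    EmailPostDeliveryEvents
    | where NetworkMessageId == MessageId
    | project Timestamp, RecipientEmailAddress,
              EventType = strcat("Post-delivery: ", ActionType),
              Detail = strcat(Action, " | trigger: ", ActionTrigger, " | result: ", ActionResult),
              ThreatTypes, DetectionMethods;
union Delivery, Clicks, PostDelivery
| order by Timestamp asc
```

Read the result top to bottom: a Delivery row whose latest location is still Inbox/folder, followed by a click row, with no post-delivery row or one whose ActionResult is not a success, is the "ZAP took no action" pattern the Timeline tab surfaces, and it is the cue to check override policies (Step 3) before moving on.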
Step 5: Analyze Embedded URLs and Detonation Results
Open the URL tab to see which links were in the email:
- Check the URL domain, threat verdict (e.g., Phish), and source (e.g., email body)
- Click the URL to open Deep Analysis
In the Deep Analysis tab:
- Inspect the Detonation Chain (e.g., redirection to phishing pages)
- Review Verdict Reason and Screenshots to understand attacker techniques
Best Practice: Use screenshots to validate phishing lures and document threat behavior.
Step 6: Check Evidence and Response
Navigate to Evidence and Response tab:
- View all threat indicators and verdicts (Malicious, Suspicious, etc.)
- Check Remediation Status (e.g., Prevented, No action taken)
- Identify which artifacts were acted upon vs. still live
Step 7: Assess URL Prevalence and User Exposure
Clicking a malicious URL in the evidence view reveals its prevalence in your tenant:
- Emails: How many messages contained it?
- Clicks: How many users interacted with it?
- Devices: Was the URL seen by endpoint sensors?
This helps measure scope (targeted vs widespread) and prioritize remediation.
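The same three prevalence figures (emails, clicks, devices) can be pulled for any URL with an Advanced Hunting query, which also tells you how many copies are still sitting in inboxes. This is an added example, not code from the original post; the URL is a constructed placeholder, the 30-day lookback is an assumption, and the device match is done on the URL's host because DeviceNetworkEvents often records only the hostname.

```kql
// Added example: measure tenant-wide prevalence of one malicious URL.
// SuspectUrl is a constructed placeholder; paste the URL from Evidence and Response.
let SuspectUrl = "https://example.invalid/login";
let SuspectHost = tostring(parse_url(SuspectUrl).Host);
let Lookback = 30d;
// Emails: messages and recipients that carried the URL, and how many are still in Inbox/folder.
let ByEmail =
    EmailUrlInfo
    | where Timestamp > ago(Lookback)
    | where Url =~ SuspectUrl
    | join kind=inner (EmailEvents | where Timestamp > ago(Lookback)) on NetworkMessageId
    | summarize Emails = dcount(NetworkMessageId),
                Recipients = dcount(RecipientEmailAddress),
                StillInInbox = dcountif(NetworkMessageId, LatestDeliveryLocation == "Inbox/folder");
// Clicks: Safe Links click events on the URL and how many users went past the warning.
let ByClick =
    UrlClickEvents
    | where Timestamp > ago(Lookback)
    | where Url =~ SuspectUrl
    | summarize Clicks = count(),
                UsersClicked = dcount(AccountUpn),
                ClickedThrough = countif(IsClickedThrough == true);
// Devices: endpoints whose network sensors saw the host (requires Defender for Endpoint onboarding).
let ByDevice =
    DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where RemoteUrl =~ SuspectUrl or RemoteUrl contains SuspectHost
    | summarize Devices = dcount(DeviceId);
// Each sub-query returns one row; union them and collapse to a single scope summary.
union ByEmail, ByClick, ByDevice
| summarize Emails = max(Emails), Recipients = max(Recipients), StillInInbox = max(StillInInbox),
            Clicks = max(Clicks), UsersClicked = max(UsersClicked), ClickedThrough = max(ClickedThrough),
            Devices = max(Devices)
```

A handful of emails with zero clicks reads as a targeted, contained attempt; hundreds of recipients with a non-zero StillInInbox count means remediation (Step 6) has not finished and should be prioritized over deeper analysis.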
Step 8: Identify Impacted Users via Assets Tab
The Assets tab lists all users, mailboxes, and other resources tied to the incident.
In this example:
- Two users were involved, including a Cloud Architect and a VP of Marketing
- Both accounts are enabled and should be assessed for privilege level, lateral risk, and post-click activity
Best Practice: Prioritize incident response for privileged users and enforce MFA, sign-out, or password resets if needed.
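To rank the users on the Assets tab by exposure rather than treating every recipient alike, join the message's recipients against their click events and identity attributes. The query below is an added example, not code from the original post; it assumes the incident's NetworkMessageId (the GUID is a constructed placeholder), that the IdentityInfo table is populated for your tenant, and it lower-cases UPNs because RecipientEmailAddress and AccountUpn do not always agree on casing.

```kql
// Added example: list impacted users with job context and their click exposure.
// MessageId is a constructed placeholder; replace it with the incident's NetworkMessageId.
let MessageId = "00000000-0000-0000-0000-000000000000";
// Every recipient of the message, normalized so the joins below match.
let Recipients =
    EmailEvents
    | where NetworkMessageId == MessageId
    | project AccountUpn = tolower(RecipientEmailAddress)
    | distinct AccountUpn;
// Per-user click activity on the message; ClickedThrough > 0 means the warning page was bypassed.
let Clicked =
    UrlClickEvents
    | where NetworkMessageId == MessageId
    | extend AccountUpn = tolower(AccountUpn)
    | summarize FirstClick = min(Timestamp), Clicks = count(),
                ClickedThrough = countif(IsClickedThrough == true) by AccountUpn;
// Most recent identity snapshot per user for job title, department, and account state.
let Identity =
    IdentityInfo
    | where Timestamp > ago(7d)
    | extend AccountUpn = tolower(AccountUpn)
    | summarize arg_max(Timestamp, JobTitle, Department, IsAccountEnabled) by AccountUpn;
Recipients
| join kind=leftouter Clicked on AccountUpn
| join kind=leftouter Identity on AccountUpn
// Null Clicks (no click row) fall through to "Received only".
| extend Exposure = case(ClickedThrough > 0, "1 - Clicked through warning",
                         Clicks > 0,         "2 - Clicked (blocked or warned)",
                                             "3 - Received only")
| project AccountUpn, JobTitle, Department, IsAccountEnabled, Exposure, FirstClick, Clicks
| order by Exposure asc, JobTitle asc
```

Users in the first bucket with an elevated role are the ones to handle first: check their sign-ins after FirstClick, and apply the sign-out, MFA re-registration, or password reset the best practice above calls for.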
Step 9: Boost Analyst Efficiency with Microsoft Security Copilot
Microsoft Security Copilot, powered by generative AI, is integrated across the Microsoft Defender portal including the Incidents tab. During investigations, Security Copilot can assist analysts by:
- Summarizing incident impact and timeline
- Explaining why an email was delivered (based on headers, policy match, and user interaction)
- Generating KQL queries for deeper hunting
- Identifying related users and assets
- Suggesting next-step actions based on the context
- Guiding the analyst through each phase of the workflow
Security Copilot acts as a generative AI co-pilot to accelerate analysis and guide security analysts.
Final Thoughts
By following this structured workflow from incident timeline to user impact, security analysts can respond with confidence and precision. Microsoft Defender for Office 365 provides deep visibility, and with the help of Security Copilot, you can modernize your investigation process, reduce dwell time, and elevate your security operations.