Microsoft to Improve Office 365 Malicious Email Analysis

Microsoft is currently in the process of developing significantly better manual threat hunting features for the Office 365 Threat Explorer, to be rolled out to all environments during August.

Office 365 is one of the offers available through the Microsoft 365 software bundle which also comes with two additional offers, namely Windows 10 and EMS (short for Enterprise Mobility + Security).

Threat Explorer is a Security & Compliance Center tool available to Office 365 Advanced Threat Protection (ATP) Plan 2 customers which allows Security Operations teams to review and react to threats like malware and phishing landing in their users' inboxes as emails and malicious files.

Office 365 Threat Explorer
Office 365 Threat Explorer

Threat Explorer hunting improvements

First of all, Office 365 admins with access to Threat Explorer will be able to preview and download malicious emails for further analysis, a new capability that will make analyzing bad emails a lot easier.

Secondly, an email timeline will be available as part of Office 365 Threat Explorer to differentiate multiple events being triggered for the same malicious email.

This makes it possible to simplify the hunting process and to avoid wasting time on efforts focused around several points of interest within the same malicious message.

Last but not least, emails will also have two separate columns showing their current delivery status, with 'Delivery action' to show if the message is delivered, delivered to junk, blocked, or replaced and removed by ZAP, and 'Delivery location' to further detail the exact location of the email.

"There might be events which occur post-delivery of an email, they are captured under the column “Special action”. All these values combined would help the admin understand what action(s) were taken on an email and the location of that email," adds Microsoft on the update's Microsoft 365 roadmap entry.

Threat Explorer phishing email report
Threat Explorer phishing email report

More Office 365 updates

Microsoft provides a detailed guide on how to use the Threat Explorer and real-time detections to detect and analyze malicious content within both files and emails, with instructions related to viewing data on phishing URLs, reviewing user-reported emails, as well as on how to start automated investigations to save huge amounts of time.

In related news, Redmond announced yesterday that changes designed to streamline Office 365 licensing technology for subscription-based Office clients will also be rolled out next month.

Last week, a new user activity-based expiration policy for Office 365 groups was also released in private preview, now available for select Azure AD Premium customers and designed to add automated lifetime renewals without any user intervention requirements.

The new Office 365 groups expiration policy will help all Microsoft 365 admins to improve groups' lifecycle management once the feature is released for the general public with active groups to be renewed automatically once their lifetimes expire.

Related Articles:

Microsoft to Roll Out Office 365 Client Licensing Changes in August

Microsoft 365 Business Adds Granular Controls to Company Assets

Microsoft Office 365 Webmail Exposes User's IP Address in Emails

Microsoft's Office Online Becomes Office After Rebranding

Phishers Target Office 365 Admins with Fake Admin Alerts