Core Infrastructure and Security Blog

Best Practices for Investigating Phishing Incidents in Microsoft Defender for Office 365

EunjiGil
Microsoft
Jun 20, 2025

Phishing attacks continue to be a top threat vector, exploiting both technological gaps and human behavior. When a suspicious email slips through, rapid and precise investigation is key to minimizing damage. Microsoft Defender for Office 365 (MDO) equips security teams with powerful investigation tools - especially within the Incidents tab - to help turn alerts into actionable intelligence. In this post, we’ll guide you through a step-by-step investigation workflow using MDO’s Incidents tab. You’ll learn how to efficiently trace the attack chain, assess user impact, and leverage AI assistance with Security Copilot to stay ahead of evolving threats.

When a suspicious email is delivered due to policy configurations or evolving threat techniques, timely investigation is critical to minimizing impact. Microsoft Defender for Office 365 (MDO) offers a comprehensive suite of tools within the Incidents tab that empowers security teams to swiftly identify, investigate, and respond to email threats. But how do you investigate efficiently? What’s the most effective workflow once an alert fires?

In this blog post, we’ll walk through a recommended investigation workflow using the Incidents tab (https://security.microsoft.com/incidents), turning alerts into actionable insights and minimizing dwell time for email-borne threats.

Step-by-Step Investigation Workflow

Step 1: Review the Alert Timeline and Incident Graph

The Attack Story tab in the incident view provides a visual timeline of alerts and an interactive graph that connects users, emails, and URLs.

Alerts Panel

  • Shows a chronological series of alerts related to the incident.
  • Each alert includes the alert type, timestamp, status, and impacted user.
  • Example: A "potentially malicious URL click" by a user indicates user interaction that needs immediate review.

Best Practice:

Start from the earliest alert - often a DLP policy or internal phishing detection - to understand the root cause.

Incident Graph

  • Visualizes relationships between users, emails, and URLs.
  • Helps identify affected users, email origin, and the communication path.

Step 2: Investigate Alert Details

Clicking an alert opens a detailed view that includes:

  • Summary of what happened
  • Severity and source of the alert
  • Classification insights (e.g., malicious, suspicious)

Use this to validate whether the alert is actionable, what triggered it (Safe Links, URL reputation, user behavior), and if manual escalation is needed.

Step 3: Analyze the Email Entity

Clicking the associated email entity brings up delivery metadata and headers. Key fields to review:

  • Latest Threats (e.g., Phish, Malware)
  • Original and latest delivery locations
  • Delivery Action (e.g., Delivered, ZAP-adjusted)
  • Detection Technology (e.g., URL malicious reputation, detonation)
  • Sender and Return Path
  • ZAP Status (e.g., Failed, Succeeded)

Best Practice: Review whether ZAP failed to remove the email, and consider whether override policies are weakening the response.

Step 4: Review the Email Timeline

Under the Timeline tab in Explorer:

  • Track the event sequence: Delivery → Click → ZAP review
  • Review Event Types (e.g., URL click detected, ZAP-Succeeded)
  • Understand Result (e.g., ZAP took no action due to policy)

This reveals not just what occurred but whether Microsoft 365's post-delivery protections functioned as intended.
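The same check at tenant scale, as an added Advanced Hunting query that is not part of the original post: it groups every zero-hour auto purge (ZAP) action of the last seven days by type, action and result, so non-success outcomes and mail that was still in the Inbox stand out, which also answers the Step 3 question of whether ZAP actually removed the message. It assumes the EmailPostDeliveryEvents and EmailEvents tables and the column names used below as they exist in the Defender XDR hunting schema.

```kql
// Added example (not from the original post). Summarize ZAP outcomes over the last
// 7 days so that failed or partial results stand out.
// Assumes the Advanced Hunting schema: EmailPostDeliveryEvents holds post-delivery
// actions (ActionType, Action, ActionResult, ActionTrigger); EmailEvents holds the
// original delivery record. Both are keyed by NetworkMessageId + RecipientEmailAddress.
let Lookback = 7d;
EmailPostDeliveryEvents
| where Timestamp > ago(Lookback)
| where ActionType has "ZAP"            // Phish ZAP, Malware ZAP, Spam ZAP
| project Timestamp, NetworkMessageId, RecipientEmailAddress,
          ActionType, Action, ActionResult, ActionTrigger,
          ZapThreat = ThreatTypes,
          LocationBeforeZap = DeliveryLocation   // where the mail sat when ZAP ran
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(Lookback)
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject
  ) on NetworkMessageId, RecipientEmailAddress
// One row per (ZAP type, action taken, result, mailbox location). A large count
// with a non-success result, or with the mail still in the Inbox, is the signal
// that override policies are weakening post-delivery protection.
| summarize MessageCount   = dcount(NetworkMessageId),
            Recipients     = dcount(RecipientEmailAddress),
            SampleSenders  = make_set(SenderFromAddress, 5),
            SampleSubjects = make_set(Subject, 5)
        by ActionType, Action, ActionResult, LocationBeforeZap
| sort by MessageCount desc
```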

Step 5: Analyze Embedded URLs and Detonation Results

Open the URL tab to see which links were in the email:

  • Check the URL domain, threat verdict (e.g., Phish), and source (e.g., email body)
  • Click the URL to open Deep Analysis

In the Deep Analysis tab:

  • Inspect the Detonation Chain (e.g., redirection to phishing pages)
  • Review Verdict Reason and Screenshots to understand attacker techniques

Best Practice: Use screenshots to validate phishing lures and document threat behavior.

Step 6: Check Evidence and Response

Navigate to the Evidence and Response tab:

  • View all threat indicators and verdicts (Malicious, Suspicious, etc.)
  • Check Remediation Status (e.g., Prevented, No action taken)
  • Identify which artifacts were acted upon vs. still live

Step 7: Assess URL Prevalence and User Exposure

Clicking a malicious URL in the evidence view reveals its prevalence in your tenant:

  • Emails: How many messages contained it?
  • Clicks: How many users interacted with it?
  • Devices: Was the URL seen by endpoint sensors?

This helps measure scope (targeted vs widespread) and prioritize remediation.
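The Emails and Clicks counters of the evidence view, rebuilt per recipient as an added Advanced Hunting query that is not part of the original post: every message that carried the URL, where that copy sits now, and whether the recipient clicked, which is also the list of impacted users to triage. It assumes the EmailUrlInfo, EmailEvents and UrlClickEvents tables and the column names used below as they exist in the Defender XDR hunting schema; SuspectUrl is a placeholder to replace with the URL from the incident.

```kql
// Added example (not from the original post). Per-recipient exposure for one URL.
// Assumes the Advanced Hunting schema (EmailUrlInfo, EmailEvents, UrlClickEvents).
// SuspectUrl is a placeholder; paste the URL from the evidence view.
let SuspectUrl = "https://example.invalid/placeholder-lure";
let Lookback = 30d;
// Safe Links click telemetry, keyed by message AND lower-cased user, so a click is
// matched only to the recipient who made it, not to every recipient of the message.
let Clicks = UrlClickEvents
    | where Timestamp > ago(Lookback) and Url =~ SuspectUrl
    | extend Upn = tolower(AccountUpn)
    | summarize ClickCount     = count(),
                ClickedThrough = countif(IsClickedThrough == true), // bypassed the warning page
                FirstClick     = min(Timestamp)
            by NetworkMessageId, Upn;
EmailUrlInfo
| where Timestamp > ago(Lookback) and Url =~ SuspectUrl
| distinct NetworkMessageId                     // messages that contained the URL
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(Lookback)
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
              Subject, ThreatTypes, DeliveryAction, LatestDeliveryLocation
  ) on NetworkMessageId
| extend Upn = tolower(RecipientEmailAddress)
| join kind=leftouter Clicks on NetworkMessageId, Upn
| extend Clicked        = isnotnull(FirstClick),
         StillReachable = LatestDeliveryLocation == "Inbox/folder"  // copy still live
| project Upn, Clicked, ClickCount, ClickedThrough, FirstClick, StillReachable,
          LatestDeliveryLocation, DeliveryAction, ThreatTypes, SenderFromAddress, Subject
// Row count = emails carrying the URL; rows with Clicked = true are the exposed users.
// Recipients who clicked through and still hold a live copy come first.
| sort by Clicked desc, StillReachable desc, FirstClick asc
```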

Step 8: Identify Impacted Users via Assets Tab

The Assets tab lists all users, mailboxes, and other resources tied to the incident.

In this example:

  • Two users were involved, a Cloud Architect and a VP of Marketing
  • Both accounts are enabled and should be assessed for privilege level, lateral-movement risk, and post-click activity

Best Practice: Prioritize incident response for privileged users and enforce MFA, sign-out, or password resets if needed.

Step 9: Boosting Analyst Efficiency with Microsoft Security Copilot

Microsoft Security Copilot, powered by generative AI, is integrated across the Microsoft Defender portal, including the Incidents tab. During investigations, Security Copilot can assist analysts by:

  • Summarizing incident impact and timeline
  • Explaining why an email was delivered (based on headers, policy match, and user interaction)
  • Generating KQL queries for deeper hunting
  • Identifying related users and assets
  • Suggesting next-step actions based on the context
  • Guiding the analyst through each phase of the workflow

In short, Security Copilot accelerates analysis and guides analysts through the investigation.

Final Thoughts

By following this structured workflow from incident timeline to user impact, security analysts can respond with confidence and precision. Microsoft Defender for Office 365 provides deep visibility, and with the help of Security Copilot, you can modernize your investigation process, reduce dwell time, and elevate your security operations.
