Agent Foskett Academy • Lesson 65 • Email Investigation

Investigating BulkComplaintLevel (BCL) in Microsoft Defender XDR.

The email was legitimate.

Authentication passed.

Yet users found it in junk mail.

Agent Foskett traced the answer to BulkComplaintLevel.

In Microsoft Defender XDR, BulkComplaintLevel helps defenders understand how Microsoft classifies newsletters, marketing campaigns and other bulk email during investigations.

Agent Foskett Academy lesson explaining BulkComplaintLevel BCL in Microsoft Defender XDR
Lesson overview

Learn how to investigate BulkComplaintLevel values in EmailEvents and understand how bulk mail classification affects filtering, delivery and user complaints.

Review BulkComplaintLevel evidence
Identify high BCL messages
Compare BCL with delivery outcomes
Investigate bulk mail and reputation issues

Why BulkComplaintLevel matters

BulkComplaintLevel helps explain why a message may be treated as bulk mail even when authentication passes and no malware is detected.
It explains bulk mail classificationBCL helps defenders understand how Microsoft assessed messages such as newsletters, marketing campaigns and high-volume sender activity.
It supports spam investigationsHigh BCL values can help explain junk folder delivery, filtering behaviour and user complaints.
It adds reputation contextBCL provides another signal alongside sender reputation, authentication, ThreatTypes, DeliveryAction and OrgLevelAction.

The fields used in this lesson

These fields help defenders connect bulk classification, sender identity and delivery outcomes.
BulkComplaintLevelMicrosoft bulk complaint level evidence associated with the email message.
SenderFromAddressThe visible sender address displayed to the recipient.
SenderFromDomainThe visible sender domain associated with the message.
DeliveryActionThe action Microsoft 365 applied to the email during delivery and filtering.
DeliveryLocationWhere the message was placed, such as inbox, junk, quarantine or another location.
ThreatTypesMicrosoft threat classification, such as phishing, malware, spam or spoofing.

Step 1 — Review BulkComplaintLevel activity

Start by reviewing recent messages where Defender recorded a BulkComplaintLevel value.
review-bulkcomplaintlevel.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(BulkComplaintLevel)
| project Timestamp,
          SenderFromAddress,
          SenderFromDomain,
          RecipientEmailAddress,
          Subject,
          BulkComplaintLevel,
          DeliveryAction,
          DeliveryLocation
| order by Timestamp desc

Step 2 — Summarise BCL values

Summarising BulkComplaintLevel helps defenders understand the spread of bulk mail classifications across the tenant.
summarise-bcl-values.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(BulkComplaintLevel)
| summarize MessageCount = count()
          by BulkComplaintLevel
| order by BulkComplaintLevel asc

Step 3 — Find high BCL messages

High BCL values are useful when investigating messages that users report as spam, junk or unwanted bulk email.
high-bcl-messages.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| where Timestamp > ago(30d)
| where toint(BulkComplaintLevel) >= 7
| project Timestamp,
          SenderFromAddress,
          SenderFromDomain,
          RecipientEmailAddress,
          Subject,
          BulkComplaintLevel,
          DeliveryAction,
          DeliveryLocation
| order by Timestamp desc

Step 4 — Review BCL by sender domain

Grouping by sender domain helps identify bulk senders, newsletters, marketing systems and possible reputation issues.
bcl-by-sender-domain.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(BulkComplaintLevel)
| summarize MessageCount = count()
          by SenderFromDomain,
             BulkComplaintLevel
| order by MessageCount desc

Step 5 — Compare BCL with delivery outcomes

Bulk mail classification becomes more useful when compared with DeliveryAction and DeliveryLocation.
bcl-delivery-outcomes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(BulkComplaintLevel)
| summarize MessageCount = count()
          by BulkComplaintLevel,
             DeliveryAction,
             DeliveryLocation
| order by BulkComplaintLevel desc,
           MessageCount desc

Step 6 — Review BCL with threats and authentication

This helps separate normal bulk mail from suspicious campaigns where bulk classification overlaps with threat or authentication evidence.
bcl-threat-authentication-review.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(BulkComplaintLevel)
| project Timestamp,
          SenderFromAddress,
          SenderFromDomain,
          Subject,
          BulkComplaintLevel,
          ThreatTypes,
          AuthenticationDetails,
          DeliveryAction,
          DeliveryLocation
| order by Timestamp desc

How to read the results

BulkComplaintLevel should be interpreted as a bulk mail and reputation signal, not as a standalone verdict that a message is malicious.
Low BCL usually means lower bulk concernMessages with low BCL values are less likely to be treated as problematic bulk mail, but still need normal security review.
High BCL can explain filteringA high BCL value can help explain junk delivery, spam handling or user complaints about unwanted messages.
BCL is not the same as phishingBulk mail classification should be reviewed with ThreatTypes, AuthenticationDetails, DeliveryAction and sender evidence.

Common investigation uses

BulkComplaintLevel is useful when defenders need to explain mail handling decisions that are not caused by malware or obvious phishing.
Newsletter delivery issuesInvestigate why newsletters or vendor updates are landing in junk or being treated as unwanted bulk mail.
Marketing campaign reviewsReview high-volume campaigns and determine whether sender reputation or complaint behaviour may be affecting delivery.
False positive spam investigationsUnderstand whether bulk classification contributed to messages being filtered, junked or complained about by users.
Sender reputation analysisCorrelate BCL values with sender domains, delivery outcomes and authentication evidence.

Common mistakes

BCL can be misunderstood when defenders treat it as a simple malicious or safe decision.
Assuming authenticated means wantedA message can pass SPF, DKIM and DMARC but still be treated as bulk mail based on complaint and reputation signals.
Ignoring delivery locationBCL should be reviewed with DeliveryLocation to understand whether the message went to inbox, junk or quarantine.
Treating BCL as a threat typeBulkComplaintLevel is not the same as ThreatTypes. Review both fields before drawing conclusions.
The message was authenticated, but users still complained.
Use BulkComplaintLevel to understand how Microsoft classified bulk mail behaviour and why delivery outcomes may have changed.
Back to Academy →

What you learned

BulkComplaintLevel explains bulk classificationBCL helps defenders understand how Microsoft assessed high-volume, marketing or newsletter-style email.
BCL supports delivery investigationsIt can help explain junk delivery, filtering behaviour, user complaints and reputation-related outcomes.
BCL needs contextAlways review BCL with sender identity, AuthenticationDetails, ThreatTypes, DeliveryAction and DeliveryLocation.

Related Agent Foskett Academy lessons

Investigating SenderMailFromDomainReview the SMTP sender domain used during email delivery.
Investigating SenderMailFromAddressReview the SMTP envelope sender address behind email messages.
Investigating AuthenticationDetailsReview SPF, DKIM, DMARC and composite authentication outcomes.
Investigating ThreatTypesReview Microsoft threat classifications such as phishing, malware, spam and spoofing.
Investigating DetectionMethodsUnderstand how Microsoft identified and classified suspicious email activity.
Investigating DeliveryActionUnderstand what Microsoft 365 did with the message during delivery.
Investigating DeliveryLocationUnderstand where Microsoft 365 placed the message.
Investigating OrgLevelActionReview organisational policy actions applied to suspicious messages.
Investigating NetworkMessageIdConnect the same email across URL, click and attachment telemetry.

Coming next

Lesson 66 — Investigating CompositeAuthentication in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use CompositeAuthentication to understand Microsoft's combined assessment of email authenticity.
Why this mattersBulkComplaintLevel explains bulk mail behaviour. CompositeAuthentication helps explain whether Microsoft trusted the message as a whole.
What you will learn nextLearn how composite authentication supports spoofing, impersonation, SPF, DKIM and DMARC investigations.

Final thought

Not every unwanted email is malware. Sometimes the signal is reputation, volume and user complaints.
Agent Foskett mindsetDo not stop at authentication. Ask how Microsoft classified the message and whether users complained about similar bulk mail.
Read the reputation signalBulkComplaintLevel turns an email investigation into a sender reputation and bulk mail investigation.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating BulkComplaintLevel (BCL) in Microsoft Defender XDR

Agent Foskett Academy Lesson 65 teaches defenders how to investigate BulkComplaintLevel during Microsoft Defender XDR email investigations.

Learn BCL and bulk mail investigation in Defender XDR

This lesson explains how BulkComplaintLevel, SenderFromDomain, DeliveryAction, DeliveryLocation, ThreatTypes and AuthenticationDetails help defenders understand bulk mail classification, sender reputation, spam filtering and user complaint behaviour.