Agent Foskett Academy • Lesson 55 • Email Investigation

Investigating DeliveryAction in Microsoft Defender XDR.

The email existed.

The sender was recorded.

The delivery location was known.

But the most important question was still waiting.

What did Microsoft 365 actually do with the message?

In Microsoft Defender XDR, DeliveryAction helps defenders understand whether an email was delivered, blocked, quarantined, redirected, junked or handled by another mail flow decision.

Agent Foskett Academy lesson explaining DeliveryAction in Microsoft Defender XDR
Lesson overview

Learn how to investigate the action Microsoft 365 applied to an email message and connect that decision to delivery, threat and user exposure evidence.

Review DeliveryAction outcomes
Compare DeliveryAction and DeliveryLocation
Find delivered messages with threat signals
Validate Microsoft 365 email protection

Why DeliveryAction matters

DeliveryLocation tells you where the message ended up. DeliveryAction helps explain what Microsoft 365 actually did with the message during filtering, transport and policy processing.
It explains the decisionDeliveryAction helps defenders understand whether Microsoft delivered, blocked, quarantined, redirected or otherwise handled the message.
It validates protectionThe action can show whether anti-phishing, anti-spam, malware, transport or quarantine controls behaved as expected.
It supports exposure analysisIf a suspicious message was delivered, defenders need to understand why it was allowed and whether users interacted with it.

The fields used in this lesson

These fields help defenders understand what happened to the email, why it happened and whether the user was exposed.
DeliveryActionThe action Microsoft 365 applied to the email message during delivery and filtering.
DeliveryLocationThe location where the message was placed, such as inbox, junk, quarantine or another destination.
ThreatTypesThreat classification such as phishing, malware, spam or other suspicious email categories.
DetectionMethodsDetection context that helps explain how Microsoft identified or classified the message.
EmailDirectionWhether the message was inbound, outbound or internal.
NetworkMessageIdThe message identifier used to connect email, URL, attachment and click evidence.

Step 1 — Review recent delivery actions

Start by reviewing recent messages and the action Microsoft applied to each one.
review-deliveryaction.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          DeliveryAction,
          DeliveryLocation
| order by Timestamp desc

Step 2 — Summarise delivery actions

Summarising DeliveryAction helps defenders understand how Microsoft 365 is handling email across the tenant.
summarise-delivery-actions.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
EmailEvents
| where Timestamp > ago(30d)
| summarize MessageCount = count() by DeliveryAction
| order by MessageCount desc

Step 3 — Find blocked messages

Blocked messages can show where Microsoft prevented delivery before users could access the message.
blocked-email-review.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| where DeliveryAction has "Blocked"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          DeliveryAction,
          ThreatTypes
| order by Timestamp desc

Step 4 — Investigate quarantined messages

Quarantine outcomes need review because they often explain why users did not receive a suspicious or unwanted message.
quarantined-email-actions.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| where Timestamp > ago(30d)
| where DeliveryAction has "Quarantine"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          DeliveryAction,
          DeliveryLocation,
          ThreatTypes,
          DetectionMethods
| order by Timestamp desc

Step 5 — Find suspicious messages that were delivered

Delivered messages with threat signals deserve attention because users may have had access to them.
suspicious-delivered-actions.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
EmailEvents
| where Timestamp > ago(30d)
| where DeliveryAction =~ "Delivered"
| where isnotempty(ThreatTypes)
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          DetectionMethods,
          DeliveryLocation,
          NetworkMessageId
| order by Timestamp desc

Step 6 — Compare action, location and direction

DeliveryAction becomes stronger when reviewed alongside DeliveryLocation and EmailDirection.
action-location-direction.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
EmailEvents
| where Timestamp > ago(30d)
| summarize MessageCount = count() by EmailDirection,
          DeliveryAction,
          DeliveryLocation,
          ThreatTypes
| order by MessageCount desc

How to read the results

DeliveryAction explains Microsoft's handling decision. Always compare it with the final delivery location and threat evidence.
DeliveredThe message was allowed through. If threat signals exist, investigate user exposure and follow-on activity.
BlockedMicrosoft prevented the message from normal delivery. Review the threat type and detection method to understand why.
QuarantinedThe message was isolated from users and should be reviewed alongside quarantine policy and release activity.

Common investigation uses

DeliveryAction helps defenders explain mail flow decisions and validate whether Microsoft 365 security controls worked as expected.
Phishing investigationsConfirm whether Microsoft delivered, blocked, quarantined or junked a suspicious message.
Security control validationReview whether anti-phishing, anti-spam, malware and transport controls produced the expected action.
User exposure analysisFocus deeper investigation on suspicious messages that were delivered to user-visible locations.

Common mistakes

DeliveryAction can be misunderstood when reviewed in isolation.
Assuming delivered means safeA delivered message can still contain threat signals or later become important in a user compromise investigation.
Ignoring DeliveryLocationDeliveryAction explains the decision, but DeliveryLocation explains where the message ended up.
Skipping detection contextThreatTypes and DetectionMethods help explain why Microsoft took the action it did.
The message did not just arrive. Microsoft made a decision.
Use DeliveryAction to understand what Microsoft 365 did with the email before deciding whether users were exposed or protected.
Back to Academy →

What you learned

DeliveryAction explains the decisionIt helps show whether Microsoft delivered, blocked, quarantined or otherwise handled the message.
DeliveryAction needs contextReview it with DeliveryLocation, ThreatTypes, DetectionMethods and NetworkMessageId.
Delivered messages still matterIf a suspicious message was delivered, defenders should review user exposure and related activity.

Related Agent Foskett Academy lessons

Investigating EmailEventsStart with core email evidence including sender, recipient, subject and delivery fields.
Investigating DeliveryLocationDetermine where the message ended up after filtering and policy decisions.
Investigating EmailAuthenticationResultsReview SPF, DKIM, DMARC and composite authentication outcomes.
Investigating SenderFromAddress vs SenderMailFromAddressCompare visible sender and envelope sender evidence.
Investigating NetworkMessageIdConnect the same email across URL, click and attachment telemetry.
Investigating UrlClickEventsConfirm whether users clicked suspicious links from delivered email.
Investigating EmailAttachmentInfoReview attachment names, hashes and payload evidence.
Investigating EmailUrlInfoInvestigate URLs extracted from email messages.

Coming next

Lesson 56 — Investigating ThreatTypes in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use ThreatTypes to understand whether Microsoft classified messages as phishing, malware, spam, bulk or another threat category.
Why this mattersDeliveryAction explains what Microsoft did. ThreatTypes helps explain what Microsoft thought the message was.
What you will learn nextLearn how threat classification supports phishing, malware, spam, quarantine and delivered-email investigations.

Final thought

The message was not just delivered or blocked. It was handled by a decision.
Agent Foskett mindsetDo not stop at where the email went. Ask what Microsoft did with it and why.
Read the actionDeliveryAction turns mail flow telemetry into a clear security control story.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating DeliveryAction in Microsoft Defender XDR

Agent Foskett Academy Lesson 55 teaches defenders how to investigate DeliveryAction during Microsoft Defender XDR email investigations.

Learn email delivery action investigation in Defender XDR

This lesson explains how DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods and NetworkMessageId help defenders understand whether Microsoft 365 delivered, blocked, quarantined, redirected or otherwise handled suspicious email.