Agent Foskett Academy • Lesson 54 • Email Investigation

Investigating DeliveryLocation in Microsoft Defender XDR.

The email was not missing.

It was not ignored by the platform.

It had been processed, evaluated and placed somewhere.

The question was simple: did it reach the inbox, land in junk, get quarantined, or disappear before the user ever saw it?

In Microsoft Defender XDR, DeliveryLocation helps defenders understand where an email actually went after filtering, policy and transport decisions were applied.

Agent Foskett Academy lesson explaining DeliveryLocation in Microsoft Defender XDR
Lesson overview

Learn how to investigate where email messages were delivered, moved or contained inside Microsoft 365 using DeliveryLocation and related email telemetry.

Review inbox, junk and quarantine outcomes
Compare DeliveryLocation and DeliveryAction
Identify risky messages that reached users
Build better phishing investigation timelines

Why DeliveryLocation matters

Email investigations do not stop at sender, subject or authentication. Defenders need to know where the message actually ended up.
The email may have reached the userA message delivered to the inbox or another mailbox folder can create user risk even when it looks low severity at first glance.
The email may have been containedMessages sent to quarantine, junk or dropped locations may indicate that Microsoft 365 controls took action before the user could interact.
The location explains the next stepDeliveryLocation helps defenders decide whether to investigate clicks, attachments, mailbox access, user reporting or policy tuning.

The fields used in this lesson

These fields help defenders understand the final delivery story and whether the message was allowed, blocked, junked or quarantined.
DeliveryLocationThe recorded location where the email was delivered or placed, such as inbox, junk, quarantine or another destination.
DeliveryActionThe action taken on the message, helping explain whether it was delivered, blocked, junked, quarantined or otherwise handled.
LatestDeliveryLocationWhere available, this can help show the most recent known location after post-delivery actions or remediation.
LatestDeliveryActionWhere available, this helps show the latest action taken after the original delivery result.
ThreatTypesThreat classification context that helps explain why a delivery location may require attention.
NetworkMessageIdThe message identifier used to connect the email to URLs, clicks, attachments and related investigation evidence.

Step 1 — Review recent delivery locations

Start with a simple review of recent email delivery locations so you can understand what Microsoft Defender XDR recorded.
deliverylocation-basic-review.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          DeliveryAction,
          DeliveryLocation
| order by Timestamp desc

Step 2 — Summarise delivery locations

Summarising DeliveryLocation helps defenders understand the normal delivery pattern across the tenant before focusing on unusual or risky outcomes.
summarise-delivery-locations.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailEvents
| where Timestamp > ago(30d)
| summarize MessageCount = count()
                            by DeliveryLocation, DeliveryAction
| order by MessageCount desc

Step 3 — Find suspicious messages that reached the inbox

Messages with threat signals that reached the inbox should be reviewed quickly because the user may have seen, clicked or opened the message.
threats-delivered-to-inbox.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
EmailEvents
| where Timestamp > ago(30d)
| where DeliveryLocation has_any ("Inbox", "Folder")
| where isnotempty(ThreatTypes)
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          DeliveryAction,
          DeliveryLocation,
          NetworkMessageId
| order by Timestamp desc

Step 4 — Review quarantined messages

Quarantine results help prove that a message was contained by Microsoft 365 policy or filtering before it reached the user.
review-quarantined-messages.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| where Timestamp > ago(30d)
| where DeliveryLocation has "Quarantine"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          DetectionMethods,
          DeliveryAction,
          DeliveryLocation
| order by Timestamp desc

Step 5 — Compare original and latest delivery evidence

Some messages are moved or remediated after delivery. Comparing original and latest delivery evidence helps show whether the message was later cleaned up.
compare-original-and-latest-delivery.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| where Timestamp > ago(30d)
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          DeliveryAction,
          DeliveryLocation,
          LatestDeliveryAction,
          LatestDeliveryLocation,
          NetworkMessageId
| order by Timestamp desc

Step 6 — Connect delivery location to URL click evidence

If a suspicious message reached the inbox, the next question is whether the recipient clicked a link from that message.
deliverylocation-url-click-correlation.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
EmailEvents
| where Timestamp > ago(30d)
| where DeliveryLocation has_any ("Inbox", "Folder")
| project EmailTime = Timestamp,
          NetworkMessageId,
          RecipientEmailAddress,
          Subject,
          DeliveryLocation
| join kind=inner (
                            UrlClickEvents
    | project ClickTime = Timestamp, NetworkMessageId, Url, ActionType
) on NetworkMessageId
| order by ClickTime desc

How to read the results

DeliveryLocation is strongest when combined with delivery action, threat classification and user interaction evidence.
Inbox or folderThe message likely reached a user-visible mailbox location and may require click, attachment and user-reporting review.
Junk or quarantineThe message may have been contained or downgraded by filtering, but still needs context if the sender, target or threat type is important.
Moved after deliveryLatest delivery fields may show that the message was removed, remediated or relocated after the original delivery event.

Common investigation uses

DeliveryLocation helps defenders answer one of the most important email investigation questions: did the user actually receive it?
Phishing triagePrioritise messages with suspicious indicators that reached the inbox or another user-visible folder.
Quarantine validationConfirm whether Microsoft 365 filtering or policy contained the message before user exposure.
Post-delivery responseReview whether messages were later moved, remediated or connected to URL clicks and attachment activity.

Common mistakes

Delivery investigations can go wrong when defenders only look at whether an email exists, rather than where it was placed and whether the user could interact with it.
Assuming delivered means inboxA delivered message may not always mean the user saw it in the inbox. Check the delivery location.
Ignoring latest delivery fieldsOriginal delivery evidence may not show what happened after ZAP, remediation or manual action.
Stopping before click evidenceIf the message reached a user-visible location, always consider whether UrlClickEvents or attachment telemetry needs review.
The email story is not complete until you know where the message went.
Use DeliveryLocation to determine whether a message reached the user, was junked, quarantined or later remediated.
Back to Academy →

What you learned

DeliveryLocation explains exposureThe field helps show whether the message reached a user-visible location or was contained elsewhere.
DeliveryAction adds decision contextDeliveryAction helps explain what Microsoft 365 did with the message during filtering and transport.
Latest delivery evidence mattersPost-delivery changes can alter the risk story after the original message event was recorded.

Related Agent Foskett Academy lessons

Investigating EmailEventsStart with core email evidence including sender, recipient, subject and delivery fields.
Investigating EmailAuthenticationResultsAdd SPF, DKIM, DMARC and composite authentication context.
Investigating SenderFromAddress vs SenderMailFromAddressCompare visible sender evidence with transport sender evidence.
Investigating NetworkMessageIdFollow the same email across related Defender XDR tables.
Investigating UrlClickEventsConfirm whether users clicked links from suspicious email.
Investigating EmailAttachmentInfoReview attachment names, hashes and payload evidence.
Investigating EmailUrlInfoInvestigate URLs extracted from email messages.
Connecting Tables with joinCombine evidence from related tables into one investigation.

Coming next

Lesson 55 — Coming SoonAgent Foskett Academy will continue building practical Microsoft Defender XDR email investigation skills with another focused telemetry lesson.
Why this mattersOnce defenders know where an email went, they can decide which follow-up evidence matters most.
What you will learn nextThe next lesson will continue connecting email telemetry to real-world investigation decisions.

Final thought

The sender told part of the story. The delivery location told what happened next.
Agent Foskett mindsetDo not assume an email was harmless because it was detected. Prove where it went and whether the user was exposed.
Follow the delivery evidenceDeliveryLocation helps turn email telemetry into a clear exposure story.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating DeliveryLocation in Microsoft Defender XDR

Agent Foskett Academy Lesson 54 teaches defenders how to investigate DeliveryLocation during Microsoft Defender XDR email investigations.

Learn email delivery location investigation for Defender XDR

This lesson explains how DeliveryLocation, DeliveryAction, latest delivery evidence and NetworkMessageId help defenders determine whether suspicious email reached the inbox, junk folder, quarantine or another destination.