Agent Foskett Academy • Lesson 57 • Email Investigation

Investigating DetectionMethods in Microsoft Defender XDR.

The email had already been classified.

ThreatTypes said phishing.

DeliveryAction said quarantine.

But Agent Foskett still had one more question.

How did Microsoft reach that decision?

In Microsoft Defender XDR, DetectionMethods helps defenders understand the signals, technologies and protection logic Microsoft used to identify and classify suspicious email activity.

Agent Foskett Academy lesson explaining DetectionMethods in Microsoft Defender XDR
Lesson overview

Learn how to investigate Microsoft threat classifications and connect those classifications to delivery, detection and user exposure evidence.

Review Microsoft detection methods
Compare ThreatTypes and DeliveryAction
Investigate phishing, spoofing and malware detections
Validate Microsoft 365 threat classification context

Why DetectionMethods matters

ThreatTypes tells you what Microsoft classified the email as. DetectionMethods helps explain how Microsoft reached that decision.
It explains the reasonDetectionMethods helps defenders understand the signals and protection logic behind Microsoft email threat classifications.
It validates controlsThe field can support reviews of anti-phishing, anti-spam, malware, impersonation and reputation-based detection behaviour.
It improves triageUnderstanding the detection method helps defenders prioritise phishing, malware, spoofing and delivered-message investigations.

The fields used in this lesson

These fields help defenders understand what Microsoft detected, how the message was classified and what happened during delivery.
DetectionMethodsDetection context that helps explain how Microsoft identified or classified the message.
ThreatTypesThreat classification such as phishing, malware, spam, spoofing or other suspicious email categories.
DeliveryActionThe action Microsoft 365 applied to the email message during delivery and filtering.
DeliveryLocationThe location where the message was placed, such as inbox, junk, quarantine or another destination.
EmailDirectionWhether the message was inbound, outbound or internal.
NetworkMessageIdThe message identifier used to connect email, URL, attachment and click evidence.

Step 1 — Review recent detection methods

Start by reviewing recent email messages where Microsoft recorded detection context.
review-detectionmethods.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(DetectionMethods)
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          DetectionMethods
| order by Timestamp desc

Step 2 — Summarise detection methods

Summarising DetectionMethods helps defenders understand which Microsoft detections are most common across the tenant.
summarise-detectionmethods.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(DetectionMethods)
| summarize MessageCount = count() by DetectionMethods
| order by MessageCount desc

Step 3 — Review phishing detections

Phishing investigations become stronger when ThreatTypes and DetectionMethods are reviewed together.
phishing-detectionmethods.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Phish"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          DetectionMethods,
          DeliveryAction
| order by Timestamp desc

Step 4 — Review malware detections

Malware detections should be reviewed with delivery outcomes to understand whether the user was exposed.
malware-detectionmethods.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Malware"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          DetectionMethods,
          DeliveryAction,
          DeliveryLocation
| order by Timestamp desc

Step 5 — Investigate spoofing detections

Spoofing investigations often depend on understanding how Microsoft identified impersonation activity.
spoofing-detectionmethods.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Spoof"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          SpoofedDomain,
          ThreatTypes,
          DetectionMethods,
          DeliveryAction
| order by Timestamp desc

Step 6 — Compare detections with delivery outcomes

DetectionMethods becomes more useful when compared with ThreatTypes, DeliveryAction and DeliveryLocation.
detectionmethods-delivery-outcomes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
EmailEvents
| where Timestamp > ago(30d)
| summarize MessageCount = count()
                            by DetectionMethods,
             ThreatTypes,
             DeliveryAction,
             DeliveryLocation
| order by MessageCount desc

How to read the results

DetectionMethods explains the reasoning behind the classification. Always compare it with the threat type and the final delivery outcome.
ThreatTypes tells you whatThreatTypes explains the category Microsoft assigned, such as phishing, malware or spoofing.
DetectionMethods tells you howDetectionMethods helps explain the signals or technologies that contributed to that classification.
DeliveryAction tells you exposureDeliveryAction helps determine whether the message was delivered, blocked, quarantined or handled another way.

Common investigation uses

DetectionMethods helps defenders explain why Microsoft made a classification and whether the decision aligns with the evidence.
Phishing investigationsUnderstand the detection context behind phishing classifications and compare it with authentication, sender and URL evidence.
Malware investigationsReview how malicious attachments, payloads or file evidence contributed to the detection outcome.
Security control validationConfirm whether Microsoft 365 protections are identifying suspicious email in the way defenders expect.

Common mistakes

DetectionMethods is useful, but it should not be reviewed on its own.
Stopping at ThreatTypesThreatTypes tells you the classification, but DetectionMethods helps explain how Microsoft arrived at it.
Ignoring delivered detectionsA message can contain detection context and still be delivered depending on policy, confidence and transport decisions.
Skipping correlationUse NetworkMessageId to connect DetectionMethods to URL, click, attachment and post-delivery evidence.
The classification was only the beginning.
Use DetectionMethods to understand how Microsoft identified the email threat before deciding whether the tenant was protected or exposed.
Back to Academy →

What you learned

DetectionMethods explains howIt helps defenders understand the detection context behind Microsoft email threat classifications.
ThreatTypes and DetectionMethods work togetherThreatTypes explains what Microsoft thought the message was. DetectionMethods helps explain why.
Delivery outcomes still matterAlways compare DetectionMethods with DeliveryAction and DeliveryLocation to understand user exposure.

Related Agent Foskett Academy lessons

Investigating EmailEventsStart with core email evidence including sender, recipient, subject and delivery fields.
Investigating DeliveryLocationDetermine where the message ended up after filtering and policy decisions.
Investigating DeliveryActionUnderstand what Microsoft 365 did with the message during delivery.
Investigating ThreatTypesReview whether Microsoft classified the message as phishing, malware, spam, spoofing or another threat type.
Investigating EmailAuthenticationResultsReview SPF, DKIM, DMARC and composite authentication outcomes.
Investigating NetworkMessageIdConnect the same email across URL, click and attachment telemetry.
Investigating UrlClickEventsConfirm whether users clicked suspicious links from delivered email.
Investigating EmailAttachmentInfoReview attachment names, hashes and payload evidence.

Coming next

Lesson 58 — Investigating EmailDirection in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use EmailDirection to determine whether messages were inbound, outbound or internal.
Why this mattersDetectionMethods explains how Microsoft detected the threat. EmailDirection helps explain where the message was travelling.
What you will learn nextLearn how inbound, outbound and internal email direction supports phishing, compromise and mail flow investigations.

Final thought

The threat classification matters. The reason behind it matters more.
Agent Foskett mindsetDo not stop at what Microsoft called the message. Ask how Microsoft reached the conclusion.
Read the detectionDetectionMethods turns classification into investigation context.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating DetectionMethods in Microsoft Defender XDR

Agent Foskett Academy Lesson 57 teaches defenders how to investigate DetectionMethods during Microsoft Defender XDR email investigations.

Learn email detection method investigation in Defender XDR

This lesson explains how DetectionMethods, ThreatTypes, DeliveryAction, DeliveryLocation and NetworkMessageId help defenders understand how Microsoft identified, classified and handled suspicious email.