Agent Foskett Academy • Lesson 58 • Email Investigation

Investigating EmailDirection in Microsoft Defender XDR.

The email looked suspicious.

The sender appeared legitimate.

The attachments looked harmless.

But Agent Foskett needed to answer a simple question.

Was the message entering the organisation, leaving the organisation, or moving internally between users?

In Microsoft Defender XDR, EmailDirection helps defenders understand how email travelled through the environment and provides valuable context during phishing, insider threat and compromised mailbox investigations.

Agent Foskett Academy lesson explaining EmailDirection in Microsoft Defender XDR
Lesson overview

Learn how to investigate email direction and connect inbound, outbound and internal message flow to threat classification, delivery and user exposure evidence.

Identify inbound, outbound and internal messages
Understand email attack paths
Investigate compromised mailboxes
Support insider threat investigations

Why EmailDirection matters

EmailDirection helps defenders understand whether a message entered the organisation, left the organisation or moved internally between users.
It identifies attack originEmailDirection helps determine whether suspicious email originated externally or came from inside the tenant.
It supports compromise investigationsOutbound email can reveal compromised accounts, malicious forwarding behaviour or phishing campaigns launched from internal mailboxes.
It improves investigation contextUnderstanding mail direction helps defenders interpret phishing, data loss, insider risk and lateral movement through email.

The fields used in this lesson

These fields help defenders understand how email travelled, what Microsoft detected and what happened during delivery.
EmailDirectionIndicates whether the email was inbound, outbound or internal.
ThreatTypesThreat classification such as phishing, malware, spam, spoofing or other suspicious email categories.
DeliveryActionThe action Microsoft 365 applied to the email message during delivery and filtering.
DeliveryLocationThe location where the message was placed, such as inbox, junk, quarantine or another destination.
DetectionMethodsDetection context that helps explain how Microsoft identified or classified the message.
NetworkMessageIdThe message identifier used to connect email, URL, attachment and click evidence.

Step 1 — Review recent email direction values

Start by reviewing recent email events where Microsoft recorded the direction of the message.
review-emaildirection.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(EmailDirection)
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          EmailDirection
| order by Timestamp desc

Step 2 — Summarise email direction

Summarising EmailDirection helps defenders quickly understand overall mail flow patterns across the tenant.
summarise-emaildirection.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
EmailEvents
| where Timestamp > ago(30d)
| summarize MessageCount = count() by EmailDirection
| order by MessageCount desc

Step 3 — Investigate inbound messages

Inbound messages often form the starting point for phishing, malware, spoofing and impersonation investigations.
inbound-emaildirection.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection =~ "Inbound"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          DeliveryAction
| order by Timestamp desc

Step 4 — Investigate outbound messages

Outbound messages can reveal compromised mailboxes, data exfiltration attempts or internal accounts being used to send malicious email externally.
outbound-emaildirection.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection =~ "Outbound"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes
| order by Timestamp desc

Step 5 — Investigate internal mail

Internal email can become important when investigating compromised accounts, insider risk or suspicious messages moving laterally through the organisation.
internal-emaildirection.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection =~ "IntraOrg"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject
| order by Timestamp desc

Step 6 — Compare threats by direction

Comparing EmailDirection with ThreatTypes helps defenders understand which threat categories are appearing in inbound, outbound and internal mail.
emaildirection-threattypes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
EmailEvents
| where Timestamp > ago(30d)
| summarize MessageCount = count()
                            by EmailDirection,
             ThreatTypes
| order by MessageCount desc

How to read the results

EmailDirection explains how the message was travelling. Always compare it with threat classification and delivery outcome.
Inbound means external originInbound messages are entering the organisation and often become the focus of phishing, malware and impersonation investigations.
Outbound means possible exposureOutbound messages can indicate normal business mail, but they can also reveal compromised accounts or data leaving the environment.
Internal mail still mattersIntraOrg messages can expose lateral movement, internal phishing or suspicious communication between user accounts.

Common investigation uses

EmailDirection helps defenders separate external attacks, internal movement and outbound risk.
Phishing investigationsConfirm whether suspicious messages originated externally and review whether they reached user-visible locations.
Compromised mailbox investigationsReview outbound mail to identify suspicious sending activity, spam campaigns or attacker-controlled mailbox behaviour.
Insider risk investigationsReview internal and outbound email activity when investigating unusual access, file movement or sensitive data exposure.

Common mistakes

EmailDirection is useful, but it should not be reviewed on its own.
Ignoring internal mailMany investigations focus only on inbound phishing while missing suspicious messages sent between internal accounts.
Assuming outbound means safeOutbound messages may indicate compromise, data loss or malicious activity launched from a trusted internal mailbox.
Skipping delivery contextAlways compare EmailDirection with DeliveryAction, DeliveryLocation, ThreatTypes and DetectionMethods to understand the full story.
The direction changed the investigation.
Use EmailDirection to understand whether the message was entering, leaving or moving within the organisation before deciding what happened next.
Back to Academy →

What you learned

EmailDirection explains flowIt helps defenders understand whether a message was inbound, outbound or internal.
Direction changes priorityInbound, outbound and internal messages each create different investigation questions and risk scenarios.
Direction needs contextAlways compare EmailDirection with ThreatTypes, DetectionMethods, DeliveryAction and DeliveryLocation.

Related Agent Foskett Academy lessons

Investigating EmailEventsStart with core email evidence including sender, recipient, subject and delivery fields.
Investigating DeliveryLocationDetermine where the message ended up after filtering and policy decisions.
Investigating DeliveryActionUnderstand what Microsoft 365 did with the message during delivery.
Investigating ThreatTypesReview whether Microsoft classified the message as phishing, malware, spam, spoofing or another threat type.
Investigating DetectionMethodsUnderstand how Microsoft identified and classified suspicious email activity.
Investigating EmailAuthenticationResultsReview SPF, DKIM, DMARC and composite authentication outcomes.
Investigating NetworkMessageIdConnect the same email across URL, click and attachment telemetry.
Investigating UrlClickEventsConfirm whether users clicked suspicious links from delivered email.

Coming next

Lesson 59 — Investigating OrgLevelAction in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use OrgLevelAction to understand organisational policy actions applied to email messages.
Why this mattersEmailDirection explains where the message was travelling. OrgLevelAction helps explain which organisational control acted on it.
What you will learn nextLearn how tenant-level policy actions support phishing, quarantine, delivered-message and mail flow investigations.

Final thought

The message direction matters. It tells defenders whether the investigation begins outside, inside or at the boundary of the organisation.
Agent Foskett mindsetDo not investigate an email without first understanding where it was travelling.
Read the directionEmailDirection turns mail flow into investigation context.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating EmailDirection in Microsoft Defender XDR

Agent Foskett Academy Lesson 58 teaches defenders how to investigate EmailDirection during Microsoft Defender XDR email investigations.

Learn email direction investigation in Defender XDR

This lesson explains how EmailDirection, ThreatTypes, DetectionMethods, DeliveryAction and DeliveryLocation help defenders understand whether suspicious messages were inbound, outbound or internal.