Agent Foskett Academy • Lesson 71 • Email Investigation

Investigating InternetMessageId in Microsoft Defender XDR.

Three users reported the same phishing email.

The sender looked the same.

The subject matched.

Agent Foskett needed to prove whether they were truly the same message.

The answer was hidden inside InternetMessageId.

In Microsoft Defender XDR, InternetMessageId helps defenders correlate email evidence, trace message delivery and connect related investigation records across Microsoft 365.

Agent Foskett Academy lesson explaining InternetMessageId in Microsoft Defender XDR
Lesson overview

Learn how to investigate InternetMessageId in EmailEvents and use message identifiers to correlate phishing reports, mail flow evidence and related investigation activity.

Review InternetMessageId activity
Identify the exact message under investigation
Connect users, senders and delivery outcomes
Correlate email evidence across Microsoft 365 investigations

Why InternetMessageId matters

InternetMessageId helps defenders identify the exact email message being investigated instead of relying only on sender, subject or recipient fields.
It identifies the exact messageMany emails can share the same subject and sender. InternetMessageId helps distinguish one message from another.
It supports correlationInternetMessageId can help connect Defender evidence with Exchange Online, message tracking and mail-header investigation work.
It reduces assumptionDefenders can prove whether several user reports relate to the same message or only similar-looking emails.

The fields used in this lesson

InternetMessageIdThe message identifier used to help correlate the same email across mail systems and investigation evidence.
NetworkMessageIdA Microsoft 365 message identifier commonly used to correlate email, URL, click and attachment telemetry.
SubjectThe email subject used to identify suspicious lures and possible campaign themes.
SenderFromAddressThe visible sender address shown to recipients.
RecipientEmailAddressThe mailbox that received the message.
DeliveryActionWhat Microsoft 365 did with the message during delivery.

Step 1 — Review InternetMessageId activity

Start by reviewing recent email records where Defender recorded an InternetMessageId.
review-internetmessageid.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(InternetMessageId)
| project Timestamp,
          InternetMessageId,
          NetworkMessageId,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject
| order by Timestamp desc

Step 2 — Investigate a specific InternetMessageId

Once the message identifier is known, pivot directly to the exact message being investigated.
specific-internetmessageid.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| where InternetMessageId == "<InternetMessageId>"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          DeliveryAction,
          DeliveryLocation,
          ThreatTypes
| order by Timestamp desc

Step 3 — Find every recipient of the same message

Use InternetMessageId to identify every mailbox associated with the same email message.
internetmessageid-recipients.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
EmailEvents
| where InternetMessageId == "<InternetMessageId>"
| summarize RecipientCount = dcount(RecipientEmailAddress),
            MessageCount = count()
          by InternetMessageId,
             Subject,
             SenderFromAddress

Step 4 — Pivot from subject to InternetMessageId

Subjects can help locate related messages, but InternetMessageId helps confirm the exact message record.
subject-to-internetmessageid.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where Subject contains "Invoice"
| project Timestamp,
          InternetMessageId,
          NetworkMessageId,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject

Step 5 — Compare InternetMessageId with delivery outcomes

This helps determine whether the same message was delivered, quarantined, junked or blocked for different recipients.
internetmessageid-delivery-outcomes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(InternetMessageId)
| summarize MessageCount = count()
          by InternetMessageId,
             DeliveryAction,
             DeliveryLocation,
             ThreatTypes
| order by MessageCount desc

Step 6 — Identify repeated InternetMessageId values

Repeated message identifiers may help reveal one message delivered to multiple recipients or represented across several investigation records.
repeated-internetmessageid-values.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(InternetMessageId)
| summarize RecipientCount = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
          by InternetMessageId,
             Subject
| order by RecipientCount desc

How to read the results

InternetMessageId is correlation evidence. It should be reviewed with sender, recipient, subject, delivery and Microsoft Defender message identifiers.
Similar emails are not always the same emailAttackers can reuse subjects, sender names and themes. InternetMessageId helps confirm whether evidence belongs to the same message.
Delivery can differ by recipientThe same message may have different delivery outcomes depending on policy, mailbox state, timing or post-delivery action.
Correlation needs more than one fieldUse InternetMessageId with NetworkMessageId, recipient, subject and delivery fields to build a reliable timeline.

Common investigation uses

User-reported phishingConfirm whether multiple reports relate to the same email message or just similar phishing lures.
Mail flow investigationUse message identifiers to support deeper review in Exchange Online and Microsoft 365 mail tracking workflows.
Campaign scopingIdentify whether a message reached one mailbox, many users or repeated groups across the organisation.
Evidence correlationConnect message identity with delivery, threat classification, sender identity and recipient exposure.

Common mistakes

Assuming matching subjects prove the same messageSubjects can be reused. Use InternetMessageId and NetworkMessageId to verify correlation.
Using one identifier onlyInternetMessageId is useful, but Defender investigations often require NetworkMessageId, ReportId and other fields as well.
Ignoring delivery and recipient contextKnowing the message identifier is only the start. Check who received it, where it went and what action Microsoft took.

What you learned

InternetMessageId helps identify the messageIt gives defenders a way to distinguish one email from similar-looking messages.
Message identifiers support correlationUse InternetMessageId with NetworkMessageId, ReportId and other fields to connect evidence across investigations.
Correlation still needs contextSender, recipient, subject, delivery and threat fields help explain what the identifier is pointing to.

Related Agent Foskett Academy lessons

Investigating NetworkMessageIdConnect the same message across Microsoft Defender email, URL, click and attachment telemetry.
Investigating SubjectReview subject lines used in phishing lures and campaign themes.
Investigating RecipientEmailAddressIdentify mailboxes that received suspicious messages.
Investigating SenderDisplayNameReview the friendly sender name presented to recipients.
Investigating DeliveryActionUnderstand what Microsoft 365 did with the message.
Investigating EmailAuthenticationResultsReview SPF, DKIM, DMARC and composite authentication outcomes.

Coming next

Lesson 72 — Investigating ReportId in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use ReportId to correlate related Defender XDR records and support investigation timelines.
Why this mattersInternetMessageId helps identify the message. ReportId helps correlate Defender records that belong to related investigation evidence.

Final thought

A subject can be copied. A sender can be impersonated. InternetMessageId helps defenders prove which message they are really investigating.
Agent Foskett mindsetDo not rely on matching subjects alone. Use identifiers to prove message correlation.
Follow the identifierInternetMessageId turns similar-looking email reports into evidence that can be correlated and tested.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating InternetMessageId in Microsoft Defender XDR

Agent Foskett Academy Lesson 71 teaches defenders how to investigate InternetMessageId during Microsoft Defender XDR email investigations.

Learn InternetMessageId investigation in Defender XDR

This lesson explains how InternetMessageId, NetworkMessageId, Subject, SenderFromAddress, RecipientEmailAddress, DeliveryAction and ThreatTypes help defenders correlate email evidence, trace phishing reports and connect related Microsoft 365 investigation records.