Agent Foskett Academy • Lesson 67 • Email Investigation

Investigating RecipientEmailAddress in Microsoft Defender XDR.

The phishing email looked convincing.

Multiple users reported receiving it.

Agent Foskett needed to identify every mailbox that received the message.

The answer was hidden inside RecipientEmailAddress.

In Microsoft Defender XDR, RecipientEmailAddress helps defenders investigate message delivery, phishing campaign reach, targeted users and email distribution activity.

Agent Foskett Academy lesson explaining RecipientEmailAddress in Microsoft Defender XDR
Lesson overview

Learn how to investigate RecipientEmailAddress in EmailEvents and map suspicious messages to affected mailboxes, users, departments and campaign scope.

Review recipient activity
Identify who received suspicious messages
Measure phishing campaign reach
Connect recipients to delivery and threat outcomes

Why RecipientEmailAddress matters

RecipientEmailAddress helps defenders understand who received a message and how far suspicious email activity spread through the organisation.
It identifies affected mailboxesRecipientEmailAddress shows the mailbox that received a message, helping defenders identify impacted users during email investigations.
It maps campaign reachWhen a phishing campaign targets multiple users, RecipientEmailAddress helps measure spread, scope and exposure.
It supports prioritisationRecipient data helps identify whether executives, privileged users or sensitive departments were targeted.

The fields used in this lesson

RecipientEmailAddressThe mailbox that received the email message inside Microsoft 365.
SenderFromAddressThe visible sender address shown to recipients.
SenderFromDomainThe sender domain presented to the recipient.
SubjectThe email subject used to identify related messages and campaigns.
DeliveryActionWhat Microsoft 365 did with the message during delivery.
ThreatTypesMicrosoft threat classification, such as phishing, malware, spam or spoofing.

Step 1 — Review RecipientEmailAddress activity

Start by reviewing recent messages where Defender recorded a recipient mailbox.
review-recipientemailaddress.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(RecipientEmailAddress)
| project Timestamp,
          RecipientEmailAddress,
          SenderFromAddress,
          SenderFromDomain,
          Subject
| order by Timestamp desc

Step 2 — Count messages by recipient

Summarising by RecipientEmailAddress helps identify high-volume recipients and users receiving unusual mail volumes.
recipient-message-counts.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(RecipientEmailAddress)
| summarize MessageCount = count() by RecipientEmailAddress
| order by MessageCount desc

Step 3 — Find recipients of suspicious messages

Use ThreatTypes to focus on recipients who received messages Microsoft classified as suspicious.
recipients-threattypes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(RecipientEmailAddress)
| where isnotempty(ThreatTypes)
| project Timestamp,
          RecipientEmailAddress,
          SenderFromAddress,
          Subject,
          ThreatTypes,
          DeliveryAction
| order by Timestamp desc

Step 4 — Find all recipients from a suspicious sender

When a suspicious sender is identified, review every mailbox that received messages from that sender.
recipient-suspicious-sender.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where SenderFromAddress == "sender@domain.com"
| project Timestamp,
          RecipientEmailAddress,
          Subject,
          DeliveryAction,
          ThreatTypes
| order by Timestamp desc

Step 5 — Measure campaign reach by subject

Grouping by subject and recipient count can help identify email campaigns that reached multiple users.
campaign-reach-by-subject.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
EmailEvents
| where Timestamp > ago(30d)
| summarize RecipientCount = dcount(RecipientEmailAddress),
            MessageCount = count()
          by Subject,
             SenderFromAddress
| order by RecipientCount desc

Step 6 — Compare recipients with delivery outcomes

This helps determine whether affected recipients received, quarantined or were protected from suspicious messages.
recipient-delivery-outcomes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(RecipientEmailAddress)
| summarize MessageCount = count()
          by RecipientEmailAddress,
             DeliveryAction,
             DeliveryLocation
| order by MessageCount desc

How to read the results

RecipientEmailAddress is scope evidence. It should be interpreted with sender, subject, delivery and threat classification context.
One message can affect many usersA suspicious campaign may target many mailboxes. Recipient counts help define investigation scope.
High-value recipients matterA message sent to executives, finance staff or administrators may need higher priority than general bulk mail.
Delivery outcome changes responseA recipient who received a delivered phishing message requires a different response from one where the message was blocked or quarantined.

Common investigation uses

Phishing campaign scopingIdentify every user who received a reported phishing message or related campaign.
Targeted user analysisDetermine whether specific teams, executives or privileged accounts were targeted.
Post-delivery responseFind recipients who may need message removal, user notification or follow-up investigation.
Mailbox exposure reviewUnderstand who was exposed to suspicious links, attachments or impersonation attempts.

Common mistakes

Looking at only one reported userThe first user report may only reveal one mailbox. RecipientEmailAddress helps find everyone else who received the same message.
Ignoring delivery contextKnowing who received the message is not enough. Check whether it was delivered, quarantined, blocked or moved.
Forgetting high-value usersRecipient lists should be reviewed for executives, finance staff, administrators and other sensitive roles.

What you learned

RecipientEmailAddress identifies affected mailboxesIt shows who received email messages inside Microsoft 365.
Recipient evidence defines scopeRecipient counts help defenders understand how far a suspicious campaign spread.
Recipient context supports responseDeliveryAction, ThreatTypes and sender evidence help determine the right follow-up actions.

Related Agent Foskett Academy lessons

Investigating AuthenticationDetailsReview SPF, DKIM, DMARC and authentication detail evidence.
Investigating CompositeAuthenticationUnderstand Microsoft’s overall authentication verdict.
Investigating BulkComplaintLevel (BCL)Understand bulk mail classification and reputation signals.
Investigating SenderMailFromAddressReview the SMTP Mail From address behind the email.
Investigating SenderMailFromDomainUnderstand the SMTP domain used during message delivery.
Investigating ThreatTypesReview Microsoft threat classifications such as phishing, malware and spoofing.

Coming next

Lesson 68 — Investigating SenderFromDomain in Microsoft Defender XDR Next, Agent Foskett Academy will explain how defenders use SenderFromDomain to investigate the visible sender domain presented to recipients, helping identify domain impersonation, phishing campaigns and trusted-domain abuse.
Why this matters RecipientEmailAddress identifies who received the message. SenderFromDomain reveals the domain users believed the email came from, helping expose impersonation and phishing attacks.

Final thought

A reported email is rarely just one mailbox. RecipientEmailAddress helps reveal who else was exposed.
Agent Foskett mindsetDo not stop at the user who reported the message. Find every mailbox that received it.
Map the exposureRecipientEmailAddress turns a single email report into a campaign scope investigation.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating RecipientEmailAddress in Microsoft Defender XDR

Agent Foskett Academy Lesson 67 teaches defenders how to investigate RecipientEmailAddress during Microsoft Defender XDR email investigations.

Learn RecipientEmailAddress investigation in Defender XDR

This lesson explains how RecipientEmailAddress, SenderFromAddress, Subject, DeliveryAction, DeliveryLocation and ThreatTypes help defenders identify affected mailboxes, scope phishing campaigns and investigate email distribution activity.