Agent Foskett Academy • Lesson 70 • Email Investigation

Investigating Subject in Microsoft Defender XDR.

The sender looked ordinary.

The message was short.

But the subject line created urgency.

Agent Foskett needed to understand whether this was one email or part of a wider campaign.

The answer started with Subject.

In Microsoft Defender XDR, Subject helps defenders investigate phishing lures, invoice themes, credential harvesting attempts and related messages across email investigations.

Agent Foskett Academy lesson explaining Subject in Microsoft Defender XDR
Lesson overview

Learn how to investigate Subject in EmailEvents and use subject lines to identify phishing themes, campaign patterns, suspicious lures and related email activity.

Review email subject activity
Identify phishing and invoice themes
Group related messages into campaigns
Connect subjects to sender, recipient and threat evidence

Why Subject matters

Subject helps defenders understand the lure used in an email and identify related messages that may be part of the same campaign.
It shows the lureSubject often reveals the social engineering theme used to make a user open, trust or act on a message.
It helps group campaignsMessages with similar subjects can indicate phishing waves, invoice fraud, credential harvesting attempts or repeated sender activity.
It needs contextSubject should be reviewed with sender, recipient, delivery, URL, attachment and threat classification evidence.

The fields used in this lesson

SubjectThe email subject line recorded in Microsoft Defender XDR email telemetry.
SenderFromAddressThe visible sender address shown to recipients.
SenderDisplayNameThe friendly sender name displayed to recipients.
RecipientEmailAddressThe mailbox that received the message.
DeliveryActionWhat Microsoft 365 did with the message during delivery.
ThreatTypesMicrosoft threat classification, such as phishing, malware, spam or spoofing.

Step 1 — Review Subject activity

Start by reviewing recent messages where Defender recorded an email subject.
review-subject.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(Subject)
| project Timestamp,
          Subject,
          SenderFromAddress,
          SenderDisplayName,
          RecipientEmailAddress
| order by Timestamp desc

Step 2 — Count messages by subject

Summarising by Subject helps identify repeated lures, campaign themes and high-volume subject lines.
subject-message-counts.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(Subject)
| summarize MessageCount = count(),
            RecipientCount = dcount(RecipientEmailAddress)
          by Subject
| order by MessageCount desc

Step 3 — Hunt common phishing subject themes

Search for common lure words used in phishing, invoice fraud, document sharing and credential harvesting emails.
subject-phishing-themes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
EmailEvents
| where Timestamp > ago(30d)
| where Subject has_any (
    "invoice", "payment", "password", "urgent", "verify",
    "document", "shared", "voicemail", "sign in", "account"
)
| project Timestamp,
          Subject,
          SenderFromAddress,
          RecipientEmailAddress,
          DeliveryAction,
          ThreatTypes
| order by Timestamp desc

Step 4 — Review suspicious subjects with threat evidence

Combine Subject with ThreatTypes to focus on messages Microsoft classified as suspicious.
subject-threattypes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(Subject)
| where isnotempty(ThreatTypes)
| project Timestamp,
          Subject,
          SenderFromAddress,
          RecipientEmailAddress,
          ThreatTypes,
          DeliveryAction
| order by Timestamp desc

Step 5 — Measure campaign reach by subject

Use recipient counts to understand whether a subject line affected one user or many users.
subject-campaign-reach.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(Subject)
| summarize RecipientCount = dcount(RecipientEmailAddress),
            MessageCount = count()
          by Subject,
             SenderFromAddress
| order by RecipientCount desc

Step 6 — Compare subjects with delivery outcomes

This helps determine whether messages using suspicious subjects were delivered, quarantined, junked or blocked.
subject-delivery-outcomes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(Subject)
| summarize MessageCount = count()
          by Subject,
             DeliveryAction,
             DeliveryLocation
| order by MessageCount desc

How to read the results

Subject is lure evidence. It helps explain the message theme, but it should not be treated as proof of malicious activity on its own.
Repeated subjects can indicate campaignsA subject appearing across multiple recipients may represent a phishing campaign, marketing blast or repeated automated notification.
Urgent subjects need careful reviewWords like urgent, payment, password, verify and action required may indicate social engineering, but context matters.
Delivery outcome changes responseA suspicious subject that was delivered requires a different response from one blocked or quarantined by Microsoft 365.

Common investigation uses

Phishing campaign groupingIdentify related messages that use similar subject lines, lures or campaign wording.
Invoice fraud investigationsFind emails using invoice, payment, remittance or purchase order language.
Credential harvesting analysisReview subjects that pressure users to verify accounts, reset passwords or sign in.
User exposure reviewDetermine who received messages with suspicious subject themes and whether those messages were delivered.

Common mistakes

Judging by subject aloneA suspicious subject is only one clue. Always compare it with sender identity, authentication, URLs, attachments and delivery evidence.
Ignoring subject variationAttackers may slightly change wording to avoid simple exact-match searches. Use contains, has_any and normalisation where appropriate.
Forgetting benign campaignsMarketing emails and system notifications may share repeated subjects. Check sender reputation and delivery context before escalating.

What you learned

Subject reveals the lureIt helps defenders understand the message theme presented to users.
Subject supports campaign scopingSubject grouping helps identify repeated messages, affected recipients and possible phishing waves.
Subject needs evidence around itUse sender, recipient, ThreatTypes, DeliveryAction, URLs and attachments to understand the real risk.

Related Agent Foskett Academy lessons

Investigating SenderDisplayNameReview the friendly sender name presented to recipients.
Investigating SenderFromDomainUnderstand the visible sender domain shown to users.
Investigating RecipientEmailAddressIdentify mailboxes that received suspicious messages.
Investigating ThreatTypesReview Microsoft threat classifications such as phishing, malware and spoofing.
Investigating DeliveryActionUnderstand what Microsoft 365 did with the message.
Investigating EmailAttachmentInfoReview attachment names, hashes and payload evidence.

Coming next

Lesson 71 — Investigating InternetMessageId in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use InternetMessageId to correlate email evidence, message headers and related investigation records.
Why this mattersSubject explains the lure. InternetMessageId helps connect the message to its deeper mail-header and investigation context.

Final thought

The subject line is often the hook. It tells defenders what the attacker wanted the user to believe.
Agent Foskett mindsetDo not treat the subject as decoration. Treat it as part of the social engineering evidence.
Group the lureSimilar subjects can reveal a campaign long before every user reports the message.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating Subject in Microsoft Defender XDR

Agent Foskett Academy Lesson 70 teaches defenders how to investigate Subject during Microsoft Defender XDR email investigations.

Learn Subject investigation in Defender XDR

This lesson explains how Subject, SenderFromAddress, SenderDisplayName, RecipientEmailAddress, DeliveryAction, DeliveryLocation and ThreatTypes help defenders identify phishing lures, invoice fraud, credential harvesting attempts and suspicious email campaigns.