Agent Foskett Academy • Lesson 56 • Email Investigation

Investigating ThreatTypes in Microsoft Defender XDR.

The email was suspicious.

The sender looked unusual.

Authentication checks were failing.

But before Agent Foskett reviewed URLs, attachments or mailbox activity, he wanted to know one thing.

What did Microsoft think this message was?

In Microsoft Defender XDR, ThreatTypes helps defenders understand whether Microsoft classified a message as phishing, malware, spoofing, spam, bulk mail or another email threat category.

Agent Foskett Academy lesson explaining ThreatTypes in Microsoft Defender XDR
Lesson overview

Learn how to investigate Microsoft threat classifications and connect those classifications to delivery, detection and user exposure evidence.

Review Microsoft threat classifications
Compare ThreatTypes and DeliveryAction
Investigate phishing, spoofing and malware detections
Validate Microsoft 365 threat classification context

Why ThreatTypes matters

ThreatTypes helps explain how Microsoft classified an email message. It gives defenders an early signal about whether the message was considered phishing, malware, spoofing, spam, bulk mail or another threat category.
It explains Microsoft's assessmentThreatTypes helps defenders understand how Microsoft viewed the message before deeper investigation begins.
It accelerates triageThreat classifications help defenders quickly prioritise phishing, malware and spoofing investigations.
It supports campaign analysisWhen multiple users receive similar messages, ThreatTypes can help group and compare related email threats.

The fields used in this lesson

These fields help defenders understand how Microsoft classified the message, what action was taken and whether the user was exposed.
DeliveryActionWhat Microsoft did with the message after classification, filtering and policy evaluation.
DeliveryLocationWhere the message ended up after filtering, such as inbox, junk, quarantine or another destination.
ThreatTypesMicrosoft's threat classification, such as phishing, malware, spam, spoofing, bulk or another suspicious email category.
DetectionMethodsDetection context that helps explain why Microsoft classified the message the way it did.
EmailDirectionWhether the message was inbound, outbound or internal.
NetworkMessageIdThe message identifier used to connect email, URL, attachment and click evidence.

Step 1 — Review recent threat classifications

Start by reviewing recent messages where Microsoft recorded one or more threat classifications.
review-threattypes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatTypes)
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes
| order by Timestamp desc

Step 2 — Summarise threat classifications

Summarising ThreatTypes helps defenders understand which email threats are appearing most often across the tenant.
summarise-threattypes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatTypes)
| summarize MessageCount = count() by ThreatTypes
| order by MessageCount desc

Step 3 — Investigate phishing messages

Phishing classifications help defenders identify messages Microsoft considered credential theft, impersonation or social engineering attempts.
phishing-threattypes-review.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Phish"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          DeliveryAction,
          DeliveryLocation
| order by Timestamp desc

Step 4 — Investigate malware messages

Malware classifications help defenders identify email messages associated with malicious attachments, payloads or file-based threats.
malware-threattypes-review.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Malware"
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          DeliveryAction,
          DeliveryLocation,
          NetworkMessageId
| order by Timestamp desc

Step 5 — Investigate spoofing activity

Spoofing classifications help defenders identify impersonation attempts and connect them to sender, domain and delivery evidence.
spoofing-threattypes-review.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
EmailEvents
| where Timestamp > ago(30d)
| where ThreatTypes has "Spoof"
| project Timestamp,
          SenderFromAddress,
          SenderMailFromAddress,
          RecipientEmailAddress,
          Subject,
          ThreatTypes,
          SpoofedDomain,
          DeliveryAction
| order by Timestamp desc

Step 6 — Compare ThreatTypes with delivery outcomes

ThreatTypes becomes stronger when reviewed alongside DeliveryAction, DeliveryLocation and EmailDirection.
threattypes-delivery-outcomes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(30d)
| where isnotempty(ThreatTypes)
| summarize MessageCount = count()
                            by ThreatTypes,
             DeliveryAction,
             DeliveryLocation,
             EmailDirection
| order by MessageCount desc

How to read the results

ThreatTypes explains Microsoft's classification. Always compare it with the delivery action, delivery location and detection evidence.
PhishMicrosoft identified phishing characteristics. Review sender, authentication, URLs, clicks and user exposure.
MalwareMicrosoft identified malware-related characteristics. Review attachments, file hashes, delivery action and quarantine outcomes.
SpoofMicrosoft identified spoofing or impersonation characteristics. Review SpoofedDomain, sender evidence and authentication outcomes.

Common investigation uses

ThreatTypes helps defenders understand Microsoft's classification and prioritise the right investigation path.
Phishing campaign analysisReview messages classified as phishing and determine whether users received or clicked them.
Malware delivery investigationsIdentify messages classified as malware and review attachment, hash and quarantine evidence.
Spoofing investigationsReview brand impersonation, spoofed domains and sender authentication evidence.

Common mistakes

ThreatTypes can be misunderstood when reviewed in isolation.
Assuming ThreatTypes is always perfectThreatTypes is a strong investigation signal, but defenders should still validate the result with message evidence.
Ignoring DeliveryActionA threat classification does not always mean the message was blocked, quarantined or removed from user access.
Skipping detection contextDetectionMethods can help explain why Microsoft classified the message as phishing, malware, spoofing, spam or bulk.
The message was classified before the investigation began.
Use ThreatTypes to understand how Microsoft classified the email before deciding whether users were exposed or protected.
Back to Academy →

What you learned

ThreatTypes explains Microsoft's assessmentIt helps show whether Microsoft classified the message as phishing, malware, spoofing, spam, bulk or another threat type.
ThreatTypes needs contextReview it with DeliveryAction, DeliveryLocation, DetectionMethods and NetworkMessageId.
Classified messages need validationThreatTypes should guide the investigation, but defenders still need to validate the classification and exposure evidence.

Related Agent Foskett Academy lessons

Investigating EmailEventsStart with core email evidence including sender, recipient, subject and delivery fields.
Investigating DeliveryLocationDetermine where the message ended up after filtering and policy decisions.
Investigating EmailAuthenticationResultsReview SPF, DKIM, DMARC and composite authentication outcomes.
Investigating SenderFromAddress vs SenderMailFromAddressCompare visible sender and envelope sender evidence.
Investigating NetworkMessageIdConnect the same email across URL, click and attachment telemetry.
Investigating UrlClickEventsConfirm whether users clicked suspicious links from delivered email.
Investigating EmailAttachmentInfoReview attachment names, hashes and payload evidence.
Investigating DeliveryActionUnderstand what Microsoft did with the message after filtering and classification.

Coming next

Lesson 57 — Investigating DetectionMethods in Microsoft Defender XDRNext, Agent Foskett Academy will explain how defenders use DetectionMethods to understand how Microsoft detected or classified suspicious email activity.
Why this mattersThreatTypes explains what Microsoft thought the message was. DetectionMethods helps explain how Microsoft reached that classification.
What you will learn nextLearn how detection context supports phishing, malware, spam, spoofing and delivered-email investigations.

Final thought

The message was not just suspicious. It was classified.
Agent Foskett mindsetDo not stop at whether an email looks suspicious. Ask how Microsoft classified it and why.
Read the classificationThreatTypes turns email telemetry into a clear threat classification story.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating ThreatTypes in Microsoft Defender XDR

Agent Foskett Academy Lesson 56 teaches defenders how to investigate ThreatTypes during Microsoft Defender XDR email investigations.

Learn email threat classification investigation in Defender XDR

This lesson explains how ThreatTypes, DeliveryAction, DeliveryLocation, DetectionMethods and NetworkMessageId help defenders understand whether Microsoft classified messages as phishing, malware, spoofing, spam, bulk or another threat category.