Hunting Messages That Slip Through Anti-Malware Protection

When we consult frameworks such as NIST, it is clear that cybersecurity has different stages: Identify, Protect, Detect, Respond, and Recover. It is essential to see security as a multi-layered approach. This concept applies to Microsoft Defender for Office 365 (MDO). While the primary responsibility of defense mechanisms, such as MDO, is to block malicious emails, we must also consider detection and response. No single tool will block 100% of malicious emails, and you need to have a process to continuously monitor for messages that get past your defenses and take actions to remove the malware from your environment.

In this article, we discuss some methods to identify malicious emails that end up in inboxes using Microsoft Defender for Office 365. I will also review some of the reporting capabilities included in Defender for Office 365 Plan 2.

User Submissions

End-user submissions are the single most important feature for identifying emails that get past the defenses. Damian Scoles previously described this process in this article. The important takeaway is that this feature is only powerful if users report problem messages correctly. Responding to and investigating malicious emails is tedious and can take up a ton of your time.

Three different options are available to report problem messages:

  • Spam
  • Phish
  • Not spam

Phishing poses a major threat to email. Spam is unwanted email that does not contain any malicious indicators. A phishing email tries to trick the recipient into responding with information (usually credentials or financial information). You should train users how to identify phishing emails and report them with the phishing button. Afterward, you can investigate the details of the reported messages and remove them from all mailboxes if deemed malicious. You can educate users to correctly identify phishing emails by using phishing simulators like the Microsoft Attack Simulator or KnowBe4.

Rolling out the phishing button is a long-term project. It takes time before people become used to identifying malicious emails and know how to distinguish between spam and phishing. In most of my customers’ environments, 95% of the reported emails were not phishing. Instead, the email was either spam or unexpected messages. By training people to understand how to recognize problem emails, the number of false positives can be decreased.

Incidents Generated by Defender for Office 365

Microsoft Defender for Office 365 has a built-in ZAP or zero-hour auto purge feature. Suppose a situation occurs where an email containing malware bypasses all checks because the attacker uses a new technique. Exchange Online Protection allows the email to pass into the inbox because it detects no threat. Later, Microsoft receives information that the email was malicious and updates Exchange Online Protection. Because the email is now deemed to be a threat, Exchange Online Protection removes (zaps) it from inboxes. This scenario generates several types of alerts:

  • Email messages containing malicious URLs/files were removed after delivery
    • This is the most common incident. It is generated if an email is zapped. This is an informational incident and does not require any immediate action.
  • User accessed link in ZAP-quarantined email
    • This is an important incident and should be treated with high priority. The user clicked a link in an email that has now been zapped (and thus removed from the inbox).
    • You should investigate the email and see where the link leads to. If it goes to a phishing website, you might need to reset the user’s password to ensure the attacker does not gain access to the account.
  • Messages containing malicious entities not removed after delivery
    • This type of incident is related to the first. While the first incident indicates an email that was successfully removed, this incident happens when the removal failed. An unsuccessful ZAP can be due to several reasons. For instance, the email might have been removed already, or it was moved to another folder.
    • If you receive this incident, you should try to locate the email using a Content Search (or the Search-Mailbox cmdlet) and remediate it.

The last incident I want to discuss is ‘Phish delivered due to an ETR override’. This is a different type of incident as it does not refer to ZAP. Instead, it happens when a phishing email is delivered because an Exchange Transport Rule allowed the delivery (most likely by setting the Spam Confidence Level to 1). This incident is typically generated if the spam policy allows delivery of email from a domain and a malicious email is delivered because of that override. You should investigate the email and remediate it if it is found to be malicious.


Using Indicators of Compromise

The third option to identify malicious emails inside an inbox is using Indicators of Compromise. This is not really a native feature of Exchange Online; instead, it uses the Advanced Hunting feature of Defender for Office 365. Indicators of Compromise, or IOCs for short, are a form of Threat Intelligence that allows you to identify whether you are affected by a particular attack. In terms of email, an IOC can be in the form of:

  • Sender Domain
  • Sender Address
  • Subject
  • URLs
  • Email Attachments

You can use IOCs to identify if your environment was also affected by a specific attack and if your end-users received the same email. There are multiple places where you can find IOCs:

  • Blogs from security providers talking about a specific attack.
    • For instance, this blog post by Microsoft discussing a Russian attacker contains a list of malicious email domains.
  • Community sources: Twitter is an excellent source of Threat Intelligence as it’s often shared by various researchers.
  • There are a lot of products out there that offer ‘IOCs as a service’. By subscribing to such a tool, you can access the IOCs the vendor has identified. Microsoft has its own Threat Intelligence tool ‘Microsoft Defender Threat Intelligence’.
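The following Advanced Hunting query is an added example, not code from the article or from the Microsoft Defender GitHub repository. It shows how the IOC types listed above (sender domain, sender address, subject, URL, attachment) can be fed into one query against the EmailEvents, EmailUrlInfo and EmailAttachmentInfo tables; every IOC value in it is a constructed placeholder to be replaced with indicators from your own source.

```kql
// Added example (not from the article). IOC values below are constructed placeholders.
let IocSenderDomains    = dynamic(["malicious-example.invalid", "phish-example.invalid"]);
let IocSenderAddresses  = dynamic(["invoice@malicious-example.invalid"]);
let IocSubjectTerms     = dynamic(["Overdue invoice", "Payment remittance"]);
let IocUrlDomains       = dynamic(["login-example.invalid"]);
let IocAttachmentHashes = dynamic(["<SHA256-PLACEHOLDER>"]);
let Lookback = 30d;
// Messages whose URLs hit a URL-domain IOC
let UrlHits = EmailUrlInfo
    | where Timestamp > ago(Lookback)
    | where UrlDomain in~ (IocUrlDomains)
    | extend IocMatch = strcat("UrlDomain:", UrlDomain)
    | distinct NetworkMessageId, IocMatch;
// Messages whose attachments hit a file-hash IOC
let AttachmentHits = EmailAttachmentInfo
    | where Timestamp > ago(Lookback)
    | where SHA256 in~ (IocAttachmentHashes)
    | extend IocMatch = strcat("SHA256:", SHA256)
    | distinct NetworkMessageId, IocMatch;
// Messages whose sender domain, sender address or subject hit an IOC
let HeaderHits = EmailEvents
    | where Timestamp > ago(Lookback)
    | where EmailDirection == "Inbound"
    | where SenderFromDomain in~ (IocSenderDomains)
        or SenderFromAddress in~ (IocSenderAddresses)
        or Subject has_any (IocSubjectTerms)
    | extend IocMatch = case(
        SenderFromDomain in~ (IocSenderDomains), strcat("SenderDomain:", SenderFromDomain),
        SenderFromAddress in~ (IocSenderAddresses), strcat("SenderAddress:", SenderFromAddress),
        strcat("Subject:", Subject))
    | distinct NetworkMessageId, IocMatch;
// Join every match back to the message so the delivery outcome is visible per recipient
union UrlHits, AttachmentHits, HeaderHits
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(Lookback)
    | where EmailDirection == "Inbound"
  ) on NetworkMessageId
| summarize IocMatches = make_set(IocMatch), Recipients = make_set(RecipientEmailAddress)
    by NetworkMessageId, Timestamp, SenderFromAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
// Delivered to a mailbox means a remediation candidate; quarantined or blocked means protection worked
| extend NeedsRemediation = DeliveryAction == "Delivered"
    and DeliveryLocation in~ ("Inbox/folder", "Junk folder")
| order by NeedsRemediation desc, Timestamp desc
```

Rows with NeedsRemediation set to true are the ones to locate with a Content Search and remove; the IocMatches column records which indicator fired so the hit can be traced back to its source.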

An example of email-related IOCs can also be found on the Microsoft Defender GitHub. This query uses the ‘EmailEvents’ and ‘EmailAttachmentInfo’ tables in Microsoft 365 Advanced Hunting to identify known patterns used to deliver the initial payload in a ransomware attack. Note that running this query requires Microsoft Defender for Office 365 Plan 2. Without this license, you are not able to run in-depth searches.

let SubjectTerms = pack_array("RE:", "FW:", "FWD:", "AW:", "WG:");
EmailEvents
  // Inbound messages whose subject looks like a reply or forward (a common lure)
  | where Subject has_any (SubjectTerms)
  | where EmailDirection == "Inbound"
  // Join on those emails by file type (doc or zip>doc)
  | join EmailAttachmentInfo on $left.NetworkMessageId == $right.NetworkMessageId
  | where AttachmentCount == 1
  | where FileType has 'WordStorage' or FileType has 'WordStorage;Zip'

Be on the Look-Out

Security never stops; that might be the takeaway from this article. There is no silver bullet for protecting your environment from malicious emails. Defense against email-transmitted malware is a continuous process that must be maintained. As an email administrator, knowing what tools can help you remove malicious emails from an inbox is important. Not all organizations have the capacity to deploy a SOC team to monitor Threat Intelligence daily and respond to every security incident. Organizations need to build their own process and be ready when an email bypasses Microsoft Defender for Office 365.

About the Author

Thijs Lecomte

Thijs is a security consultant based in Belgium, working at The Collective, an MSSP with a Microsoft-focused Security Operations Center. His work consists of leading the SOC team and implementing Microsoft Security solutions (such as Microsoft Sentinel and Defender) as a consultant. He is an MVP in the Security category and is a regular speaker at events and user groups. His best-known publication is as co-author of the 'Microsoft 365 Security for the IT Pro' ebook.


  1. Gman

    Greatness! Articles like these are what we need. Easy to understand and no-nonsense.

    1. Thijs Lecomte

      Thank you! That’s lovely to hear! If you have any requests of other articles you would like to see, feel free to let me know!
