Explorer
Explorer is a powerful tool for reviewing incoming and outgoing email within your environment. It retains up to 30 days of email, which you can easily report to Microsoft and delete if necessary.
This page contains a few tabs to get to different sets of data more easily:
- All email
- Malware
- Phish
- Campaigns
- Content Malware
- URL clicks
On these pages you can change the timespan you are viewing, set up search criteria, change the graph pivot, and save your queries for future use. Depending on the page, you will be able to select an entity such as an email entity. These quickly provide useful information about any detected threats and allow you to take action on emails without having to run a message trace or a complicated PowerShell cmdlet.
Filters
Below I have provided all the filters and their selectable options where applicable. I have often wished the filter list were searchable, or have forgotten which filter I needed to reach a specific piece of criteria, which is why I have documented all of them below for a quick webpage search.
Filters
Order | Filter | Category | Frequently Used | Type |
---|---|---|---|---|
1 | Sender address | Basic | Yes | String |
2 | Recipients | Basic | | String |
3 | Sender domain | Basic | | String |
4 | Recipient domain | Basic | | String |
5 | Subject | Basic | | String |
6 | Sender display name | Basic | | String |
7 | Sender mail from address | Basic | | String |
8 | Sender mail from domain | Basic | | String |
9 | Return path | Basic | | String |
10 | Return path domain | Basic | | String |
11 | Tags | Basic | | String |
12 | Impersonated domain | Basic | | String |
13 | Exchange transport rule | Basic | | String |
14 | Data loss prevention rule | Basic | | String |
15 | Context | Basic | | Multi-select |
16 | Connector | Basic | | String |
17 | Delivery action | Basic | | Multi-select |
18 | Additional action | Basic | Yes | Multi-select |
19 | Directionality | Basic | Yes | Multi-select |
20 | Detection technology | Basic | Yes | Multi-select |
21 | Original delivery location | Basic | Yes | Multi-select |
22 | Latest delivery location | Basic | Yes | Multi-select |
23 | Phish confidence level | Basic | | Multi-select |
24 | Primary override | Basic | Yes | Single-select |
25 | Primary override source | Basic | Yes | Single-select |
26 | Override source | Basic | Yes | Single-select |
27 | Policy type | Basic | Yes | Multi-select |
28 | Policy action | Basic | Yes | Multi-select |
29 | Threat type | Basic | | Multi-select |
30 | Forwarded message | Basic | | Boolean |
31 | Distribution list | Basic | | String |
32 | Email size | Basic | | String/Int |
33 | Internet Message ID | Advanced | | String |
34 | Network Message ID | Advanced | | String |
35 | Sender IP | Advanced | | String |
36 | Attachment SHA256 | Advanced | | String |
37 | Cluster ID | Advanced | | String |
38 | Alert ID | Advanced | | String |
39 | Alert Policy ID | Advanced | | String |
40 | Campaign ID | Advanced | | String |
41 | ZAP URL signal | Advanced | | String |
42 | URL Count | Urls | | String |
43 | URL domain | Urls | | String |
44 | URL domain and path | Urls | | String |
45 | URL | Urls | | String |
46 | URL path | Urls | | String |
47 | URL source | Urls | | Multi-select |
48 | Click verdict | Urls | | Multi-select |
49 | URL Threat | Urls | | Multi-select |
50 | Attachment Count | File | | String |
51 | Attachment filename | File | | String |
52 | File type | File | | String |
53 | File Extension | File | | String |
54 | File Size | File | | String |
55 | SPF | Authentication | Yes | Multi-select |
56 | DKIM | Authentication | Yes | Multi-select |
57 | DMARC | Authentication | Yes | Multi-select |
58 | Composite | Authentication | Yes | Multi-select |
Multi-select and single-select filters
Filter options
Context
- Evaluation
- Priority account protection
Delivery action
- Blocked
- Delivered
- Delivered to junk
- Replaced
Additional action
- Automated remediation
- Dynamic delivery
- Manual remediation
- None
- Quarantine release
- Reprocessed
- ZAP
Directionality
- Inbound
- Intra-org
- Outbound
Detection technology
- Advanced filter
- Antimalware protection
- Bulk
- Campaign
- Domain reputation
- File detonation
- File detonation reputation
- File reputation
- Fingerprint matching
- General filter
- Impersonation brand
- Impersonation domain
- Impersonation user
- IP reputation
- Mailbox intelligence impersonation
- Mixed analysis detection
- Spoof DMARC
- Spoof external domain
- Spoof intra-org
- URL detonation
- URL detonation reputation
- URL malicious reputation
Original delivery location
- Deleted items folder
- Dropped
- Failed
- Inbox/folder
- Junk folder
- On-prem/external
- Quarantine
- Unknown
Latest delivery location
- Deleted items folder
- Dropped
- Failed
- Inbox/folder
- Junk folder
- On-prem/external
- Quarantine
- Unknown
Phish confidence level
- High
- Normal
Primary override
- Allowed by organization policy
- Allowed by user policy
- Blocked by organization policy
- Blocked by user policy
- None
Primary override source
- 3rd Party Filter
- Admin initiated time travel
- Antimalware policy block by file type
- Antispam policy settings
- Connection policy
- Exchange transport rule
- Exclusive mode (User override)
- Filtering skipped due to on-prem organization
- IP region filter from policy
- Language filter from policy
- Phishing Simulation
- Quarantine release
- SecOps Mailbox
- Sender address list (Admin Override)
- Sender address list (User override)
- Sender domain list (Admin Override)
- Sender domain list (User override)
- Tenant Allow/Block List file block
- Tenant Allow/Block List sender email address block
- Tenant Allow/Block List spoof block
- Tenant Allow/Block List URL block
- Trusted contact list (User override)
- Trusted domain (User override)
- Trusted recipient (User override)
- Trusted senders only (User override)
Override source
- 3rd Party Filter
- Admin initiated time travel
- Antimalware policy block by file type
- Antispam policy settings
- Connection policy
- Exchange transport rule
- Exclusive mode (User override)
- Filtering skipped due to on-prem organization
- IP region filter from policy
- Language filter from policy
- Phishing Simulation
- Quarantine release
- SecOps Mailbox
- Sender address list (Admin Override)
- Sender address list (User override)
- Sender domain list (Admin Override)
- Sender domain list (User override)
- Trusted contact list (User override)
- Trusted domain (User override)
- Trusted recipient (User override)
- Trusted senders only (User override)
Policy type
Policy action
- Add x-header
- Bcc message
- Delete message
- Modify subject
- Move to junk mail folder
- No action taken
- Redirect message
- Send to quarantine
Threat type
- Malware
- Phish
- Spam
URL source
- Attachments
- Cloud attachment
- Email body
- Email header
- QR Code
- Subject
- Unknown
Click verdict
- Allowed
- Block overridden
- Blocked
- Error
- Failure
- None
- Pending verdict
- Pending verdict bypassed
URL Threat
- Malware
- Phish
- Spam
SPF
- Fail
- Neutral
- None
- Pass
- Permanent error
- Soft fail
- Temporary error
DKIM
- Error
- Fail
- Ignore
- None
- Pass
- Test
- Timeout
- Unknown
DMARC
- Best guess pass
- Fail
- None
- Pass
- Permanent error
- Selector pass
- Temporary error
- Unknown
Composite
- Fail
- None
- Pass
- Soft Pass
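The four authentication filters above (SPF, DKIM, DMARC, Composite) reflect the results Exchange Online stamps into a message's Authentication-Results header. As an added example that is not part of the original page, the Python below takes a constructed header and returns the filter values that message would match on; the token-to-label mapping is my assumption, based on RFC 8601 result names plus Microsoft's compauth and bestguesspass tokens.

```python
import re

# Constructed sample header in the shape Exchange Online stamps on delivered
# mail; addresses and IPs are made up for the example.
SAMPLE_HEADER = (
    "Authentication-Results: spf=softfail (sender IP is 203.0.113.5) "
    "smtp.mailfrom=example.net; dkim=fail (body hash did not verify) "
    "header.d=example.net; dmarc=fail action=quarantine header.from=example.net; "
    "compauth=softpass reason=001"
)

# Raw Authentication-Results tokens -> the labels Explorer shows in its
# SPF / DKIM / DMARC / Composite filters (mapping is an assumption).
SPF_LABELS = {"pass": "Pass", "fail": "Fail", "softfail": "Soft fail",
              "neutral": "Neutral", "none": "None",
              "temperror": "Temporary error", "permerror": "Permanent error"}
DKIM_LABELS = {"pass": "Pass", "fail": "Fail", "none": "None"}
DMARC_LABELS = {"pass": "Pass", "fail": "Fail", "none": "None",
                "bestguesspass": "Best guess pass",
                "temperror": "Temporary error", "permerror": "Permanent error"}
COMPAUTH_LABELS = {"pass": "Pass", "fail": "Fail",
                   "softpass": "Soft Pass", "none": "None"}

# Only the method=result pairs; property tags like smtp.mailfrom= do not match.
METHOD_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=([a-z]+)", re.IGNORECASE)


def explorer_auth_filters(header: str) -> dict:
    """Return the Explorer authentication filter value for each method.

    A method that is absent from the header maps to "None"; a result token the
    mapping does not know maps to "Unknown", which Explorer also lists for
    DKIM and DMARC.
    """
    found = {m.group(1).lower(): m.group(2).lower()
             for m in METHOD_RE.finditer(header)}

    def pick(method: str, table: dict) -> str:
        raw = found.get(method)
        if raw is None:
            return "None"
        return table.get(raw, "Unknown")

    return {
        "SPF": pick("spf", SPF_LABELS),
        "DKIM": pick("dkim", DKIM_LABELS),
        "DMARC": pick("dmarc", DMARC_LABELS),
        "Composite": pick("compauth", COMPAUTH_LABELS),
    }
```

Running it on a header copied from a suspicious message tells you which combination of the four filters to set in Explorer to find every message with the same authentication outcome.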
Tip
If you build a particularly useful query, you can save it and access it on the Threat tracker page. You can also schedule your saved query to run on a regular basis.