🎉 Our Office 365 Reporting Tool is now available in Azure Marketplace 🚀
This website uses cookies to improve your experience. We'll assume you're ok with this. Know more.

How to Find Malware Detected Emails in Microsoft 365

Malware emails are a major threat to businesses, leading to data breaches, system failures, and costly ransomware attacks. Just one malicious email can put your entire organization at risk. That’s why it's crucial to stay ahead by not only detecting malware emails but also understanding their patterns and sources in Microsoft 365. In this guide, we’ll show you how to effectively audit malware emails in Microsoft 365.

Native Solution

Microsoft 365 Permission Required

High
Least Privilege

Security Reader

Highest Privilege

Global Admin

Option 1 Using the Microsoft Defender Portal

  • Log in to the Microsoft 365 Defender portal.
  • Navigate to Reports»Email & collaboration»Email & collaboration reports»Threat protection status.
  • Click on the "View details" option in the Threat protection status report.
  • Change the report view from 'View data by Overview' to 'View data by Email > Malware' to get malware emails report.
  • This report provides insights into all malware emails within your organization, covering inbound, outbound, and intra-organizational threats.
Using the Microsoft Defender Portal

Option 2 Using Windows PowerShell

  • Connect to the Exchange Online PowerShell using the below cmdlet.
  • Windows PowerShell Windows PowerShell
     Connect-ExchangeOnline
  • Run the below cmdlet to obtain malware emails report in Microsoft 365.
  • Windows PowerShell Windows PowerShell
     Get-MailDetailATPReport | Where-Object {$_.VerdictSource -eq "Malware"} | Select-Object Date, Subject, SenderAddress, RecipientAddress, MessageId | Format-Table
Using Windows PowerShell

Option 3 Using PowerShell Script

  • The above cmdlet is useful for retrieving all malware emails in Exchange Online. However, there are times when you need specific reports on outbound, inbound, or intra-organizational malware emails. Obtaining these reports requires extensive filtering, which can be time-consuming.
  • To simplify this process, we've developed a PowerShell script that generates 9 different email protection reports, including malware, spam, and phishing reports.
  • For malware reports, use one of the following parameters:

    • 1. MalwareEmailsReceived for inbound malware emails.
    • 2. MalwareEmailsSent for outbound malware emails.
    • 3. IntraOrgMalwareMails for malware emails within your organization.
    ./MailProtectionReport.ps1 -<RequiredParameter>
Using PowerShell Script
  • Note: The 'Get-MailDetailATPReport' cmdlet retrieves malware emails only from the past 10 days. With a Microsoft Defender for Office 365 subscription, you can extend this period by retrieving up to 30 days of data.
AdminDroid Solution
More than 150 reports are under the free edition.

AdminDroid Permission Required

Any user with report access delegated by the Super Admin.

StepsUsing AdminDroid

ad
  • Log in to the AdminDroid Office 365 portal.
  • Navigate to the All Malware Mails report under the Audit»Email»Malware Mails.
Using AdminDroid

This report gives detailed insights into malware emails, covering both inbound and outbound emails. It includes critical information like event time, email subject, sender address, recipient address, and more.

malware-mail-count-by-sender-chart
  • Use AdminDroid's built-in charts to reveal the malware mail detection count by sender address. This helps you to pinpoint high-risk senders and take swift actions, like blocking them.

Uncover Hidden Malware Threats in Microsoft 365 Instantly!

Quickly identify and quarantine malware-infected emails with AdminDroid's Microsoft 365 malware detection reports. Thereby, protecting your user's mailboxes from malware email threats and ensure your data remains secure.

Witness the report in action using the

Important Tips

Utilize the configuration analyzer in Microsoft Defender to identify weak areas of your Exchange Online protection policies based on Microsoft's protection profiles.

Block risky file types in Exchange Online to stop malicious attachments and potential malware threats from reaching your organization.

Monitor Microsoft 365 email activity report to detect unusual patterns or spikes in email traffic, which can indicate a potential malware outbreak or phishing campaign.

Exchange OnlineSafeguard Your Mailboxes by Effectively Managing Malware Emails in Exchange Online!

Showing 1 of 3

How does Microsoft 365 detect malware in emails?

Understanding how emails are detected as malware in Microsoft 365 is crucial for admins to optimize their anti-malware policies. This ensures they can minimize risks while allowing legitimate emails to be delivered securely.

Here's an overview of some of the key malware detection technologies in Microsoft 365.

  • Anti-malware Engines: These engines scan emails and detect known malware by comparing email attachments and links against a vast library of malware signatures. If an email contains a known malicious file or link, it will be flagged as malware.
  • Heuristic and Behavioral Analysis: Even when an attachment or email doesn't match known malware signatures, Microsoft 365 uses heuristic analysis to detect suspicious behavior. Content heuristics can detect suspicious messages based on structure and word frequency within the body of the message using machine learning models.
  • Safe Attachments: Safe Attachments in Microsoft Defender provides an additional layer of protection for email attachments by utilizing a virtual environment. Attachments are opened and analyzed for malicious behavior before reaching the recipient's inbox. This ensures that harmful content is detected, even if it passes the initial anti-malware protection scans.
  • Safe Links: Safe Links in Microsoft Defender protect users from malicious URLs embedded in emails. It rewrites URLs during mail flow and performs real-time verification when users click on these links.
  • Zero-hour Auto Purge (ZAP): Zero-hour Auto Purge (ZAP) in Exchange Online enhances Microsoft 365 email security by automatically detecting and removing malicious emails from user inboxes, even after delivery.

How to prevent malware attacks using anti-malware protection in M365?

Configuring anti-malware policies in Microsoft 365 is essential to stop malware emails from infiltrating your organization. These policies dictate how malware is detected and handled across incoming and outgoing emails. By regularly configuring and reviewing anti-malware policies, admins can stay ahead of evolving malware attacks.

Let's see how to create these anti-malware policies in the Microsoft Defender to help prevent malware emails.

  • Access the Anti-malware page in the Microsoft 365 Defender portal and click the "+Create" option.
  • Enter a name and description for your policy, then click "Next".
  • Specify the users, groups, and domains to include or exclude from the policy. Then click "Next".
  • In the Protection settings page, you can enable the common attachments filter. This filter blocks dangerous file types like .exe, .bat, .cmd, and others from being sent or received. You will also have the option to: Reject the message with a non-delivery report (NDR) or Quarantine the message.
  • You can Enable zero-hour auto purge for malware to automatically remove malicious messages even after they have been delivered to mailboxes.
  • Choose a Quarantine policy to decide who can manage quarantined messages with malware (e.g., release, delete).
  • Configure Admin notifications to alert admins if malware is detected in emails from internal or external senders. Moreover, you can also customize the notification message.
  • Review all the settings and click Submit.

anti-malware-policy-defender

After configuring your anti-malware policies in Microsoft 365, it's essential to keep track of any changes made to these policies. This helps to ensure that no unauthorized changes are made. However, native methods fall short as there is no dedicated way to audit changes made to an anti-malware policy.

Monitor critical changes to Microsoft 365 anti-malware policies with AdminDroid!

  • The anti-malware configuration changes report offers a detailed overview of any changes made to the anti-malware policy.
  • Using this report, admins can track the username, respective anti-malware policy, event time, and more.
anti-malware-config-changes-admindroid

How to remediate malware emails delivered in Microsoft 365?

Malware emails can sometimes slip through the defenses in Microsoft 365 and reach user mailboxes. When these malware emails are detected, immediate remediation is essential. This helps to minimize further exposure and safeguard your organization's data.

To remediate malware emails in Microsoft 365 Defender Threat Explorer, follow the steps below.

  • In the Microsoft 365 Defender portal, navigate to the Email & collaboration»Explorer»Malware.
  • Select the email you want to remediate and click on the Take action button.
  • In the flyout pane, choose one of the following remediate actions.
    • Move or delete: This option allows the admins to move the malicious email to a different folder (e.g., Junk, Inbox) or delete it permanently from the mailbox.
    • Submit to Microsoft for review: The email can be submitted to Microsoft for review. Depending on the admin's choice, the email can be marked as clean, suspicious, or as a confirmed threat.
    • Initiate automated investigation: This option triggers an automated investigation by gathering more information on the sender, recipient, and other recipients involved.
    • Propose remediation: This action asks for approval from another admin to remediate the threat by performing actions like deleting or moving the email.

    Note: If you choose the "Move or delete" action, you will not be able to select "Propose remediation", and vice versa. Both actions cannot be applied simultaneously.

    malware-remediation-defender

  • After selecting your options, click Next.
  • Add a name and description to the remediation action and select the targeted entities (recipients) involved in the incident.
  • Then, review the selected actions and click Submit to initiate the remediation process.

By following these steps, admins can swiftly respond to potential threats and remove malware emails from the organization. Microsoft 365 offers streamlined processes for email remediation, ensuring that admins can maintain a secure and compliant email environment.

AdminDroid Exchange Online ReporterEffortlessly Track Malware Emails Report in Microsoft 365

AdminDroid's Microsoft 365 email monitoring tool offers detailed insights into malicious email activities and makes malware email detection in Microsoft 365 easy. This powerful tracking capability helps admins to enforce changes to anti-malware policies, prevent malware attacks, and maintain compliance.

A Quick Summary

Get Instant Alerts on Malware Emails with AdminDroid

Utilize AdminDroid's pre-built alert policy template to get instant notifications for every new malware email delivered to your users' mailboxes.

Track Daily Malware Emails Sent/Received in Microsoft 365

Monitor the daily malware mails sent/received report to quickly identify malware emails in Microsoft 365 and protect your users from potential security risks.

Review Exchange Online Quarantined Malware Mails

Audit quarantined emails including malware messages in Exchange Online, to ensure that legitimate emails are not mistakenly flagged as malware.

Identify Top Malware Receivers in Your Exchange Online

Discover which users receive the most malware emails with AdminDroid's top malware receivers report. This helps you to identify and secure vulnerable users in your organization.

Monitor Changes to Microsoft 365 Malware Filtering Policies

Utilize AdminDroid's Microsoft 365 malware filter report to track changes made to your malware filtering policies and ensure no unauthorized changes are made.

Email Dashboard for Visualizing Malware Mails

With AdminDroid's email protection dashboard, gain comprehensive insights into malware emails, top malware recipients, etc., of your organization.

In conclusion, AdminDroid's Exchange Online mail protection reports offers a comprehensive solution for malware protection in Microsoft 365. It offers detailed reports and automated monitoring not only for malware email threats but also for spam and phishing emails. This helps safeguard your organization and ensures a secure email environment.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Common Errors and Resolution Steps in Monitoring Malware Mails in Microsoft 365

The following are the possible errors and troubleshooting hints while exporting malware email reports in Microsoft 365.

Error: File D:\MailProtectionReport.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when you try to run a script in PowerShell and the system's execution policy restricts running unsigned scripts.

Troubleshooting hint :To resolve this error, execute the below cmdlet to set the execution policy as Unrestricted before running the script.

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Error: Exiting. Note: Choose one report to generate. Please try again.

This error occurs when you don't mention the report to be generated while executing the PowerShell script.

Troubleshooting hint :Specify what report must be generated while executing the script to avoid this error as shown below.

./MailProtectionReport.ps1 -MalwareEmailsReceived

Error: The term 'Get-MailDetailMalwareReport' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs because the 'Get-MailDetailMalwareReport' cmdlet no longer exists and has been deprecated from the Exchange Online PowerShell module.

Troubleshooting hint :You can now use the 'Get-MailDetailATPReport' cmdlet to retrieve malware detection reports using PowerShell.

Get-MailDetailATPReport | Where-Object {$_.VerdictSource -eq "Malware"}

Error: You can't apply the same user, group, or domain in two different fields, please check your input.

This error occurs when the same user, group, or domain is specified in both the "Include" and "Exclude" fields while creating an anti-malware policy.

Troubleshooting hint :Ensure that the users, groups, or domains are listed either in the "Include" or "Exclude" field, but not in both these fields.