Export Microsoft 365 Malware Emails Report

Native Solution

Microsoft 365 Permission Required

High

Least Privilege

Security Reader

Most Privilege

Global Admin

Option 1 Using the Microsoft Defender Portal

Log in to the Microsoft 365 Defender portal.
Navigate to Reports»Email & collaboration»Email & collaboration reports»Threat protection status.
Click on the "View details" option in the Threat protection status report.
Change the report view from 'View data by Overview' to 'View data by Email > Malware' to get malware emails report.
This report provides insights into all malware emails within your organization, covering inbound, outbound, and intra-organizational threats.

Option 2 Using Windows PowerShell

Connect to the Exchange Online PowerShell using the below cmdlet.
Windows PowerShell
```
 Connect-ExchangeOnline
```
Run the below cmdlet to obtain malware emails report in Microsoft 365.

Windows PowerShell

 Get-MailDetailATPReport | Where-Object {$_.VerdictSource -eq "Malware"} | Select-Object Date, Subject, SenderAddress, RecipientAddress, MessageId | Format-Table

Option 3 Using PowerShell Script

The above cmdlet is useful for retrieving all malware emails in Exchange Online. However, there are times when you need specific reports on outbound, inbound, or intra-organizational malware emails. Obtaining these reports requires extensive filtering, which can be time-consuming.
To simplify this process, we've developed a PowerShell script that generates 9 different email protection reports, including malware, spam, and phishing reports.
For malware reports, use one of the following parameters:
- 1. MalwareEmailsReceived for inbound malware emails.
- 2. MalwareEmailsSent for outbound malware emails.
- 3. IntraOrgMalwareMails for malware emails within your organization.
./MailProtectionReport.ps1 -<RequiredParameter>

MailProtectionReport.ps1

Note: The 'Get-MailDetailATPReport' cmdlet retrieves malware emails only from the past 10 days. With a Microsoft Defender for Office 365 subscription, you can extend this period by retrieving up to 30 days of data.

AdminDroid Solution

More than 150 reports are under the free edition.

AdminDroid Permission Required

Delegated

Any user with report access delegated by the Super Admin.

StepsUsing AdminDroid

Log in to the AdminDroid Office 365 portal.
Navigate to the All Malware Mails report under the Audit»Email»Malware Mails.

This report gives detailed insights into malware emails, covering both inbound and outbound emails. It includes critical information like event time, email subject, sender address, recipient address, and more.

Use AdminDroid's built-in charts to reveal the malware mail detection count by sender address. This helps you to pinpoint high-risk senders and take swift actions, like blocking them.

Explore a full range of reporting options

Uncover Hidden Malware Threats in Microsoft 365 Instantly!

Quickly identify and quarantine malware-infected emails with AdminDroid's Microsoft 365 malware detection reports. Thereby, protecting your user's mailboxes from malware email threats and ensure your data remains secure.

Witness the report in action using the

Live Demo

Important Tips

Utilize the configuration analyzer in Microsoft Defender to identify weak areas of your Exchange Online protection policies based on Microsoft's protection profiles.

Block risky file types in Exchange Online to stop malicious attachments and potential malware threats from reaching your organization.

Monitor Microsoft 365 email activity report to detect unusual patterns or spikes in email traffic, which can indicate a potential malware outbreak or phishing campaign.

Exchange OnlineSafeguard Your Mailboxes by Effectively Managing Malware Emails in Exchange Online!

Showing 1 of 3

How does Microsoft 365 detect malware in emails? How to prevent malware attacks using anti-malware protection in M365? How to remediate malware emails delivered in Microsoft 365?

How does Microsoft 365 detect malware in emails?

Understanding how emails are detected as malware in Microsoft 365 is crucial for admins to optimize their anti-malware policies. This ensures they can minimize risks while allowing legitimate emails to be delivered securely.

Here's an overview of some of the key malware detection technologies in Microsoft 365.

Anti-malware Engines: These engines scan emails and detect known malware by comparing email attachments and links against a vast library of malware signatures. If an email contains a known malicious file or link, it will be flagged as malware.
Heuristic and Behavioral Analysis: Even when an attachment or email doesn't match known malware signatures, Microsoft 365 uses heuristic analysis to detect suspicious behavior. Content heuristics can detect suspicious messages based on structure and word frequency within the body of the message using machine learning models.
Safe Attachments: Safe Attachments in Microsoft Defender provides an additional layer of protection for email attachments by utilizing a virtual environment. Attachments are opened and analyzed for malicious behavior before reaching the recipient's inbox. This ensures that harmful content is detected, even if it passes the initial anti-malware protection scans.
Safe Links: Safe Links in Microsoft Defender protect users from malicious URLs embedded in emails. It rewrites URLs during mail flow and performs real-time verification when users click on these links.
Zero-hour Auto Purge (ZAP): Zero-hour Auto Purge (ZAP) in Exchange Online enhances Microsoft 365 email security by automatically detecting and removing malicious emails from user inboxes, even after delivery.

How to prevent malware attacks using anti-malware protection in M365?

Configuring anti-malware policies in Microsoft 365 is essential to stop malware emails from infiltrating your organization. These policies dictate how malware is detected and handled across incoming and outgoing emails. By regularly configuring and reviewing anti-malware policies, admins can stay ahead of evolving malware attacks.

Let's see how to create these anti-malware policies in the Microsoft Defender to help prevent malware emails.

Access the Anti-malware page in the Microsoft 365 Defender portal and click the "+Create" option.
Enter a name and description for your policy, then click "Next".
Specify the users, groups, and domains to include or exclude from the policy. Then click "Next".
In the Protection settings page, you can enable the common attachments filter. This filter blocks dangerous file types like .exe, .bat, .cmd, and others from being sent or received. You will also have the option to: Reject the message with a non-delivery report (NDR) or Quarantine the message.
You can Enable zero-hour auto purge for malware to automatically remove malicious messages even after they have been delivered to mailboxes.
Choose a Quarantine policy to decide who can manage quarantined messages with malware (e.g., release, delete).
Configure Admin notifications to alert admins if malware is detected in emails from internal or external senders. Moreover, you can also customize the notification message.
Review all the settings and click Submit.

After configuring your anti-malware policies in Microsoft 365, it's essential to keep track of any changes made to these policies. This helps to ensure that no unauthorized changes are made. However, native methods fall short as there is no dedicated way to audit changes made to an anti-malware policy.

Monitor critical changes to Microsoft 365 anti-malware policies with AdminDroid!

The anti-malware configuration changes report offers a detailed overview of any changes made to the anti-malware policy.
Using this report, admins can track the username, respective anti-malware policy, event time, and more.

How to remediate malware emails delivered in Microsoft 365?

Malware emails can sometimes slip through the defenses in Microsoft 365 and reach user mailboxes. When these malware emails are detected, immediate remediation is essential. This helps to minimize further exposure and safeguard your organization's data.

To remediate malware emails in Microsoft 365 Defender Threat Explorer, follow the steps below.

In the Microsoft 365 Defender portal, navigate to the Email & collaboration»Explorer»Malware.
Select the email you want to remediate and click on the Take action button.
In the flyout pane, choose one of the following remediate actions.
- Move or delete: This option allows the admins to move the malicious email to a different folder (e.g., Junk, Inbox) or delete it permanently from the mailbox.
- Submit to Microsoft for review: The email can be submitted to Microsoft for review. Depending on the admin's choice, the email can be marked as clean, suspicious, or as a confirmed threat.
- Initiate automated investigation: This option triggers an automated investigation by gathering more information on the sender, recipient, and other recipients involved.
- Propose remediation: This action asks for approval from another admin to remediate the threat by performing actions like deleting or moving the email.
Note: If you choose the "Move or delete" action, you will not be able to select "Propose remediation", and vice versa. Both actions cannot be applied simultaneously.
After selecting your options, click Next.
Add a name and description to the remediation action and select the targeted entities (recipients) involved in the incident.
Then, review the selected actions and click Submit to initiate the remediation process.

By following these steps, admins can swiftly respond to potential threats and remove malware emails from the organization. Microsoft 365 offers streamlined processes for email remediation, ensuring that admins can maintain a secure and compliant email environment.

AdminDroid Exchange Online ReporterEffortlessly Track Malware Emails Report in Microsoft 365

AdminDroid's Microsoft 365 email monitoring tool offers detailed insights into malicious email activities and makes malware email detection in Microsoft 365 easy. This powerful tracking capability helps admins to enforce changes to anti-malware policies, prevent malware attacks, and maintain compliance.

A Quick Summary

Get Instant Alerts on Malware Emails with AdminDroid

Utilize AdminDroid's pre-built alert policy template to get instant notifications for every new malware email delivered to your users' mailboxes.

Track Daily Malware Emails Sent/Received in Microsoft 365

Monitor the daily malware mails sent/received report to quickly identify malware emails in Microsoft 365 and protect your users from potential security risks.

Review Exchange Online Quarantined Malware Mails

Audit quarantined emails including malware messages in Exchange Online, to ensure that legitimate emails are not mistakenly flagged as malware.

Identify Top Malware Receivers in Your Exchange Online

Discover which users receive the most malware emails with AdminDroid's top malware receivers report. This helps you to identify and secure vulnerable users in your organization.

Monitor Changes to Microsoft 365 Malware Filtering Policies

Utilize AdminDroid's Microsoft 365 malware filter report to track changes made to your malware filtering policies and ensure no unauthorized changes are made.

Email Dashboard for Visualizing Malware Mails

With AdminDroid's email protection dashboard, gain comprehensive insights into malware emails, top malware recipients, etc., of your organization.

In conclusion, AdminDroid's Exchange Online mail protection reports offers a comprehensive solution for malware protection in Microsoft 365. It offers detailed reports and automated monitoring not only for malware email threats but also for spam and phishing emails. This helps safeguard your organization and ensures a secure email environment.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Download

Common Errors and Resolution Steps in Monitoring Malware Mails in Microsoft 365

The following are the possible errors and troubleshooting hints while exporting malware email reports in Microsoft 365.

Error: File D:\MailProtectionReport.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when you try to run a script in PowerShell and the system's execution policy restricts running unsigned scripts.

Troubleshooting hint :To resolve this error, execute the below cmdlet to set the execution policy as Unrestricted before running the script.

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Error: Exiting. Note: Choose one report to generate. Please try again.

This error occurs when you don't mention the report to be generated while executing the PowerShell script.

Troubleshooting hint :Specify what report must be generated while executing the script to avoid this error as shown below.

./MailProtectionReport.ps1 -MalwareEmailsReceived

Error: The term 'Get-MailDetailMalwareReport' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs because the 'Get-MailDetailMalwareReport' cmdlet no longer exists and has been deprecated from the Exchange Online PowerShell module.

Troubleshooting hint :You can now use the 'Get-MailDetailATPReport' cmdlet to retrieve malware detection reports using PowerShell.

Get-MailDetailATPReport | Where-Object {$_.VerdictSource -eq "Malware"}

Error: You can't apply the same user, group, or domain in two different fields, please check your input.

This error occurs when the same user, group, or domain is specified in both the "Include" and "Exclude" fields while creating an anti-malware policy.

Troubleshooting hint :Ensure that the users, groups, or domains are listed either in the "Include" or "Exclude" field, but not in both these fields.

Delivering Reports on Time

Want a desired Microsoft 365 reports every Monday morning? Ensure automated report distribution and timely delivery with AdminDroid’s Scheduling to your email anytime you need.

Schedule tailored reports to execute automatically at the time you set and deliver straight to the emails you choose. In addition, you can customize report columns and add intelligent filtering to the activities just from the previous day to suit your Microsoft 365 report requirements.

Set It, Schedule It, See Results - Your Reports, Your Way, On Your Time!

Time Saving Automation Customization Intelligent Filtering

Give Just the Right Access to the Right People

Grant fine-tuned access to any Microsoft 365 user with AdminDroid’s Granular Delegation and meet your organization’s security and compliance requirements.

Create custom roles loaded with just the right permissions and give access to admins or normal users within AdminDroid. The result? A streamlined Microsoft 365 management experience that aligns your organization's security protocols and saves your invaluable time and effort.

Give Just the Right Access to the Right People

Align, Define, Simplify: AdminDroid's Granular Delegation

Smart Organizational Control Effortless M365 Management Simplified Access

Advanced Alerts at a Glance

Receive quick notifications for malicious Microsoft 365 activities. Engage with the AdminDroid’s real-time alert policies crafted to streamline your security investigations.

Stay informed of critical activities like suspicious emails and high-risk logins, bulk file sharing, etc. Through creating and validating ideal alert policies, AdminDroid provides a comprehensive approach to real-time monitoring and management of potential threats within your organization.

AdminDroid Keeps You Always Vigilant, Never Vulnerable!

Proactive Protection Real-time Monitoring Security Intelligence Threat Detection

Merge the Required Data to One Place

Combine multiple required columns into one comprehensive report and prioritize the information that matters most to you with AdminDroid’s Advanced Column Customization.

This column merging capability offers a flexible way to add different columns from various reports and collate all the essential data in one place. Want to revisit the customized report? Save it as a 'View’, and your unique report is ready whenever you need it.

Merge with Ease and Save as Views!

Custom Reporting Unique View Desired Columns Easy Data Interpretation

Insightful Charts and Exclusive Dashboards

Get a quick and easy overview of your tenant's activity, identify potential problems, and take action to protect your data with AdminDroid’s Charts and Dashboards.

With AdminDroid charts and dashboards, visualize your Microsoft 365 tenant in ways you've never thought possible. It's not just about viewing; it's about understanding, controlling, and transforming your Microsoft 365 environment.

Insightful Charts and Exclusive Dashboards

Explore Your Microsoft 365 Tenant in a Whole New Way!

Executive overviews Interactive insights Decision-making Data Visualization

Efficient Report Exporting for Microsoft 365

Downloading your reports in the right file format shouldn’t be a hassle with AdminDroid’s Report Export. Experience seamless report exporting in various formats that cater to your needs.

Navigate through diverse options and export Microsoft 365 reports flawlessly in your desired file format. Tailor your reports precisely as you need them and save them directly to your computer.

Efficient Report Exporting for Microsoft 365

Take Control, Customize and Deliver- Your Office 365 Data, Exported in Your Way!

Easy Export Seamless Downloading Data Control Manage Microsoft 365

How to Find Malware Detected Emails in Microsoft 365