
How to Find Malware Detected Emails in Microsoft 365

Malware emails are a major threat to businesses, leading to data breaches, system failures, and costly ransomware attacks. Just one malicious email can put your entire organization at risk. That’s why it's crucial to stay ahead by not only detecting malware emails but also understanding their patterns and sources in Microsoft 365. In this guide, we’ll show you how to effectively audit malware emails in Microsoft 365.

Using the Microsoft Defender Portal

Microsoft 365 permission required: Security Reader (least privilege) or Global Admin (most privilege).
  • Log in to the Microsoft 365 Defender portal.
  • Navigate to Reports»Email & collaboration»Email & collaboration reports»Threat protection status.
  • Click on the "View details" option in the Threat protection status report.
  • Change the report view from 'View data by Overview' to 'View data by Email > Malware' to get the malware emails report.
  • This report provides insights into all malware emails within your organization, covering inbound, outbound, and intra-organizational threats.

Using Windows PowerShell

Microsoft 365 permission required: Security Reader (least privilege) or Global Admin (most privilege).
  • Connect to Exchange Online PowerShell using the below cmdlet.
     Connect-ExchangeOnline
  • Run the below cmdlet to obtain the malware emails report in Microsoft 365.
     Get-MailDetailATPReport | Where-Object {$_.VerdictSource -eq "Malware"} | Select-Object Date, Subject, SenderAddress, RecipientAddress, MessageId | Format-Table

Using PowerShell Script

Microsoft 365 permission required: Security Reader (least privilege) or Global Admin (most privilege).
  • The above cmdlet is useful for retrieving all malware emails in Exchange Online. However, there are times when you need specific reports on outbound, inbound, or intra-organizational malware emails. Obtaining these reports requires extensive filtering, which can be time-consuming.
  • To simplify this process, we've developed a PowerShell script that generates 9 different email protection reports, including malware, spam, and phishing reports.
  • For malware reports, use one of the following parameters:
    1. MalwareEmailsReceived for inbound malware emails.
    2. MalwareEmailsSent for outbound malware emails.
    3. IntraOrgMalwareMails for malware emails within your organization.
     ./MailProtectionReport.ps1 -<RequiredParameter>
  • Note: The 'Get-MailDetailATPReport' cmdlet retrieves malware emails only from the past 10 days. With a Microsoft Defender for Office 365 subscription, you can extend this period by retrieving up to 30 days of data.
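As an added example (not the AdminDroid MailProtectionReport.ps1 script), the following pulls the same VerdictSource-filtered output of Get-MailDetailATPReport over a date range and splits it into inbound, outbound and intra-org mail using the tenant's accepted domains, which is the split the three script parameters above provide. It assumes an existing Connect-ExchangeOnline session with at least the Security Reader role; the $Days and $Csv parameters and the Get-AcceptedDomain-based classification are this example's own, while -StartDate, -EndDate, -PageSize and -Page are parameters of Get-MailDetailATPReport.

```powershell
# Added example, not the AdminDroid MailProtectionReport.ps1: pull Defender's malware
# verdicts for a date range and split them into inbound, outbound and intra-org mail
# using the tenant's accepted domains. Assumes an existing Connect-ExchangeOnline
# session with at least the Security Reader role. $Days and $Csv are this example's own.
param(
    [int]$Days = 10,                       # default retention of Get-MailDetailATPReport
    [string]$Csv = '.\MalwareMails.csv'    # assumed output path
)

$start = (Get-Date).AddDays(-$Days)
$end   = Get-Date

# Domains the tenant owns; any other domain is treated as external.
$ownDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() })

function Get-DomainPart([string]$Address) {
    if ($Address -and $Address.Contains('@')) { return $Address.Split('@')[-1].ToLower() }
    return ''
}

# Same VerdictSource filter as the cmdlet above, scoped to a date range and paged
# (PageSize 5000 is the cmdlet's maximum); keep paging while a page came back full.
$malware = @()
$page = 1
do {
    $batch = @(Get-MailDetailATPReport -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
    $malware += $batch | Where-Object { $_.VerdictSource -eq 'Malware' }
    $page++
} while ($batch.Count -eq 5000)

# Classify direction from the sender and recipient domains.
$report = foreach ($m in $malware) {
    $senderInternal    = $ownDomains -contains (Get-DomainPart $m.SenderAddress)
    $recipientInternal = $ownDomains -contains (Get-DomainPart $m.RecipientAddress)
    $direction = if ($senderInternal -and $recipientInternal) { 'IntraOrg' }
                 elseif ($senderInternal) { 'Outbound' }
                 else { 'Inbound' }
    [pscustomobject]@{
        Date      = $m.Date
        Direction = $direction
        Sender    = $m.SenderAddress
        Recipient = $m.RecipientAddress
        Subject   = $m.Subject
        MessageId = $m.MessageId
    }
}

$report | Sort-Object Date -Descending | Export-Csv -Path $Csv -NoTypeInformation
# Count per direction: the same split the MailProtectionReport.ps1 parameters give.
$report | Group-Object Direction | Select-Object Name, Count | Format-Table -AutoSize
```

Run it as a .ps1 file after Connect-ExchangeOnline; pass -Days 30 only if the tenant has the Defender for Office 365 retention noted above.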

Effortlessly Track Malware Emails Report in Microsoft 365

AdminDroid's Microsoft 365 email monitoring tool offers detailed insights into malicious email activities and makes malware email detection in Microsoft 365 easy. This powerful tracking capability helps admins to enforce changes to anti-malware policies, prevent malware attacks, and maintain compliance.

Get Instant Alerts on Malware Emails with AdminDroid

Utilize AdminDroid's pre-built alert policy template to get instant notifications for every new malware email delivered to your users' mailboxes.

Track Daily Malware Emails Sent/Received in Microsoft 365

Monitor the daily malware mails sent/received report to quickly identify malware emails in Microsoft 365 and protect your users from potential security risks.

Review Exchange Online Quarantined Malware Mails

Audit quarantined emails including malware messages in Exchange Online, to ensure that legitimate emails are not mistakenly flagged as malware.

Identify Top Malware Receivers in Your Exchange Online

Discover which users receive the most malware emails with AdminDroid's top malware receivers report. This helps you to identify and secure vulnerable users in your organization.

Monitor Changes to Microsoft 365 Malware Filtering Policies

Utilize AdminDroid's Microsoft 365 malware filter report to track changes made to your malware filtering policies and ensure no unauthorized changes are made.

Email Dashboard for Visualizing Malware Mails

With AdminDroid's email protection dashboard, gain comprehensive insights into malware emails, top malware recipients, etc., of your organization.

In conclusion, AdminDroid's Exchange Online mail protection reports offer a comprehensive solution for malware protection in Microsoft 365. They provide detailed reports and automated monitoring not only for malware email threats but also for spam and phishing emails. This helps safeguard your organization and ensures a secure email environment.


Important Tips

Utilize the configuration analyzer in Microsoft Defender to identify weak areas of your Exchange Online protection policies based on Microsoft's protection profiles.

Block risky file types in Exchange Online to stop malicious attachments and potential malware threats from reaching your organization.

Monitor the Microsoft 365 email activity report to detect unusual patterns or spikes in email traffic, which can indicate a potential malware outbreak or phishing campaign.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints while exporting malware email reports in Microsoft 365.

Error: File D:\MailProtectionReport.ps1 cannot be loaded because running scripts is disabled on this system.

This error occurs when you try to run a script in PowerShell and the system's execution policy restricts running unsigned scripts.

Fix: To resolve this error, execute the below cmdlet to set the execution policy as Unrestricted before running the script.
     Set-ExecutionPolicy -ExecutionPolicy Unrestricted

Error: Exiting. Note: Choose one report to generate. Please try again.

This error occurs when you don't specify which report to generate while executing the PowerShell script.

Fix: Specify which report must be generated while executing the script, as shown below.
     ./MailProtectionReport.ps1 -MalwareEmailsReceived

Error: The term 'Get-MailDetailMalwareReport' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs because the 'Get-MailDetailMalwareReport' cmdlet has been deprecated and removed from the Exchange Online PowerShell module.

Fix: Use the 'Get-MailDetailATPReport' cmdlet instead to retrieve malware detection reports using PowerShell.
     Get-MailDetailATPReport | Where-Object {$_.VerdictSource -eq "Malware"}

Error: You can't apply the same user, group, or domain in two different fields, please check your input.

This error occurs when the same user, group, or domain is specified in both the "Include" and "Exclude" fields while creating an anti-malware policy.

Fix: Ensure that each user, group, or domain is listed in either the "Include" or the "Exclude" field, but not in both.

Frequently Asked Questions


How does Microsoft 365 detect malware in emails?


Understanding how emails are detected as malware in Microsoft 365 is crucial for admins to optimize their anti-malware policies. This ensures they can minimize risks while allowing legitimate emails to be delivered securely.

Here's an overview of some of the key malware detection technologies in Microsoft 365.

  • Anti-malware Engines: These engines scan emails and detect known malware by comparing email attachments and links against a vast library of malware signatures. If an email contains a known malicious file or link, it will be flagged as malware.
  • Heuristic and Behavioral Analysis: Even when an attachment or email doesn't match known malware signatures, Microsoft 365 uses heuristic analysis to detect suspicious behavior. Content heuristics can detect suspicious messages based on structure and word frequency within the body of the message using machine learning models.
  • Safe Attachments: Safe Attachments in Microsoft Defender provides an additional layer of protection for email attachments by utilizing a virtual environment. Attachments are opened and analyzed for malicious behavior before reaching the recipient's inbox. This ensures that harmful content is detected, even if it passes the initial anti-malware protection scans.
  • Safe Links: Safe Links in Microsoft Defender protects users from malicious URLs embedded in emails. It rewrites URLs during mail flow and performs real-time verification when users click on these links.
  • Zero-hour Auto Purge (ZAP): Zero-hour Auto Purge (ZAP) in Exchange Online enhances Microsoft 365 email security by automatically detecting and removing malicious emails from user inboxes, even after delivery.

How to prevent malware attacks using anti-malware protection in M365?


Configuring anti-malware policies in Microsoft 365 is essential to stop malware emails from infiltrating your organization. These policies dictate how malware is detected and handled across incoming and outgoing emails. By regularly configuring and reviewing anti-malware policies, admins can stay ahead of evolving malware attacks.

Let's see how to create these anti-malware policies in the Microsoft Defender to help prevent malware emails.

  • Access the Anti-malware page in the Microsoft 365 Defender portal and click the "+Create" option.
  • Enter a name and description for your policy, then click "Next".
  • Specify the users, groups, and domains to include or exclude from the policy. Then click "Next".
  • In the Protection settings page, you can enable the common attachments filter. This filter blocks dangerous file types like .exe, .bat, .cmd, and others from being sent or received. You will also have the option to: Reject the message with a non-delivery report (NDR) or Quarantine the message.
  • You can Enable zero-hour auto purge for malware to automatically remove malicious messages even after they have been delivered to mailboxes.
  • Choose a Quarantine policy to decide who can manage quarantined messages with malware (e.g., release, delete).
  • Configure Admin notifications to alert admins if malware is detected in emails from internal or external senders. Moreover, you can also customize the notification message.
  • Review all the settings and click Submit.
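The same policy the portal steps above produce, built with the Exchange Online cmdlets, as an added example that is not part of the original page. It also checks up front that no recipient appears on both the include and exclude side, which is the cause of the "same user, group, or domain in two different fields" error listed earlier. It assumes an existing Connect-ExchangeOnline session with a role that can edit threat policies; the policy name, addresses and file-type list are placeholders, and the cmdlet parameters used are those of New-MalwareFilterPolicy and New-MalwareFilterRule.

```powershell
# Added example, not from the page: the anti-malware policy the portal steps above
# create, built with the Exchange Online cmdlets, plus a check that a recipient is not
# listed on both the include and the exclude side (the portal rejects that with
# "You can't apply the same user, group, or domain in two different fields").
# Assumes an existing Connect-ExchangeOnline session with a role that can edit
# threat policies. All names and addresses are placeholders.
$PolicyName   = 'Block-Risky-Attachments'
$IncludeUsers = @('finance@contoso.example', 'hr@contoso.example')   # step 3: scope
$ExcludeUsers = @('noreply@contoso.example')                         # step 3: exceptions
$AdminAddress = 'secops@contoso.example'                             # step 7: notifications

$overlap = @($IncludeUsers | Where-Object { $ExcludeUsers -contains $_ })
if ($overlap.Count -gt 0) {
    throw "Listed in both include and exclude: $($overlap -join ', '). Remove from one side."
}

# Step 4: common attachments filter. The extension list is a placeholder; .exe, .bat
# and .cmd are the ones the page names.
$riskyTypes = @('exe', 'bat', 'cmd', 'js', 'vbs', 'scr', 'iso')

$policyParams = @{
    Name                                   = $PolicyName
    EnableFileFilter                       = $true
    FileTypes                              = $riskyTypes
    FileTypeAction                         = 'Quarantine'            # or 'Reject' to send an NDR
    ZapEnabled                             = $true                   # step 5: zero-hour auto purge
    QuarantineTag                          = 'AdminOnlyAccessPolicy' # step 6: built-in quarantine policy
    EnableInternalSenderAdminNotifications = $true                   # step 7: admin notifications
    InternalSenderAdminAddress             = $AdminAddress
    EnableExternalSenderAdminNotifications = $true
    ExternalSenderAdminAddress             = $AdminAddress
}
New-MalwareFilterPolicy @policyParams | Out-Null

# The rule binds the policy to its recipients; a custom policy without a rule applies to no one.
New-MalwareFilterRule -Name "$PolicyName-Rule" -MalwareFilterPolicy $PolicyName `
    -SentTo $IncludeUsers -ExceptIfSentTo $ExcludeUsers -Priority 0 | Out-Null

# Step 8: review what was actually applied.
Get-MalwareFilterPolicy -Identity $PolicyName |
    Select-Object Name, EnableFileFilter, FileTypes, FileTypeAction, ZapEnabled, QuarantineTag
```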


After configuring your anti-malware policies in Microsoft 365, it's essential to keep track of any changes made to these policies. This helps to ensure that no unauthorized changes are made. However, native methods fall short as there is no dedicated way to audit changes made to an anti-malware policy.

Monitor critical changes to Microsoft 365 anti-malware policies with AdminDroid!

  • The anti-malware configuration changes report offers a detailed overview of any changes made to the anti-malware policy.
  • Using this report, admins can track the username, respective anti-malware policy, event time, and more.

How to remediate malware emails delivered in Microsoft 365?


Malware emails can sometimes slip through the defenses in Microsoft 365 and reach user mailboxes. When these malware emails are detected, immediate remediation is essential. This helps to minimize further exposure and safeguard your organization's data.

To remediate malware emails in Microsoft 365 Defender Threat Explorer, follow the steps below.

  • In the Microsoft 365 Defender portal, navigate to Email & collaboration»Explorer»Malware.
  • Select the email you want to remediate and click on the Take action button.
  • In the flyout pane, choose one of the following remediate actions.
    • Move or delete: This option allows the admins to move the malicious email to a different folder (e.g., Junk, Inbox) or delete it permanently from the mailbox.
    • Submit to Microsoft for review: The email can be submitted to Microsoft for review. Depending on the admin's choice, the email can be marked as clean, suspicious, or as a confirmed threat.
    • Initiate automated investigation: This option triggers an automated investigation by gathering more information on the sender, recipient, and other recipients involved.
    • Propose remediation: This action asks for approval from another admin to remediate the threat by performing actions like deleting or moving the email.

    Note: If you choose the "Move or delete" action, you will not be able to select "Propose remediation", and vice versa. Both actions cannot be applied simultaneously.


  • After selecting your options, click Next.
  • Add a name and description to the remediation action and select the targeted entities (recipients) involved in the incident.
  • Then, review the selected actions and click Submit to initiate the remediation process.

By following these steps, admins can swiftly respond to potential threats and remove malware emails from the organization. Microsoft 365 offers streamlined processes for email remediation, ensuring that admins can maintain a secure and compliant email environment.
