Threats Overview
Unified view of email threats detected across your Exchange Online environment. The threats overview dashboard aggregates data from anti-spam, anti-phishing, anti-malware, Safe Links, and Safe Attachments to provide a comprehensive security picture.
Note: Full threat analytics require Microsoft Defender for Office 365 Plan 2. Basic threat data is available with EOP and Defender Plan 1.
Threat Dashboard
| Metric | Description |
|---|---|
| Total Threats | All threats detected in the selected period |
| Spam Blocked | Messages filtered as spam |
| Phishing Detected | Phishing attempts identified |
| Malware Caught | Malicious attachments blocked |
| URLs Blocked | Malicious URLs blocked by Safe Links |
| Users Targeted | Number of unique users who received threats |
Threat Categories
Email Malware
Malicious attachments detected by anti-malware engines and Safe Attachments sandbox detonation. Includes known malware signatures and zero-day threats discovered through behavioral analysis.
Phishing
Credential harvesting, business email compromise, and impersonation attacks. Detected by anti-phishing policies, spoof intelligence, and URL analysis.
Spam
Unwanted bulk email, marketing spam, and nuisance messages. Filtered by anti-spam policies based on content analysis, sender reputation, and bulk complaint level.
Malicious URLs
URLs leading to phishing sites, malware downloads, or exploit kits. Detected by Safe Links at time of click and by URL reputation services.
Threat Trends
Daily Volume
Track threat volume over time to identify trends and spikes:
- Unusual increases may indicate a targeted campaign
- Seasonal patterns in spam and phishing activity
- Correlation with real-world events (tax season, holidays)
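One way to turn "unusual increases" into a repeatable check, shown as an added example that is not part of the product: it flags days whose count sits far above a trailing 7-day median. The `(date, count)` input shape, the function name `find_spikes`, its thresholds, and the sample values are all assumptions constructed for illustration, since this page does not document the trend data format.

```python
from statistics import median

# Constructed sample: daily phishing detections as (date, count) pairs.
# Assumption: trend data has been reduced to this shape; the response
# schema of the trends endpoint is not documented on this page.
SAMPLE = [
    ("2024-03-04", 40), ("2024-03-05", 44), ("2024-03-06", 38),
    ("2024-03-07", 42), ("2024-03-08", 41), ("2024-03-09", 15),
    ("2024-03-10", 12), ("2024-03-11", 43), ("2024-03-12", 39),
    ("2024-03-13", 45), ("2024-03-14", 118), ("2024-03-15", 47),
    ("2024-03-16", 14), ("2024-03-17", 11),
]


def find_spikes(series, window=7, threshold=3.5, min_excess=10):
    """Return (date, count, baseline) for days far above the trailing baseline.

    Baseline is the median of the previous `window` days and spread is the
    median absolute deviation (MAD). Both are robust statistics, so weekend
    dips and an earlier spike inside the window do not distort them.
    """
    spikes = []
    for i in range(window, len(series)):
        day, count = series[i]
        history = [c for _, c in series[i - window:i]]
        baseline = median(history)
        excess = count - baseline
        if excess < min_excess:
            continue  # ignore dips and small absolute increases
        mad = median(abs(c - baseline) for c in history)
        # 0.6745 scales MAD so the score is comparable to a z-score.
        # A perfectly flat history (MAD of 0) makes any real excess a spike.
        score = 0.6745 * excess / mad if mad else float("inf")
        if score >= threshold:
            spikes.append((day, count, baseline))
    return spikes


if __name__ == "__main__":
    for day, count, baseline in find_spikes(SAMPLE):
        print(f"{day}: {count} detections vs. 7-day median {baseline}")
```

A flagged day is a prompt to open Threat Explorer for that date and check whether the messages share a sender, subject, or recipient group.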
Top Targeted Users
Identify users who receive the most threats:
- Executives and finance staff are common targets
- IT administrators are targeted for credential attacks
- New employees may receive more spam
Top Threat Sources
Most common sending IPs, domains, and infrastructure used by attackers:
- Identify persistent threat actors
- Block recurring sources via connection filter
- Report to Microsoft for broader protection
Threat Explorer
Investigate specific threats in detail:
- Search by sender, recipient, subject, or threat type
- View message headers and delivery path
- Check Safe Links click data
- Review Safe Attachments detonation results
Best Practices
- Review dashboard daily — Monitor for unusual threat spikes or targeted campaigns.
- Investigate top-targeted users — Ensure high-risk users have the strongest protection.
- Use trend data for planning — Adjust security policies based on observed threat patterns.
- Export reports — Share threat data with stakeholders and compliance teams.
API Reference
GET /api/exchange/threats/overview
Get threat overview statistics
GET /api/exchange/threats/trends
Get threat trend data
GET /api/exchange/threats/top-targeted
Get most targeted users
GET /api/exchange/threats/explorer
Search threat data with filters