Threat Detection Report
Phishing attempts, malware detections, spam volume, and Safe Links/Safe Attachments activations. Track threat trends over time across your Exchange Online environment.
Overview
The Threat Detection Report provides a comprehensive view of all email-based threats detected across your managed tenants. This includes phishing campaigns, malware attachments, spam messages, and activations of Microsoft Defender for Office 365 protection features.
Report Columns
| Column | Description |
|---|---|
| Date | Detection date |
| Threat Type | Phishing, Malware, Spam, or Bulk |
| Detection Method | Safe Attachments, Safe Links, Anti-malware, or Anti-spam |
| Count | Number of threats detected |
| Blocked | Number of threats successfully blocked |
| Delivered | Number of threats that reached inboxes |
| Tenants Affected | Number of managed tenants impacted |
| Top Targeted Users | Users receiving the most threats |
Threat Categories
- Phishing — Messages attempting to steal credentials or personal information
- Malware — Messages containing malicious attachments or links to malware
- Spam — Unsolicited bulk email
- Bulk Mail — Legitimate newsletters and marketing that users may not want
- Spoof — Messages with forged sender addresses
- Impersonation — Messages impersonating known users or brands
Trend Analysis
The report tracks threat trends across multiple dimensions:
- Volume over time — Daily, weekly, and monthly threat counts
- Threat type distribution — Breakdown by phishing, malware, spam
- Block rate — Percentage of threats successfully blocked
- Top targeted users — Users receiving the most threats
- Top sender domains — Domains sending the most malicious content
Key Metrics
| Metric | Description |
|---|---|
| Total Threats | All threats detected in the period |
| Block Rate | Percentage of threats blocked before delivery |
| Phishing Rate | Phishing messages per 1,000 emails received |
| Zero-Day Detections | New threats caught by Safe Attachments detonation |
| User Reports | Threats reported by end users via Report Message |
Filters
- Date Range — Last 7 days, 30 days, 90 days, or custom
- Threat Type — Phishing, Malware, Spam, Spoof, Impersonation
- Severity — High, Medium, Low
- Detection Method — Safe Attachments, Safe Links, Anti-malware, Anti-spam
- Tenant — Filter by managed tenant
Recommended Actions
- Review delivered threats and investigate any user interactions
- Strengthen policies if specific threat types are increasing
- Enable Safe Links and Safe Attachments if not already active
- Conduct phishing awareness training for frequently targeted users
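
One way to act on the first two recommended actions from exported report data, as an added example that is not part of the product. It assumes the export is CSV with headers matching the Report Columns table and ISO-formatted dates; the function names and the 1.5x growth threshold are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the CSV layout is an assumption based on the Report Columns table.
SAMPLE_EXPORT = """Date,Threat Type,Detection Method,Count,Blocked,Delivered
2024-05-01,Phishing,Safe Links,40,38,2
2024-05-01,Malware,Safe Attachments,10,10,0
2024-05-08,Phishing,Safe Links,70,63,7
2024-05-08,Malware,Safe Attachments,8,8,0
2024-05-08,Spam,Anti-spam,500,495,5
"""

def triage(export_text, growth_threshold=1.5):
    """Per threat type: block rate (%), delivered total, and whether volume is rising."""
    totals = defaultdict(lambda: {"count": 0, "blocked": 0, "delivered": 0})
    per_date = defaultdict(dict)  # threat type -> {date: count}
    for row in csv.DictReader(io.StringIO(export_text)):
        ttype, date = row["Threat Type"], row["Date"]
        for column in ("Count", "Blocked", "Delivered"):
            totals[ttype][column.lower()] += int(row[column])
        per_date[ttype][date] = per_date[ttype].get(date, 0) + int(row["Count"])

    findings = {}
    for ttype, t in totals.items():
        dates = sorted(per_date[ttype])  # ISO dates sort chronologically
        first, last = per_date[ttype][dates[0]], per_date[ttype][dates[-1]]
        findings[ttype] = {
            # Block Rate: percentage of detected threats that were blocked
            "block_rate": round(100 * t["blocked"] / t["count"], 1) if t["count"] else None,
            "delivered": t["delivered"],
            # Rising only if there are two or more dates and the last/first ratio meets the threshold
            "increasing": len(dates) > 1 and first > 0 and last / first >= growth_threshold,
        }
    return findings

def review_queue(findings):
    """Threat types with delivered messages, highest delivered count first."""
    hits = [(f["delivered"], ttype) for ttype, f in findings.items() if f["delivered"] > 0]
    return [ttype for _, ttype in sorted(hits, reverse=True)]

if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for ttype in review_queue(result):
        print(ttype, result[ttype])
```
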
API Reference
- GET /api/reports/exchange/threats — Get threat detection summary
- GET /api/reports/exchange/threats/trends — Get threat trend data
- GET /api/reports/exchange/threats/top-targeted — Get most targeted users
- POST /api/reports/exchange/threats/export — Export report data