Campaign Views in Microsoft Defender for Office 365 Plan - Office 365 (2022)


Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

  • Microsoft Defender for Office 365 plan 2

Campaign Views is a feature in Microsoft Defender for Office 365 Plan 2 (for example, Microsoft 365 E5 or organizations with a Defender for Office 365 Plan 2 add-on). Campaign Views in the Microsoft 365 Defender portal identifies and categorizes phishing attacks in the service. Campaign Views can help you to:

  • Efficiently investigate and respond to phishing attacks.
  • Better understand the scope of the attack.
  • Show value to decision makers.

Campaign Views lets you see the big picture of an attack faster and more completely than any human could.

Watch this short video on how campaign views in Microsoft Defender for Office 365 help you understand attack campaigns targeting your organization.

What is a campaign?

A campaign is a coordinated email attack against one or many organizations. Email attacks that steal credentials and company data are a large and lucrative industry. As technologies increase in an effort to stop attacks, attackers modify their methods in an effort to ensure continued success.

Microsoft leverages the vast amounts of anti-phishing, anti-spam, and anti-malware data across the entire service to help identify campaigns. We analyze and classify the attack information according to several factors. For example:

  • Attack source: The source IP addresses and sender email domains.
  • Message properties: The content, style, and tone of the messages.
  • Message recipients: How recipients are related. For example, recipient domains, recipient job functions (admins, executives, etc.), company types (large, small, public, private, etc.), and industries.
  • Attack payload: Malicious links, attachments, or other payloads in the messages.

A campaign might be short-lived, or could span several days, weeks, or months with active and inactive periods. A campaign might be launched against your specific organization, or your organization might be part of a larger campaign across multiple companies.

Campaign Views in the Microsoft 365 Defender portal

Campaign Views is available in the Microsoft 365 Defender portal at https://security.microsoft.com at Email & collaboration > Campaigns, or directly at https://security.microsoft.com/campaigns.

You can also get to Campaign Views from:

  • Email & collaboration > Explorer > View > Campaigns
  • Email & collaboration > Explorer > View > All email > Campaign tab
  • Email & collaboration > Explorer > View > Phish > Campaign tab
  • Email & collaboration > Explorer > View > Malware > Campaign tab

To access Campaign Views, you need to be a member of the Organization Management, Security Administrator, or Security Reader role groups in the Microsoft 365 Defender portal. For more information, see Permissions in the Microsoft 365 Defender portal.

Campaigns overview

The overview page shows information about all campaigns.

On the default Campaign tab, the Campaign type area shows a bar graph of the number of recipients per day. By default, the graph shows both Phish and Malware data.


Tip

If you don't see any campaign data, try changing the date range or filters.

The table below the graph on the overview page shows the following information on the Campaign tab:

  • Name

  • Sample subject: The subject line of one of the messages in the campaign. Note that not all messages in the campaign necessarily have the same subject.

  • Targeted: The percentage as calculated by: (the number of campaign recipients in your organization) / (the total number of recipients in the campaign across all organizations in the service). This value indicates the degree to which the campaign is directed only at your organization (a higher value) vs. also directed at other organizations in the service (a lower value).

  • Type: This value is either Phish or Malware.

  • Subtype: This value contains more details about the campaign. For example:

    • Phish: Where available, the brand that is being phished by this campaign. For example, Microsoft, 365, Unknown, Outlook, or DocuSign.
    • Malware: For example, HTML/PHISH or HTML/<MalwareFamilyName>.

    When the detection is driven by Defender for Office 365 technology, the prefix ATP- is added to the subtype value.

  • Recipients: The number of users that were targeted by this campaign.

  • Inboxed: The number of users that received messages from this campaign in their Inbox (not delivered to their Junk Email folder).

  • Clicked: The number of users that clicked on the URL or opened the attachment in the phishing message.

  • Click rate: The percentage as calculated by "Clicked / Inboxed". This value is an indicator of the effectiveness of the campaign. In other words, it reflects whether recipients were able to identify the message as phishing and refrained from clicking on the payload URL.

    Note that Click rate isn't used in malware campaigns.

  • Visited: How many users actually made it through to the payload website. If there are Clicked values, but Safe Links blocked access to the website, this value will be zero.

The Campaign origin tab shows the message sources on a map of the world.


Filters and settings

At the top of the Campaign page, there are several filter and query settings to help you find and isolate specific campaigns.

The most basic filtering that you can do is the start date/time and the end date/time.

To further filter the view, you can filter on a single property with multiple values by clicking the Campaign type button, making your selection, and then clicking Refresh.

The filterable campaign properties that are available in the Campaign type button are described in the following list:

  • Basic:

    • Campaign type: Select Malware or Phish. Clearing the selections has the same result as selecting both.
    • Campaign name
    • Campaign subtype
    • Sender
    • Recipients
    • Sender domain
    • Subject
    • Attachment filename
    • Malware family
    • Tags: Users or groups that have had the specified user tag applied (including priority accounts). For more information about user tags, see User tags.
    • Delivery action
    • Additional action
    • Directionality
    • Detection technology
    • Original delivery location
    • Latest delivery location
    • System overrides
  • Advanced:

    • Internet message ID: Available in the Message-ID header field in the message header. An example value is <08f1e0f6806a47b4ac103961109ae6ef@server.domain> (note the angle brackets).
    • Network message ID: A GUID value that's available in the X-MS-Exchange-Organization-Network-Message-Id header field in the message header.
    • Sender IP
    • Attachment SHA256: To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt: certutil.exe -hashfile "<Path>\<Filename>" SHA256.
    • Cluster ID
    • Alert ID
    • Alert Policy ID
    • Campaign ID
    • ZAP URL signal
  • URLs:

    • URL domain
    • URL domain and path
    • URL
    • URL path
    • Click verdict

For more advanced filtering, including filtering by multiple properties, you can click the Advanced filter button to build a query. The same campaign properties are available, but with the following enhancements:

  • You can click Add a condition to select multiple conditions.
  • You can choose the And or Or operator between conditions.
  • You can select the Condition group item at the bottom of the conditions list to form complex compound conditions.

When you're finished, click the Query button.

After you create a basic or advanced filter, you can save it by using Save query or Save query as. Later, when you return to the Campaigns page, you can load a saved filter by clicking Saved query settings.

To export the graph or the list of campaigns, click Export and select Export chart data or Export campaign list.

If you have a Microsoft Defender for Endpoint subscription, you can click MDE Settings to connect or disconnect the campaigns information with Microsoft Defender for Endpoint. For more information, see Integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint.

Campaign details

When you click on the name of a campaign, the campaign details appear in a flyout.

Campaign information

At the top of the campaign details view, the following campaign information is available:

  • Campaign ID: The unique campaign identifier.
  • Activity: The duration and activity of the campaign.
  • Impact: The following data for the date range filter you selected (or that you select in the timeline):

    • Messages: The total number of recipients.
    • Inboxed: The number of messages that were delivered to the Inbox, not to the Junk Email folder.
    • Clicked link: How many users clicked on the URL payload in the phishing message.
    • Visited link: How many users visited the URL.
    • Targeted(%): The percentage as calculated by: (the number of campaign recipients in your organization) / (the total number of recipients in the campaign across all organizations in the service). Note that this value is calculated over the entire lifetime of the campaign, and doesn't change based on date filters.
  • Start date/time and end date/time filters for the campaign flow as described in the next section.
  • An interactive timeline of campaign activity: The timeline shows activity over the entire lifetime of the campaign. You can hover over the data points in the graph to see the amount of detected messages.

Campaign flow

In the middle of the campaign details view, important details about the campaign are presented in a horizontal flow diagram (known as a Sankey diagram). These details will help you to understand the elements of the campaign and the potential impact in your organization.


Tip

The information that's displayed in the flow diagram is controlled by the date range filter in the timeline as described in the previous section.

If you hover over a horizontal band in the diagram, you'll see the number of related messages (for example, messages from a particular source IP, messages from the source IP using the specified sender domain, etc.).

The diagram contains the following information:

  • Sender IPs

  • Sender domains

  • Filter verdicts: Verdict values are related to the available phishing and spam filtering verdicts as described in Anti-spam message headers. The available values, each followed by the corresponding spam filter verdict (SFV) value, are:

    • Allowed (SFV:SKN): The message was marked as not spam and/or skipped filtering before being evaluated by spam filtering. For example, the message was marked as not spam by a mail flow rule (also known as a transport rule).
    • Allowed (SFV:SKI): The message skipped spam filtering for other reasons. For example, the sender and recipient appear to be in the same organization.
    • Blocked (SFV:SKS): The message was marked as spam before being evaluated by spam filtering. For example, by a mail flow rule.
    • Detected (SFV:SPM): The message was marked as spam by spam filtering.
    • Not Detected (SFV:NSPM): The message was marked as not spam by spam filtering.
    • Released (SFV:SKQ): The message skipped spam filtering because it was released from quarantine.
    • Tenant Allow* (SFV:SKA): The message skipped spam filtering because of the settings in an anti-spam policy. For example, the sender was in the allowed sender list or allowed domain list.
    • Tenant Block** (SFV:SKA): The message was blocked by spam filtering because of the settings in an anti-spam policy. For example, the sender was in the blocked sender list or blocked domain list.
    • User Allow* (SFV:SFE): The message skipped spam filtering because the sender was in a user's Safe Senders list.
    • User Block** (SFV:BLK): The message was blocked by spam filtering because the sender was in a user's Blocked Senders list.
    • ZAP (no SFV value): Zero-hour auto purge (ZAP) moved the delivered message to the Junk Email folder or quarantine. You configure the action in anti-spam policies.

    * Review your anti-spam policies, because the allowed message would have likely been blocked by the service.

    ** Review your anti-spam policies, because these messages should be quarantined, not delivered.
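The Advanced filters above take the Internet message ID, the Network message ID, the sender IP and an attachment SHA256, and the Filter verdict layer of the flow diagram is derived from the SFV value in the anti-spam message headers. The following Python script is an added example (not Microsoft's code, and not part of the original article) that pulls those identifiers out of a raw message, computes the same SHA256 digest that the certutil.exe command produces, and maps the SFV value to the Campaign Views verdict label using the table above. The sample message is constructed; its Message-ID is the one the article uses as an example, and the Network message ID, IP address and domains are placeholders.

```python
"""Triage helper for Campaign Views identifiers and filter verdicts.
Added example, not Microsoft's code; the sample message is constructed."""
import email
import hashlib
from email import policy

# Campaign Views "Filter verdict" label for each SFV value in the
# X-Forefront-Antispam-Report header (the table above). SFV:SKA is used for
# both Tenant Allow and Tenant Block, so the header alone cannot separate
# them; ZAP has no SFV value at all.
SFV_TO_VERDICT = {
    "SKN": "Allowed", "SKI": "Allowed", "SKS": "Blocked",
    "SPM": "Detected", "NSPM": "Not Detected", "SKQ": "Released",
    "SKA": "Tenant Allow/Tenant Block (check the anti-spam policy)",
    "SFE": "User Allow", "BLK": "User Block",
}

# Constructed sample message (placeholder addresses, IP and GUID).
SAMPLE_EML = """\
From: "Payroll" <notice@example.invalid>
To: alice@contoso.example
Subject: Action required: updated payslip
Message-ID: <08f1e0f6806a47b4ac103961109ae6ef@server.domain>
X-MS-Exchange-Organization-Network-Message-Id: 0f1c2d3e-4a5b-6c7d-8e9f-0a1b2c3d4e5f
X-Forefront-Antispam-Report: CIP:203.0.113.45;CTRY:XX;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail.example.invalid;PTR:;CAT:PHSH;SFTY:9.19;DIR:INB
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached statement.
--b1
Content-Type: text/plain; name="statement.txt"
Content-Disposition: attachment; filename="statement.txt"
Content-Transfer-Encoding: base64

YWJj
--b1--
"""


def parse_antispam_report(header_value):
    """Split 'KEY:VALUE;KEY:VALUE;...' into a dict (values may be empty, e.g. SRV:)."""
    fields = {}
    for part in header_value.split(";"):
        key, _, value = part.strip().partition(":")
        if key:
            fields[key] = value
    return fields


def verdict_label(sfv):
    """Campaign Views label for an SFV value; missing or unknown values are flagged."""
    if not sfv:
        return "n/a (no SFV value: ZAP, or header missing)"
    return SFV_TO_VERDICT.get(sfv, f"Unrecognised SFV:{sfv}")


def attachment_hashes(msg):
    """(filename, SHA256 hex) per attachment; same digest certutil -hashfile ... SHA256 prints."""
    return [
        (part.get_filename(), hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        for part in msg.iter_attachments()
    ]


def triage(raw_message):
    """Extract the Advanced filter identifiers and the filter verdict from one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    report = parse_antispam_report(str(msg.get("X-Forefront-Antispam-Report", "")))
    sfv = report.get("SFV", "")
    return {
        "internet_message_id": str(msg.get("Message-ID", "")).strip(),
        "network_message_id": str(
            msg.get("X-MS-Exchange-Organization-Network-Message-Id", "")).strip(),
        "sender_ip": report.get("CIP", ""),     # Sender IP filter
        "category": report.get("CAT", ""),      # e.g. PHSH for phishing
        "sfv": sfv,
        "verdict": verdict_label(sfv),
        "attachments": attachment_hashes(msg),  # Attachment SHA256 filter
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Each value the script prints can be pasted straight into the matching Advanced filter; the verdict label tells you which band of the Filter verdicts layer the message would land in, and a Tenant Allow or User Allow result on a phishing message is the cue to review the allow entries as the footnotes above recommend.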

  • Message destinations: You'll likely want to investigate messages that were delivered to recipients (either to the Inbox or the Junk Email folder), even if users didn't click on the payload URL in the message. You can also remove the quarantined messages from quarantine. For more information, see Quarantined email messages in EOP.

    • Deleted folder
    • Dropped
    • External: The recipient is located in your on-premises email organization in hybrid environments.
    • Failed
    • Forwarded
    • Inbox
    • Junk folder
    • Quarantine
    • Unknown
  • URL clicks: These values are described in the next section.

Note


In all layers that contain more than 10 items, the top 10 items are shown, while the rest are bundled together in Others.

URL clicks

When a phishing message is delivered to a recipient's Inbox or Junk Email folder, there's always a chance that the user will click on the payload URL. Not clicking on the URL is a small measure of success, but you need to determine why the phishing message was even delivered to the mailbox.

If a user clicked on the payload URL in the phishing message, the actions are displayed in the URL clicks area of the diagram in the campaign details view.

  • Allowed
  • BlockPage: The recipient clicked on the payload URL, but their access to the malicious website was blocked by a Safe Links policy in your organization.
  • BlockPageOverride: The recipient clicked on the payload URL in the message, Safe Links tried to stop them, but they were allowed to override the block. Inspect your Safe Links policies to see why users are allowed to override the Safe Links verdict and continue to the malicious website.
  • PendingDetonationPage: Safe Attachments in Microsoft Defender for Office 365 is in the process of opening and investigating the payload URL in a virtual computer environment.
  • PendingDetonationPageOverride: The recipient was allowed to override the payload detonation process and open the URL without waiting for the results.

Tabs

The tabs in the campaign details view allow you to further investigate the campaign.

Tip

The information that's displayed on the tabs is controlled by the date range filter in the timeline as described in the Campaign information section.

  • URL clicks: If users didn't click on the payload URL in the message, this section will be blank. If a user was able to click on the URL, the following values will be populated:

    • User*
    • URL*
    • Click time
    • Click verdict
  • Sender IPs

    • Sender IP*
    • Total count
    • Inboxed
    • Not Inboxed
    • SPF passed: The sender was authenticated by the Sender Policy Framework (SPF). A sender that doesn't pass SPF validation indicates an unauthenticated sender, or the message is spoofing a legitimate sender.
  • Senders

    • Sender: This is the actual sender address in the SMTP MAIL FROM command, which is not necessarily the From: email address that users see in their email clients.
    • Total count
    • Inboxed
    • Not Inboxed
    • DKIM passed: The sender was authenticated by Domain Keys Identified Mail (DKIM). A sender that doesn't pass DKIM validation indicates an unauthenticated sender, or the message is spoofing a legitimate sender.
    • DMARC passed: The sender was authenticated by Domain-based Message Authentication, Reporting, and Conformance (DMARC). A sender that doesn't pass DMARC validation indicates an unauthenticated sender, or the message is spoofing a legitimate sender.
  • Attachments

    • Filename
    • SHA256
    • Malware family
    • Total count
  • URL

    • URL*
    • Total Count

* Clicking on this value opens a new flyout that contains more details about the specified item (user, URL, etc.) on top of the campaign details view. To return to the campaign details view, click Done in the new flyout.

Buttons

The buttons at the bottom of the campaign details view allow you to investigate and record details about the campaign:

  • Explore messages: Use the power of Threat Explorer to further investigate the campaign:

    • All messages: Opens a new Threat Explorer search tab using the Campaign ID value as the search filter.
    • Inboxed messages: Opens a new Threat Explorer search tab using the Campaign ID and Delivery location: Inbox as the search filter.
    • Internal messages: Opens a new Threat Explorer search tab using the Campaign ID and Directionality: Intra-org as the search filter.
  • Download threat report: Download the campaign details to a Word document (by default, named CampaignReport.docx). Note that the download contains details over the entire lifetime of the campaign (not just the filter dates you selected).


Article information

Author: Madonna Wisozk

Last Updated: 11/05/2022
