The Microsoft Defender for Office 365 Overview dashboard in the Microsoft Defender portal shows the effectiveness of Defender for Office 365. You open the dashboard in the Defender portal at Email & collaboration > Overview, or directly at https://security.microsoft.com/emailandcollaborationoverviewreport.
The information on the Overview page is organized into the following areas: Defender for Office 365 summary, Optimize, Risky allows, and Insights.
For the permissions required to view the dashboard and reports, see What permissions are needed to view these reports?.
By default, the data on the page is shown for the last 30 days.
Defender for Office 365 summary
The information in the Defender for Office 365 summary at the top of the page is described in the following subsections.
Phish / Malware Efficacy card
The graph on the Phish / Malware Efficacy card visually represents the protection given by Defender for Office 365 against phishing and malware in email messages:
- Pre-delivery: Items detected before they reach the recipient's mailbox.
- Post-delivery: Items removed after the item was delivered to the recipient's mailbox via zero-hour auto purge (ZAP).
- Uncaught: Delivered items that ZAP identified but failed to remove. For example:
  - Admin deletions or remediations.
  - ZAP being disabled for the specific mailboxes.
  - Admin submissions to Microsoft identifying the message as malware or phishing.
  - User deletions.
  - Non-Microsoft security provider deletions.
The percentage value is the number of messages in each category divided by the total number of malicious malware and phishing email during the review period selected.
Hover over a category in the chart to see the number of messages in each category for the review period. Hover over the percentage to see the total number of messages.
Tip
- It's important to submit false positives and false negatives to Microsoft so we can tune our filters and correctly calculate the efficacy values:
  - False negatives undetected by Microsoft aren't included in the efficacy calculations. Submitting undetected entities enables us to include those counts in the Uncaught calculations.
  - False positives detected by Microsoft are removed from the efficacy calculations.
Based on customer feedback, we determined the Pre-delivery, Post-delivery, and Uncaught components most accurately reflect an organization's protection state. To create a different efficacy report, see Build custom email security reports and dashboards with workbooks in Microsoft Sentinel or the advanced hunting query in the Appendix section.
Threat detections card
The graph on the Threat detections card shows the number of messages detected by the following technologies during the review period selected.
- Malware: The breakdown of detection technologies is available in the Threat protection status report under View data by Email > Malware and Chart breakdown by Detection Technology.
- Phish: The breakdown of detection technologies is available in the Threat protection status report under View data by Email > Phish and Chart breakdown by Detection Technology.
- Spam: The breakdown of detection technologies is available in the Threat protection status report under View data by Email > Spam and Chart breakdown by Detection Technology.
- Impersonation: Email detected as one of the following threats:
  - Impersonation brand
  - Impersonation user
  - Impersonation domain
  - Mailbox intelligence impersonation

  The breakdown of detections is available in the Threat protection status report under View data by Email > Phish and Chart breakdown by Detection Technology.
- Detonation: Messages detected by opening files and URLs in a virtual environment (detonation) by Safe Links and Safe Attachments in Defender for Office 365. The breakdown of detection technologies is available in the Threat protection status report under:
- Zap: Harmful email messages detected and removed after delivery by zero-hour auto purge (ZAP). More information is available in the Post-delivery activities report.
- Non-Microsoft Solutions: Detections by non-Microsoft solutions.
Hover over a category in the chart to see the number of messages in each category for the review period.
Optimize section
The information in the Optimize section is described in the following subsections.
Priority accounts card
The graph on the Priority accounts card shows how many message senders you designated as priority accounts to receive tailored protection. For more information about priority accounts, see Manage and monitor priority accounts.
To designate more accounts, select Add employees to go to the Priority accounts page in the Microsoft 365 admin center at https://admin.cloud.microsoft/?#/priorityaccounts.
Hover over a category in the chart to see the number of Onboarded priority accounts and Open slots. The maximum number of priority accounts is 250.
Posture recommendations card
The graph on the Policy recommendations card shows the number of users directly protected by Safe Links and Safe Attachments policies as a percentage of the total number of users (the value 100% means everyone is protected). The numbers are taken from whether the following recommended actions in Microsoft Secure Score have the Status value Completed:
- Safe Links: Create Safe Links policies for email messages
- Safe Attachments: Ensure Safe Attachments policy is enabled
Hover over a category in the chart to see the number of Impacted users (the total number of users in the organization) and Protected users (users protected by Safe Links or Safe Attachment policies as defined by the recommended actions in Microsoft Secure Score).
Notes:
- The Built-in protection preset security policy gives a basic level of Safe Links and Safe Attachments protection to all users by default (and you can exclude recipients).
- Users get a higher level of Safe Links and Safe Attachments protection from either of the following settings:
  - Turn on the Standard or Strict preset security policies, and make sure the users are included in Defender for Office 365 protection.
  - Create custom Safe Links policies or Safe Attachment policies with the users as members.
Risky allows section
The information in the Risky allows section is described in the following subsections.
Messages allowed card
The Messages allowed card shows the count of messages allowed by user or organization allow entries that bypass protection:
- The total number of messages allowed.
- Phish messages allowed.
- Spam messages allowed.
- Good messages allowed.
Tenant allow types card
The Tenant allow types card shows a table with the types of allow entries in the Tenant Allow/Block List that let bad mail get delivered to user mailboxes:
- Allow type column:
- Messages allowed column: The number of messages allowed for the review period selected.
Exchange transport rules card
The Exchange transport rules card shows the mail flow rules (also known as transport rules) that allowed messages that would otherwise be blocked:
- Rule ID
- Messages allowed: The number of messages allowed during the review period selected.
Select Review rules to go to the Rules page in the Exchange admin center (EAC) at https://admin.cloud.microsoft/exchange#/transportrules.
Insights section
The information in the Insights section is described in the following subsections.
Top trending attacks card
The graph on the Top trending attacks card shows the most encountered phishing attack types by volume for the review period selected.
Threat classification in Defender for Office 365 uses advanced technologies such as large language models (LLMs), small language models (SLMs), and machine learning (ML) models to automatically detect and classify email-based threats.
The breakdown of phishing attack types is also available in the Threat protection status report under View data by Email > Phish and Chart breakdown by Threat classification.
Emerging threats card
The Emerging threats card shows any notable campaigns observed by Microsoft security researchers.
Microsoft 365 Secure Email Gateway performance card
The graph on the Microsoft 365 Secure Email Gateway performance card compares the effectiveness of Defender for Office 365 against other secure email gateways. To ensure fairness, the number of missed phish and malware messages is normalized per 1,000 active users.
Appendix: Advanced hunting efficacy query in Defender for Office 365 Plan 2
Organizations with Defender for Office 365 Plan 2 can use the following query in advanced hunting to generate the same data on the Phish / Malware Efficacy card.
Note
The numbers might differ slightly due to the different refresh and expiry rates for advanced hunting vs. reporting data.
```kusto
// Review period: the dashboard's default of the last 30 days.
let _startTime = ago(30d);
let _endTime = now();
// Pre-delivery: inbound phish/malware that was detected before reaching the mailbox,
// excluding messages that were blocked and then dropped or failed.
let PreDelivery = toscalar(
    EmailEvents
    | where Timestamp between (_startTime .. _endTime)
        and EmailDirection == "Inbound"
        and (ThreatTypes contains "Phish" or ThreatTypes contains "Malware")
    | where not(DeliveryAction == "Blocked" and DeliveryLocation in ("Dropped","Failed"))
    | extend MDO_detection = parse_json(DetectionMethods)
    | extend FirstDetection = iif(isempty(MDO_detection), "Clean", tostring(bag_keys(MDO_detection)[0]))
    | extend FirstSubcategory = iif(FirstDetection != "Clean" and array_length(MDO_detection[FirstDetection]) > 0, strcat(FirstDetection, ": ", tostring(MDO_detection[FirstDetection][0])), "No Detection (clean)")
    | summarize PreDelivery = count()
);
// Post-delivery: phish/malware ZAP actions that removed the message.
let PostDelivery = toscalar(
    EmailPostDeliveryEvents
    | where Timestamp between (_startTime .. _endTime)
        and ActionType in ("Malware ZAP","Phish ZAP")
        and ActionResult in ("Success","UserTriaged")
    | summarize PostDelivery = count()
);
// Uncaught: phish/malware ZAP actions that did not remove the message.
let Uncaught = toscalar(
    EmailPostDeliveryEvents
    | where Timestamp between (_startTime .. _endTime)
        and ActionType in ("Malware ZAP","Phish ZAP")
        and ActionResult !in ("Success", "UserTriaged")
    | summarize Uncaught = count()
);
let PreDeliveryReal = toreal(PreDelivery);
let PostDeliveryReal = toreal(PostDelivery);
let UncaughtReal = toreal(Uncaught);
// Efficacy = caught (pre + post) / all malicious (pre + post + uncaught), guarded against division by zero.
let Effectiveness = round(
    iif(
        (PreDeliveryReal + PostDeliveryReal + UncaughtReal) == 0,
        0.0,
        ((PreDeliveryReal + PostDeliveryReal) / (PreDeliveryReal + PostDeliveryReal + UncaughtReal)) * 100.0
    ), 2
);
union
    (print StatisticName = "Pre-Delivery Catch", Value = PreDeliveryReal),
    (print StatisticName = "Post-Delivery Catch", Value = PostDeliveryReal),
    (print StatisticName = "Failed ZAP / Miss or Uncaught", Value = UncaughtReal),
    (print StatisticName = "Phish / Malware Efficacy", Value = Effectiveness)
| project StatisticName, Value
```
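The following Python is an added example, not code from this page or from Microsoft: it reproduces the Pre-delivery / Post-delivery / Uncaught classification and the efficacy ratio of the card and of the advanced hunting query above over constructed rows shaped like EmailEvents and EmailPostDeliveryEvents, so the arithmetic can be checked offline. The row samples and the function names (is_pre_delivery, zap_outcome, efficacy) are this example's own.

```python
# Constructed sample rows shaped like the advanced hunting tables the query reads
# (EmailEvents and EmailPostDeliveryEvents). Not real tenant data.
EMAIL_EVENTS = [
    {"EmailDirection": "Inbound", "ThreatTypes": "Phish", "DeliveryAction": "Blocked", "DeliveryLocation": "Quarantine"},
    {"EmailDirection": "Inbound", "ThreatTypes": "Malware", "DeliveryAction": "Blocked", "DeliveryLocation": "Dropped"},   # excluded: blocked and dropped
    {"EmailDirection": "Inbound", "ThreatTypes": "Phish, Spam", "DeliveryAction": "Delivered", "DeliveryLocation": "Junk folder"},
    {"EmailDirection": "Outbound", "ThreatTypes": "Phish", "DeliveryAction": "Blocked", "DeliveryLocation": "Quarantine"},  # excluded: not inbound
    {"EmailDirection": "Inbound", "ThreatTypes": "Spam", "DeliveryAction": "Delivered", "DeliveryLocation": "Junk folder"},   # excluded: not phish/malware
]
POST_DELIVERY_EVENTS = [
    {"ActionType": "Phish ZAP", "ActionResult": "Success"},       # post-delivery catch
    {"ActionType": "Malware ZAP", "ActionResult": "UserTriaged"}, # post-delivery catch
    {"ActionType": "Phish ZAP", "ActionResult": "Failed"},        # uncaught: ZAP identified it but did not remove it
    {"ActionType": "Spam ZAP", "ActionResult": "Failed"},         # excluded: not a phish/malware ZAP
]


def is_pre_delivery(row):
    """Mirror the query's EmailEvents filter: inbound phish/malware, not blocked-and-dropped/failed.
    KQL 'contains' is case-insensitive; lower() keeps the same behaviour here."""
    threats = row["ThreatTypes"].lower()
    return (row["EmailDirection"] == "Inbound"
            and ("phish" in threats or "malware" in threats)
            and not (row["DeliveryAction"] == "Blocked"
                     and row["DeliveryLocation"] in ("Dropped", "Failed")))


def zap_outcome(row):
    """Return 'post' (ZAP removed the message), 'uncaught' (ZAP failed), or None (not a phish/malware ZAP)."""
    if row["ActionType"] not in ("Malware ZAP", "Phish ZAP"):
        return None
    return "post" if row["ActionResult"] in ("Success", "UserTriaged") else "uncaught"


def efficacy(email_events, post_delivery_events):
    """Compute the four statistics the query emits, with the same zero-denominator guard."""
    pre = sum(1 for r in email_events if is_pre_delivery(r))
    outcomes = [zap_outcome(r) for r in post_delivery_events]
    post = outcomes.count("post")
    uncaught = outcomes.count("uncaught")
    total = pre + post + uncaught
    value = 0.0 if total == 0 else round((pre + post) / total * 100.0, 2)
    return {
        "Pre-Delivery Catch": pre,
        "Post-Delivery Catch": post,
        "Failed ZAP / Miss or Uncaught": uncaught,
        "Phish / Malware Efficacy": value,
    }
```

With the constructed rows this yields 2 pre-delivery, 2 post-delivery and 1 uncaught message, so the efficacy is 4 / 5, or 80.0.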