Email threats continue to evolve, leveraging both technology gaps and human behavior. The resulting attack chain requires security teams to be vigilant and quick to investigate when suspicious emails slip through the cracks. This article explores how to efficiently and precisely investigate suspicious emails using the Incidents tab in Microsoft Defender for Office 365 (MDO).
Investigating suspicious email origins starts with reviewing the email and its attachments. Often, the first clue that an email is malicious is the lack of familiarity with the sender or recipient. If the message does not relate to previous correspondence or contact, it should be flagged as suspicious. Other red flags include urgent demands, such as those asking to update credit card information or to verify accounts within a short timeframe. Also, look out for emails containing poor grammar and spelling, and for mismatched URLs (link text that does not match the actual destination).
How to Investigate Suspicious Email Origins with OSINT Tools
If you do not recognize the sender or the domain name, cross-reference these details with threat intelligence feeds to see if they match any known threats. Then, check your SIEM for internal logs to see if there is any unusual activity that could support the email's claims. Next, investigate the attachments: do they have unfamiliar extensions like .zip, .exe, or .scr, which are typically used to deliver malware? If so, recipients should flag these files to be virus-scanned before opening. Lastly, look at the email's content for signs of phishing. For example, alarming or threatening language designed to provoke fear or panic, luring victims into taking immediate action without due diligence, is a strong indicator.
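The triage steps above, as an added Python example that is not part of the original article and is not code from Microsoft Defender for Office 365: it parses a constructed sample message with the standard library and applies the same checks an analyst would run by hand (sender domain not in a known list, attachment extensions such as .zip/.exe/.scr, urgency wording, and link text whose host differs from the real href). The known-domain set, the extensions beyond the three the article names, and the urgency terms are assumptions; the sample addresses use the reserved .test TLD and example.org so nothing resolves to a real organization.

```python
"""Phishing triage checks over a constructed sample email (added example)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; not a real campaign. Domains are placeholders.
RAW_EMAIL = b"""From: "Accounts Team" <billing@example-billing.test>
To: alice@example.org
Subject: URGENT: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Verify immediately:
<a href="http://login-example.test/verify">https://portal.example.org/login</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# .zip/.exe/.scr come from the article; the rest are assumed additions.
RISKY_EXTENSIONS = {".zip", ".exe", ".scr", ".js", ".vbs", ".iso", ".lnk"}
# Assumed urgency phrases; tune to your own mail corpus.
URGENCY_TERMS = {"urgent", "immediately", "within 24 hours", "suspended", "verify your account"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so link text can be compared to its real target."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From address, lowercased (empty string if absent)."""
    addr = parseaddr(str(msg["From"] or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def risky_attachments(msg: EmailMessage) -> list:
    """Attachment filenames whose final extension is in RISKY_EXTENSIONS."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # Only the last extension matters: "invoice.pdf.exe" is still an .exe.
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            found.append(name)
    return found


def mismatched_links(msg: EmailMessage) -> list:
    """(visible text, href) pairs where the displayed host differs from the real host."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkCollector()
    parser.feed(body.get_content())
    out = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown_host and href_host and shown_host != href_host:
            out.append((text, href))
    return out


def urgency_hits(msg: EmailMessage) -> list:
    """Urgency phrases found in the subject or body, sorted for stable output."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    return sorted(term for term in URGENCY_TERMS if term in text)


def triage(raw: bytes, known_domains: set) -> dict:
    """Run all checks and count how many independent indicators fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = sender_domain(msg)
    findings = {
        "sender_domain": domain,
        "unknown_sender": domain not in known_domains,
        "risky_attachments": risky_attachments(msg),
        "mismatched_links": mismatched_links(msg),
        "urgency_terms": urgency_hits(msg),
    }
    findings["indicator_count"] = sum(
        bool(findings[k]) for k in ("unknown_sender", "risky_attachments", "mismatched_links", "urgency_terms")
    )
    return findings


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL, {"example.org"}).items():
        print(f"{key}: {value}")
```

The indicator count is deliberately a plain tally rather than a verdict: in practice each hit is a pivot point (sender domain into threat-intel feeds, attachment hash into a sandbox or AV scan, the real href host into proxy and SIEM logs) rather than a reason to auto-block on its own.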