Microsoft 365 Threat Intelligence

Cyber security breaches are a huge expenditure in today’s internet-based world; therefore, it’s incumbent upon organizations to invest in prevention rather than just recovery from a security breach.

Since Microsoft 365 hosts one of the largest networks in the world and manages content created on millions of devices, Microsoft has been able to build a vast repository of threat intelligence data and the systems needed to spot patterns that correspond to attack behaviors and suspicious activity. Microsoft 365 Threat Intelligence, available with Microsoft 365 Enterprise E5 and as a separate add-on purchase, is a collection of these insights, which can help you proactively find and eliminate threats.

The Microsoft Intelligent Security Graph (aka Microsoft Graph) powers threat intelligence in Microsoft 365. It consumes billions of signals (information traffic) across the Microsoft 365 network from sources such as user activity, authentication, email, compromised PCs, and security incidents; applies artificial intelligence and machine learning capabilities to them; and integrates this data across different security products to address different attack scenarios.

Every second, hundreds of GBs worth of telemetry are added to the Graph. This anonymized data comes from over a hundred Microsoft data centers across the globe and from threats faced by over 1 billion PCs that are updated by Windows Update each month. It is aggregated with external data points that are collected through extensive research and partnership with industry and law enforcement through Microsoft’s Digital Crime Unit and Cybersecurity Defense Operations Center.

The signals that are obtained from the Intelligent Security Graph, plus additional third-party feeds, are fed into Microsoft’s three major platforms: Windows, Azure, and Microsoft 365. Microsoft then integrates these signals so that security services which sit in one platform can communicate with security services which sit in one of the other platforms. Therefore, any threat seen in Windows is automatically and quickly added to the set of threats that Microsoft 365 views, which provides deep insight into the evolving cyber threat landscape.

Office 365 Advanced Threat Protection includes best-of-class threat intelligence tools that enable your organization's security team to anticipate, understand, and prevent malicious attacks. Some of these tools are:

  • Threat trackers provide the latest intelligence on prevailing cybersecurity issues. For example, they allow you to view information about the latest malware, and take countermeasures before it becomes an actual threat to your organization. Threat Trackers are basically informative widgets and views that provide you with intelligence on different cybersecurity issues that might impact your company.

    There are a number of available trackers, including:
    • Noteworthy trackers - showing big and smaller threats and risks that Microsoft thinks you should know about.
    • Trending trackers - listing new threats that haven't been seen in your organization's email in the past week.
    • Tracked queries - allowing you to leverage your saved queries. Tracked queries run automatically, giving you up-to-date information without you having to remember to re-run your queries.
    • Saved queries - to store the common Explorer searches that you want to get back to quicker and repeatedly.
  • Explorer (aka Threat Explorer) is a real-time report that allows you to identify and analyze recent threats.

    Threat Explorer provides a color-coded chart that represents attacks that are targeted at your organization. This pane has a tabbed view of top malware families, an email list, and a map of email origins. It also displays the top targeted users in your organization.

    Threat Explorer enables security analysts and admins to drill down and understand details related to threats targeting their tenant. It also allows you to dig deep and view reports and recommendations written by cyber hunters who partner with Microsoft to help you make informed decisions.
  • Attack Simulator allows you to run realistic attack scenarios in your organization to identify vulnerabilities. Several simulations of current types of attacks are available, including:
    • display name spear-phishing attack
    • password-spray attack
    • brute-force password attack, and more.

Threat Intelligence and protection in Microsoft 365 doesn’t stop here. If you are part of your organization's security team, you can integrate Office 365 with Windows Defender Advanced Threat Protection (ATP). If your organization is using a security incident and event management (SIEM) server, you can also integrate Office 365 Threat Intelligence and Advanced Threat Protection with your SIEM server.

The threat landscape across the globe has changed dramatically over the past several years, with hackers using more sophisticated methods to compromise users and networks alike. At the same time, more and more organizations are enjoying the benefits of cloud computing. But as companies move to the cloud, they are understandably concerned about how Microsoft 365 will protect their users and data from being compromised by cybercriminals.

The question really becomes - how do companies operate in this world but still adhere to security and business requirements to keep their information protected?

Microsoft is notably invested in addressing these challenges and in helping organizations be more secure by helping them to protect against, detect, and respond to a variety of threat vectors. Gartner estimates that in 2017 alone over $90B was spent on cybersecurity. Sid Deshpande, principal research analyst at Gartner, is quoted as saying that “the industry's shift to detection and response … sends a clear message that prevention is futile unless it is tied into a detection and response capability.” Threat Intelligence is (or should be) a critical part of every enterprise's portfolio of services.

Threat intelligence and protection tools in Microsoft 365 are frequently added and updated to include more capabilities and features. For instance, you can also check out one of the latest new features announced in Feb 2019, Microsoft Threat Experts. Integrated with Windows Defender Advanced Threat Protection, Threat Experts provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers to identify and respond to threats quickly and accurately. You can read more about that here:

These short descriptions of Microsoft’s ever-growing cloud-focused security features may be enough to draw your attention to the importance of cyber-security and may even help you begin making your plans for future deployments to Microsoft 365. However, if you are looking for more detailed information about these security features and many more, or if you could benefit from some hands-on experience using these tools and more, check out the following courses on our upcoming schedule for Microsoft Official Courses on Microsoft 365 Security and Cybersecurity by visiting

MS-500: Microsoft 365 Security Administrator Track

NIST Cybersecurity Framework Training - Bootcamp

NIST Cybersecurity Framework Training - Foundation

We’d love to have you attend in person or virtually using our Virtual Training platform to help you save travel costs. And in case you didn’t know, however you choose to attend these courses, you will also receive a FREE Microsoft Certification exam voucher to get you moving down the road to certification!

If you have any questions or would like more information regarding courses scheduled at LRS Education Services, please call 877 832.0688 ext. 1493 or email us at 


LRS Education Services