Investigating Microsoft 365 Email Threats with Radiant Security

What is Microsoft 365?

Microsoft 365, formerly Microsoft Office 365 and often referred to as Office 365 or simply O365, is a comprehensive suite of cloud-based productivity and collaboration tools and services developed by Microsoft. Microsoft 365 includes Outlook, Microsoft’s email solution and the world’s most popular email-management tool, with a staggering 40.42% market share.

What is Radiant Security?

Radiant Security has developed an AI-driven SOC Co-pilot, a virtual companion for the SOC. It empowers security operations center (SOC) analysts by harnessing AI’s capabilities to streamline and automate critical tasks, such as alert triage and incident investigation. The outcome is a substantial increase in SOC analyst efficiency, a substantial improvement in the identification of genuine threats through comprehensive incident analysis, and a significant reduction in response times.

Microsoft 365 & Radiant Security: Automating Email Threat Investigation

Phishing and BEC are two of the most prolific and widespread attack types [1][2], and as such they generate an incredible amount of work for the SOC. Within Microsoft 365, users are presented with a button they can use to escalate suspicious email messages to the SOC for review. After messages are escalated to the SOC, analysts must triage them to determine whether they represent true phishing or business email compromise attempts, then investigate all true positives to understand whether the attacks were successful and whether they impacted any users or systems.

The combination of Microsoft 365 and Radiant Security provides best-of-class email with automated, AI-powered triage and investigation. This approach means that SOCs, regardless of size or capacity, can examine every suspicious email to determine whether the email was malicious, what the impact of the attack was, if and where it spread, and how to clean it up.

Why Investigating Microsoft 365 Email Threats is Important

For the sake of clarity, it’s important to draw a distinction between triaging suspected email threats and investigating them. L1 analysts typically perform phishing and BEC triage, which culminates in a decision about the maliciousness of the message in question and a response to the user. Triage may also produce basic findings about malicious IoCs, such as senders and URLs to block. After triage has deemed a message malicious, an investigation must be performed to understand whether the attack was successful and what happened.

Investigating email threats, such as phishing and business email compromise (BEC), is absolutely critical in today’s cybersecurity landscape. Phishing emails, often the entry point for cyberattacks, can lead to a cascade of malicious actions, including credential theft and malware infection. Failing to conduct a thorough investigation could mean missing crucial indicators of compromise, allowing the threat to persist undetected. In essence, a thorough email threat investigation serves as the linchpin for effectively mitigating cyberattacks, preventing further damage, and safeguarding digital assets and sensitive information. It’s the proactive stance that ensures no stone is left unturned in the ever-evolving battle against cyber adversaries.

Why Investigating Microsoft 365 Email Threats is Difficult

Performing comprehensive investigations of any security alert, including escalated email threats, presents challenges in scaling due to limited time and expertise within most SOCs. Expertise is crucial, as analysts must possess a deep understanding of the threat landscape to conduct effective investigations. Moreover, as attacks grow in complexity, the likelihood of overlooking crucial details increases. Time is another constraint; thorough investigations demand more time, but most organizations grapple with insufficient SOC staffing and time constraints, making it impractical to thoroughly investigate every incident to its fullest extent.

How Radiant Automates The Investigation of Microsoft 365 Email Threats

Radiant uses an AI engine to automate the manual, time-consuming process of triaging and investigating Microsoft 365 email threats. To accomplish this, Radiant uses a proprietary AI engine that analyzes each escalated email and then dynamically selects and executes dozens to hundreds of tests to determine maliciousness. Upon deeming an alert to be a true-positive attack, Radiant uses the same AI engine to perform incident investigation and analysis. It automatically performs root cause analysis, uncovers the complete incident scope, and follows attacks even if they change attack vectors or cross security data silos. This means that by the time an analyst sees an escalated email, it’s decision-ready with a complete analysis of the incident, what caused it, and which security issues need to be resolved. Using this approach, SOCs have the capacity to deeply investigate every escalated email and can ensure that no part of an attack goes undetected.

A screenshot of Radiant Security's incident analysis for a Microsoft 365 email threat

Figure 1 – An AI-generated incident analysis summary for an email threat sent to a Microsoft 365 user. 

The Benefits of Using AI to Investigate Microsoft 365 Email Threats

In most organizations, triaging and investigating escalated emails represents a significant portion of the work to be done, to the point where it may even require dedicated staff. Using AI to assist with this drudgery can pay dividends for SOC productivity and efficacy. Some benefits of using AI to perform email threat investigation include:

Finding More Real Attacks

The detection problem most SOCs have today is not a lack of signals (i.e. security alerts) coming from their security tooling; it’s the ability to review and investigate all of those alerts. According to a recent report by Palo Alto Networks, the average company manages 75 security products, and part of that management is looking into the detection results that come out of those tools. By deeply scrutinizing every alert or escalated email, security teams are able to find and respond to more real attacks.

Increasing SOC Capacity

In a SOC, analysts dedicate considerable time to triaging and investigating security alerts, escalated emails, and incidents. Automating this workflow, so that alerts arrive decision-ready with incident-specific response plans, significantly enhances SOC analyst productivity. This automation not only enables the handling of every escalated email but also frees up time that would otherwise be spent on triage and investigation for more valuable projects.

Lowering the Skill Bar for Analysts

While L1 SOC analysts can triage basic email threats, they may lack the skills for thorough investigations. This may be problematic given that phishing often leads to complex threats like malware or credential compromise, which may cause additional security concerns. Typically, senior staff handle investigations, but their scarcity in the SOC means investigation resources are limited. Outsourcing email threat investigation to AI enables junior analysts to be more effective because, by the time an incident reaches them, it’s already decision-ready with root cause analysis, a comprehensive attack scope, and a one-click launchable response plan. This enables SOCs to get more out of their junior staff members.

Teaching Junior Team Members

Radiant provides a transparent solution that offers security analysts a clear view of the actions taken, the reasoning behind conclusions, and the recommended steps. This transparency serves as an educational resource for junior analysts, guiding them in understanding best practices for triaging, investigating, and responding to security incidents like phishing and BEC. It empowers less experienced team members to gain a deeper understanding of handling specific threats using your security tools.

A screenshot of Radiant Security displaying security issues that must be addressed.

Figure 2 – Radiant displaying the security issues related to an incident in an easy-to-absorb manner, to help team members understand what happened and what needs to be done.

Integrating Microsoft 365 and Radiant

Setting up Radiant Security to investigate Microsoft 365 email threats is accomplished via API integration and is simple enough that it can be completed in minutes. Radiant customers configure it to use an API to obtain user-reported emails from Microsoft 365; over the same integration it also brings in email data to be used in triage and investigation.

For the purpose of investigation, it’s also recommended to connect several other key data sources, including Active Directory and Azure AD IAM (or another non-Microsoft identity provider) and Microsoft Defender for Endpoint (or another endpoint detection and response (EDR) solution). This allows Radiant to follow attacks across these security data sources as part of investigations. Each of these integrations can be set up in minutes. The telemetry from Microsoft 365 and any other tools connected to Radiant is used for continuous learning (i.e. understanding how the environment normally operates) and for analysis during investigation. Radiant also connects directly back to the Microsoft 365 solutions over these same API connections for the purpose of taking corrective actions as part of response workflows.

A diagram showing the integration between Microsoft 365 and Radiant Security.

Figure 3 – a diagram showing an overview of the Microsoft 365 and Radiant Security Integration.

Conclusion

Combining Microsoft 365 with Radiant Security’s AI-driven SOC Co-pilot for investigating email threats transforms the landscape for modern SOCs. This automation streamlines the triage and investigation workflow, guaranteeing proactive responses and comprehensive detection of genuine attacks, and facilitating their effective mitigation.

Want to learn more about Radiant Security? Visit our website at https://radiantsecurity.ai

Want to see it in action? Visit our live product tour.