Microsoft Defender XDR Workflows: Automate Response Across Email and Identity | BitLyft AIR®

Modern attacks rarely stay in one domain. A phishing email leads to credential compromise, which enables lateral movement across identity and endpoints. Microsoft Defender XDR provides the foundation for cross-domain detection, but realizing its full potential requires building automated workflows that coordinate response actions across email and identity simultaneously.

This article provides practical guidance on building XDR workflows that connect email threats to identity response, reduce manual handoffs between security teams, and ensure consistent remediation regardless of where an attack originates.

Understanding XDR Cross-Domain Response

Microsoft Defender XDR unifies signals from Defender for Office 365 (email), Defender for Identity, Defender for Endpoint, and Entra ID Protection. This unified view enables detection of attack chains that span multiple domains—but detection alone is not enough.

Email Domain

Phishing detection and quarantine
Malware attachment blocking
URL detonation and rewrite
ZAP (Zero-hour Auto Purge)

Identity Domain

Sign-in risk evaluation
Session token revocation
MFA enforcement
Account suspension

The Cross-Domain Attack Pattern

Understanding how attacks traverse domains is essential for designing effective workflows. The most common pattern follows this sequence:

Typical Email-to-Identity Attack Chain

Initial Access (Email)

Phishing email delivers credential harvesting link or malicious attachment

Credential Compromise (Identity)

User submits credentials to attacker-controlled site or token is stolen

Account Takeover (Identity)

Attacker authenticates using stolen credentials, potentially from new location

Persistence (Email + Identity)

Mailbox rules created, OAuth apps consented, forwarding enabled

Lateral Movement (Email)

Internal phishing sent to other users leveraging trusted sender reputation

Workflow Architecture: Email-Triggered Identity Response

The most valuable automation pattern triggers identity actions based on email detections. When a user clicks a phishing link or interacts with malicious content, the response should not be limited to email quarantine.

Workflow 1: Phishing Click Response

When a user clicks a malicious URL detected by Safe Links, trigger immediate identity protection.

TRIGGER: Safe Links click on malicious URL
  
CONDITIONS:
  - URL verdict: Malicious OR Phishing
  - User clicked through warning (if shown)
  - Time since delivery < 48 hours
  
ACTIONS (Sequential):
  1. Revoke all active sessions (Graph API)
  2. Require MFA re-authentication
  3. Block sign-in from non-compliant devices (24h)
  4. Quarantine original email + all copies
  5. Scan mailbox for related emails (same sender/campaign)
  6. Create incident linking email + identity events
  
NOTIFICATION:
  - Alert SOC with combined email + identity context
  - Notify user of required re-authentication

Workflow 2: Credential Theft Detection Response

When identity signals indicate credential compromise, extend response to email domain.

TRIGGER: Entra ID Protection - High risk sign-in
  
CONDITIONS:
  - Risk level: High
  - Risk type: Leaked credentials OR Anomalous token OR Impossible travel
  - User is not excluded from automation
  
ACTIONS (Sequential):
  1. Revoke all refresh tokens
  2. Force password reset
  3. Audit mailbox for suspicious rules
     - External forwarding rules
     - Rules moving emails to hidden folders
     - Delegate access changes
  4. Remove any suspicious inbox rules
  5. Revoke OAuth app consents (last 7 days)
  6. Scan sent items for internal phishing
  7. If internal phishing found → expand to recipients
  
NOTIFICATION:
  - Create unified incident
  - Alert SOC with full attack timeline
  - Notify manager if VIP user

Workflow 3: BEC Attack Response

Business Email Compromise requires coordinated response across both domains to prevent financial loss.

TRIGGER: BEC detection (Defender for Office 365)
  
CONDITIONS:
  - Attack type: Impersonation OR Payment fraud
  - Confidence: Medium or higher
  - Recipient interacted with email
  
ACTIONS (Parallel where possible):
  Email Actions:
    1. Quarantine email
    2. Block sender domain (if external)
    3. Search for related campaign emails
    4. Notify recipients of other campaign emails
    
  Identity Actions:
    1. If sender is internal → immediate account suspension
    2. Revoke sender sessions
    3. Audit sender mailbox for compromise indicators
    4. Check for unusual sign-in patterns (last 30 days)
    
  Investigation Actions:
    1. Create incident with BEC tag
    2. Collect evidence package (email headers, sign-in logs)
    3. Alert finance team if payment keywords detected
  
ESCALATION:
  - If amount > $10,000 mentioned → immediate SOC call
  - If C-level impersonated → executive notification

Automation Levels by Scenario

Not all cross-domain actions should be fully automated. Use this matrix to determine appropriate automation levels based on action impact and detection confidence.

Scenario	Email Action	Identity Action	Automation Level
Phishing click (high confidence)	Quarantine	Session revoke + MFA	Full Auto
Phishing click (medium confidence)	Soft quarantine	MFA challenge	Full Auto
Leaked credentials detected	Audit mailbox rules	Password reset	Auto + Notify
BEC - standard user	Quarantine + block	Session revoke	Full Auto
BEC - VIP/executive target	Quarantine	Session revoke	Approval Required
Impossible travel sign-in	None initial	MFA + risk flag	Full Auto
Account takeover confirmed	Full mailbox audit	Account suspension	Auto + Notify
Internal phishing from compromised account	Recall + quarantine	Account suspension	Full Auto

Implementation: Graph API Integration Points

Building cross-domain workflows requires integration with multiple Graph API endpoints. Here are the key API calls for each action category.

Email Actions

POST/security/alerts - Create alert
POST/security/triggers/emailQuarantine
GET/users/{id}/mailFolders/inbox/messageRules
DELETE/users/{id}/mailFolders/.../messageRules/{ruleId}
GET/users/{id}/messages?$filter=...

Identity Actions

POST/users/{id}/revokeSignInSessions
PATCH/users/{id} - Update accountEnabled
POST/users/{id}/authentication/methods/.../resetPassword
GET/users/{id}/oauth2PermissionGrants
DELETE/oauth2PermissionGrants/{id}

Unified Incident Creation

Cross-domain attacks should generate unified incidents that correlate events from both domains. This enables analysts to see the full attack chain in a single view.

Incident Correlation Strategy

User-based correlation: Link all events affecting the same user within a 24-hour window

Campaign correlation: Link events matching the same phishing campaign indicators (sender, URL patterns, attachment hashes)

IP-based correlation: Link sign-in events from IPs associated with known malicious infrastructure

Timeline correlation: Events within 30 minutes of a confirmed malicious action on the same user

Guardrails and Safety Mechanisms

Cross-domain automation amplifies both impact and risk. Implement these guardrails to prevent automation from causing business disruption.

VIP Protection

Require approval for C-level accounts
Notify executive assistant for any action
Extended grace period before suspension
Manager notification for all automated actions

Service Account Handling

Never auto-suspend service accounts
Alert only for service account anomalies
Require app owner approval for actions
Maintain service account inventory

Rate Limiting

Max 10 identity actions per minute
Max 50 email quarantines per hour
Pause automation if thresholds exceeded
Alert SOC on rate limit triggers

Rollback Capability

Log all automated actions for audit
Maintain pre-action state snapshots
One-click rollback for sessions/rules
24-hour undo window for most actions

Metrics and Monitoring

Track these metrics to measure workflow effectiveness and identify areas for tuning.

Metric	Target	Alert Threshold
Cross-domain response time	< 60 seconds	> 5 minutes
Email-to-identity correlation rate	> 85%	< 70%
False positive rate (identity actions)	< 2%	> 5%
Workflow completion rate	> 98%	< 95%
Rollback request rate	< 1%	> 3%
Mean time to unified incident	< 2 minutes	> 10 minutes

Common Mistakes to Avoid

Treating domains independently:Always check if email events have identity implications and vice versa

Over-automating high-impact actions:Account suspension should require approval except for confirmed compromise

Ignoring OAuth app consents:Always audit and revoke suspicious app consents during ATO response

Missing mailbox rule cleanup:Credential reset without mailbox audit leaves attacker persistence

No VIP differentiation:Executive accounts need approval workflows to prevent business disruption

Single-domain incident creation:Cross-domain attacks need unified incidents for complete visibility

Key Takeaways

Cross-domain attacks require cross-domain response — email and identity actions must be coordinated
Trigger identity actions from email detections and vice versa to close response gaps
Use automation levels based on action impact and detection confidence
Implement guardrails for VIPs, service accounts, and rate limiting
Create unified incidents that correlate events across domains for complete visibility
Always audit mailbox rules and OAuth consents during credential compromise response

Automate Cross-Domain Response with BitLyft AIR®

BitLyft AIR® provides pre-built XDR workflows that coordinate response across Microsoft 365 email and identity domains — no scripting required.

Request a Demo Learn About Incident Response