A browser extension for SOC analysts triaging Microsoft Defender for Office 365 email events. It reads the Email Details panel directly from the page, automatically expands collapsed URL and attachment sections, and produces a structured, defanged summary ready to paste into a ticket.
Works on security.microsoft.com only. No network calls, no telemetry; all parsing happens locally in the popup.
Click the toolbar icon while you have an email open in Defender, hit Extract from current Defender tab, and you get back something like:
Subject: Re: Invoice approval needed
Recipient: jane.doe[@]example[.]com
Sender display name: Acme Billing
Sender address: billing[@]acme-secure[.]net
Sender IP: 203[.]0[.]113[.]42
Time received: May 18, 2026 11:09 AM
Threat classification: Phish
Detection technologies: URL malicious reputation, Spoof DMARC
Original threats: Phish
Latest threats: Phish
Campaign ID: N/A
DMARC: fail
DKIM: pass
SPF: pass
Composite authentication: fail
Original location: Inbox
Latest location: Quarantine
Delivery action: Blocked
Additional action: ZAP
Primary override: N/A
Attachments: invoice.pdf - No threat
URLs: hxxps://acme-secure[.]net/invoice/9281, hxxps://safelinks-redir[.]net/x
Threat URLs: [Phish] hxxps://acme-secure[.]net/invoice/9281
Highlights:
- URLs and attachments are captured in full. Defender hides them behind "View all" toggles, which the extension clicks before scraping. Defender's Safe Links wrappers are unwrapped to the original target.
- Attachments render as "filename - threat", one per line. Verdict cells like "-" / "None" normalise to "No threat"; real detections (e.g. "Antimalware engine / Trojan.Win32.X") come through verbatim.
- Threat URLs is a focused checklist of URLs marked as anything other than No threat, one per line with the verdict prefix. Renders as "None" when every URL is No threat.
- Everything is defanged on the way out (https -> hxxps, "." -> "[.]", "@" -> "[@]") for safe pasting into chat / tickets / emails.
Chrome or Edge:
- Download the latest release zip and unzip it somewhere stable (e.g. C:\Tools\defender-extractor). Avoid synced folders like OneDrive or Dropbox; sync conflicts can corrupt the extension.
- Open chrome://extensions (or edge://extensions).
- Toggle Developer mode on (top right).
- Click Load unpacked and pick the unzipped folder.
- Pin the extension to the toolbar.
The extension stores the absolute path on first load. If you move or rename the folder later, Chrome will mark the extension as missing and you'll need to Load unpacked again from the new location. To update, overwrite the files in place and click the reload arrow on the extension's card.
- Open the email in Microsoft Defender so the Email Details flyout or entity view is visible.
- Click the extension icon, then Extract from current Defender tab. The popup will:
- Locate the email-details panel
- Click any "View all" / "Show more" / "+N more" toggles
- Wait briefly for the lists to render
- Pull the text, parse it, and capture per-URL threat verdicts from the URL flyout
- Use Copy All (field/value text), Copy CSV, Copy JSON, or Download CSV.
If extraction can't find the panel (e.g. Defender redesigns the UI), paste the panel text into the textarea and click Parse pasted text. Most fields parse the same way; the Threat URLs field requires a live DOM and renders as N/A in paste-only sessions.
Fields extracted: Subject, Recipient, Sender display name, Sender address, Sender IP, Time received, Threat classification, Detection technologies, Original threats, Latest threats, Campaign ID, DMARC, DKIM, SPF, Composite authentication, Original location, Latest location, Delivery action, Additional action, Primary override, Attachments, URLs, Threat URLs.
Blanks become N/A. URLs and email addresses are defanged. Attachments render as filename - threat. Threat URLs is a filtered checklist of URLs marked anything other than No threat.
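The field pipeline described in the Highlights and in the paragraph above (blanks to N/A, verdict normalisation, defanging, the Threat URLs checklist), as an added example that is not the extension's own popup.js; the "Label: value" pasted-text layout, the "name | verdict" attachment layout and the {url, verdict} row shape are assumptions, and the sample input is constructed:

```javascript
// Added example, not the extension's own popup.js: the README's field pipeline
// (parse pasted text -> normalise verdicts -> defang -> Threat URLs checklist).
// The "Label: value" pasted layout and the {url, verdict} row shape are assumptions.
const FIELDS = ["Subject", "Recipient", "Sender address", "Sender IP", "Campaign ID",
  "DMARC", "Attachments", "URLs", "Threat URLs"];
const DEFANG = ["Recipient", "Sender address", "Sender IP", "URLs", "Threat URLs"];
// https -> hxxps, "." -> "[.]", "@" -> "[@]" so the summary is safe to paste.
const defang = (s) => s.replace(/http/gi, "hxxp").replace(/\./g, "[.]").replace(/@/g, "[@]");
// Blank, "-", "None" or "No threats found" cells all mean Defender found nothing.
const normaliseVerdict = (v) =>
  /^(-|none|no threats? found)?$/i.test((v || "").trim()) ? "No threat" : v.trim();
// "Label: value" lines; unknown labels are ignored and blanks become N/A.
function parsePanel(text) {
  const out = Object.fromEntries(FIELDS.map((f) => [f, "N/A"]));
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^([^:]+):\s*(.*)$/);
    if (m && FIELDS.includes(m[1].trim()) && m[2].trim()) out[m[1].trim()] = m[2].trim();
  }
  return out;
}
// "name | verdict; name | verdict" -> one "name - verdict" per line.
function formatAttachments(raw) {
  if (raw === "N/A") return raw;
  return raw.split(";").map((a) => {
    const [name, verdict = ""] = a.split("|").map((x) => x.trim());
    return `${name} - ${normaliseVerdict(verdict)}`;
  }).join("\n");
}
// Checklist of URLs with any verdict other than No threat; "None" when all are clean.
function threatUrls(rows) {
  const hits = rows.filter((r) => normaliseVerdict(r.verdict) !== "No threat")
    .map((r) => `[${r.verdict}] ${r.url}`);
  return hits.length ? hits.join("\n") : "None";
}
// rows = per-URL verdicts captured from the live URL flyout; null in paste-only mode,
// where Threat URLs cannot be determined and renders as N/A.
function buildSummary(text, rows = null) {
  const f = parsePanel(text);
  f.Attachments = formatAttachments(f.Attachments);
  if (rows) f.URLs = rows.map((r) => r.url).join(", ");
  f["Threat URLs"] = rows ? threatUrls(rows) : "N/A";
  for (const k of DEFANG) f[k] = defang(f[k]);
  return f;
}
// Constructed sample input (not real customer data).
const SAMPLE_TEXT = ["Subject: Re: Invoice approval needed", "Recipient: jane.doe@example.com",
  "Sender address: billing@acme-secure.net", "Sender IP: 203.0.113.42", "Campaign ID:",
  "DMARC: fail", "Attachments: invoice.pdf | -; macro.docm | Antimalware engine / Trojan.Win32.X"].join("\n");
const SAMPLE_ROWS = [{ url: "https://acme-secure.net/invoice/9281", verdict: "Phish" },
  { url: "https://safelinks-redir.net/x", verdict: "No threat" }];
```

Calling buildSummary(SAMPLE_TEXT, SAMPLE_ROWS) yields the defanged Recipient, Sender IP, URLs and Threat URLs values shown in the sample output above; calling it without rows leaves Threat URLs as N/A.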
"No threats found" on a specific URL or attachment is Defender's verdict on that entity after Safe Links / Safe Attachments analysis (reputation lookup, sandbox detonation). It's not a user click indicator, and it's not the verdict on the email overall. If every URL/attachment shows "No threat" but the email was actioned, the reason lives in:
- Detection technologies (the specific signal, e.g. URL malicious reputation, Domain impersonation, Spoof DMARC, ML/LLM analysis)
- Threat classification (Phish, High confidence phish, Spam, Malware, Bulk)
- Additional action (e.g. User reported, ZAP)
All three are captured by this extractor.
The URL list flyout in Defender carries the per-URL threat verdict but not the click count. Click counts live in each URL's drill-down detail panel under URL prevalence > Clicks. The Threat URLs field gives you a checklist; for any URL on that list, drill into it in Defender to read the click count and decide whether follow-on user actions need investigation.
Permissions:
- activeTab + scripting: inject the content script into the current Defender tab when you click Extract.
- clipboardWrite: for the Copy buttons.
- host_permissions: https://security.microsoft.com/* restricts where the extension can run. It can't read or run on any other site.
defender-extractor/
  manifest.json   Manifest V3, host scoped to security.microsoft.com
  popup.html      Popup UI
  popup.css       Popup styles
  popup.js        Parser, defanger, copy/CSV/JSON helpers, tab messaging
  content.js      Injected into Defender to locate the panel, expand sections, and capture URL row data
  icons/          16/48/128 px icons
Issues and PRs welcome. If Defender's UI changes and a field stops parsing, the most useful bug report includes:
- A screenshot of the relevant Defender panel.
- The contents of the popup's textarea after clicking Extract (i.e. the raw scraped text).
- What you expected the field to show.
Don't paste real customer data; sanitise sender / recipient / subject / IPs first.
MIT