Pivot into Office 365

From the Windows Defender ATP portal, if you investigate an attack and find the suspicious file originated from an email or is discovered in other mailboxes, you can select to launch the Office 365 ATP portal: https://protection.office.com/#/threatexplorer.

The Windows Defender ATP portal provides the specific information required to search for and filter the specific file across all mailboxes:

The administrator can then create an incident within Office 365 and attach the affected emails: