Defender for Office 365: Threat Policies
Implement Safe Attachments, Safe Links, anti-phishing, and anti-spam policies — plus configure alert policies to catch threats before they reach users.
Layered email protection
Defender for Office 365 wraps multiple protective layers around your email — each catching what the previous layer missed.
Anti-spam filters out bulk junk. Anti-phishing detects impersonation and spoofing. Safe Links rewrites URLs and checks them at click time (not just delivery time). Safe Attachments detonates files in a sandbox before delivering them. Together, they form a defence-in-depth stack that handles everything from commodity spam to targeted spear-phishing.
Microsoft provides preset policies (Standard and Strict) that apply recommended settings automatically — but the exam expects you to know what each setting does and when to customise beyond the presets.
Plan 1 vs Plan 2
| Feature | Plan 1 | Plan 2 |
|---|---|---|
| Safe Attachments | Yes | Yes |
| Safe Links | Yes | Yes |
| Anti-phishing (impersonation protection) | Yes | Yes |
| Real-time detections | Yes | Replaced by Threat Explorer |
| Threat Explorer (full version) | No | Yes |
| Automated investigation and response (AIR) | No | Yes |
| Attack simulation training | No | Yes |
| Advanced hunting (email tables) | No | Yes |
| Campaign views | No | Yes |
| Included in | M365 Business Premium; purchasable as an add-on for Office 365 E1/E3 and M365 E3 | M365 E5, M365 E5 Security, Office 365 E5 (Plan 2 contains everything in Plan 1) |
Preset security policies
Microsoft provides two preset policy levels that apply recommended settings across all protection types:
| Feature | Standard Protection | Strict Protection |
|---|---|---|
| Target audience | Most users — balanced protection and usability | High-value targets — maximum protection, some usability trade-offs |
| Safe Attachments action | Block | Block |
| Safe Links URL scanning | On — scans URLs at click time | On — scans URLs at click time |
| Anti-phishing threshold | 3 (More aggressive) | 4 (Most aggressive) |
| Spam: bulk complaint level | 6 | 4 (more aggressive filtering) |
| Spam: high confidence phishing | Quarantine | Quarantine |
| Quarantine notification | Enabled | Enabled |
| User overrides (allow sender lists) | Allowed with warnings | Blocked — users cannot override |
| Recommended for | General staff population | Executives, finance, HR, IT admins, legal |
Priya applies Standard preset to all GlobalReach users and Strict preset to the C-suite, finance team, and IT admins — the highest-value targets for spear-phishing attacks.
Exam tip: Policy processing order
When a user is covered by multiple policies, the order of precedence is: Strict preset > Standard preset > Custom policies > Built-in protection. A user assigned to both Standard and Strict receives the Strict settings. Custom policies only apply to users not covered by a preset policy (or for settings the presets don't configure); among custom policies of the same type, the rule with the lowest priority number wins, and only one policy of each type applies to a given recipient. Built-in protection is the default fallback for everyone not covered by anything else. Note that the presets' settings cannot be edited, only their recipients: if a group needs a setting the preset does not offer (for example Dynamic Delivery), you must exclude that group from the preset and cover it with a custom policy.
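The following is an added example (not from the original page) showing how Priya's preset assignment looks in Exchange Online PowerShell, and how to confirm the evaluation order. The group addresses and the assumption that the preset rules already exist (they are created when a preset is first turned on in the Defender portal) are mine, not the page's.

```powershell
# Added example: scope the Standard and Strict presets for GlobalReach and verify the order.
# Requires the Exchange Online PowerShell module (Connect-ExchangeOnline).
# Group addresses are assumptions for the scenario.
Connect-ExchangeOnline

# Each preset has two rules: an EOP rule (anti-spam, anti-malware, anti-phishing) and an
# ATP rule (Safe Links, Safe Attachments). Scope both identically, otherwise users end up
# with mismatched protection.
$strictMembers = @('csuite@globalreach.com', 'finance@globalreach.com', 'itadmins@globalreach.com')

foreach ($cmd in 'Set-EOPProtectionPolicyRule', 'Set-ATPProtectionPolicyRule') {
    # Strict: high-value targets only
    & $cmd -Identity 'Strict Preset Security Policy' -SentToMemberOf $strictMembers
    # Standard: everyone in the accepted domain. Anyone who is also in a Strict group still
    # gets Strict, because the Strict rule is evaluated first.
    & $cmd -Identity 'Standard Preset Security Policy' -RecipientDomainIs 'globalreach.com'
}
Enable-EOPProtectionPolicyRule -Identity 'Strict Preset Security Policy'
Enable-ATPProtectionPolicyRule -Identity 'Strict Preset Security Policy'
Enable-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy'
Enable-ATPProtectionPolicyRule -Identity 'Standard Preset Security Policy'

# Verify: Strict must sort above Standard. Custom rules (Get-SafeAttachmentRule,
# Get-AntiPhishRule, ...) are only evaluated for recipients neither preset matched.
Get-EOPProtectionPolicyRule | Sort-Object Priority |
    Format-Table Name, State, Priority, SentToMemberOf, RecipientDomainIs -AutoSize
Get-ATPProtectionPolicyRule | Sort-Object Priority |
    Format-Table Name, State, Priority, SentToMemberOf, RecipientDomainIs -AutoSize
```

If `Get-EOPProtectionPolicyRule` returns nothing, turn the preset on once in the Defender portal (Policies & rules > Threat policies > Preset security policies) and re-run the script.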
Safe Attachments
Safe Attachments detonates email attachments in a sandbox environment to detect zero-day malware that signature-based scanning would miss.
How it works
- Email arrives at Exchange Online Protection (EOP)
- EOP performs anti-malware scanning (signature-based)
- If the attachment isn’t known-malicious, Safe Attachments opens it in a detonation chamber (sandbox VM)
- The sandbox observes behaviour: does the file phone home, drop additional payloads, spawn child processes, modify registry keys or other persistence locations?
- If malicious — the message is quarantined. If clean — the message is delivered.
Safe Attachments actions
| Action | Behaviour | Use Case |
|---|---|---|
| Off | No scanning (not recommended) | Testing or troubleshooting only |
| Monitor | Delivers the message, logs the result | Initial rollout to measure false positive rate |
| Block | Quarantines the message if malicious | Production — recommended default |
| Dynamic Delivery | Delivers the message body immediately with a placeholder for the attachment. Replaces the placeholder with the real attachment after scanning completes. | Users who cannot tolerate attachment delivery delays |
Safe Attachments for SharePoint, OneDrive, and Teams
This is a tenant-wide setting (not per-policy) that extends detonation to files uploaded to SharePoint, OneDrive, and Teams. When a malicious file is detected:
- The file is blocked — users cannot open, move, copy, or share it
- The file remains in the library with a red “blocked” icon
- The file appears on the Quarantine page in the Defender portal, where an admin (SharePoint admin, Security admin, or Global admin) can release or delete it; users can delete the blocked file from the library but cannot release it, and by default they can still download it unless the tenant-level SharePoint setting DisallowInfectedFileDownload is turned on
Exam tip: Dynamic Delivery specifics
Dynamic Delivery only works for Exchange Online mailboxes, not on-premises mailboxes in a hybrid deployment. It delivers a placeholder attachment that says scanning is in progress while the detonation completes (typically a few minutes). If the attachment is clean, the placeholder is replaced with the real file. If it is malicious, the message is quarantined and the user never receives the attachment. The exam may ask about Dynamic Delivery as the solution when users complain about email delivery delays caused by Safe Attachments; remember that a custom Dynamic Delivery policy only takes effect for users who are not covered by a preset.
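As an added example (not code from the page), the policies for the Safe Attachments section above, including the tenant-wide SharePoint/OneDrive/Teams switch and the Dynamic Delivery exception for finance. Policy names and the finance group address are assumptions; the script requires Connect-ExchangeOnline (and, for the optional last step, the SharePoint Online Management Shell).

```powershell
# Added example: Block for the whole tenant, Dynamic Delivery for finance, SPO/ODB/Teams on.
# Policy names and group addresses are assumptions for the GlobalReach scenario.

# 1. Block for the whole tenant. Quarantined messages go to the admin-only quarantine policy.
New-SafeAttachmentPolicy -Name 'GR-SafeAttach-Block' -Enable $true -Action Block `
    -QuarantineTag AdminOnlyAccessPolicy
New-SafeAttachmentRule -Name 'GR-SafeAttach-Block' -SafeAttachmentPolicy 'GR-SafeAttach-Block' `
    -RecipientDomainIs 'globalreach.com'

# 2. Dynamic Delivery for finance. Only one Safe Attachments policy applies per recipient,
#    lowest priority number first, so this rule goes in at priority 0 (the tenant rule shifts to 1).
New-SafeAttachmentPolicy -Name 'GR-SafeAttach-Finance' -Enable $true -Action DynamicDelivery `
    -QuarantineTag AdminOnlyAccessPolicy
New-SafeAttachmentRule -Name 'GR-SafeAttach-Finance' -SafeAttachmentPolicy 'GR-SafeAttach-Finance' `
    -SentToMemberOf 'finance@globalreach.com' -Priority 0

# 3. Presets outrank custom policies. While finance is inside the Strict preset, the preset's
#    Block action wins and the rule above never fires, so carve finance out of the preset's ATP rule.
Set-ATPProtectionPolicyRule -Identity 'Strict Preset Security Policy' `
    -ExceptIfSentToMemberOf 'finance@globalreach.com'

# 4. Safe Attachments for SharePoint, OneDrive and Teams is a single tenant-wide switch.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# 5. Optional, from the SharePoint Online Management Shell (Connect-SPOService):
#    by default users can still download a flagged file; this closes that gap.
# Set-SPOTenant -DisallowInfectedFileDownload $true

# Confirm the effective order.
Get-SafeAttachmentRule | Sort-Object Priority |
    Format-Table Name, Priority, State, SentToMemberOf, RecipientDomainIs -AutoSize
```

Step 3 is the part people miss: the finance group Priya placed in the Strict preset would otherwise never see Dynamic Delivery, because preset policies are evaluated before any custom policy.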
Safe Links
Safe Links protects against malicious URLs in email and Office documents by rewriting URLs and scanning them at click time — not just at delivery time.
Key capabilities
- URL rewriting — Safe Links rewrites URLs in emails to route through Microsoft’s scanning infrastructure
- Time-of-click verification — when a user clicks a rewritten URL, Safe Links checks it against a real-time reputation database. If the URL has become malicious since delivery, the click is blocked
- URL detonation — unknown URLs are detonated (sandbox visits the URL) to detect phishing pages or malware downloads
- Click tracking — admins can see who clicked which URLs and whether clicks were blocked
Where Safe Links applies
| Context | Default Behaviour |
|---|---|
| Email messages | URLs rewritten and scanned at click time |
| Microsoft Teams | URLs in chat messages and channel posts are scanned at click time |
| Office apps | URLs in Word, Excel, PowerPoint, Visio are scanned when clicked |
Safe Links settings
- Track user clicks — enabled by default in preset policies; lets admins see click telemetry
- Let users click through to the original URL — disabled in both the Standard and Strict presets (users cannot bypass a blocked URL warning); it is only on in the default policy
- Do not rewrite URLs — available for specific domains you trust (use sparingly)
Priya adds GlobalReach’s internal SharePoint domain to the “do not rewrite” list to avoid rewriting internal links — but keeps external URL rewriting and scanning fully active.
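An added example, not code from the page: Priya's Safe Links policy as an Exchange Online PowerShell command, followed by a small helper that recovers the original URL from a rewritten Safe Links link, which is handy when triaging a user-reported message. Policy names and the SharePoint tenant hostnames are assumptions.

```powershell
# Added example: Safe Links policy for GlobalReach plus a URL "un-rewriter" for triage.
# Policy names and hostnames are assumptions. Requires Connect-ExchangeOnline.

# DeliverMessageAfterScan holds the message until URL detonation finishes; AllowClickThrough
# $false removes the "continue anyway" option on the block page, as both presets do.
New-SafeLinksPolicy -Name 'GR-SafeLinks' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -EnableForInternalSenders $true `
    -ScanUrls $true -DeliverMessageAfterScan $true `
    -TrackClicks $true -AllowClickThrough $false `
    -DisableUrlRewrite $false `
    -DoNotRewriteUrls 'https://globalreach.sharepoint.com/*', 'https://globalreach-my.sharepoint.com/*'
New-SafeLinksRule -Name 'GR-SafeLinks' -SafeLinksPolicy 'GR-SafeLinks' -RecipientDomainIs 'globalreach.com'

# Add an exclusion later without clobbering the existing list.
Set-SafeLinksPolicy -Identity 'GR-SafeLinks' -DoNotRewriteUrls @{Add = 'https://intranet.globalreach.com/*'}

function Get-SafeLinksOriginalUrl {
    # Rewritten links look like https://<region>.safelinks.protection.outlook.com/?url=<encoded>&data=...
    # Returns the decoded original URL, or the input unchanged if it is not a Safe Links URL.
    param([Parameter(Mandatory)][string]$RewrittenUrl)
    $uri = [System.Uri]$RewrittenUrl
    if ($uri.Host -notlike '*.safelinks.protection.outlook.com') { return $RewrittenUrl }
    foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
        $kv = $pair -split '=', 2
        if ($kv[0] -eq 'url' -and $kv.Count -eq 2) {
            return [System.Uri]::UnescapeDataString($kv[1])
        }
    }
    return $RewrittenUrl
}

# Constructed sample; the data/sdata values are placeholders, not a real Safe Links token.
Get-SafeLinksOriginalUrl 'https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Flogin%3Fid%3D42&data=05%7C01%7C&sdata=placeholder&reserved=0'
```

Keep the "do not rewrite" list short: every entry is a URL that Safe Links will not check at click time, so it should only ever contain destinations you control.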
Anti-phishing policies
Anti-phishing policies in Defender for Office 365 go beyond basic EOP spoofing protection to add impersonation detection and mailbox intelligence.
Impersonation protection
| Protection Type | What It Detects | Configuration |
|---|---|---|
| User impersonation | Emails where the sender display name or address closely matches a protected user (e.g., “CEO John Smth” vs “CEO John Smith”) | Add up to 350 users to the protected list — typically executives, finance, HR |
| Domain impersonation | Emails from domains that look similar to your own (typosquatting like “gIobalreach.com” vs “globalreach.com”) | Add your domains and key partner domains to the protected list |
| Mailbox intelligence | Learns each user’s normal communication patterns and flags anomalies (e.g., a user who has never emailed the CFO suddenly receives a wire transfer request “from” the CFO) | Mailbox intelligence itself is on by default, but it only informs the verdict; the separate “mailbox intelligence impersonation protection” action (quarantine, move to Junk, etc.) is off by default and must be enabled for it to act |
Phishing threshold levels
The phishing threshold controls how aggressively the system classifies emails as phishing:
| Level | Aggressiveness | Preset |
|---|---|---|
| 1 — Standard | Default — only high-confidence phishing verdicts receive the most severe action | Built-in protection |
| 2 — Aggressive | High-confidence phishing verdicts are treated as phishing; slightly higher false positive rate than Standard | Not used in presets |
| 3 — More aggressive | Medium- and high-confidence verdicts are treated as phishing; catches subtler impersonation at a higher false positive rate | Standard preset |
| 4 — Most aggressive | Low-, medium- and high-confidence verdicts are all treated as phishing: maximum detection, highest false positive rate | Strict preset |
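An added example (not from the page) of a custom anti-phishing policy that turns on the three impersonation protections above with the Strict-level threshold, the kind of policy Dev Patel would build for the CEO-impersonation case in the knowledge check. Names, addresses, domains and the group used for scoping are assumptions.

```powershell
# Added example: anti-phishing policy with user/domain impersonation + mailbox intelligence.
# Names, addresses and domains are assumptions. Requires Connect-ExchangeOnline.

# TargetedUsersToProtect entries are "Display Name;smtp address"; max 350 per policy.
New-AntiPhishPolicy -Name 'GR-AntiPhish-Execs' -Enabled $true `
    -PhishThresholdLevel 4 `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect 'John Smith;john.smith@globalreach.com', 'Jane Doe;jane.doe@globalreach.com' `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect 'oakwoodfinancial.com' `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -HonorDmarcPolicy $true -DmarcQuarantineAction Quarantine -DmarcRejectAction Reject `
    -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true `
    -EnableUnauthenticatedSender $true -EnableViaTag $true

# Scope it to the executives' mailboxes; priority 0 puts it ahead of any other custom policy.
New-AntiPhishRule -Name 'GR-AntiPhish-Execs' -AntiPhishPolicy 'GR-AntiPhish-Execs' `
    -SentToMemberOf 'execs@globalreach.com' -Priority 0

# Sanity check: EnableMailboxIntelligenceProtection must be True, or the anomalies are only logged.
Get-AntiPhishPolicy -Identity 'GR-AntiPhish-Execs' |
    Format-List PhishThresholdLevel, EnableTargetedUserProtection, TargetedUsersToProtect,
                EnableMailboxIntelligence, EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction
```

The reason SPF and DKIM passing does not help in the Oakwood case is that the attacker's mail is authenticated for the attacker's own domain; impersonation protection compares the display name and address against the protected list, which is independent of authentication results.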
Spoof intelligence
Spoof intelligence is an EOP feature (available without Defender for Office 365) that distinguishes legitimate spoofing from malicious spoofing:
- Legitimate spoofing — third-party services sending on your behalf (e.g., a CRM sending marketing emails with your domain in the From address)
- Malicious spoofing — attackers forging your domain to phish your users or external partners
The spoof intelligence insight shows detected spoofing attempts and lets you allow or block specific spoofed sender-domain pairs.
Deep dive: DMARC, DKIM, and SPF alignment
Anti-spoofing relies on email authentication standards:
- SPF (Sender Policy Framework) — DNS record listing authorised sending IPs for your domain
- DKIM (DomainKeys Identified Mail) — a signature over selected headers and the body, made with a private key whose public half is published in DNS under a selector; a receiver that verifies it knows the signed parts were not altered in transit and that the signing domain (the d= tag) vouches for the message
- DMARC (Domain-based Message Authentication, Reporting and Conformance) — a policy record (a TXT record at _dmarc.<domain>) telling receivers what to do when neither SPF nor DKIM passes with an aligned identifier (none, quarantine, reject), and where to send aggregate reports. Alignment means the domain in the visible From header matches either the domain SPF authenticated (the envelope MAIL FROM) or the DKIM d= domain; relaxed alignment accepts any subdomain of the same organisational domain, strict requires an exact match. A message can pass SPF for an unrelated domain and still fail DMARC, which is exactly how a forged From header is caught
Exchange Online Protection (EOP) handles DMARC evaluation for inbound mail — this is part of the baseline filtering layer, not Defender for Office 365 specifically. If a sender's domain publishes p=reject and the message fails DMARC, EOP applies the action configured in the anti-phishing policy under “Honor DMARC record policy when the message is detected as spoof”; the Standard and Strict presets reject on p=reject and quarantine on p=quarantine. Defender for Office 365 adds advanced protection layers (Safe Attachments, Safe Links, anti-impersonation) on top of EOP’s baseline filtering. For your own domain, publishing p=reject protects your brand by telling the world to reject spoofed emails pretending to come from you.
Priya sets p=reject for globalreach.com after validating all legitimate sending services are covered by SPF and DKIM.
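To make the alignment rule concrete, here is an added example (not from the page) that evaluates a DMARC verdict from SPF and DKIM results the way a receiver does, and runs it against two constructed cases: a CRM legitimately sending as globalreach.com, and an attacker forging the From header from their own infrastructure. The function, the domains and the sample results are mine; real receivers resolve organisational domains with the public suffix list, which the relaxed-mode approximation below does not.

```powershell
# Added example: DMARC identifier alignment and verdict, with constructed inputs.

function Test-DmarcIdentifierAlignment {
    param(
        [Parameter(Mandatory)][string]$HeaderFromDomain,   # RFC 5322 From: domain that DMARC protects
        [Parameter(Mandatory)][string]$AuthDomain,         # SPF MAIL FROM domain or DKIM d= domain
        [ValidateSet('r', 's')][string]$Mode = 'r'         # adkim=/aspf= tag: r(elaxed) or s(trict)
    )
    $from = $HeaderFromDomain.ToLowerInvariant().TrimEnd('.')
    $auth = $AuthDomain.ToLowerInvariant().TrimEnd('.')
    if ($Mode -eq 's') { return ($from -eq $auth) }
    # Relaxed: organisational domains must match. Approximation (assumption): last two labels.
    # Wrong for multi-label public suffixes such as co.uk; real receivers use the public suffix list.
    $orgFrom = (($from -split '\.')[-2..-1]) -join '.'
    $orgAuth = (($auth -split '\.')[-2..-1]) -join '.'
    return ($orgFrom -eq $orgAuth)
}

function Get-DmarcVerdict {
    param(
        [Parameter(Mandatory)][string]$HeaderFromDomain,
        [string]$SpfResult = 'none',  [string]$SpfDomain = '',
        [string]$DkimResult = 'none', [string]$DkimDomain = '',
        [Parameter(Mandatory)][string]$DmarcRecord       # e.g. 'v=DMARC1; p=reject; adkim=s; aspf=r'
    )
    # Parse the tag=value pairs of the published record.
    $tags = @{}
    foreach ($part in ($DmarcRecord -split ';')) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    $aspf   = if ($tags['aspf'])  { $tags['aspf'] }  else { 'r' }
    $adkim  = if ($tags['adkim']) { $tags['adkim'] } else { 'r' }
    $policy = if ($tags['p'])     { $tags['p'] }     else { 'none' }

    # A mechanism only counts if it passed AND its identifier aligns with the From: domain.
    $spfAligned  = ($SpfResult -eq 'pass')  -and ($SpfDomain -ne '')  -and
                   (Test-DmarcIdentifierAlignment $HeaderFromDomain $SpfDomain $aspf)
    $dkimAligned = ($DkimResult -eq 'pass') -and ($DkimDomain -ne '') -and
                   (Test-DmarcIdentifierAlignment $HeaderFromDomain $DkimDomain $adkim)
    $pass = $spfAligned -or $dkimAligned   # either one is enough; the policy applies only if neither

    [pscustomobject]@{
        SpfAligned    = $spfAligned
        DkimAligned   = $dkimAligned
        DmarcResult   = $(if ($pass) { 'pass' } else { 'fail' })
        PolicyApplied = $(if ($pass) { 'none' } else { $policy })
    }
}

# Constructed case 1: the CRM sends as globalreach.com. SPF passes for the CRM's own bounce
# domain (not aligned) but the message is DKIM-signed with d=globalreach.com (aligned) -> pass.
Get-DmarcVerdict -HeaderFromDomain 'globalreach.com' `
    -SpfResult pass  -SpfDomain 'bounce.crm-vendor.example' `
    -DkimResult pass -DkimDomain 'globalreach.com' `
    -DmarcRecord 'v=DMARC1; p=reject; adkim=s; aspf=r'

# Constructed case 2: attacker forges From: globalreach.com. SPF passes for attacker.example,
# there is no DKIM signature for globalreach.com -> fail, and p=reject applies.
Get-DmarcVerdict -HeaderFromDomain 'globalreach.com' `
    -SpfResult pass -SpfDomain 'attacker.example' `
    -DkimResult none `
    -DmarcRecord 'v=DMARC1; p=reject'

# To check the live record before moving to p=reject (Windows DnsClient module; use dig elsewhere):
# (Resolve-DnsName -Name _dmarc.globalreach.com -Type TXT).Strings
```

Case 1 is why Priya must validate every legitimate sending service before publishing p=reject: a third-party service that can only pass SPF for its own bounce domain needs a DKIM signature for globalreach.com (or an SPF include) to align, or its mail will be rejected along with the attacker's.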
Anti-spam policies
Anti-spam policies control how Exchange Online Protection handles inbound and outbound spam:
Inbound spam filter
| Verdict | Action (Standard Preset) | Action (Strict Preset) |
|---|---|---|
| Spam | Move to Junk Email folder | Quarantine |
| High confidence spam | Quarantine | Quarantine |
| Phishing | Quarantine | Quarantine |
| High confidence phishing | Quarantine | Quarantine |
| Bulk | Move to Junk Email folder | Quarantine |
The Bulk Complaint Level (BCL) threshold determines how aggressively bulk mail (newsletters, marketing) is filtered. Lower BCL threshold = more aggressive filtering. Standard uses BCL 6; Strict uses BCL 4.
Outbound spam filter
Outbound spam filtering protects your tenant’s sending reputation. If a compromised account starts sending spam:
- The outbound filter detects the anomalous sending pattern
- The user is restricted from sending (added to the Restricted entities list)
- An alert is generated
- An admin must investigate and unblock the user manually (covered in the next module)
Exam tip: Zero-hour Auto Purge (ZAP)
ZAP is a post-delivery protection feature: if EOP reclassifies a delivered message as spam or phishing after delivery (based on updated threat intelligence), ZAP automatically moves it to Junk or Quarantine — even though the user already received it.
Key exam points:
- ZAP works for spam, phishing, and malware
- ZAP respects Safe Sender lists (won’t move messages from trusted senders)
- ZAP only applies to messages still in the mailbox
- The exam may ask: “A phishing email was delivered, then identified as malicious 20 minutes later. What happens?” → ZAP moves it to quarantine automatically
Deep dive: Quarantine policies
Quarantine policies control what happens to quarantined messages:
- Admin-only access — only admins can review and release (strictest)
- Limited access — end users can view quarantined messages and request release, but cannot release themselves
- Full access — end users can view and release their own quarantined messages
Which quarantine policy is used depends on the verdict and on the policy that produced it. In the default anti-spam policy, spam and bulk verdicts use the built-in DefaultFullAccessPolicy, while high-confidence phishing and the anti-malware policy use AdminOnlyAccessPolicy; the Standard and Strict presets use the notification-enabled variants. Custom quarantine policies can override these defaults per verdict.
Alert policies
Alert policies generate notifications when specific events occur. Defender for Office 365 includes default alert policies and lets you create custom alert policies.
Default alert policies
| Alert Policy | What It Detects | Severity |
|---|---|---|
| Malware campaign detected after delivery | Malware that bypassed initial scanning, detected retroactively (the ZAP case) | High |
| Messages have been delayed | Significant mail flow delays indicating potential infrastructure or connector issues | Medium |
| Tenant restricted from sending email | Outbound spam caused tenant-level sending restrictions | High |
| User restricted from sending email | Individual user blocked due to outbound spam, typically a compromised account | High |
| Admin triggered manual investigation of email | Admin initiated manual investigation in Threat Explorer | Informational |
Custom alert policies
You can create custom alert policies based on:
- Activity type — specific event (e.g., admin permission grant, mailbox forwarding rule creation)
- Threshold — trigger when the event occurs more than N times within a time window
- Scope — all users, specific users, or specific groups
- Severity — Low, Medium, High, Informational
- Notification — email recipients who should be alerted
Priya creates a custom alert for “mailbox forwarding rule created to an external domain” — a classic indicator of business email compromise at GlobalReach.
Exam tip: Alert policies vs Defender alerts
Don’t confuse alert policies (which you configure in the Defender portal under Policies & rules > Alert policy, or in the Purview compliance portal) with Defender XDR alerts (which are generated automatically by Defender’s detection engine). Alert policies are rule-based notifications you define. Defender alerts are detections from the security engine, many of them ML-driven. Both appear in the unified Alerts queue, but they have different origins and configuration paths.
Knowledge check
Priya is rolling out Safe Attachments at GlobalReach. The finance team complains that attachment delivery takes too long — they receive time-sensitive invoices that need immediate processing. What should Priya configure for the finance team?
Dev Patel notices that executives at Oakwood Financial are receiving phishing emails that impersonate the CEO. The emails use a slightly misspelled display name. Standard EOP anti-spam filtering is not catching them because the emails pass SPF and DKIM checks. What should Dev configure?
A GlobalReach user's account is compromised and starts sending phishing emails to external recipients. Exchange Online automatically blocks the user. Where does Priya find this user, and what alert triggered?
Next up: Email Threats, Attack Simulation and Restricted Entities — where Elena uses Threat Explorer to investigate email threats, runs phishing simulations, and manages blocked users at MedGuard Health.