Guided by A Guide to Cloud
SC-900 Study Guide

Domain 1: Security, Compliance & Identity Concepts

  • Security Foundations: Shared Responsibility & Defence-in-Depth Free
  • Zero Trust: Never Trust, Always Verify Free
  • Encryption, Hashing & GRC Free
  • Identity: The New Security Perimeter Free

Domain 2: Microsoft Entra Capabilities

  • Microsoft Entra ID: Your Identity Hub Free
  • Hybrid & External Identities
  • Authentication: Passwords, MFA & Passwordless
  • Password Protection & Self-Service Reset
  • Conditional Access: Smart Access Decisions
  • Entra Roles and RBAC
  • Identity Governance: Entitlements and Access Reviews
  • PIM and Identity Protection

Domain 3: Microsoft Security Solutions

  • Azure Network Defence: DDoS, Firewall & WAF
  • Azure Infrastructure Security: VNets, NSGs, Bastion & Key Vault
  • Microsoft Defender for Cloud
  • Microsoft Sentinel: SIEM Meets SOAR
  • Defender XDR: The Unified Threat Platform
  • Microsoft Defender for Office 365
  • Microsoft Defender for Endpoint
  • Defender for Cloud Apps & Defender for Identity
  • Vulnerability Management & Threat Intelligence

Domain 4: Microsoft Compliance Solutions

  • Service Trust Portal, Privacy Principles & Microsoft Priva
  • The Purview Portal & Compliance Manager
  • Data Classification & Sensitivity Labels
  • Data Loss Prevention (DLP)
  • Records Management & Retention
  • Insider Risk Management
  • eDiscovery & Audit

Domain 3: Microsoft Security Solutions Premium ⏱ ~10 min read

Microsoft Defender for Office 365

Defender for Office 365 protects email, Teams, SharePoint, and OneDrive from phishing, malware, and business email compromise. Learn Safe Attachments, Safe Links, and the P1 vs P2 difference.

What does Defender for Office 365 protect?

☕ Simple explanation

Think of Defender for Office 365 as a security screening station for your mailroom.

Every package (email attachment) gets X-rayed before delivery. Every link on a letter gets checked before you follow it. If someone sends a letter pretending to be your CEO asking for a wire transfer — the screening station flags it.

It doesn’t just protect email, though. It also watches Teams messages, SharePoint files, and OneDrive uploads — anywhere people share content in Microsoft 365.

Microsoft Defender for Office 365 is a cloud-based email and collaboration protection service. It defends against phishing, malware, business email compromise (BEC), and other threats across Exchange Online, Microsoft Teams, SharePoint Online, and OneDrive for Business.

It sits on top of the baseline Exchange Online Protection (EOP) that every Microsoft 365 tenant receives. Defender for Office 365 adds advanced features like detonation-based attachment scanning, real-time URL rewriting, and impersonation detection.

Safe Attachments

Safe Attachments is one of the headline features you need to know for the exam.

How it works: When an email arrives with an attachment, Defender opens that attachment in a secure sandbox (an isolated virtual environment) and watches what happens. If the attachment tries to download malware, modify system files, or phone home to a command-and-control server — it gets blocked before it ever reaches the user’s inbox.

This is called detonation — the attachment is “detonated” safely where it can’t do damage.

Safe Attachments also protects files uploaded to SharePoint, OneDrive, and Teams — not just email.

💡 Exam tip: Safe Attachments vs standard anti-malware

Exchange Online Protection (EOP) includes basic anti-malware scanning that checks attachments against known malware signatures. Safe Attachments goes further by detonating files in a sandbox to catch unknown (zero-day) threats that don’t match any signature yet.

If the exam asks what catches “novel” or “zero-day” malware in email — the answer is Safe Attachments.

Safe Links

Safe Links protects users from malicious URLs — and the timing matters.

The problem: An attacker sends an email with a link that’s clean at delivery time. Hours later, after the email is sitting in the inbox, the attacker weaponises the URL — it now points to a phishing page.

The solution: Safe Links rewrites every URL in the email. When the user clicks, the rewritten URL first checks with Microsoft’s threat database at click-time, not delivery-time. If the link has turned malicious since delivery — the click is blocked.

Safe Links also works in Teams messages and Office documents, not just email.
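The difference between a delivery-time scan and a click-time check, as a small added model (not code from this guide and not Microsoft's implementation). The checker host `linkcheck.example`, the `Reputation` class and the sample link are constructed for illustration.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

CHECK_HOST = "https://linkcheck.example/"      # hypothetical rewriting service
SAMPLE_LINK = "https://vendor-portal.example/invoice?id=42"   # constructed sample
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

class Reputation:
    """Constructed stand-in for a threat feed whose verdicts change over time."""
    def __init__(self):
        self._bad = set()
    def mark_malicious(self, url):
        self._bad.add(url)
    def is_malicious(self, url):
        return url in self._bad

def rewrite_links(body):
    """Delivery time: wrap each URL so a click reaches the checker first."""
    def wrap(match):
        url = match.group(0)
        if url.startswith(CHECK_HOST):          # already wrapped, leave as is
            return url
        return CHECK_HOST + "?" + urlencode({"url": url})
    return URL_RE.sub(wrap, body)

def handle_click(wrapped_url, reputation):
    """Click time: recover the original URL and ask for the verdict now."""
    original = parse_qs(urlparse(wrapped_url).query)["url"][0]
    verdict = "blocked" if reputation.is_malicious(original) else "redirect"
    return verdict, original

def demo():
    rep = Reputation()
    delivered = rewrite_links("Please review: " + SAMPLE_LINK)
    clean_at_delivery = not rep.is_malicious(SAMPLE_LINK)   # delivery scan passes
    wrapped = URL_RE.search(delivered).group(0)
    early_click = handle_click(wrapped, rep)    # link still clean
    rep.mark_malicious(SAMPLE_LINK)             # URL weaponised after delivery
    late_click = handle_click(wrapped, rep)     # same email, new verdict
    return clean_at_delivery, early_click, late_click

if __name__ == "__main__":
    print(demo())
```

The email body never changes after delivery; only the verdict looked up at click time does, which is why the late click is blocked.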

Anti-phishing policies

Defender for Office 365 includes specialised anti-phishing protection:

  • Impersonation protection: Detects when someone pretends to be a specific person (like your CEO) or a specific domain (like your bank). You configure which users and domains to protect.
  • Mailbox intelligence: Learns each user’s typical email patterns. If someone suddenly receives an email from “your CEO” but the sending pattern doesn’t match — it’s flagged.
  • Spoof intelligence: Identifies when an email’s “from” address doesn’t match the actual sending domain.

💡 Scenario: Alex stops a BEC attack at SecureBank

Director Reyes (CISO) asks Alex to investigate a suspicious email that three employees received.

The email appears to come from “Director Reyes” asking employees to urgently wire money to a vendor. But Defender for Office 365 flagged it:

  • Impersonation detection caught that the sender’s domain was securebnk.com (not securebank.com)
  • Mailbox intelligence noted that Director Reyes never emails these employees directly
  • Safe Links rewrote the “Click here to authorise” URL — when one employee clicked, it was blocked because the destination was a credential-harvesting site

Result: Zero money lost, zero credentials stolen. Alex quarantined the emails and added the spoofed domain to the block list.
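The domain and user impersonation checks and the spoof check from this section, sketched as an added example (not Microsoft's detection logic and not code from this guide). The edit-distance threshold of 2, the address `reyes@securebank.com` and the `authenticated_domain` input are assumptions; mailbox intelligence is not modelled.

```python
from email.utils import parseaddr

PROTECTED_DOMAINS = {"securebank.com"}                         # from the scenario
PROTECTED_USERS = {"director reyes": "reyes@securebank.com"}   # address is constructed

def edit_distance(a, b):
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(from_header, authenticated_domain):
    """Return the findings for one message.

    authenticated_domain: the domain that actually sent the mail
    (assumed to come from the SPF/DKIM result).
    """
    findings = []
    display, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()

    # Domain impersonation: a near miss of a protected domain.
    for protected in sorted(PROTECTED_DOMAINS):
        if 0 < edit_distance(from_domain, protected) <= 2:
            findings.append(f"domain-impersonation:{from_domain}~{protected}")

    # User impersonation: protected display name on a different address.
    real_addr = PROTECTED_USERS.get(display.strip().lower())
    if real_addr and addr.lower() != real_addr:
        findings.append(f"user-impersonation:{display}")

    # Spoof: visible From domain differs from the actual sending domain.
    if authenticated_domain.lower() != from_domain:
        findings.append(f"spoof:{from_domain}!={authenticated_domain}")
    return findings

if __name__ == "__main__":
    print(check_message("Director Reyes <reyes@securebnk.com>", "securebnk.com"))
```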

Plan 1 vs Plan 2

Defender for Office 365: Plan 1 vs Plan 2
| Feature | Plan 1 (P1) | Plan 2 (P2) |
| --- | --- | --- |
| Safe Attachments | Yes | Yes |
| Safe Links | Yes | Yes |
| Anti-phishing policies | Yes | Yes |
| Real-time detections | Yes | Yes |
| Threat Explorer | No | Yes — investigate and hunt email threats |
| Automated investigation and response (AIR) | No | Yes — automatically investigate and remediate |
| Attack simulation training | No | Yes — send fake phishing to test employees |
| Threat trackers | No | Yes — track emerging threat campaigns |

Simple way to remember: P1 = protection (block bad stuff). P2 = P1 + investigation (find and fix bad stuff that got through) + simulation (test your people).

Threat Explorer

Threat Explorer is a P2 feature that lets security teams investigate email threats after the fact:

  • Search for all emails containing a specific malicious URL
  • See which users received, clicked, or were affected
  • Manually remediate — delete emails from all inboxes, even if they were already delivered
  • Hunt for threats proactively

Alex uses Threat Explorer daily at SecureBank to investigate alerts and clean up any threats that slipped through.

How it fits into Defender XDR

Defender for Office 365 doesn’t work in isolation. Its email signals feed directly into the Defender XDR portal:

  • A phishing email detected by Defender for Office 365 can be correlated with malware detected by Defender for Endpoint on the device that clicked the link
  • All email alerts roll up into unified incidents in the Defender portal
  • Automated investigation in P2 can trigger response actions across the entire XDR stack — not just email

Flashcards

Question

What does Safe Attachments do in Defender for Office 365?

Answer

Safe Attachments detonates (opens) suspicious email attachments in an isolated sandbox environment. If the attachment behaves maliciously, it's blocked before reaching the user. It also scans files in SharePoint, OneDrive, and Teams.

Question

How does Safe Links protect users from malicious URLs?

Answer

Safe Links rewrites URLs in emails, Teams messages, and Office documents. When a user clicks, the URL is checked at click-time (not just delivery-time) against Microsoft's threat database. This catches links that become malicious after the email was delivered.

Question

What is the key difference between Defender for Office 365 Plan 1 and Plan 2?

Answer

Plan 1 provides real-time protection: Safe Attachments, Safe Links, and anti-phishing. Plan 2 adds everything in P1 PLUS investigation tools (Threat Explorer), automated investigation and response (AIR), and attack simulation training.

Question

What three anti-phishing capabilities does Defender for Office 365 provide?

Answer

1) Impersonation protection — detects someone pretending to be a specific person or domain. 2) Mailbox intelligence — learns normal email patterns and flags anomalies. 3) Spoof intelligence — catches emails where the 'from' address doesn't match the sending domain.

Knowledge Check

SecureBank receives an email with an attachment that contains a new type of malware not yet in any virus signature database. Exchange Online Protection (EOP) doesn't catch it. Which Defender for Office 365 feature is most likely to detect this threat?

Knowledge Check

Alex wants to send a fake phishing email to SecureBank employees to test their security awareness. He also wants to automatically investigate and remediate any real phishing emails that get through. Which Defender for Office 365 plan does he need?

Knowledge Check

An attacker sends an email to 200 SecureBank employees containing a link. The link is safe when the email is delivered but becomes malicious 3 hours later. 15 employees click the link after it turns malicious. What happens?


Next up: Microsoft Defender for Endpoint — protecting the devices where the real work (and real attacks) happen.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.