Defender for Office 365


Defender for Office 365 provides advanced threat protection for email and collaboration. This guide covers anti-phishing policies, safe attachments, safe links, and impersonation protection. It is available in Plan 1 (protection) and Plan 2 (protection, investigation, and automation).

Anti-Phishing Policies

Anti-phishing policies protect against impersonation attacks. Configure both user impersonation (specific users like CEO, CFO) and domain impersonation (your domains and partner domains). Mailbox intelligence uses each user's email patterns to improve detection.

User impersonation protection: Add high-value targets (CEO, CFO, IT Director). Action: Quarantine.
Domain impersonation protection: Add your domains + key partner domains. Action: Quarantine.
Mailbox intelligence: Enable mailbox intelligence and mailbox intelligence protection. Action: Move to Junk.
First contact safety tip: Enable. Warns users on first email from a new sender.

Safe Attachments

Safe Attachments detonates attachments in a sandbox before delivery. Choose Dynamic Delivery for least user disruption - the message body is delivered immediately while the attachment is scanned. Block mode holds the entire message until scanning completes.

Enable Safe Attachments for SharePoint, OneDrive, and Teams separately. This protection is not on by default, even when a Safe Attachments policy for email is in place.

Safe Links

Safe Links rewrites URLs in email messages and scans them at time of click. This catches delayed-detonation attacks where a URL is clean at delivery but weaponized later. Enable URL rewriting and do not allow users to click through to the original URL on blocked links.
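The settings recommended in the Anti-Phishing, Safe Attachments and Safe Links sections can be checked against what a tenant actually has configured. The PowerShell below is an added example, not part of the original guide and not Microsoft's code: the function name Test-MdoPolicy, the $Baseline table and the sample policy objects are constructed for illustration, while the property names are those of the policy objects returned by Exchange Online PowerShell.

```powershell
# Added example: expected values mirror the recommendations on this page.
$Baseline = @{
    AntiPhish = [ordered]@{
        EnableTargetedUserProtection        = $true          # user impersonation
        TargetedUserProtectionAction        = 'Quarantine'
        EnableOrganizationDomainsProtection = $true          # your own domains
        EnableTargetedDomainsProtection     = $true          # partner domains
        TargetedDomainProtectionAction      = 'Quarantine'
        EnableMailboxIntelligence           = $true
        EnableMailboxIntelligenceProtection = $true
        MailboxIntelligenceProtectionAction = 'MoveToJmf'    # Move to Junk
        EnableFirstContactSafetyTips        = $true
    }
    SafeAttachment = [ordered]@{ Enable = $true; Action = 'DynamicDelivery', 'Block' }
    SafeLinks      = [ordered]@{ EnableSafeLinksForEmail = $true; DisableUrlRewrite = $false; AllowClickThrough = $false }
    AtpGlobal      = [ordered]@{ EnableATPForSPOTeamsODB = $true }   # SharePoint, OneDrive, Teams
}

function Test-MdoPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('AntiPhish', 'SafeAttachment', 'SafeLinks', 'AtpGlobal')][string]$Kind,
        [Parameter(Mandatory, ValueFromPipeline)][object]$Policy
    )
    process {
        foreach ($setting in $Baseline[$Kind].GetEnumerator()) {
            $actual = $Policy.($setting.Key)
            if ($actual -notin $setting.Value) {   # a missing property ($null) is reported too
                [pscustomobject]@{
                    Kind = $Kind; Policy = $Policy.Name; Setting = $setting.Key
                    Actual = $actual; Expected = $setting.Value -join ' or '
                }
            }
        }
    }
}

# Constructed sample objects standing in for cmdlet output. Against a tenant, after
# Connect-ExchangeOnline: Get-AntiPhishPolicy | Test-MdoPolicy -Kind AntiPhish (and so on).
$phish = [pscustomobject]@{
    Name = 'Executives (constructed)'; EnableTargetedUserProtection = $true
    TargetedUserProtectionAction = 'Quarantine'; EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection = $false; TargetedDomainProtectionAction = 'NoAction'
    EnableMailboxIntelligence = $true; EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'; EnableFirstContactSafetyTips = $false
}
$links  = [pscustomobject]@{ Name = 'Links (constructed)'; EnableSafeLinksForEmail = $true; DisableUrlRewrite = $false; AllowClickThrough = $true }
$global = [pscustomobject]@{ Name = 'Default'; EnableATPForSPOTeamsODB = $false }
$findings = @($phish | Test-MdoPolicy -Kind AntiPhish) + @($links | Test-MdoPolicy -Kind SafeLinks) + @($global | Test-MdoPolicy -Kind AtpGlobal)
$findings | Format-Table -AutoSize
```

The other kinds are fed the same way from Get-SafeAttachmentPolicy, Get-SafeLinksPolicy and Get-AtpPolicyForO365. The check is read-only and does not verify that the protected user and domain lists are populated.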

Preset Security Policies

Microsoft offers two preset policy tiers: Standard and Strict. These apply a curated set of anti-phishing, safe attachments, and safe links settings. Use Strict for high-value users (executives, finance) and Standard for the rest. Custom policies override presets where they conflict.