Microsoft Defender for Office 365 Expert

Capability Reference

EOP — Exchange Online Protection (All Exchange Online Tenants)

EOP is the baseline anti-spam and anti-malware service included with every Exchange Online subscription. It processes all inbound and outbound email.

EOP Protection Stack:

1. Connection filtering (IP reputation, safe list, block list)
2. Anti-malware scanning (signature-based + heuristics)
3. Mail flow rules (transport rules) — policy-based routing and action
4. Anti-spam filtering (content analysis, bulk mail threshold)
5. Anti-spoofing (spoof intelligence, composite authentication)
6. Outbound spam filtering (prevent tenant compromise abuse)

Key EOP Policies:

Anti-spam policy (inbound):

• Bulk email threshold: BCL 1-9. Lower = stricter. Microsoft default: 7. Recommended: 6 for normal, 4 for strict.
• High confidence spam action: Move to Junk, Quarantine, or Delete
• Phishing action: Typically Quarantine or Move to Junk
• Safety tips: Enable sender authentication tips (red/yellow banners)

Anti-malware policy:

• Enable common attachment filter (blocks file types regardless of content scanning): .exe, .vbs, .js, .wsf, .bat, .com, .cmd
• Zero-hour auto purge (ZAP) for malware: Enabled by default
• Quarantine, do not delete — allows investigation

Spoof intelligence: EOP automatically analyzes inbound mail and identifies domain pairs where spoofing may be occurring. Spoof intelligence insight in the Security portal shows:

• Allowed spoofed senders (legitimate forwarding/bulk scenarios)
• Blocked spoofed senders
• External domain spoofing of your domains

Composite authentication (compauth): Microsoft's own meta-verdict combining SPF, DKIM, DMARC plus implicit authentication (Microsoft's own reputation signals). Visible in Authentication-Results header as compauth=pass/fail reason=XYZ.

Reason codes:

• 000 — Failed DMARC with reject/quarantine policy
• 001 — Failed DMARC with none policy
• 002 — Explicit sender/domain in block list
• 010/011 — Failed DMARC but implicit authentication helped
• 1xx — Passed (various signals)

Plan 1 — Safe Attachments and Safe Links

Licensing: Included in Microsoft 365 Business Premium, E3 with Defender add-on, E5.

Safe Attachments

Safe Attachments detonates files in a sandbox before delivery to detect zero-day malware not caught by signature scanning.

Actions:

• Off — No Safe Attachments scanning
• Monitor — Deliver but track attachments; no blocking
• Block — Block malicious attachments; deliver clean ones
• Dynamic Delivery — Deliver message immediately with attachment placeholder; replace with real attachment after scanning completes (reduces latency impact)
• Replace — Strip attachment; deliver message with notice

Dynamic Delivery is the recommended mode for most organizations — it eliminates user perception of email delay while maintaining protection.

Safe Attachments for SharePoint, OneDrive, Teams: Separate policy that scans files uploaded to SharePoint/OneDrive/Teams using the same detonation engine. Enable via: Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

Safe Attachments detonation:

• Supported file types: Office documents, PDFs, executables, archives, scripts
• Detonation environment: Windows 10 VM with Office installed
• Verdict time: Typically 2-8 minutes (Dynamic Delivery eliminates wait)
• Files flagged as malicious are quarantined

Safe Links

Safe Links rewrites URLs in email and Office documents at delivery time, and performs time-of-click protection to catch URLs that were clean at delivery but became malicious later.

URL rewriting format:

Original: https://malicious.example.com/payload
Rewritten: https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmalicious.example.com...&data=...&reserved=0

Time-of-click protection:

1. User clicks rewritten link
2. Request goes to Microsoft Safe Links service
3. Microsoft checks URL reputation in real time (including sandboxing if unknown)
4. If malicious: Block page displayed
5. If clean: Redirect to original URL

Safe Links policy settings:

• URLs in email: Scan all URLs in inbound messages (enable)
• URLs in Microsoft Teams: Enable for Teams message links
• URLs in Office apps: Enable for links in Word/Excel/PowerPoint (requires desktop client 16.x+)
• Real-time URL scanning: Scan before delivery (wait for scan); enable for highest protection
• Safe Links for internal senders: Enable (catches compromised internal accounts)
• Do not track user clicks: Disable tracking (leave tracking enabled for investigation capability)
• Allow users to click through: Disable for maximum protection
• Do not rewrite URLs list: Add trusted URLs that should not be rewritten (internal tools, known-safe external)

Blocked URL list: Tenant-wide blocked URLs in Safe Links policy. Blocks regardless of other scanning.

Plan 2 — Advanced Investigation and Response

Licensing: Microsoft 365 E5, Microsoft 365 E5 Security add-on.

Threat Explorer (Real-Time Detections)

Threat Explorer provides real-time investigation of email flow and threat data. (Real-Time Detections in Plan 1 is a read-only subset.)

Access: Microsoft Defender portal → Email & Collaboration → Explorer

Key views:

• All email — Full email log with filtering; investigate any message
• Malware — Messages with detected malware
• Phish — Messages detected as phishing
• Campaigns — Coordinated threat campaigns hitting your tenant

Filtering capabilities:

• Sender IP, domain, user
• Recipient domain, user, group
• Subject keywords
• URL domain
• File name / file hash
• Detection technology (Safe Attachments, Safe Links, MCC, etc.)
• Delivery action (Delivered, Blocked, Replaced, Quarantine)
• Delivery location (Inbox, Junk, Quarantine, Deleted Items, External forward)
• Time range (up to 30 days)

Investigation workflow:

1. Apply filters to isolate suspicious messages
2. Select messages → view details panel (headers, authentication, URLs, attachments)
3. Click through to Email entity page for full analysis
4. Take action: Move to inbox/junk/deleted, quarantine, trigger AIR

Email entity page: Comprehensive view of a single message including:

• Full authentication results (SPF/DKIM/DMARC/compauth)
• URL analysis (each URL, verdict, clicks)
• Attachment analysis (file details, detonation results)
• Delivery timeline (original location → ZAP action → current location)
• Related alerts and incidents

Automated Investigation and Response (AIR)

AIR automatically investigates alerts and incidents, determines scope of compromise, and takes or recommends remediation actions.

Trigger scenarios:

• User reports phishing (Report Message button → triggers AIR)
• High-confidence phish detected
• Malware detected
• Security alert from other Defender XDR components

AIR investigation flow:

1. Alert triggers investigation
2. AIR expands scope — searches for related messages, same sender/URL/attachment
3. Collects evidence — emails, users, devices, URLs, files
4. Makes determinations — malicious/suspicious/clean per entity
5. Generates remediation actions — soft delete messages, block sender, quarantine
6. Pending actions require approval (or auto-approve with appropriate settings)

AIR approval settings:

• No automation: All actions require manual approval
• Semi (default): Most actions need approval; routine remediation auto-runs
• Full automation: AIR remediates automatically (M365 E5 + Defender XDR required)

PowerShell investigation:

# View recent automated investigations
Get-AirInvestigation -StartDate (Get-Date).AddDays(-7)

# Get investigation details
Get-AirInvestigation -InvestigationId "investigation-id"

Attack Simulation Training

Attack Simulation Training lets you run simulated phishing attacks against your users to measure susceptibility and assign training.

Simulation techniques:

• Credential harvest
• Malware attachment (simulated)
• Link in attachment
• Drive-by URL
• OAuth consent grant

Configuration:

1. Choose technique
2. Select or create payload (email template)
3. Target users (all, department, previous clickers, etc.)
4. Schedule (immediate or timed)
5. Assign training to users who click

Metrics tracked:

• Compromise rate (% who clicked/submitted credentials)
• Repeat offenders
• Training completion rate
• Improvement over time

ZAP — Zero-Hour Auto Purge

ZAP retroactively removes messages that were delivered but later determined to be malicious.

How ZAP works:

1. Message delivered to mailbox as clean
2. New intelligence (new signature, URL block, malware verdict) becomes available
3. ZAP scans recent delivered mail (7 days by default)
4. Matching messages are moved to Junk Email folder (soft delete)

ZAP for malware: Moves malicious attachments to quarantine (harder action than spam ZAP) ZAP for phishing: Moves to Junk or Quarantine based on policy ZAP for spam: Moves to Junk folder

ZAP limitations:

• 7-day window (cannot remediate messages older than 7 days)
• Does not work if user has moved message out of inbox before ZAP runs
• Cannot remove from Sent Items
• Requires Exchange Online; does not work for on-prem mailboxes

Checking ZAP actions in Threat Explorer: Filter by: Delivery action = "Replaced" or Delivery location = "Quarantine" + Original delivery location = "Inbox"

Anti-Phishing Policies

Anti-phishing policies control impersonation protection, mailbox intelligence, and spoof intelligence.

Key settings:

Impersonation protection (Plan 1+):

• Users to protect: List specific users (executives, VIPs) — up to 60 per policy
• Domains to protect: Your owned domains + custom list of partner domains
• Impersonation action: Move to Junk, Quarantine, add tip and deliver
• Mailbox intelligence: Machine learning-based detection of impersonation attempts based on contact graph

Spoof settings (EOP):

• Enable spoof intelligence: On (recommended)
• Unauthenticated sender indicators: Show "?" in sender photo for SPF/DKIM/DMARC failures
• Show "via" tag: Show sending domain if different from From domain

Advanced phishing thresholds (Plan 1+): 1 (Standard) → 2 (Aggressive) → 3 (More Aggressive) → 4 (Most Aggressive) Higher thresholds = more detections = more false positives. Start at 2 (Aggressive).

Preset security policies: Microsoft provides Standard and Strict preset policies. Use these as a baseline:

Apply Strict to high-value users (executives, IT admins). Apply Standard to general population.

PowerShell Management

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName [email protected]

# View all anti-phishing policies
Get-AntiPhishPolicy | Select Name, Enabled, ImpersonationProtectionState

# View Safe Attachments policies
Get-SafeAttachmentPolicy | Select Name, Action, Enable

# View Safe Links policies
Get-SafeLinksPolicy | Select Name, IsEnabled, ScanUrls, EnableForInternalSenders

# Check ZAP configuration
Get-HostedContentFilterPolicy | Select Name, ZapEnabled, PhishZapEnabled, SpamZapEnabled

# View quarantined messages
Get-QuarantineMessage -StartReceivedDate (Get-Date).AddDays(-1) -PageSize 100

# Release from quarantine
Release-QuarantineMessage -Identity <QuarantineMessageIdentity> -ReleaseToAll

# View message trace
Get-MessageTrace -SenderAddress [email protected] -StartDate (Get-Date).AddDays(-2)

# View detailed message trace
Get-MessageTraceDetail -MessageTraceId <id> -RecipientAddress [email protected]

Configuration Best Practices

Priority order matters: Policies are evaluated in priority order (lowest number = highest priority). Ensure user-specific policies are higher priority than organizational defaults.

Quarantine policies: In M365, configure quarantine notification emails to let users review quarantined messages. Reduce helpdesk load.

Tenant Allow/Block List (TABL):

• Use for temporary overrides during investigations
• Block: Domain, sender, URL, file hash
• Allow: Should be used sparingly; expires automatically
• Review and clean up regularly

Submission portal: Use submissions.microsoft.com to report false positives and false negatives to Microsoft. This improves detection for all tenants.

Outbound spam: Configure outbound spam policy with notification to admin when users are blocked for sending spam (indicator of account compromise).

Reference Files

Load when you need deep architectural knowledge:

• references/architecture.md — MDO architecture layers, data flows, EOP vs. Plan 1 vs. Plan 2 capability matrix, anti-phishing policy settings reference, AIR playbooks.