Important
The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.
Applies to:
- Attack simulation training Generally Available We are pleased to announce the General Availability (GA) of Attack simulation training in Microsoft Defender for Office 365. Delivered in partnership with Terranova Security, Attack simulation training is an intelligent social engineering risk manageme.
- Microsoft Defender for Office 365, the new name for Office 365 Advanced Threat Protection. Microsoft Defender Plan 2 covers Office 365 Plan 1 capabilities (Safe Attachments, Safe Links, ATP for SharePoint, OneDrive, and Microsoft Teams, Anti-phishing in Defender for Office 365 protection, Real-time detections) plus Automation, investigation.
- Microsoft 365 Defender
Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Microsoft 365 Defender is built on top of an integration-ready platform.
Use the Microsoft 365 Defender APIs to automate workflows based on the shared incident and advanced hunting tables.
Combined incidents queue - Focus on what's critical by grouping the full attack scope and all impacted assets together under the incident API.
Cross-product threat hunting - Leverage your security team's organizational knowledge to hunt for signs of compromise, by creating your own custom queries to sift over raw data collected across multiple protection products.
Along with these Microsoft 365 Defender-specific APIs, each of our other security products expose additional APIs to help you take advantage of their unique capabilities.
Note
The transition to the unified portal should not affect the Power BI dashboards based on Microsoft Defender for Endpoint APIs. You can continue to work with the existing APIs regardless of the interactive portal transition.
Learn more
Understand how to access the APIs |
---|
Learn about API quotas and licensing |
Access the Microsoft 365 Defender APIs |
Build apps |
Create a 'Hello world' app |
Create an app to access Microsoft 365 Defender APIs on behalf of a user |
Create an app to access Microsoft 365 Defender without a user |
Create an app with multi-tenant partner access to Microsoft 365 Defender APIs |
Troubleshoot and maintain your apps |
Understand API error codes |
Manage secrets in your apps with Azure Key Vault |
Implement OAuth 2.0 authorization for user sign in |
Exchange Online Protection (EOP) is the core of security for Microsoft 365 subscriptions and helps keep malicious emails from reaching your employee's inboxes. But with new, more sophisticated attacks emerging every day, improved protections are often required. Microsoft Defender for Office 365 Plan 1 or Plan 2 contain additional features that give admins more layers of security, control, and investigation.
Although we empower security administrators to customize their security settings, there are two security levels in EOP and Microsoft Defender for Office 365 that we recommend: Standard and Strict. Each customer's environment and needs are different, but we believe that these levels of filtering will help prevent unwanted mail from reaching your employees' Inbox in most situations.
To automatically apply the Standard or Strict settings to users, see Preset security policies in EOP and Microsoft Defender for Office 365.
Note
The junk email rule needs to be enabled on mailboxes in order for filtering to work properly. It's enabled by default, but you should check it if filtering does not seem to be working. For more information, see Configure junk email settings on Exchange Online mailboxes in Office 365.
This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users.
Tip
The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can help you (admins) find the current values of these settings. Specifically, the Get-ORCAReport cmdlet generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at https://www.powershellgallery.com/packages/ORCA/.
Anti-spam, anti-malware, and anti-phishing protection in EOP
Anti-spam, anti-malware, and anti-phishing are EOP features that can be configured by admins. We recommend the following Standard or Strict configurations.
EOP anti-spam policy settings
To create and configure anti-spam policies, see Configure anti-spam policies in Office 365.
Security feature name | Default | Standard | Strict | Comment |
---|---|---|---|---|
Spam detection action (SpamAction) | Move message to Junk Email folder | Move message to Junk Email folder | Quarantine message | |
High confidence spam detection action (HighConfidenceSpamAction) | Move message to Junk Email folder | Quarantine message | Quarantine message | |
Phishing email detection action (PhishSpamAction) | Move message to Junk Email folder | Quarantine message | Quarantine message | |
High confidence phishing email detection action (HighConfidencePhishAction) | Quarantine message | Quarantine message | Quarantine message | |
Bulk email detection action (BulkSpamAction) | Move message to Junk Email folder | Move message to Junk Email folder | Quarantine message | |
Bulk email threshold (BulkThreshold) | 7 | 6 | 4 | For details, see Bulk complaint level (BCL) in Office 365. |
Quarantine retention period (QuarantineRetentionPeriod) | 15 days | 30 days | 30 days | |
Safety Tips (InlineSafetyTipsEnabled) | On | On | On | |
Allowed Senders (AllowedSenders) | None | None | None | |
Allowed Sender Domains (AllowedSenderDomains) | None | None | None | Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. Use spoof intelligence in the Security & Compliance Center on the Anti-spam settings page to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains. |
Blocked Senders (BlockedSenders) | None | None | None | |
Blocked Sender Domains (BlockedSenderDomains) | None | None | None | |
Enable end-user spam notifications (EnableEndUserSpamNotifications) | Disabled | Enabled | Enabled | |
Send end-user spam notifications every (days) (EndUserSpamNotificationFrequency) | 3 days | 3 days | 3 days | |
Spam ZAP (SpamZapEnabled) | Enabled | Enabled | Enabled | |
Phish ZAP (PhishZapEnabled) | Enabled | Enabled | Enabled | |
MarkAsSpamBulkMail | On | On | On | This setting is only available in PowerShell. |
There are several other Advanced Spam Filter (ASF) settings in anti-spam policies that are in the process of being deprecated. More information on the timelines for the deprecation of these features will be communicated outside of this article.
We recommend that you turn these ASF settings Off for both the Standard and Strict levels. For more information about ASF settings, see Advanced Spam Filter (ASF) settings in Office 365.
Security feature name | Comment |
---|---|
Image links to remote sites (IncreaseScoreWithImageLinks) | |
Numeric IP address in URL (IncreaseScoreWithNumericIps) | |
URL redirect to other port (IncreaseScoreWithRedirectToOtherPort) | |
URL to .biz or .info websites (IncreaseScoreWithBizOrInfoUrls) | |
Empty messages (MarkAsSpamEmptyMessages) | |
JavaScript or VBScript in HTML (MarkAsSpamJavaScriptInHtml) | |
Frame or IFrame tags in HTML (MarkAsSpamFramesInHtml) | |
Object tags in HTML (MarkAsSpamObjectTagsInHtml) | |
Embed tags in HTML (MarkAsSpamEmbedTagsInHtml) | |
Form tags in HTML (MarkAsSpamFormTagsInHtml) | |
Web bugs in HTML (MarkAsSpamWebBugsInHtml) | |
Apply sensitive word list (MarkAsSpamSensitiveWordList) | |
SPF record: hard fail (MarkAsSpamSpfRecordHardFail) | |
Conditional Sender ID filtering: hard fail (MarkAsSpamFromAddressAuthFail) | |
NDR backscatter (MarkAsSpamNdrBackscatter) | |
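The tables above give the values to aim for but not a way to check a tenant against them. The following script is an added example (not from the page or from Microsoft) that reports every anti-spam policy setting differing from the Standard or Strict column, checks that the ASF settings are Off, and flags any allow-listed sender domains. It assumes an open Exchange Online PowerShell session and uses Get-HostedContentFilterPolicy, the cmdlet behind anti-spam policies, which the page does not name.

```powershell
# Added example, not from the page or from Microsoft. Assumes Connect-ExchangeOnline
# has already been run; Get-HostedContentFilterPolicy is not named on the page.

# Recommended values from the anti-spam table, keyed by PowerShell parameter name.
$Recommended = @{
    SpamAction                       = @{ Standard = 'MoveToJmf';  Strict = 'Quarantine' }
    HighConfidenceSpamAction         = @{ Standard = 'Quarantine'; Strict = 'Quarantine' }
    PhishSpamAction                  = @{ Standard = 'Quarantine'; Strict = 'Quarantine' }
    HighConfidencePhishAction        = @{ Standard = 'Quarantine'; Strict = 'Quarantine' }
    BulkSpamAction                   = @{ Standard = 'MoveToJmf';  Strict = 'Quarantine' }
    BulkThreshold                    = @{ Standard = 6;            Strict = 4 }
    QuarantineRetentionPeriod        = @{ Standard = 30;           Strict = 30 }
    InlineSafetyTipsEnabled          = @{ Standard = $true;        Strict = $true }
    EnableEndUserSpamNotifications   = @{ Standard = $true;        Strict = $true }
    EndUserSpamNotificationFrequency = @{ Standard = 3;            Strict = 3 }
    SpamZapEnabled                   = @{ Standard = $true;        Strict = $true }
    PhishZapEnabled                  = @{ Standard = $true;        Strict = $true }
    MarkAsSpamBulkMail               = @{ Standard = 'On';         Strict = 'On' }
}

# ASF settings the page recommends turning Off at both levels.
$AsfSettings = @(
    'IncreaseScoreWithImageLinks', 'IncreaseScoreWithNumericIps',
    'IncreaseScoreWithRedirectToOtherPort', 'IncreaseScoreWithBizOrInfoUrls',
    'MarkAsSpamEmptyMessages', 'MarkAsSpamJavaScriptInHtml', 'MarkAsSpamFramesInHtml',
    'MarkAsSpamObjectTagsInHtml', 'MarkAsSpamEmbedTagsInHtml', 'MarkAsSpamFormTagsInHtml',
    'MarkAsSpamWebBugsInHtml', 'MarkAsSpamSensitiveWordList', 'MarkAsSpamSpfRecordHardFail',
    'MarkAsSpamFromAddressAuthFail', 'MarkAsSpamNdrBackscatter'
)

function Test-AntiSpamPolicyBaseline {
    param(
        [Parameter(Mandatory)] $Policy,   # one object returned by Get-HostedContentFilterPolicy
        [ValidateSet('Standard', 'Strict')] [string] $Level = 'Strict'
    )
    $findings = @()
    foreach ($name in $Recommended.Keys) {
        $expected = $Recommended[$name][$Level]
        $actual   = $Policy.$name
        # Compare as strings so enum values, integers and booleans all line up.
        if ("$actual" -ne "$expected") {
            $findings += [pscustomobject]@{ Policy = $Policy.Name; Setting = $name; Actual = $actual; Expected = $expected }
        }
    }
    foreach ($name in $AsfSettings) {
        if ("$($Policy.$name)" -ne 'Off') {
            $findings += [pscustomobject]@{ Policy = $Policy.Name; Setting = $name; Actual = $Policy.$name; Expected = 'Off' }
        }
    }
    # The table warns that allow-listing sender domains lets filtered mail through: flag any entry.
    if ($Policy.AllowedSenderDomains.Count -gt 0) {
        $findings += [pscustomobject]@{ Policy = $Policy.Name; Setting = 'AllowedSenderDomains'; Actual = ($Policy.AllowedSenderDomains -join ', '); Expected = 'None' }
    }
    return $findings
}

# Report drift from the Strict level for every anti-spam policy in the tenant.
Get-HostedContentFilterPolicy |
    ForEach-Object { Test-AntiSpamPolicyBaseline -Policy $_ -Level Strict } |
    Format-Table -AutoSize
```

An empty report means every policy already matches the chosen column; switch the level to Standard to compare against the other column.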
EOP outbound spam policy settings
To create and configure outbound spam policies, see Configure outbound spam filtering in Office 365.
For more information about the default sending limits in the service, see Sending limits.
Security feature name | Default | Standard | Strict | Comment |
---|---|---|---|---|
Maximum number of recipients per user: External hourly limit (RecipientLimitExternalPerHour) | 0 | 500 | 400 | The default value 0 means use the service defaults. |
Maximum number of recipients per user: Internal hourly limit (RecipientLimitInternalPerHour) | 0 | 1000 | 800 | The default value 0 means use the service defaults. |
Maximum number of recipients per user: Daily limit (RecipientLimitPerDay) | 0 | 1000 | 800 | The default value 0 means use the service defaults. |
Action when a user exceeds the limits (ActionWhenThresholdReached) | Restrict the user from sending mail till the following day | Restrict the user from sending mail | Restrict the user from sending mail | |
EOP anti-malware policy settings
To create and configure anti-malware policies, see Configure anti-malware policies in Office 365.
Security feature name | Default | Standard | Strict | Comment |
---|---|---|---|---|
Do you want to notify recipients if their messages are quarantined? (Action) | No (DeleteMessage) | No (DeleteMessage) | No (DeleteMessage) | If malware is detected in an email attachment, the message is quarantined and can be released only by an admin. |
Common Attachment Types Filter (EnableFileFilter) | Off | On | On | This setting quarantines messages that contain executable attachments based on file type, regardless of the attachment content. |
Malware Zero-hour Auto Purge (ZapEnabled) | On | On | On | |
Notify internal senders of the undelivered message (EnableInternalSenderNotifications) | Disabled | Disabled | Disabled | |
Notify external senders of the undelivered message (EnableExternalSenderNotifications) | Disabled | Disabled | Disabled | |
EOP default anti-phishing policy settings
For more information about these settings, see Spoof settings. To configure these settings, see Configure anti-phishing policies in EOP.
Security feature name | Default | Standard | Strict | Comment |
---|---|---|---|---|
Enable anti-spoofing protection (EnableSpoofIntelligence) | On | On | On | |
Enable Unauthenticated Sender (EnableUnauthenticatedSender) | On | On | On | Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Spoof settings in anti-phishing policies. |
If email is sent by someone who's not allowed to spoof your domain (AuthenticationFailAction) | Move message to the recipients' Junk Email folders | Move message to the recipients' Junk Email folders | Quarantine the message | This setting applies to blocked senders in spoof intelligence. |
Microsoft Defender for Office 365 security
Additional security benefits come with a Microsoft Defender for Office 365 subscription. For the latest news and information, you can see What's new in Defender for Office 365.
Important
The default anti-phishing policy in Microsoft Defender for Office 365 provides spoof protection and mailbox intelligence for all recipients. However, the other available impersonation protection features and advanced settings are not configured or enabled in the default policy. To enable all protection features, modify the default anti-phishing policy or create additional anti-phishing policies.
There are no default Safe Links policies or Safe Attachments policies that automatically protect all recipients in the organization. To get the protections, you need to create at least one Safe Links Policy and Safe Attachments policy.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams protection and Safe Documents protection have no dependencies on Safe Links policies.
If your subscription includes Microsoft Defender for Office 365 or if you've purchased Defender for Office 365 as an add-on, set the following Standard or Strict configurations.
Anti-phishing policy settings in Microsoft Defender for Office 365
EOP customers get basic anti-phishing as previously described, but Microsoft Defender for Office 365 includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see Configure anti-phishing policies in Defender for Office 365.
Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365
For more information about these settings, see Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365. To configure these settings, see Configure anti-phishing policies in Defender for Office 365.
Security feature name | Default | Standard | Strict | Comment |
---|---|---|---|---|
Protected users: Add users to protect (EnableTargetedUserProtection, TargetedUsersToProtect) | Off, none | On, <list of users> | On, <list of users> | Depending on your organization, we recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors. |
Protected domains: Automatically include the domains I own (EnableOrganizationDomainsProtection) | Off | On | On | |
Protected domains: Include custom domains (EnableTargetedDomainsProtection, TargetedDomainsToProtect) | Off, none | On, <list of domains> | On, <list of domains> | Depending on your organization, we recommend adding domains (sender domains) that you don't own, but you frequently interact with. |
Protected users: If email is sent by an impersonated user (TargetedUserProtectionAction) | Don't apply any action | Quarantine the message | Quarantine the message | |
Protected domains: If email is sent by an impersonated domain (TargetedDomainProtectionAction) | Don't apply any action | Quarantine the message | Quarantine the message | |
Show tip for impersonated users (EnableSimilarUsersSafetyTips) | Off | On | On | |
Show tip for impersonated domains (EnableSimilarDomainsSafetyTips) | Off | On | On | |
Show tip for unusual characters (EnableUnusualCharactersSafetyTips) | Off | On | On | |
Enable Mailbox intelligence? (EnableMailboxIntelligence) | On | On | On | |
Enable Mailbox intelligence based impersonation protection? (EnableMailboxIntelligenceProtection) | Off | On | On | |
If email is sent by an impersonated user protected by mailbox intelligence (MailboxIntelligenceProtectionAction) | Don't apply any action | Move message to the recipients' Junk Email folders | Quarantine the message | |
Trusted senders (ExcludedSenders) | None | None | None | Depending on your organization, we recommend adding users that incorrectly get marked as phishing due to impersonation only and not other filters. |
Trusted domains (ExcludedDomains) | None | None | None | Depending on your organization, we recommend adding domains that incorrectly get marked as phishing due to impersonation only and not other filters. |
Spoof settings in anti-phishing policies in Microsoft Defender for Office 365
Note that these are the same settings that are available in anti-spam policy settings in EOP.
Security feature name | Default | Standard | Strict | Comment |
---|---|---|---|---|
Enable anti-spoofing protection (EnableSpoofIntelligence) | On | On | On | |
Enable Unauthenticated Sender (EnableUnauthenticatedSender) | On | On | On | Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Spoof settings in anti-phishing policies. |
If email is sent by someone who's not allowed to spoof your domain (AuthenticationFailAction) | Move message to the recipients' Junk Email folders | Move message to the recipients' Junk Email folders | Quarantine the message | This setting applies to blocked senders in spoof intelligence. |
Advanced settings in anti-phishing policies in Microsoft Defender for Office 365
For more information about this setting, see Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365. To configure this setting, see Configure anti-phishing policies in Defender for Office 365.
Security feature name | Default | Standard | Strict | Comment |
---|---|---|---|---|
Advanced phishing thresholds (PhishThresholdLevel) | 1 - Standard | 2 - Aggressive | 3 - More aggressive | |
Safe Links settings
Safe Links in Defender for Office 365 includes global settings that apply to all users who are included in active Safe Links policies, and settings that are specific to each Safe Links policy. For more information, see Safe Links in Defender for Office 365.
Global settings for Safe Links
To configure these settings, see Configure global settings for Safe Links in Defender for Office 365.
In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.
Security feature name | Default | Standard | Strict | Comment |
---|---|---|---|---|
Use Safe Links in: Office 365 applications (EnableSafeLinksForO365Clients) | On | On | On | Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see Safe Links settings for Office 365 apps. |
Do not track when users click Safe Links (TrackClicks) | On | Off | Off | Turning off this setting (setting TrackClicks to $true) tracks user clicks in supported Office 365 apps. |
Do not let users click through Safe Links to original URL (AllowClickThrough) | On | On | On | Turning on this setting (setting AllowClickThrough to $false) prevents click through to the original URL in supported Office 365 apps. |
Safe Links policy settings
To configure these settings, see Set up Safe Links policies in Microsoft Defender for Office 365.
In PowerShell, you use the New-SafeLinksPolicy and Set-SafeLinksPolicy cmdlets for these settings.
Note
As described earlier, there is no default Safe Links policy. The values in the Default column are the default values in new Safe Links policies that you create.
Security feature name | Default | Standard | Strict | Comment |
---|---|---|---|---|
Select the action for unknown potentially malicious URLs in messages (IsEnabled) | Off | On | On | |
Select the action for unknown or potentially malicious URLs within Microsoft Teams (EnableSafeLinksForTeams) | Off | On | On | |
Apply real-time URL scanning for suspicious links and links that point to files (ScanUrls) | Off | On | On | |
Wait for URL scanning to complete before delivering the message (DeliverMessageAfterScan) | Off | On | On | |
Apply Safe Links to email messages sent within the organization (EnableForInternalSenders) | Off | On | On | |
Do not track user clicks (DoNotTrackUserClicks) | Off | Off | Off | Turning off this setting (setting DoNotTrackUserClicks to $false) tracks user clicks. |
Do not allow users to click through to original URL (DoNotAllowClickThrough) | Off | On | On | Turning on this setting (setting DoNotAllowClickThrough to $true) prevents click through to the original URL. |
Safe Attachments settings
Safe Attachments in Microsoft Defender for Office 365 includes global settings that have no relationship to Safe Attachments policies, and settings that are specific to each Safe Attachments policy. For more information, see Safe Attachments in Defender for Office 365.
Global settings for Safe Attachments
To configure these settings, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Safe Documents in Microsoft 365 E5.
In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.
Security feature name | Default | Standard | Strict | Comment |
---|---|---|---|---|
Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams (EnableATPForSPOTeamsODB) | | On | On | |
Turn on Safe Documents for Office clients (EnableSafeDocs) | | On | On | This setting is only available with Microsoft 365 E5 or Microsoft 365 E5 Security licenses. For more information, see Safe Documents in Microsoft Defender for Office 365. |
Allow people to click through Protected View even if Safe Documents identified the file as malicious (AllowSafeDocsOpen) | | Off | Off | This setting is related to Safe Documents. |
Safe Attachments policy settings
To configure these settings, see Set up Safe Attachments policies in Defender for Office 365.
In PowerShell, you use the New-SafeAttachmentPolicy and Set-SafeAttachmentPolicy cmdlets for these settings.
Note
As described earlier, there is no default Safe Attachments policy. The values in the Default column are the default values in new Safe Attachments policies that you create.
Security feature name | Default | Standard | Strict | Comment |
---|---|---|---|---|
Safe Attachments unknown malware response (Action) | Block | Block | Block | |
Redirect attachment on detection: Enable redirect (Redirect, RedirectAddress) | Off, and no email address specified (RedirectAddress: none) | On, and specify an email address (RedirectAddress: an email address) | On, and specify an email address (RedirectAddress: an email address) | Redirect messages to a security admin for review. |
Apply the above selection if malware scanning for attachments times out or an error occurs (ActionOnError) | On | On | On | |
Related articles
Microsoft Defender For Office 365 E3
Are you looking for best practices for Exchange mail flow rules (also known as transport rules)? See Best practices for configuring mail flow rules in Exchange Online.
Admins and users can submit false positives (good email marked as bad) and false negatives (bad email allowed) to Microsoft for analysis. For more information, see Report messages and files to Microsoft.
Use these links for info on how to set up your EOP service and configure Microsoft Defender for Office 365. Don't forget the helpful directions in 'Protect Against Threats in Office 365'.
Security baselines for Windows can be found here: Where can I get the security baselines? for GPO/on-premises options, and Use security baselines to configure Windows 10 devices in Intune for Intune-based security. Finally, a comparison between Microsoft Defender for Endpoint and Microsoft Intune security baselines is available in Compare the Microsoft Defender for Endpoint and the Windows Intune security baselines.