Microsoft Defender For Office 365

Posted on  by 



-->

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

  1. Attack simulation training Generally Available We are pleased to announce the General Availability (GA) of Attack simulation training in Microsoft Defender for Office 365. Delivered in partnership with Terranova Security, Attack simulation training is an intelligent social engineering risk manageme.
  2. Microsoft Defender for Office 365, the new name for Office 365 Advanced Threat Protection. Microsoft Defender Plan 2 cover Office 365 Plan 1 capabilities (Safe Attachments, Safe Links, ATP for SharePoint, OneDrive, and Microsoft Teams, Anti-phishing in Defender for Office 365 protection, Real-time detections) plus Automation, investigation.
  • Microsoft 365 Defender

Important

This telemetry is made up of signals from across Microsoft’s services such as Microsoft Defender ATP, Office 365 ATP and data from Microsoft’s cybersecurity teams and global law enforcement etc. Microsoft call this pool of data the ‘Microsoft Intelligent Security Graph’. Microsoft runs world-class machine learning, AI and big data. Open a service request in the Microsoft 365/Office 365 Admin Center. Premium, Unified and Paid Technical Support Get technical support for on-premise Microsoft products and services. Microsoft Defender for Office 365 builds on top of Exchange Online Protection (EOP) that all users of Exchange in the cloud are protected. EOP provides connection, spam, and malware filtering settings for incoming email, outbound spam settings, and quarantine of questionable emails and Domain Keys Identified Mail (DKIM) settings.

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Microsoft 365 Defender is built on top of an integration-ready platform.

Microsoft Defender For Office 365

Use the Microsoft 365 Defender APIs to automate workflows based on the shared incident and advanced hunting tables.

  • Combined incidents queue - Focus on what's critical by grouping the full attack scope and all impacted assets together under the incident API.

  • Cross-product threat hunting - Leverage your security team's organizational knowledge to hunt for signs of compromise, by creating your own custom queries to sift over raw data collected across multiple protection products.

Microsoft

Along with these Microsoft 365 Defender-specific APIs, each of our other security products expose additional APIs to help you take advantage of their unique capabilities.

Note

The transition to the unified portal should not affect the PowerBi dashboards based on Microsoft Defender for Endpoint APIs. You can continue to work with the existing APIs regardless of the interactive portal transition.

Learn more

Understand how to access the APIs
Learn about API quotas and licensing
Access the Microsoft 365 Defender APIs
Build apps
Create a 'Hello world' app
Create an app to access Microsoft 365 Defender APIs on behalf of a user
Create an app to access Microsoft 365 Defender without a user
Create an app with multi-tenant partner access to Microsoft 365 Defender APIs
Troubleshoot and maintain your apps
Understand API error codes
Manage secrets in your apps with Azure Key Vault
Implement OAuth 2.0 authorization for user sign in
-->

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

Exchange Online Protection (EOP) is the core of security for Microsoft 365 subscriptions and helps keep malicious emails from reaching your employee's inboxes. But with new, more sophisticated attacks emerging every day, improved protections are often required. Microsoft Defender for Office 365 Plan 1 or Plan 2 contain additional features that give admins more layers of security, control, and investigation.

Although we empower security administrators to customize their security settings, there are two security levels in EOP and Microsoft Defender for Office 365 that we recommend: Standard and Strict. Each customer's environment and needs are different, but we believe that these levels of filtering will help prevent unwanted mail from reaching your employees' Inbox in most situations.

To automatically apply the Standard or Strict settings to users, see Preset security policies in EOP and Microsoft Defender for Office 365.

Note

The junk email rule needs to be enabled on mailboxes in order for filtering to work properly. It's enabled by default, but you should check it if filtering does not seem to be working. For more information, see Configure junk email settings on Exchange Online mailboxes in Office 365.

This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users.

Tip

The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can help you (admins) find the current values of these settings. Specifically, the Get-ORCAReport cmdlet generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at https://www.powershellgallery.com/packages/ORCA/.

Anti-spam, anti-malware, and anti-phishing protection in EOP

Anti-spam, anti-malware, and anti-phishing are EOP features that can be configured by admins. We recommend the following Standard or Strict configurations.

EOP anti-spam policy settings

To create and configure anti-spam policies, see Configure anti-spam policies in Office 365.

Defender
Security feature nameDefaultStandardStrictComment
Spam detection action

SpamAction

Move message to Junk Email folder

MoveToJmf

Move message to Junk Email folder

MoveToJmf

Quarantine message

Quarantine

High confidence spam detection action

HighConfidenceSpamAction

Move message to Junk Email folder

MoveToJmf

Quarantine message

Quarantine

Quarantine message

Quarantine

Phishing email detection action

PhishSpamAction

Move message to Junk Email folder

MoveToJmf

Quarantine message

Quarantine

Quarantine message

Quarantine

High confidence phishing email detection action

HighConfidencePhishAction

Quarantine message

Quarantine

Quarantine message

Quarantine

Quarantine message

Quarantine

Bulk email detection action

BulkSpamAction

Move message to Junk Email folder

MoveToJmf

Move message to Junk Email folder

MoveToJmf

Quarantine message

Quarantine

Bulk email threshold

BulkThreshold

764For details, see Bulk complaint level (BCL) in Office 365.
Quarantine retention period

QuarantineRetentionPeriod

15 days30 days30 days
Safety Tips

InlineSafetyTipsEnabled

On

$true

On

$true

On

$true

Allowed Senders

AllowedSenders

NoneNoneNone
Allowed Sender Domains

AllowedSenderDomains

NoneNoneNoneAdding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out.

Use spoof intelligence in the Security & Compliance Center on the Anti-spam settings page to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.

Blocked Senders

BlockedSenders

NoneNoneNone
Blocked Sender Domains

BlockedSenderDomains

NoneNoneNone
Enable end-user spam notifications

EnableEndUserSpamNotifications

Disabled

$false

Enabled

$true

Enabled

$true

Send end-user spam notifications every (days)

EndUserSpamNotificationFrequency

3 days3 days3 days
Spam ZAP

SpamZapEnabled

Enabled

$true

Enabled

$true

Enabled

$true

Phish ZAP

PhishZapEnabled

Enabled

$true

Enabled

$true

Enabled

$true

MarkAsSpamBulkMailOnOnOnThis setting is only available in PowerShell.

There are several other Advanced Spam Filter (ASF) settings in anti-spam policies that are in the process of being deprecated. More information on the timelines for the depreciation of these features will be communicated outside of this article.

We recommend that you turn these ASF settings Off for both Standard and Strict levels. For more information about ASF settings, see Advanced Spam Filter (ASF) settings in Office 365.

Security feature nameComment
Image links to remote sites (IncreaseScoreWithImageLinks)
Numeric IP address in URL (IncreaseScoreWithNumericIps)
UL redirect to other port (IncreaseScoreWithRedirectToOtherPort)
URL to .biz or .info websites (IncreaseScoreWithBizOrInfoUrls)
Empty messages (MarkAsSpamEmptyMessages)
JavaScript or VBScript in HTML (MarkAsSpamJavaScriptInHtml)
Frame or IFrame tags in HTML (MarkAsSpamFramesInHtml)
Object tags in HTML (MarkAsSpamObjectTagsInHtml)
Embed tags in HTML (MarkAsSpamEmbedTagsInHtml)
Form tags in HTML (MarkAsSpamFormTagsInHtml)
Web bugs in HTML (MarkAsSpamWebBugsInHtml)
Apply sensitive word list (MarkAsSpamSensitiveWordList)
SPF record: hard fail (MarkAsSpamSpfRecordHardFail)
Conditional Sender ID filtering: hard fail (MarkAsSpamFromAddressAuthFail)
NDR backscatter (MarkAsSpamNdrBackscatter)

EOP outbound spam policy settings

To create and configure outbound spam policies, see Configure outbound spam filtering in Office 365.

For more information about the default sending limits in the service, see Sending limits.

Security feature nameDefaultStandardStrictComment
Maximum number of recipients per user: External hourly limit

RecipientLimitExternalPerHour

0500400The default value 0 means use the service defaults.
Maximum number of recipients per user: Internal hourly limit

RecipientLimitInternalPerHour

01000800The default value 0 means use the service defaults.
Maximum number of recipients per user: Daily limit

RecipientLimitPerDay

01000800The default value 0 means use the service defaults.
Action when a user exceeds the limits

ActionWhenThresholdReached

Restrict the user from sending mail till the following day

BlockUserForToday

Restrict the user from sending mail

BlockUser

Restrict the user from sending mail

BlockUser

EOP anti-malware policy settings

To create and configure anti-malware policies, see Configure anti-malware policies in Office 365.

Security feature nameDefaultStandardStrictComment
Do you want to notify recipients if their messages are quarantined?

Action

No

DeleteMessage

No

DeleteMessage

No

DeleteMessage

If malware is detected in an email attachment, the message is quarantined and can be released only by an admin.
Common Attachment Types Filter

EnableFileFilter

Off

$false

On

$true

On

$true

This setting quarantines messages that contain executable attachments based on file type, regardless of the attachment content.
Malware Zero-hour Auto Purge

ZapEnabled

On

$true

On

$true

On

$true

Notify internal senders of the undelivered message

EnableInternalSenderNotifications

Disabled

$false

Disabled

$false

Disabled

$false

Notify external senders of the undelivered message

EnableExternalSenderNotifications

Disabled

$false

Disabled

$false

Disabled

$false

EOP default anti-phishing policy settings

For more information about these settings, see Spoof settings. To configure these settings, see Configure anti-phishing policies in EOP.

Security feature nameDefaultStandardStrictComment
Enable anti-spoofing protection

EnableSpoofIntelligence

On

$true

On

$true

On

$true

Enable Unauthenticated Sender

EnableUnauthenticatedSender

On

$true

On

$true

On

$true

Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Spoof settings in anti-phishing policies.
If email is sent by someone who's not allowed to spoof your domain

AuthenticationFailAction

Move message to the recipients' Junk Email folders

MoveToJmf

Move message to the recipients' Junk Email folders

MoveToJmf

Quarantine the message

Quarantine

This setting applies to blocked senders in spoof intelligence.

Microsoft Defender for Office 365 security

Additional security benefits come with a Microsoft Defender for Office 365 subscription. For the latest news and information, you can see What's new in Defender for Office 365.

Important

  • The default anti-phishing policy in Microsoft Defender for Office 365 provides spoof protection and mailbox intelligence for all recipients. However, the other available impersonation protection features and advanced settings are not configured or enabled in the default policy. To enable all protection features, modify the default anti-phishing policy or create additional anti-phishing policies.

  • There are no default Safe Links policies or Safe Attachments policies that automatically protect all recipients in the organization. To get the protections, you need to create at least one Safe Links Policy and Safe Attachments policy.

  • Safe Attachments for SharePoint, OneDrive, and Microsoft Teams protection and Safe Documents protection have no dependencies on Safe Links policies.

If your subscription includes Microsoft Defender for Office 365 or if you've purchased Defender for Office 365 as an add-on, set the following Standard or Strict configurations.

Anti-phishing policy settings in Microsoft Defender for Office 365

EOP customers get basic anti-phishing as previously described, but Microsoft Defender for Office 365 includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see Configure anti-phishing policies in Defender for Office 365.

Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about these settings, see Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365. To configure these settings, see Configure anti-phishing policies in Defender for Office 365.

Security feature nameDefaultStandardStrictComment
Protected users: Add users to protect

EnableTargetedUserProtection

TargetedUsersToProtect

Off

$false

none

On

$true

<list of users>

On

$true

<list of users>

Depending on your organization, we recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.
Protected domains: Automatically include the domains I own

EnableOrganizationDomainsProtection

Off

$false

On

$true

On

$true

Protected domains: Include custom domains

EnableTargetedDomainsProtection

TargetedDomainsToProtect

Off

$false

none

On

$true

<list of domains>

On

$true

<list of domains>

Depending on your organization, we recommend adding domains (sender domains) that you don't own, but you frequently interact with.
Protected users: If email is sent by an impersonated user

TargetedUserProtectionAction

Don't apply any action

NoAction

Quarantine the message

Quarantine

Quarantine the message

Quarantine

Protected domains: If email is sent by an impersonated domain

TargetedDomainProtectionAction

Don't apply any action

NoAction

Quarantine the message

Quarantine

Quarantine the message

Quarantine

Show tip for impersonated users

EnableSimilarUsersSafetyTips

Off

$false

On

$true

On

$true

Show tip for impersonated domains

Mtk p35. EnableSimilarDomainsSafetyTips

Off

$false

On

$true

On

$true

Show tip for unusual characters

EnableUnusualCharactersSafetyTips

Off

$false

On

$true

On

$true

Enable Mailbox intelligence?

EnableMailboxIntelligence

On

$true

On

$true

On

$true

Enable Mailbox intelligence based impersonation protection?

EnableMailboxIntelligenceProtection

Off

$false

On

$true

On

$true

If email is sent by an impersonated user protected by mailbox intelligence

MailboxIntelligenceProtectionAction

Don't apply any action

NoAction

Move message to the recipients' Junk Email folders

MoveToJmf

Quarantine the message

Quarantine

Trusted senders

ExcludedSenders

NoneNoneNoneDepending on your organization, we recommend adding users that incorrectly get marked as phishing due to impersonation only and not other filters.
Trusted domains

ExcludedDomains

NoneNoneNoneDepending on your organization, we recommend adding domains that incorrectly get marked as phishing due to impersonation only and not other filters.

Spoof settings in anti-phishing policies in Microsoft Defender for Office 365

Note that these are the same settings that are available in anti-spam policy settings in EOP.

Security feature nameDefaultStandardStrictComment
Enable anti-spoofing protection

EnableSpoofIntelligence

On

$true

On

$true

On

$true

Enable Unauthenticated Sender

EnableUnauthenticatedSender

On

$true

On

$true

On

$true

Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Spoof settings in anti-phishing policies.
If email is sent by someone who's not allowed to spoof your domain

AuthenticationFailAction

Move message to the recipients' Junk Email folders

MoveToJmf

Move message to the recipients' Junk Email folders

MoveToJmf

Quarantine the message

Quarantine

This setting applies to blocked senders in spoof intelligence.

Advanced settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about this setting, see Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365. To configure this setting, see Configure anti-phishing policies in Defender for Office 365.

Security feature nameDefaultStandardStrictComment
Advanced phishing thresholds

PhishThresholdLevel

1 - Standard

1

2 - Aggressive

2

3 - More aggressive

3

Safe Links settings

Safe Links in Defender for Office 365 includes global settings that apply to all users who are included in active Safe Links policies, and settings that are specific to each Safe Links policy. For more information, see Safe Links in Defender for Office 365.

Global settings for Safe Links

To configure these settings, see Configure global settings for Safe Links in Defender for Office 365.

In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.

Security feature nameDefaultStandardStrictComment
Use Safe Links in: Office 365 applications

EnableSafeLinksForO365Clients

On

$true

On

$true

On

$true

Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see Safe Links settings for Office 365 apps.
Do not track when users click Safe Links

TrackClicks

On

$false

Off

$true

Off

$true

Turning off this setting (setting TrackClicks to $true) tracks user clicks in supported Office 365 apps.
Do not let users click through Safe Links to original URL

AllowClickThrough

On

$false

On

$false

On

$false

Turning on this setting (setting AllowClickThrough to $false) prevents click through to the original URL in supported Office 365 apps.

Safe Links policy settings

To configure these settings, see Set up Safe Links policies in Microsoft Defender for Office 365.

Microsoft Defender For Office 365 (plan 1)

In PowerShell, you use the New-SafeLinksPolicy and Set-SafeLinksPolicy cmdlets for these settings.

Note

As described earlier, there is no default Safe Links policy. The values in the Default column are the default values in new Safe Links policies that you create.

Security feature nameDefaultStandardStrictComment
Select the action for unknown potentially malicious URLs in messages

IsEnabled

Off

$false

On

$true

On

$true

Select the action for unknown or potentially malicious URLs within Microsoft Teams

EnableSafeLinksForTeams

Off

$false

On

$true

On

$true

Apply real-time URL scanning for suspicious links and links that point to files

ScanUrls

Off

$false

On

$true

On

$true

Wait for URL scanning to complete before delivering the message

DeliverMessageAfterScan

Off

$false

On

$true

On

$true

Apply Safe Links to email messages sent within the organization

EnableForInternalSenders

Off

$false

On

$true

On

$true

Do not track user clicks

DoNotTrackUserClicks

Off

$false

Off

$false

Off

$false

Turning off this setting (setting DoNotTrackUserClicks to $false) tracks users clicks.
Do not allow users to click through to original URL

DoNotAllowClickThrough

Off

$false

On

$true

On

$true

Turning on this setting (setting DoNotAllowClickThrough to $true) prevents click through to the original URL.

Safe Attachments settings

Safe Attachments in Microsoft Defender for Office 365 includes global settings that have no relationship to Safe Attachments policies, and settings that are specific to each Safe Links policy. For more information, see Safe Attachments in Defender for Office 365.

Global settings for Safe Attachments

To configure these settings, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Safe Documents in Microsoft 365 E5.

In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.

Security feature nameDefaultStandardStrictComment
Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams

EnableATPForSPOTeamsODB

On

$true

On

$true

Turn on Safe Documents for Office clients

EnableSafeDocs

On

$true

On

$true

This setting is only available with Microsoft 365 E5 or Microsoft 365 E5 Security licenses. For more information, see Safe Documents in Microsoft Defender for Office 365.
Allow people to click through Protected View even if Safe Documents identified the file as malicious

AllowSafeDocsOpen

Off

$false

Off

$false

This setting is related to Safe Documents.

Safe Attachments policy settings

To configure these settings, see Set up Safe Attachments policies in Defender for Office 365.

In PowerShell, you use the New-SafeAttachmentPolicy and Set-SafeAttachmentPolicy cmdlets for these settings.

Note

As described earlier, there is no default Safe Attachments policy. The values in the Default column are the default values in new Safe Attachments policies that you create.

Security feature nameDefaultStandardStrictComment
Safe Attachments unknown malware response

Action

Block

Block

Block

Block

Block

Block

Redirect attachment on detection : Enable redirect

Redirect

RedirectAddress

Off, and no email address specified.

$true

none

On, and specify an email address.

$true

an email address

On, and specify an email address.

$true

an email address

Redirect messages to a security admin for review.
Apply the above selection if malware scanning for attachments times out or error occurs.

ActionOnError

On

$true

On

$true

On

$true

Related articles

Microsoft Defender For Office 365 E3

  • Are you looking for best practices for Exchange mail flow rules (also known as transport rules)? See Best practices for configuring mail flow rules in Exchange Online.

  • Admins and users can submit false positives (good email marked as bad) and false negatives (bad email allowed) to Microsoft for analysis. For more information, see Report messages and files to Microsoft.

  • Use these links for info on how to set up your EOP service, and configureMicrosoft Defender for Office 365. Don't forget the helpful directions in 'Protect Against Threats in Office 365'.

  • Security baselines for Windows can be found here: Where can I get the security baselines? for GPO/on-premises options, and Use security baselines to configure Windows 10 devices in Intune for Intune-based security. Finally, a comparison between Microsoft Defender for Endpoint and Microsoft Intune security baselines is available in Compare the Microsoft Defender for Endpoint and the Windows Intune security baselines.





Coments are closed