L3. Defender for Office 365: Email Threat Protection
Defender for Office 365 protects against phishing, business email compromise, and malicious attachments. This lesson covers Safe Attachments, Safe Links, anti-phishing policies, and Threat Explorer for the SC-200 exam.
Defender for Office 365 Overview
Microsoft Defender for Office 365 (MDO) protects Exchange Online, SharePoint Online, OneDrive, and Microsoft Teams against email-based and collaboration-based threats. It comes in two plans:
| Feature | Plan 1 | Plan 2 |
|---|---|---|
| Safe Attachments | Yes | Yes |
| Safe Links | Yes | Yes |
| Anti-phishing policies | Yes | Yes |
| Threat Explorer | No | Yes |
| Automated Investigation | No | Yes |
| Attack Simulation Training | No | Yes |
| Campaign Views | No | Yes |
Plan 1 has Real-time detections in place of Threat Explorer, a more limited view of the same detection data. Plan 2 is included in Microsoft 365 E5 and Office 365 E5 and can also be bought as an add-on.
Safe Attachments
Safe Attachments opens email attachments in a virtual environment and observes what they do (Microsoft calls this "detonation") before delivery, in addition to the signature-based anti-malware scanning that Exchange Online Protection already performs. Policy actions include:
- Block: The whole message is quarantined and not delivered. This is the default and the action used by the Standard and Strict preset security policies.
- Replace: Remove the detected attachment, deliver the rest of the message with a notification, and quarantine the original. Microsoft has marked this action for deprecation.
- Dynamic Delivery: Deliver the message body immediately with the attachment replaced by a placeholder; when scanning completes, a clean attachment is reattached and a malicious one is quarantined. Available only for Exchange Online mailboxes.
- Monitor: Deliver the message and record the detection. Useful for a short baseline, not a production setting.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is a separate global setting rather than part of a Safe Attachments policy. Detected files are locked in place: users still see them in the library but cannot open, move, copy, or share them.
Safe Links
Safe Links rewrites URLs in inbound email so that clicks route through Microsoft's Safe Links service (hosts under safelinks.protection.outlook.com) and are checked at time of click; in Office apps and Teams the same check runs at click time without rewriting the link. When a user clicks a rewritten URL:
- The URL is checked against a blocklist of known malicious sites
- If not blocked, a real-time reputation scan runs
- If the URL is safe, the user is redirected to the destination
- If the URL is malicious, a warning page is displayed. Keep the "Let users click through to the original URL" setting off, otherwise the warning is only advisory.
Key configuration options:
- Track user clicks: Required for the URL clicks view in Threat Explorer and for the URL click reports
- Do not rewrite URLs, do checks via Safe Links API only: Keeps the original URL visible to the user; supported Outlook clients still check the link at click time
- Do not rewrite the following URLs: An exclusion list for trusted internal applications; use it sparingly, because excluded links get no time-of-click check
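To make the rewriting concrete, here is an added example (not code from the page or from Microsoft) that unwraps Safe Links-style URLs found in a message body so an analyst can see the real destinations, including links that were wrapped twice because mail was forwarded between tenants. It assumes only the public wrapper shape: a host under safelinks.protection.outlook.com with the original target in the url= query parameter. The wrap_safelink helper, the nam06 region prefix, the data= value and the sample message body are constructed for the example.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Public wrapper shape: https://<region>.safelinks.protection.outlook.com/?url=<encoded target>&...
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_safelinks_host(host: str) -> bool:
    """True only for a real subdomain of the Safe Links service.

    The leading dot in the suffix matters: a lookalike such as
    safelinks.protection.outlook.com.evil.example does not end with it.
    """
    return host.lower().endswith(SAFELINKS_SUFFIX)


def unwrap_safelink(url: str, max_depth: int = 5) -> str:
    """Return the destination behind a Safe Links wrapper, or the URL unchanged
    if it is not wrapped. Peels nested wrappers up to max_depth layers."""
    current = url
    for _ in range(max_depth):
        parts = urlsplit(current)
        if not is_safelinks_host(parts.hostname or ""):
            return current
        target = parse_qs(parts.query).get("url")  # parse_qs percent-decodes the value
        if not target:
            raise ValueError(f"Safe Links wrapper without url= parameter: {current}")
        current = target[0]
    raise ValueError("too many nested Safe Links wrappers")


def wrap_safelink(url: str, region: str = "nam06") -> str:
    """Constructed approximation of a rewritten link, used only to build sample input.
    Real wrappers carry more parameters (data=, sdata=); only url= matters here."""
    return f"https://{region}{SAFELINKS_SUFFIX}/?url={quote(url, safe='')}&data=05%7C01%7C&reserved=0"


def extract_destinations(body: str) -> list[str]:
    """Unique real destinations of every URL in a message body, wrapped or not."""
    return sorted({unwrap_safelink(u.rstrip(".,);")) for u in URL_RE.findall(body)})


# Constructed sample body: one rewritten external link and one internal link that
# sits on the policy's "do not rewrite" list, so it arrives untouched.
SAMPLE_BODY = (
    "Please review the invoice: "
    + wrap_safelink("https://invoice-portal.example/pay?id=42")
    + "\nInternal wiki: https://wiki.corp.example/page\n"
)

if __name__ == "__main__":
    for dest in extract_destinations(SAMPLE_BODY):
        print(dest)
```

The host test keeps the leading dot on purpose: a phishing page hosted at a domain that merely starts with safelinks.protection.outlook.com is left alone rather than being trusted as a wrapper. The unwrapped destination is also what Threat Explorer's URL clicks view records, so it is the value to pivot on when hunting across the tenant.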
Anti-Phishing Policies
Anti-phishing policies combine spoof intelligence, which is Exchange Online Protection functionality available to every tenant, with impersonation protection and mailbox intelligence, which require Defender for Office 365:
- User impersonation protection: Detects messages whose display name or address mimics specific high-value users you list (executives, finance staff; up to 350 per policy)
- Domain impersonation protection: Detects senders whose domain visually resembles the custom domains you list, or every domain you own if that option is enabled
- Mailbox intelligence: Learns who each recipient normally corresponds with and flags senders that break the pattern; mailbox intelligence-based impersonation protection applies a policy action to those messages
- Spoof intelligence: Evaluates email authentication (SPF, DKIM, DMARC) and composite authentication to detect senders spoofing your domains or external domains
Actions for detected impersonation: don't apply any action, redirect the message to other addresses, move to the recipient's Junk Email folder, quarantine, deliver and Bcc other addresses, or delete before delivery. Impersonation safety tips are a separate toggle, not an action. Exam tip: Mailbox intelligence requires the mailbox to be hosted in Exchange Online. It does not work with on-premises mailboxes.
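The following added example (not code from the page or from Microsoft, whose classifiers are far richer than this) runs the spoof, user-impersonation and domain-impersonation checks described above over constructed From headers and Authentication-Results summaries, and maps each detection to a policy action the way an anti-phishing policy does. The protected users and domains, the trusted-sender exclusion, the policy actions, the homoglyph table and the sample messages are all constructed; the edit-distance plus homoglyph test is a stand-in for Microsoft's lookalike scoring, not the real algorithm.

```python
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed policy: which identities are protected and what each detection does.
# Action names mirror the anti-phishing policy choices (Quarantine, MoveToJmf, NoAction).
PROTECTED_USERS = {"Jane Doe": "jane.doe@contoso.example"}   # display name -> real address
PROTECTED_DOMAINS = {"contoso.example"}
OWN_DOMAINS = {"contoso.example"}
TRUSTED_SENDERS = {"partner@contoso-partner.example"}        # impersonation exclusions
POLICY = {
    "spoof": "Quarantine",
    "user_impersonation": "Quarantine",
    "domain_impersonation": "MoveToJmf",
}

# Constructed homoglyph map: digits attackers swap in for similar-looking letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


@dataclass
class Verdict:
    reason: str
    action: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse common lookalike tricks before comparing domains."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def looks_like(domain: str, protected: str) -> bool:
    """Lookalike test: not the protected domain itself, but within two edits of it
    or identical once homoglyphs are normalized."""
    if domain == protected:
        return False
    return normalize(domain) == normalize(protected) or edit_distance(domain, protected) <= 2


def evaluate(from_header: str, auth_results: str) -> Verdict:
    """Apply the spoof, user-impersonation and domain-impersonation checks in that order."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rsplit("@", 1)[-1]

    # Spoof intelligence: the From domain is ours, but the message failed DMARC.
    if domain in OWN_DOMAINS and "dmarc=fail" in auth_results.lower():
        return Verdict("spoof: own domain with dmarc=fail", POLICY["spoof"])

    # Policy exclusions are honoured before any impersonation check.
    if address in TRUSTED_SENDERS:
        return Verdict("trusted sender exclusion", "NoAction")

    # User impersonation: a protected display name on an address that is not the real one.
    real_address = PROTECTED_USERS.get(display_name.strip())
    if real_address and address != real_address:
        return Verdict(f"user impersonation of {real_address}", POLICY["user_impersonation"])

    # Domain impersonation: the sender domain resembles a protected domain.
    for protected in PROTECTED_DOMAINS:
        if looks_like(domain, protected):
            return Verdict(f"domain impersonation of {protected}", POLICY["domain_impersonation"])

    return Verdict("no impersonation detected", "NoAction")


# Constructed sample messages: (From header, Authentication-Results summary).
SAMPLES = [
    ('"Jane Doe" <jane.doe@contoso.example>', "spf=pass dkim=pass dmarc=pass"),
    ('"Jane Doe" <jane.doe@contoso.example>', "spf=fail dkim=none dmarc=fail"),
    ('"Jane Doe" <jane.doe.ceo@freemail.example>', "spf=pass dkim=pass dmarc=pass"),
    ('"Accounts Payable" <ap@c0ntoso.example>', "spf=pass dkim=pass dmarc=pass"),
]


def run_samples() -> list[tuple[str, str]]:
    return [(frm, evaluate(frm, auth).action) for frm, auth in SAMPLES]


if __name__ == "__main__":
    for frm, action in run_samples():
        print(f"{action:12} {frm}")
```

Two things the ordering illustrates: the same From header is legitimate with dmarc=pass and a spoof with dmarc=fail, which is why spoof intelligence is evaluated on authentication results rather than on the address alone, and a lookalike test loose enough to catch c0ntoso.example will also flag legitimately similar partner domains, which is what the trusted senders and domains exclusion in the policy is for.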
Threat Explorer
Threat Explorer (Plan 2 only) is the primary investigation tool for email-based threats and holds the last 30 days of detection data. Key views:
- All email: Complete view of inbound and outbound mail flow
- Malware: Emails detected with malicious attachments
- Phish: Emails identified as phishing attempts
- Content malware: Malicious files in SharePoint, OneDrive, and Teams
From Threat Explorer, analysts can:
- Soft delete or hard delete emails from mailboxes
- Trigger automated investigations
- Review email headers and delivery details
- Submit messages to Microsoft for analysis
Zero-Hour Auto Purge (ZAP)
ZAP retroactively removes malicious emails that were already delivered to user mailboxes. If threat intelligence updates identify a previously delivered email as malicious, ZAP applies the action configured for that verdict: malware is always quarantined, while phishing and spam get the action set in the anti-spam policy (quarantine or move to Junk). ZAP is Exchange Online Protection functionality, enabled in the anti-malware and anti-spam policies, and works only for Exchange Online mailboxes. It covers malware, phishing, and spam verdicts.
- ✓Plan 2 (included in M365 E5) adds Threat Explorer, automated investigation, and attack simulation training.
- ✓Safe Attachments detonates files in a sandbox. Dynamic Delivery sends the email body immediately while the attachment is scanned.
- ✓Safe Links rewrites URLs and performs real-time scanning at time of click.
- ✓Anti-phishing policies include user impersonation, domain impersonation, mailbox intelligence, and spoof intelligence.
- ✓Zero-Hour Auto Purge (ZAP) retroactively removes malicious emails already delivered to mailboxes.
- ✓Threat Explorer allows analysts to soft delete or hard delete emails across the organization.
1. A user needs to receive an urgent email immediately but the attachment requires scanning. Which Safe Attachments action should be configured?
2. An email passed all security checks at delivery time, but later threat intelligence identifies it as a phishing message. Which feature removes it from the mailbox?
3. Which Defender for Office 365 feature requires the mailbox to be hosted in Exchange Online to function?