This chapter covers Microsoft 365 threat protection technologies, including Exchange Online Protection (EOP), Microsoft Defender for Office 365 (MDO), Microsoft Defender for Endpoint (MDE), Microsoft Defender for Cloud Apps (MDCA), and Microsoft Defender XDR (formerly Microsoft 365 Defender). These technologies are critical for the MS-102 exam, as they form the core of Microsoft's security stack. Approximately 20–25% of exam questions touch threat protection, making it one of the highest-weighted domains. You must understand how each component works, its default configurations, and how they integrate to provide layered defense.
Imagine a medieval castle with multiple concentric walls, each with dedicated guards and weapons. The outermost wall is the moat and drawbridge — this is Exchange Online Protection (EOP), which stops obvious threats like phishing and malware at the perimeter. Inside, the second wall has archers and boiling oil — this is Microsoft Defender for Office 365 (MDO), which inspects attachments and links dynamically, detonating suspicious ones in a sandbox (like dropping a rock into oil to test if it's hot). The third wall is the keep's inner guard — this is Microsoft Defender for Endpoint (MDE), which monitors endpoints for suspicious behavior and can isolate compromised machines (like locking a traitor in a cell). The castle's watchtower provides a bird's-eye view — this is Microsoft Defender for Cloud Apps (MDCA), which monitors user activity and can block risky actions like mass downloads (like spotting a servant trying to lower the drawbridge at night). Finally, the king's edicts and threat intelligence reports are like Microsoft Defender XDR (formerly Microsoft 365 Defender), which correlates alerts from all layers to provide a unified incident response. If any layer fails, the next layer can still catch the threat, but the goal is to stop it as early as possible.
Overview of Microsoft 365 Threat Protection
Microsoft 365 threat protection is a multi-layered, integrated security solution that protects identities, endpoints, email, and cloud apps. The MS-102 exam focuses on understanding the architecture, configuration, and management of these services. The key components are:
Exchange Online Protection (EOP): The cloud-based email filtering service that protects against spam, malware, and phishing. It is included with all Exchange Online and Microsoft 365 subscriptions.
Microsoft Defender for Office 365 (MDO): An advanced email security service that provides protection against zero-day malware, phishing attacks, and malicious links. It includes Safe Attachments, Safe Links, and Anti-Phishing policies.
Microsoft Defender for Endpoint (MDE): A unified endpoint security platform that provides next-generation antivirus, endpoint detection and response (EDR), and automated investigation and remediation.
Microsoft Defender for Cloud Apps (MDCA): A Cloud Access Security Broker (CASB) that provides visibility, control, and threat protection for cloud apps. It can discover Shadow IT, enforce policies, and detect anomalous behavior.
Microsoft Defender XDR: The unified incident response and threat hunting solution that correlates alerts from MDO, MDE, MDCA, and Microsoft Defender for Identity (MDI) into a single incident.
Exchange Online Protection (EOP)
EOP is the first line of defense for email. It uses multiple filtering engines to detect spam, malware, and phishing. Key features:
Connection filtering: Allows or blocks email by source IP address using the IP Allow List and IP Block List, in addition to Microsoft's own list of known bad senders. By default, messages from the Block List are rejected with a 5xx SMTP error before any content filtering runs.
Spam filtering: Uses machine learning (ML) and heuristic rules to classify email as spam, high-confidence spam, or phishing. Default threshold is -5 to 4 (Aggressive).
Malware filtering: Scans attachments using multiple anti-malware engines. Messages with malware are quarantined. Zero-hour auto purge (ZAP) can retroactively move delivered messages that are later found to be malware or phishing.
Transport rules (mail flow rules): Apply custom filtering logic, such as blocking attachments by file type or enforcing message encryption.
Default timers:
Quarantine retention: 30 days for spam, 15 days for malware.
ZAP: Applied within 2 hours of delivery if a message is reclassified as malware or phishing.
Microsoft Defender for Office 365 (MDO)
MDO builds on EOP with additional protection against sophisticated threats. It is available in Plan 1 and Plan 2. Plan 2 includes Threat Explorer, automated investigation and response (AIR), and attack simulation training.
Safe Attachments:
Attachments are detonated in a virtual sandbox environment to check for malicious behavior.
Policies can be set to: Off, Monitor (deliver after detonation), Block (block if malicious), Replace (replace with a warning text file), or Dynamic Delivery (deliver email body but hold attachment for scanning).
Default policy: Dynamic Delivery for all recipients.
Safe Links:
URLs in email and Office documents are rewritten and scanned at click-time.
When a user clicks a link, it is checked against a block list and evaluated in real-time.
Policies can be applied to email, Microsoft Teams, and Office 365 apps.
Default: Safe Links is enabled for all users.
Anti-Phishing Policies:
Protect against impersonation attacks (e.g., CEO fraud).
Can detect impersonation of internal users, external domains, and custom domains.
Default: Impersonation protection is not enabled by default; you must configure it.
Microsoft Defender for Endpoint (MDE)
MDE provides endpoint protection for Windows, macOS, Linux, Android, and iOS. It includes:
- Next-generation protection: Microsoft Defender Antivirus (built-in) with cloud-delivered protection, real-time behavior monitoring, and machine learning.
- Endpoint detection and response (EDR): Continuously monitors endpoints for suspicious behavior and provides alerts. EDR sensors collect telemetry like process creation, network connections, and registry changes.
- Automated investigation and remediation (AIR): Automatically investigates alerts and takes remediation actions like isolating a device, removing a file, or stopping a process.
- Threat and vulnerability management (TVM): Identifies vulnerabilities and misconfigurations on endpoints.
Default settings:
Cloud-delivered protection: Enabled by default.
Sample submission: Automatic for file samples.
Tamper protection: Enabled by default on Windows 10/11.
Onboarding methods:
Group Policy, Microsoft Intune, Local script, or Microsoft Defender for Cloud.
Microsoft Defender for Cloud Apps (MDCA)
MDCA provides visibility and control over cloud app usage. Key features:
- Cloud Discovery: Uses traffic logs from firewalls and proxies to identify cloud apps in use (Shadow IT).
- App connector APIs: Connect to cloud apps (like Salesforce, AWS, Box) to enforce policies and monitor activity.
- Conditional Access App Control: Works with Azure AD Conditional Access to enforce session policies (e.g., block download, require MFA) for cloud apps.
- Anomaly detection: Uses machine learning to detect unusual behavior, such as impossible travel, mass download, or ransomware activity.
Default policies:
Anomaly detection policies are enabled by default (e.g., impossible travel, activity from anonymous IP addresses).
Policy severity: Low, Medium, High.
Microsoft Defender XDR
Microsoft Defender XDR (formerly Microsoft 365 Defender) is the unified security operations platform. It correlates alerts from MDO, MDE, MDCA, and Microsoft Defender for Identity (MDI) into a single incident. Key features:
- Incident management: Provides a single pane of glass for investigating and responding to threats.
- Advanced hunting: Allows security teams to query data from all integrated services using Kusto Query Language (KQL).
- Automated investigation and response (AIR): Orchestrates playbooks to automatically respond to incidents.
Integration points:
Alerts from MDO, MDE, MDCA, and MDI are automatically correlated.
Threat intelligence from Microsoft is shared across all components.
How They Interact
The components work together to provide layered defense. For example:
1. A phishing email with a malicious link arrives. EOP filters it based on reputation. If it passes, MDO Safe Links rewrites the URL.
2. A user clicks the link. MDO checks the link in real-time and blocks it. The user is redirected to a warning page.
3. If the user's endpoint is compromised, MDE detects the suspicious process and isolates the device.
4. The incident is automatically created in Microsoft Defender XDR, correlating the email and endpoint alerts.
5. MDCA may detect the compromised user's account being used to access cloud apps from an unusual location.
Configuration and Verification Commands
PowerShell for Exchange Online:
- Get-TransportRule to view mail flow rules.
- Get-SafeAttachmentPolicy to view Safe Attachments policies.
- Get-SafeLinksPolicy to view Safe Links policies.
- Get-AntiPhishPolicy to view anti-phishing policies.
PowerShell for Microsoft Defender for Endpoint:
- Get-MpComputerStatus to view antivirus status.
- Start-MpScan to start a scan.
- Add-MpPreference -ExclusionPath to exclude a file or folder path from scanning.
Admin portals:
- https://security.microsoft.com for EOP and MDO.
- https://endpoint.microsoft.com for MDE.
- https://portal.cloudappsecurity.com for MDCA.
Key Numbers and Defaults
EOP spam bulk threshold: Default is 5 (Aggressive).
Safe Attachments default action: Dynamic Delivery.
Safe Links URL rewrite: Enabled by default.
MDE cloud-delivered protection timeout: 8 seconds.
MDCA session timeout: 30 minutes of inactivity.
Quarantine retention: 30 days for spam, 15 days for malware (EOP).
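The cmdlets listed under Configuration and Verification Commands can be turned into a quick audit of the defaults in this section. The script below is an added example, not part of the chapter: it assumes the ExchangeOnlineManagement module and an already-open Connect-ExchangeOnline session (the UPN in the comment is constructed), uses the real Get-*Policy cmdlets, and the finding text and Add-Finding helper are this example's own.

```powershell
# Added example (not part of the chapter): audit the EOP and MDO settings this
# chapter lists as defaults. Assumes the ExchangeOnlineManagement module and an
# open session, e.g.: Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Area, $Setting, $Value, $Note) {
    $findings.Add([pscustomobject]@{ Area = $Area; Setting = $Setting; Value = $Value; Note = $Note })
}

# EOP connection filter: Block List entries are rejected before any content filtering.
$conn = Get-HostedConnectionFilterPolicy -Identity Default
Add-Finding 'EOP connection filter' 'IPBlockList' ($conn.IPBlockList -join ', ') 'Rejected with a 5xx SMTP error'
Add-Finding 'EOP connection filter' 'IPAllowList' ($conn.IPAllowList -join ', ') 'Bypasses spam filtering; keep this list short'

# EOP anti-spam: bulk threshold (lower BCL = more aggressive) and ZAP coverage for spam/phish.
$spam = Get-HostedContentFilterPolicy -Identity Default
Add-Finding 'EOP anti-spam' 'BulkThreshold' $spam.BulkThreshold 'Lower value = more aggressive bulk filtering'
Add-Finding 'EOP anti-spam' 'SpamZapEnabled / PhishZapEnabled' "$($spam.SpamZapEnabled) / $($spam.PhishZapEnabled)" 'ZAP retroactively quarantines delivered mail'
Add-Finding 'EOP anti-spam' 'QuarantineRetentionPeriod' $spam.QuarantineRetentionPeriod 'Days before quarantined spam is purged'

# EOP anti-malware: ZAP for malware and the common attachments filter.
$mal = Get-MalwareFilterPolicy -Identity Default
Add-Finding 'EOP anti-malware' 'ZapEnabled' $mal.ZapEnabled 'Should be True'
Add-Finding 'EOP anti-malware' 'EnableFileFilter' $mal.EnableFileFilter "Blocks $(@($mal.FileTypes).Count) file types"

# MDO Safe Attachments: anything other than Dynamic Delivery or Block lets unscanned attachments through.
foreach ($p in Get-SafeAttachmentPolicy) {
    $ok = "$($p.Action)" -in 'DynamicDelivery', 'Block'
    Add-Finding 'MDO Safe Attachments' $p.Name "$($p.Action)" $(if ($ok) { 'OK' } else { 'Review: attachments are not held for detonation' })
}

# MDO Safe Links: email, Teams and Office apps should all be covered (Teams/Office is the common gap).
foreach ($p in Get-SafeLinksPolicy) {
    $gaps = @()
    if (-not $p.EnableSafeLinksForEmail)  { $gaps += 'Email' }
    if (-not $p.EnableSafeLinksForTeams)  { $gaps += 'Teams' }
    if (-not $p.EnableSafeLinksForOffice) { $gaps += 'Office' }
    Add-Finding 'MDO Safe Links' $p.Name $(if ($gaps) { "Not scanning: $($gaps -join ', ')" } else { 'All channels scanned' }) "AllowClickThrough=$($p.AllowClickThrough)"
}

# MDO anti-phishing: impersonation protection stays off until someone turns it on.
foreach ($p in Get-AntiPhishPolicy) {
    $imp = $p.EnableTargetedUserProtection -or $p.EnableTargetedDomainsProtection -or $p.EnableOrganizationDomainsProtection
    Add-Finding 'MDO anti-phishing' $p.Name $(if ($imp) { "Impersonation protection on ($(@($p.TargetedUsersToProtect).Count) protected users)" } else { 'No impersonation protection' }) "MailboxIntelligence=$($p.EnableMailboxIntelligenceProtection)"
}

$findings | Format-Table -AutoSize -Wrap
```

Every row whose Note starts with "Review" or "No impersonation protection" corresponds to one of the misconfigurations discussed later in this chapter.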
Configure EOP Connection Filtering
In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam. Select Connection filter policy (default). You can add IP addresses to the Allow List or Block List. Messages from blocked IPs are rejected with a 550 5.7.1 SMTP error. The default connection filter also uses the Microsoft proprietary list of known bad IPs. This is the first line of defense and should be configured to block known malicious senders.
Enable Safe Attachments Policy
In the same portal, go to Threat policies > Safe Attachments. Create a new policy or edit the default. Choose the action: Dynamic Delivery (recommended) delivers the email body immediately but holds the attachment for scanning. If the attachment is malicious, it is blocked and the user sees a warning. The sandbox detonation process takes up to 30 seconds. The policy can be scoped to specific users, groups, or domains.
Configure Safe Links Policy
In Threat policies > Safe Links, create a new policy. You can enable Safe Links for email, Teams, and Office 365 apps. The default action is to rewrite URLs to point to the Safe Links service. When a user clicks, the URL is checked against a block list and scanned in real-time. If malicious, the user is blocked with a warning page. You can also set a custom blocked URLs list.
Set Up Anti-Phishing Impersonation Protection
In Anti-phishing policies, you can add users to protect (e.g., CEO, CFO) and domains to protect (e.g., your own domain or partner domains). When an email impersonates a protected user, the system checks the sender's display name and email address. If a match is found, the message is flagged as phishing. The default policy does not include impersonation protection; you must create a custom policy.
Onboard Endpoints to MDE
In the Microsoft 365 Defender portal, go to Endpoints > Device management > Onboarding. Choose the appropriate method (Group Policy, Intune, local script). Download the onboarding package and deploy it to endpoints. The package contains a unique workspace ID and key. After onboarding, the endpoint sends telemetry to the MDE backend. You can verify onboarding by running `Get-MpComputerStatus | select OnboardingState` in PowerShell.
In a typical enterprise deployment, the security team first configures EOP connection filtering to block known malicious IPs and set the bulk threshold to Aggressive. They then create MDO policies for Safe Attachments and Safe Links, often starting with Dynamic Delivery and URL rewrite enabled for all users. For high-value targets (e.g., executives), they enable impersonation protection in anti-phishing policies and add those users to the protected users list.
For endpoints, the team uses Intune to deploy MDE onboarding scripts to all Windows 10/11 devices. They also configure attack surface reduction (ASR) rules to block common malware behaviors, such as blocking executable content from email and webmail. In production, MDE can handle thousands of endpoints with minimal performance impact, but false positives from ASR rules can occur, requiring careful tuning.
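To verify on a single device that the onboarding step above took effect and that the tamper-protection, cloud-protection and ASR settings match what this chapter describes, the following added example (not part of the chapter) can be run in an elevated PowerShell session on Windows 10/11. Get-MdeOnboardingReport is a helper name chosen here; the Sense service, the OnboardingState registry value and the ASR rule GUID are from Microsoft's Defender documentation, and the value decodings follow Get-MpPreference's documented numeric settings.

```powershell
# Added example (not part of the chapter): verify on a Windows 10/11 device that MDE
# onboarding and the Defender Antivirus defaults this chapter describes are in place.
# Run in an elevated PowerShell session; Get-MdeOnboardingReport is a helper name chosen here.

function Get-MdeOnboardingReport {
    # Onboarding: the Sense service is the MDE EDR sensor, and the onboarding package
    # writes OnboardingState = 1 under this documented registry key.
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue

    # Antivirus state (tamper protection, real-time protection) and cloud settings.
    $mp   = Get-MpComputerStatus
    $pref = Get-MpPreference

    # Decode the numeric settings the way the Defender documentation defines them.
    $mapsNames   = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
    $sampleNames = @{ 0 = 'AlwaysPrompt'; 1 = 'SendSafeSamples'; 2 = 'NeverSend'; 3 = 'SendAllSamples' }
    $asrNames    = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

    # ASR rule "Block executable content from email client and webmail" (GUID from
    # Microsoft's ASR rules reference). Audit mode is the usual first step when tuning.
    $emailRuleId = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    $emailRule   = 'Not configured'
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $emailRuleId) {
            $emailRule = $asrNames[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }

    [pscustomobject]@{
        SenseServiceRunning      = [bool]($sense -and $sense.Status -eq 'Running')
        OnboardingState          = $status.OnboardingState      # 1 = onboarded
        TamperProtected          = $mp.IsTamperProtected
        RealTimeProtection       = $mp.RealTimeProtectionEnabled
        AMRunningMode            = $mp.AMRunningMode            # Normal, Passive Mode, EDR Block Mode, ...
        CloudDeliveredProtection = $mapsNames[[int]$pref.MAPSReporting]
        SampleSubmission         = $sampleNames[[int]$pref.SubmitSamplesConsent]
        AsrBlockEmailExecutables = $emailRule
    }
}

# Anything False, empty or 'Off' here is a gap to close before relying on MDE for this device.
Get-MdeOnboardingReport | Format-List
```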
A common misconfiguration is not enabling Safe Links for Teams or Office 365 apps, leaving those channels unprotected. Another issue is failing to configure custom anti-phishing policies for impersonation, leaving the organization vulnerable to CEO fraud. When misconfigured, attackers can bypass email defenses by using legitimate services like SharePoint or OneDrive to host malicious links.
Performance considerations: Safe Attachments sandboxing can delay email delivery by up to 30 seconds. Dynamic Delivery mitigates this by delivering the email body immediately. For large organizations, the MDE cloud service scales automatically, but network bandwidth for telemetry should be considered. In a breach scenario, MDE's automated investigation can isolate a compromised device within minutes, preventing lateral movement.
The MS-102 exam tests threat protection under objective 3.2: Implement and manage threat protection. You must know:
EOP filtering order: Connection filter -> spam filter -> malware filter -> transport rules. The exam may ask what happens to a message from a blocked IP.
Safe Attachments actions: Know the difference between Monitor, Block, Replace, and Dynamic Delivery. Dynamic Delivery is the default for Plan 1 and Plan 2.
Safe Links behavior: URLs are rewritten only if the policy is enabled. The rewrite is transparent to the user but visible in the email source. The exam may ask what happens when a user clicks a malicious link.
Anti-phishing impersonation: Must be configured manually. Default policy does not protect against impersonation. The exam may ask which policy type protects against CEO fraud.
MDE onboarding: Methods include Group Policy, Intune, local script, and Microsoft Defender for Cloud. The exam may ask which method is recommended for Azure VMs.
Common wrong answers:
Choosing "Block" as the default Safe Attachments action (it's Dynamic Delivery).
Thinking Safe Links rewrites URLs in all Office 365 apps by default (it's only for email, but can be enabled for Teams and Office apps).
Believing that anti-phishing impersonation protection is enabled by default (it's not).
Confusing EOP malware filtering with MDO Safe Attachments (EOP uses static scanning; MDO uses dynamic sandboxing).
Edge cases: The exam may test that Safe Attachments can be applied to SharePoint, OneDrive, and Teams in MDO Plan 2. Also, ZAP (zero-hour auto purge) can retroactively remove delivered malicious messages from user inboxes. Know that ZAP works for malware and phishing, but not for spam by default.
To eliminate wrong answers, focus on the mechanism: If a question asks about blocking a link at click-time, it's Safe Links. If it's about attachment sandboxing, it's Safe Attachments. If it's about blocking email from a known bad IP, it's EOP connection filtering.
EOP is the baseline email protection; MDO adds advanced sandboxing and URL protection.
Safe Attachments default action is Dynamic Delivery (deliver body, hold attachment).
Safe Links rewrites URLs in email by default; can be enabled for Teams and Office apps.
Anti-phishing impersonation protection must be manually configured; not enabled by default.
MDE onboarding can be done via Group Policy, Intune, local script, or Microsoft Defender for Cloud.
Microsoft Defender XDR correlates alerts from MDO, MDE, MDCA, and MDI into a single incident.
ZAP (zero-hour auto purge) can remove delivered malicious messages within 2 hours of detection.
MDCA provides Cloud Discovery, app connectors, and Conditional Access App Control.
The default spam threshold in EOP is 5 (Aggressive).
Quarantine retention: 30 days for spam, 15 days for malware.
These come up on the exam all the time. Here's how to tell them apart.
Exchange Online Protection (EOP)
Included with all Exchange Online licenses
Uses static malware scanning and ML spam filtering
Connection filtering based on IP reputation
No sandboxing or URL detonation
Default quarantine for malware and spam
Microsoft Defender for Office 365 (MDO)
Requires MDO Plan 1 or Plan 2 license
Adds dynamic sandboxing (Safe Attachments) and URL detonation (Safe Links)
Anti-phishing impersonation protection
Plan 2 includes Threat Explorer, AIR, and attack simulation training
Can retroactively remove malicious messages via ZAP
Mistake
Safe Attachments scans all attachments in real-time before delivery.
Correct
Safe Attachments uses Dynamic Delivery by default, which delivers the email body immediately but holds the attachment for scanning. The user sees a placeholder attachment until scanning completes. Only if the action is set to 'Block' or 'Replace' is delivery delayed.
Mistake
EOP connection filtering is the only way to block email from specific IPs.
Correct
You can also use mail flow rules (transport rules) to block or reject messages based on sender IP. However, connection filtering is the most efficient because it rejects the connection before receiving the message.
Mistake
Microsoft Defender for Endpoint automatically isolates any device with a detected threat.
Correct
Isolation is an automated action that can be set in the automated investigation and remediation policies. By default, MDE may not automatically isolate; it may recommend isolation or require manual approval. The policy must be configured to automatically isolate devices.
Mistake
Microsoft Defender for Cloud Apps only monitors Microsoft cloud apps.
Correct
MDCA can monitor thousands of third-party cloud apps (e.g., Salesforce, Dropbox, AWS). It uses app connectors and Cloud Discovery to provide visibility across all cloud apps used in the organization.
Mistake
Microsoft Defender XDR is just a new name for the Microsoft 365 Defender portal.
Correct
Microsoft Defender XDR is the unified security operations platform that integrates alerts from MDO, MDE, MDCA, and MDI. It provides incident correlation, advanced hunting, and automated response. The portal is the interface, but XDR is the product that includes the correlation engine.
EOP is the basic email filtering service included with Exchange Online, providing spam, malware, and connection filtering. MDO is an add-on that provides advanced protection like Safe Attachments (sandboxing), Safe Links (URL detonation), and anti-phishing impersonation protection. MDO Plan 2 adds Threat Explorer, automated investigation and response, and attack simulation training. On the exam, know that EOP is always present, but MDO is required for advanced threat protection.
To protect Teams, you need to create or edit a Safe Links policy and enable the option 'Scan URLs in Microsoft Teams'. This rewrites URLs in Teams messages and checks them when clicked. The policy can be scoped to specific users or groups. Note that this feature requires MDO Plan 1 or Plan 2. The exam may ask where to configure this: in the Safe Links policy, not in Teams admin center.
The default action for the default Safe Attachments policy is 'Dynamic Delivery'. This delivers the email body immediately but holds the attachment for scanning. If the attachment is malicious, it is blocked and the user sees a warning. If the attachment is safe, it is delivered after scanning. The other options are: Off, Monitor, Block, and Replace. Dynamic Delivery is recommended to avoid email delivery delays.
Yes, MDE supports Windows, macOS, Linux, Android, and iOS. For macOS and Linux, you install the MDE agent. For Android and iOS, you use the Microsoft Defender app. The capabilities vary by platform; for example, macOS has full EDR support, while iOS focuses on phishing protection and network protection. The exam may test that MDE is not limited to Windows.
Microsoft Defender XDR (formerly Microsoft 365 Defender) unifies security signals from MDO, MDE, MDCA, and Microsoft Defender for Identity. It correlates alerts into incidents, provides automated investigation and response, and offers advanced hunting with KQL. Its goal is to give security teams a single pane of glass to detect, investigate, and respond to threats across the entire Microsoft 365 environment.
ZAP retroactively moves delivered messages that are later found to be malware, phishing, or spam (if enabled). It runs automatically every 2 hours. If a message was delivered and later a signature update or ML model identifies it as malicious, ZAP moves it to quarantine. ZAP is enabled by default for malware and phishing; spam ZAP is optional. The exam may ask about ZAP's capabilities and default settings.
EOP malware filtering uses static signatures and heuristics to detect known malware. Safe Attachments detonates attachments in a sandbox to analyze behavior, catching zero-day malware. Safe Attachments is more thorough but introduces a delay. EOP filtering is faster but less effective against new threats. On the exam, know that Safe Attachments is part of MDO and is not available in EOP alone.