This chapter covers Microsoft Defender for Office 365, a cloud-based email security service that protects organizations from advanced threats like phishing, malware, and business email compromise. For the MS-900 exam, this topic appears in 5-8% of questions, often testing your ability to distinguish between Defender for Office 365 plans and features. You will learn the core components—Safe Attachments, Safe Links, anti-phishing policies, and threat intelligence—and how they work together to secure email and collaboration tools like SharePoint, OneDrive, and Teams.
Imagine a corporate mailroom that receives thousands of letters and packages daily. The mailroom has a multi-layered security team. First, a guard at the loading dock checks every package against a known list of dangerous senders and suspicious shapes—this is like the connection and reputation filtering in Microsoft Defender for Office 365. Next, each envelope is scanned by an X-ray machine that looks for known malicious patterns, such as specific bomb designs or chemical traces—this is equivalent to anti-malware and anti-spam filters using signature-based detection. Then, a team of analysts opens each envelope and reads the contents, looking for deceptive language, urgent requests, or fake logos—this mimics anti-phishing and spoof intelligence. Finally, before delivery, a supervisor reviews any flagged items and may detonate suspicious packages in a safe container (safe attachments) or rewrite links to redirect through a verification service (safe links). If a package passes all checks, it is delivered. If it fails any, it is quarantined or rejected. The mailroom also learns from each incident: if a new type of threat is discovered, the guard, scanner, and analysts update their procedures—this mirrors the automated investigation and response capabilities. Just as no single layer is perfect, Microsoft Defender for Office 365 uses multiple layers to catch threats that slip past one layer.
What is Microsoft Defender for Office 365?
Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection or ATP) is a cloud-native email filtering service that provides advanced protection against sophisticated threats that bypass standard Exchange Online Protection (EOP). EOP is included with all Exchange Online mailboxes and filters for spam, malware, and known threats using signature-based detection. Defender for Office 365 adds layers of machine learning, behavioral analysis, and time-of-click protection to catch zero-day malware, spear-phishing, and business email compromise (BEC) attacks.
How It Works Internally
Defender for Office 365 operates in a multi-layered pipeline that processes each email through several inspection stages:
Connection and Reputation Filtering: Inbound email arrives at Microsoft's edge network. The sending IP is checked against real-time reputation lists (e.g., sender reputation, domain reputation). Messages from known bad actors are rejected before any content inspection.
Anti-Malware and Anti-Spam (EOP): The message headers, body, and attachments are scanned by multiple anti-malware engines using signature and heuristic detection. Spam filtering uses machine learning classifiers to assign a spam confidence level (SCL). The possible values are -1 (filtering skipped, for example because of a safe sender, allow list or mail flow rule), 0-1 (not spam), 5-6 (spam) and 7-9 (high confidence spam); 2-4 are never assigned. The action for each verdict is set in the anti-spam policy: the default policy sends both spam and high confidence spam to the Junk Email folder, while the Standard and Strict preset policies quarantine high confidence spam.
Anti-Phishing: This layer uses machine learning models trained on billions of signals to detect phishing attempts, analyzing sender identity, message content and URL patterns. Its features are:
- Spoof Intelligence: Detects forged senders by evaluating SPF, DKIM and DMARC results for the domain in the From address and keeping a list of spoofed senders that are allowed or blocked. Spoof intelligence is part of EOP, so it is present even without Defender for Office 365.
- Impersonation Protection (Defender for Office 365): Identifies messages whose sender display name or domain closely resembles a protected user (for example the CEO or CFO), a protected custom domain, or one of the organization's own domains. The administrator defines the users and domains to protect and the action to take (quarantine, junk, redirect, delete).
- Mailbox Intelligence (Defender for Office 365): Learns each user's normal correspondents and uses that contact graph to decide whether a lookalike sender is a known contact or an impersonation attempt, for example a message that claims to be from a colleague but arrives from a domain the user has never exchanged mail with.
Safe Attachments: Before delivery, attachments that EOP's anti-malware engines did not already flag are opened in an isolated virtual environment (detonation). The sandbox runs the attachment (for example a PDF or Office document) and records its behavior: registry changes, dropped files, process creation and network connections. If malicious behavior is observed, the message is quarantined and the attachment is not delivered. Scanning adds delivery latency, typically a few minutes. The policy action controls what happens while and after the scan runs: Off, Monitor (deliver and log), Block (hold the message, then quarantine it if the attachment is malicious; the recommended setting), Replace (remove the malicious attachment and deliver the rest of the message with a notification text file in its place), or Dynamic Delivery (deliver the body immediately with a placeholder attachment, then attach the original once it is found safe). Which messages are scanned is decided by the recipient scope of the policy's rule, not by file type; blocking specific file types is done by the common attachments filter in the anti-malware policy.
Safe Links: URLs in emails and Office documents are rewritten to point to Microsoft's Safe Links service. When a user clicks a link, the service checks the original URL against Microsoft's reputation data and detonates it if the URL is unknown. If the URL is malicious, the user is blocked and shown a warning page. If safe, they are redirected to the original URL. Safe Links also covers links in SharePoint Online, OneDrive for Business, and Microsoft Teams. The rewritten URL has the form https://nam01.safelinks.protection.outlook.com/?url=... (the regional prefix varies). Administrators scope Safe Links policies to recipients through rules and, per policy, choose whether to protect email, Teams and Office apps, whether to scan unknown links in real time (including links that point to downloadable files), and whether to hold a message until URL scanning completes rather than deliver it and enforce the verdict at click time.
Automated Investigation and Response (AIR): When an alert fires (for example a user reports a phishing message, or a URL is found to be malicious after delivery), AIR runs a playbook that investigates related emails, mailboxes and user accounts to establish scope: how many users received the message, who clicked the link, and whether any mailbox shows signs of compromise such as suspicious forwarding rules. The investigation produces recommended remediation actions, such as soft-deleting the message from every affected mailbox or blocking a URL, which an analyst reviews and approves in the Action center; approved actions are then carried out automatically. Investigations and their actions are presented in the Microsoft 365 Defender portal under Incidents & alerts.
Key Components, Defaults, and Timers
Plan Comparison: Defender for Office 365 has two plans. Plan 1 is included with Microsoft 365 Business Premium and is otherwise an add-on license; Plan 2 is included with Microsoft 365 E5, Office 365 E5 and Microsoft 365 E5 Security, and is otherwise an add-on. Plan 1 includes Safe Attachments, Safe Links, anti-phishing policies with impersonation protection, and real-time detections reporting. Plan 2 adds automated investigation and response, Threat Explorer and advanced hunting, Threat Trackers, campaign views and Attack simulation training.
Safe Attachments Policy: Since the Built-in protection preset security policy was introduced, Safe Attachments is effectively on for all recipients with the Block action unless a custom policy or the Standard/Strict preset takes priority. The available actions are Off, Monitor, Block (the message is held and quarantined if the attachment is malicious), Replace (deliver the email with the malicious attachment removed and a notification text file in its place) and Dynamic Delivery (deliver the body immediately with a placeholder, then attach the original once scanning finds it safe).
Safe Links Policy: Built-in protection applies Safe Links to all recipients for email, Teams and Office apps, with URL rewriting and time-of-click verification. Two settings determine what happens to URLs that are not yet known: real-time URL scanning (detonate suspicious links and links that point to files) and wait for URL scanning to complete before delivering the message. If the second setting is off, the message is delivered while the scan runs and the verdict is enforced when the user clicks.
Anti-Phishing Policy: A default policy applies to all recipients. In it, spoof intelligence and mailbox intelligence (learning of each user's contact patterns) are on, but impersonation protection is off: no protected users or custom domains are listed, organization-domain protection is disabled, and mailbox intelligence protection (acting on the learned patterns) is disabled. Administrators must turn these on and choose the actions, or apply the Standard or Strict preset security policy, which enables them.
Quarantine: Malicious emails are held in quarantine for 30 days by default. Administrators can release or delete messages. Users can view their own quarantined messages if the admin enables user access.
Attack Simulation Training: Available in Plan 2, allows admins to simulate phishing attacks to train users. The simulation can use built-in payloads or custom templates.
Configuration and Verification Commands
Administrators configure Defender for Office 365 policies in the Microsoft 365 Defender portal (https://security.microsoft.com) under Email & Collaboration > Policies & Rules > Threat Policies. For PowerShell, the Exchange Online PowerShell module (ExchangeOnlineManagement) is used. A policy holds the settings and a matching rule decides which recipients it applies to, so a policy created without a rule applies to nobody. Example commands (the admin account and domain are placeholders):

```powershell
# Requires the ExchangeOnlineManagement module
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# View Safe Attachments policies
Get-SafeAttachmentPolicy

# Create a Safe Links policy (settings only, not yet applied to anyone)
New-SafeLinksPolicy -Name "Executives" -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -TrackClicks $true

# Scope the policy to recipients with a rule; Set-SafeLinksPolicy has no recipient parameters
New-SafeLinksRule -Name "Executives" -SafeLinksPolicy "Executives" -RecipientDomainIs "contoso.com"

# View anti-phishing policies
Get-AntiPhishPolicy
```

Interaction with Related Technologies
Defender for Office 365 integrates with:
- Exchange Online Protection (EOP): EOP is the base filter; Defender for Office 365 adds advanced layers. EOP handles spam, known malware and spoofing; Defender handles zero-day attachments, malicious URLs and targeted impersonation.
- Microsoft Defender for Identity: Detects compromised accounts and lateral movement from on-premises Active Directory signals. In Microsoft 365 Defender the two products' alerts are correlated into one incident, so a phishing message seen by Defender for Office 365 and the subsequent suspicious sign-in seen by Defender for Identity appear together.
- Microsoft Defender for Cloud Apps: Provides visibility into cloud app usage and can apply session policies to control file download or sharing based on user risk.
- Microsoft Sentinel: Can ingest Defender for Office 365 alerts for advanced correlation and orchestration.
Key Concepts for MS-900
Is Defender for Office 365 a pre-breach or post-breach tool? Primarily pre-breach: Safe Attachments, Safe Links and anti-phishing policies prevent or detect threats before delivery or at the moment the user clicks. Automated investigation and response (Plan 2) covers the post-delivery phase, such as removing a message that was found to be malicious after it reached mailboxes.
Safe Links protects at time-of-click, not just time-of-delivery.
Safe Attachments uses detonation in a sandbox.
Anti-phishing policies include impersonation protection and mailbox intelligence.
Plan 2 includes automated investigation and response and threat hunting.
Attack simulation training is a Plan 2 feature.
Default quarantine retention is 30 days.
Safe Links can protect links in email, Office apps, Teams, and SharePoint Online.
Spoof intelligence is based on SPF, DKIM, and DMARC authentication.
The URL rewrite format uses safelinks.protection.outlook.com.
Common Misunderstandings
Defender for Office 365 does NOT replace EOP; it builds on it.
Safe Attachments does NOT scan every message; it scans messages to recipients covered by an enabled Safe Attachments policy (rule), and only attachments that EOP's anti-malware scan has not already blocked. The scope is by recipient, not by file type; blocking specific file types is a feature of the anti-malware policy.
Safe Links does NOT block all URLs; it blocks known malicious and dynamically analyzed malicious URLs.
Automated investigation is not available in Plan 1.
Exam Tips
Know the difference between Plan 1 and Plan 2 features.
Remember that Safe Links and Safe Attachments are the two signature features of Defender for Office 365.
Anti-phishing policies include impersonation protection, which must be enabled manually.
The default action for Safe Attachments is Block (quarantine).
Attack simulation training is only in Plan 2.
Be able to identify which scenario requires Defender for Office 365 vs. EOP (e.g., zero-day malware protection requires Defender for Office 365).
Inbound email arrives at Microsoft edge
An email message is sent from an external server to a recipient in your organization. The message first reaches Microsoft's edge network, where it undergoes connection filtering. The sending IP address is checked against real-time block lists (RBLs) and reputation databases. If the IP is known for sending spam or malware, the connection is rejected immediately with a 550 SMTP error. This step reduces load on downstream filters by blocking obvious threats at the network perimeter. The reputation check includes factors like the sending domain's age, volume of mail, and history of abuse.
EOP scans for spam and malware
After passing connection filtering, the message is processed by Exchange Online Protection (EOP). Multiple anti-malware engines scan attachments using signature-based and heuristic detection. The message is also classified by spam filtering using machine learning classifiers, which assign a spam confidence level (SCL): -1 means filtering was skipped, 0-1 is not spam, 5-6 is spam (Junk Email folder under the default policy) and 7-9 is high confidence spam. EOP also evaluates bulk mail and assigns a bulk complaint level (BCL). EOP provides a baseline of protection; however, it may miss zero-day malware and sophisticated phishing.
Defender for Office 365 anti-phishing inspection
If the organization has Defender for Office 365, the message is then inspected by anti-phishing policies. Spoof intelligence (which EOP also provides) checks for forged senders by evaluating the SPF, DKIM, and DMARC authentication results. Impersonation protection looks for senders that resemble protected users and domains (e.g., CEO impersonation). Mailbox intelligence compares the sender against the recipient's established correspondents. If a threat is detected, the policy action applies: the message is quarantined, moved to junk, redirected, or delivered with a safety tip. The anti-phishing layer uses machine learning models trained on billions of signals to detect advanced phishing techniques like URL obfuscation and social engineering language.
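The EOP and anti-phishing stages above leave their results in the message headers. The following added PowerShell example, which is not Microsoft code, parses those headers from a constructed message to show how an analyst reads the SPF, DKIM, DMARC and composite authentication (compauth) results, the SCL and the filter category. The sample header block, the IP 203.0.113.10 and the domains in it are constructed for illustration.

```powershell
# Added example (not Microsoft code): triage a delivered message from the
# headers that EOP and spoof intelligence stamp on it.
# The header text below is constructed; real values come from the message source.
$sampleHeaders = @'
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=contoso.com;
 compauth=fail reason=000
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:XX;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:HPHSH;DIR:INB;
X-MS-Exchange-Organization-SCL: 9
'@

function Get-MessageVerdict {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold RFC 5322 continuation lines (a line that starts with whitespace
    # continues the previous header) so that every header value is one line.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $headers = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:]+):\s*(.*)$') { $headers[$matches[1]] = $matches[2] }
    }

    # Authentication-Results carries the per-method verdicts plus compauth, the
    # composite verdict spoof intelligence reaches when SPF/DKIM/DMARC disagree.
    $auth     = [string]$headers['Authentication-Results']
    $spf      = if ($auth -match '\bspf=(\w+)')      { $matches[1] } else { 'none' }
    $dkim     = if ($auth -match '\bdkim=(\w+)')     { $matches[1] } else { 'none' }
    $dmarc    = if ($auth -match '\bdmarc=(\w+)')    { $matches[1] } else { 'none' }
    $compauth = if ($auth -match '\bcompauth=(\w+)') { $matches[1] } else { 'none' }
    $fromDomain = if ($auth -match 'header\.from=([^\s;]+)') { $matches[1] } else { $null }

    # X-Forefront-Antispam-Report is a ';'-separated list of KEY:value pairs.
    $report = @{}
    foreach ($pair in ([string]$headers['X-Forefront-Antispam-Report'] -split ';')) {
        if ($pair -match '^([A-Z]+):(.*)$') { $report[$matches[1]] = $matches[2] }
    }
    $scl = if ($report.ContainsKey('SCL')) { [int]$report['SCL'] } else { -1 }

    # Map the SCL to what the default anti-spam policy would do with it.
    $sclMeaning = if ($scl -lt 0)     { 'filtering skipped (safe sender, allow list or mail flow rule)' }
                  elseif ($scl -le 1) { 'not spam (Inbox)' }
                  elseif ($scl -le 6) { 'spam (Junk Email folder)' }
                  else                { 'high confidence spam' }

    # CAT is the filter verdict: PHSH/HPHSH phishing, SPM/HSPM spam, MALW malware, BULK bulk.
    $category = if ($report.ContainsKey('CAT')) { $report['CAT'] } else { 'NONE' }

    [pscustomobject]@{
        FromDomain   = $fromDomain
        SendingIp    = $report['CIP']
        Spf          = $spf
        Dkim         = $dkim
        Dmarc        = $dmarc
        CompAuth     = $compauth
        Scl          = $scl
        SclMeaning   = $sclMeaning
        Category     = $category
        # compauth=fail means spoof intelligence could not tie the From domain
        # to the sending infrastructure: treat the sender as forged.
        SenderForged = ($compauth -eq 'fail')
    }
}

Get-MessageVerdict -RawHeaders $sampleHeaders | Format-List
```

Take the headers from the message source (Outlook's View message source, or the Email entity page in the Defender portal) rather than from a forwarded copy, which carries the forwarder's results instead of the original sender's. In the sample, compauth=fail with reason=000 records an explicit DMARC failure; the anti-phishing policy's "If the message is detected as spoof" action (AuthenticationFailAction) is what decided where that message went.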
Safe Attachments sandbox detonation
If the message is addressed to a recipient covered by a Safe Attachments policy and carries an attachment that EOP's anti-malware engines did not already block, the attachment is sent to an isolated virtual environment. The sandbox runs the attachment in a clean virtual machine and monitors its behavior for malicious actions such as writing to the registry, creating files, or making network connections. Detonation adds delivery latency, typically a few minutes. Based on the policy action, the email is held until analysis completes (Block), delivered with any malicious attachment removed (Replace), or delivered immediately with a placeholder while the attachment is scanned (Dynamic Delivery). If malicious, the email is quarantined.
Safe Links URL rewriting and time-of-click protection
All URLs in the email body are rewritten to point to Microsoft's Safe Links service (e.g., `https://nam01.safelinks.protection.outlook.com/?url=...`). When the user clicks the link, the Safe Links service checks the original URL against a dynamic block list. If the URL is unknown, it performs a real-time analysis—checking the page content, reputation, and behavior. If the URL is malicious, the user is shown a warning page. If safe, the user is redirected to the original destination. This protects against links that were benign at delivery time but later turned malicious. Safe Links also scans URLs in SharePoint, OneDrive, and Teams.
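To see what the rewrite hides, here is an added PowerShell example (not Microsoft code) that unwraps rewritten Safe Links URLs back to their original targets, including the nested case that arises when already-rewritten mail is forwarded to another tenant and rewritten again. The message text, the URLs, the regional prefixes and the data/sdata values in it are constructed for illustration.

```powershell
# Added example (not Microsoft code): recover the original destination from
# rewritten Safe Links URLs, as an analyst does when reading URL-click logs or
# a reported message. Every URL below is constructed; the regional prefix
# (nam01, eur01, ...) and the data/sdata values differ per tenant and message.
$sampleBody = @'
Please review the invoice: https://nam01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Finvoice%3Fid%3D42%26dl%3D1&data=05%7C01%7C&sdata=abc123&reserved=0
Forwarded link (already wrapped once before it was wrapped again):
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fnam01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Flogin.example.net%252Fauth%26data%3D05&data=05%7C02%7C&reserved=0
'@

function ConvertFrom-SafeLinksUrl {
    param([Parameter(Mandatory)][string]$Url)
    $current = $Url
    $hops = 0
    # Mail forwarded between tenants can carry a Safe Links URL wrapped inside
    # another one, so unwrap until the host is no longer the Safe Links service.
    while ($hops -lt 5) {
        $uri = [uri]$current
        if ($uri.Host -notmatch '\.safelinks\.protection\.outlook\.com$') { break }
        # Split the query on '&' and '=' BEFORE decoding: the encoded url value
        # itself contains %26 and %3D, which become '&' and '=' after decoding.
        $params = @{}
        foreach ($pair in ($uri.Query.TrimStart('?') -split '&')) {
            $kv = $pair -split '=', 2
            if ($kv.Count -eq 2) { $params[$kv[0]] = [uri]::UnescapeDataString($kv[1]) }
        }
        if (-not $params.ContainsKey('url')) { throw "Safe Links URL without a url parameter: $current" }
        $current = $params['url']
        $hops++
    }
    [pscustomobject]@{
        Rewritten  = ($hops -gt 0)
        Hops       = $hops
        Original   = $current
        TargetHost = ([uri]$current).Host
    }
}

function Get-SafeLinksUrlsFromText {
    param([Parameter(Mandatory)][string]$Text)
    # Match the Safe Links host and everything up to whitespace or an HTML/quote delimiter.
    $pattern = 'https://[a-z0-9]+\.safelinks\.protection\.outlook\.com/\?[^\s"''<>]+'
    foreach ($m in [regex]::Matches($Text, $pattern, 'IgnoreCase')) {
        ConvertFrom-SafeLinksUrl -Url $m.Value
    }
}

Get-SafeLinksUrlsFromText -Text $sampleBody | Format-Table Hops, TargetHost, Original -AutoSize
```

The first sample URL decodes to https://example.com/invoice?id=42&dl=1 in one hop and the second to https://login.example.net/auth in two. Indicators you share with other teams or block elsewhere should be the decoded target host, never the safelinks.protection.outlook.com wrapper.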
Automated investigation and response (Plan 2)
When an alert fires in a Plan 2 tenant (for example a user reports a message, or a URL or attachment is found malicious after delivery), Defender for Office 365 automatically starts an investigation. The playbook determines the scope: all recipients of the malicious email, users who clicked a malicious link, and any affected mailboxes. It then recommends remediation actions such as soft-deleting the email from every affected mailbox or blocking the URL. The investigation is attached to an incident in the Microsoft 365 Defender portal, where security analysts approve or reject the pending actions in the Action center; approved actions run automatically. This reduces the time to respond from hours to minutes.
Enterprise Scenario 1: Protecting Against Business Email Compromise
A multinational corporation with 10,000 employees uses Microsoft 365 E5, which includes Defender for Office 365 Plan 2. The security team configures anti-phishing policies to protect the CEO, CFO, and other executives from impersonation. They enable mailbox intelligence and set up custom impersonation domains. One day, an attacker sends an email that appears to be from the CEO requesting an urgent wire transfer to a new vendor. The email uses a lookalike domain (e.g., ceo@company-legal.com). Defender for Office 365's anti-phishing layer detects the domain mismatch and flags the email as impersonation. The email is quarantined, and the security team is alerted. The automated investigation checks if any user clicked a similar link or replied to the email. Because the policy is configured correctly, the attack is blocked before any financial loss occurs. The team uses Attack Simulation Training (Plan 2) to run a phishing simulation to educate employees about lookalike domains.
Enterprise Scenario 2: Zero-Day Malware via Email Attachment
A mid-sized company uses Defender for Office 365 Plan 1. An employee receives an email with a PDF attachment that contains a zero-day exploit. The attachment passes EOP's signature-based scanning because the malware is new. However, the employee's mailbox is covered by a Safe Attachments policy with the Block action. The sandbox opens the PDF and observes it attempting to download a further payload from a known malicious IP. The message is quarantined and the attachment is never delivered. The security admin reviews the quarantine entry and deletes the message. Microsoft's threat intelligence records the new sample, so later copies are caught by signature. Without Safe Attachments, the employee would have opened the PDF and potentially compromised the workstation.
Common Misconfigurations and Pitfalls
Impersonation protection not enabled: Many organizations leave impersonation protection at default (off), leaving executives vulnerable to BEC attacks. Administrators must explicitly add users and domains to protect.
Safe Links policy not applied to Teams: Safe Links for Teams is a separate switch (EnableSafeLinksForTeams) in each Safe Links policy. A custom policy created without it, or one that excludes some users, leaves links in Teams chats and channels unprotected for those users even though email is covered. Verify the setting in every policy that applies to users, not only the built-in one.
Dynamic Delivery delays: If Dynamic Delivery is used, users receive the email body immediately with a placeholder while the attachment is held. This causes confusion if users expect the attachment right away. Scanning usually completes within a few minutes, but it can take longer.
Overly permissive policies: Some organizations set Safe Attachments to Replace or Dynamic Delivery instead of Block to reduce delivery delay or false-positive complaints. With Replace, the rest of the message, including its text and links, is still delivered after a malicious attachment is found, so the social-engineering part of the attack reaches the user; with Dynamic Delivery, the body arrives before the verdict. Block quarantines the whole message and is Microsoft's recommended action.
Not acting on automated investigations: Plan 2 includes AIR, but its remediation actions (for example soft-deleting a malicious message from all affected mailboxes) wait in the Action center for an analyst to approve. Organizations that do not review pending actions, or reject them out of fear of false positives, lose most of the benefit and leave malicious messages sitting in mailboxes.
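The pitfalls above are all settings that can be fixed and then audited from the Exchange Online PowerShell module. The following added example, which is not Microsoft code, creates anti-phishing, Safe Attachments and Safe Links policies with the hardened values, scopes each with a rule, and then reads every policy back to flag the weak settings. It assumes the ExchangeOnlineManagement module and Security Administrator rights; contoso.com, fabrikam.com, the admin account, the executive mailboxes and the policy names are placeholders.

```powershell
# Added example (not Microsoft code): hardened policies beside an audit that
# flags the weak defaults described above. All names, domains and accounts are
# placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Anti-phishing: turn on the impersonation features the default policy leaves off.
$phishName = 'Executive impersonation protection'
New-AntiPhishPolicy -Name $phishName `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect 'Chief Executive;ceo@contoso.com', 'Chief Financial Officer;cfo@contoso.com' `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect 'fabrikam.com' `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableFirstContactSafetyTips $true
New-AntiPhishRule -Name $phishName -AntiPhishPolicy $phishName -RecipientDomainIs 'contoso.com'

# 2. Safe Attachments: Block (quarantine the whole message), not Replace or Dynamic Delivery.
$saName = 'Block malicious attachments'
New-SafeAttachmentPolicy -Name $saName -Enable $true -Action Block -QuarantineTag AdminOnlyAccessPolicy
New-SafeAttachmentRule -Name $saName -SafeAttachmentPolicy $saName -RecipientDomainIs 'contoso.com'
# Tenant-wide switch: also scan files stored in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# 3. Safe Links: email, Teams and Office apps; scan unknown links and hold mail until the scan finishes.
$slName = 'Time-of-click protection'
New-SafeLinksPolicy -Name $slName `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name $slName -SafeLinksPolicy $slName -RecipientDomainIs 'contoso.com'

# 4. Audit every policy in the tenant, not only the ones just created.
function Test-DefenderForOffice365Policies {
    $findings = @()
    foreach ($p in Get-AntiPhishPolicy) {
        if (-not $p.EnableTargetedUserProtection -or -not $p.TargetedUsersToProtect) {
            $findings += "Anti-phish '$($p.Name)': user impersonation protection off or no protected users"
        }
        if (-not $p.EnableMailboxIntelligenceProtection) {
            $findings += "Anti-phish '$($p.Name)': mailbox intelligence protection off"
        }
    }
    foreach ($p in Get-SafeAttachmentPolicy) {
        if ($p.Action -ne 'Block') { $findings += "Safe Attachments '$($p.Name)': action is $($p.Action), not Block" }
    }
    foreach ($p in Get-SafeLinksPolicy) {
        if (-not $p.EnableSafeLinksForTeams) { $findings += "Safe Links '$($p.Name)': Teams protection off" }
        if (-not $p.DeliverMessageAfterScan) { $findings += "Safe Links '$($p.Name)': mail delivered before URL scan completes" }
    }
    # A policy whose rule is disabled applies to nobody, whatever its settings say.
    $rules = @(Get-AntiPhishRule) + @(Get-SafeAttachmentRule) + @(Get-SafeLinksRule)
    foreach ($r in $rules) {
        if ($r.State -ne 'Enabled') { $findings += "Rule '$($r.Name)' is $($r.State); its policy is not applied" }
    }
    if ($findings) { $findings } else { 'No weak settings found' }
}

Test-DefenderForOffice365Policies
```

The built-in Default anti-phishing policy will appear in the findings until impersonation protection is enabled in it too, or the Standard or Strict preset is applied; custom policies are evaluated before the default policy in priority order, so a user matched by the custom rule gets the hardened settings while everyone else stays on Default.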
MS-900 Exam Focus: Objective 3.1 – Describe the capabilities of Microsoft Defender for Office 365
The exam tests your ability to identify the core features, differentiate between Plan 1 and Plan 2, and understand how Defender for Office 365 complements Exchange Online Protection. Specific objective codes under 3.1 include: describe Safe Attachments, Safe Links, anti-phishing policies, and automated investigation and response.
Most Common Wrong Answers & Why Candidates Choose Them
"Defender for Office 365 replaces Exchange Online Protection." This is false. Defender for Office 365 is an add-on that works on top of EOP. EOP provides basic spam and malware filtering; Defender adds advanced protection. Candidates often assume that since Defender is more advanced, it must replace the basic service. The exam expects you to know they work together.
"Safe Links scans attachments." This is false. Safe Links scans URLs; Safe Attachments scans attachments. Candidates confuse the two because both start with "Safe." Remember: Safe Links = Links; Safe Attachments = Attachments.
"Anti-phishing policies are enabled by default." This is partially true. The default anti-phishing policy exists but impersonation protection is OFF by default. Candidates think all features are on by default. The exam tests that you must manually configure impersonation protection.
"Automated investigation and response is available in Plan 1." This is false. AIR is only in Plan 2. Candidates may assume all advanced features are in both plans. Plan 1 includes Safe Attachments, Safe Links, and anti-phishing; Plan 2 adds AIR, threat hunting, and attack simulation training.
Specific Numbers, Values, and Terms
Quarantine retention: 30 days (default)
Safe Links URL rewrite domain: safelinks.protection.outlook.com
Spam confidence level (SCL): -1 to 9; 5-6 is spam (Junk Email folder), 7-9 is high confidence spam
Safe Attachments default action: Block (quarantine)
Plan 2 exclusive features: Automated investigation and response, threat hunting (advanced hunting), attack simulation training
Attack simulation training: Only in Plan 2
Impersonation protection: Requires manual configuration of protected users and domains
Mailbox intelligence: On by default
Edge Cases and Exceptions
Safe Links in Teams: Controlled by a separate switch in each Safe Links policy; verify it is on in every policy that applies to users.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams: A tenant-wide setting (in the global Safe Attachments settings, or Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true) that is off until an administrator turns it on. Files are scanned asynchronously after upload or modification, and a file found malicious is locked so it cannot be opened, copied or shared; not every file is scanned, so it complements rather than replaces email attachment scanning. Teams files are stored in SharePoint and OneDrive, so the same setting covers them; links in Teams messages are handled by Safe Links.
User reported messages: Users can report phishing using the Report Message add-in, which sends the message to Microsoft for analysis and can trigger automated actions.
Third-party email protection: If a third-party email security gateway sits in front of Exchange Online, Defender for Office 365 can still be used, but connection filtering and spoof intelligence then see the gateway's IP address instead of the original sender's, and the gateway may modify content. Enabling Enhanced Filtering for Connectors on the inbound connector lets EOP skip the gateway's hops and evaluate the true source IP and authentication results.
How to Eliminate Wrong Answers
If a question mentions "sandbox detonation" or "attachment detonation," the answer is Safe Attachments.
If a question mentions "time-of-click protection" or "URL rewrite," the answer is Safe Links.
If a question mentions "automated investigation" or "attack simulation," the answer is Plan 2.
If a question mentions "impersonation" or "spoof intelligence," the answer is anti-phishing policies.
If a question asks about basic spam/malware protection, the answer is EOP, not Defender for Office 365.
Remember: Defender for Office 365 is for advanced threats; EOP is for basic threats.
Defender for Office 365 is an add-on to Exchange Online Protection, not a replacement.
Safe Attachments detonates email attachments in a sandbox to detect zero-day malware.
Safe Links rewrites URLs to provide time-of-click protection against malicious links.
Anti-phishing policies include impersonation protection (must be manually enabled) and mailbox intelligence.
Plan 1 includes Safe Attachments, Safe Links, and anti-phishing; Plan 2 adds automated investigation and response and attack simulation training.
Default quarantine retention period is 30 days.
Safe Links can protect URLs in email, Office apps, Teams, and SharePoint Online (with configuration).
Attack simulation training is only available in Plan 2.
Spoof intelligence uses SPF, DKIM, and DMARC to detect forged senders.
Automated investigation and response recommends remediation such as removing malicious emails from every affected mailbox; approved actions run automatically.
These come up on the exam all the time. Here's how to tell them apart.
Exchange Online Protection (EOP)
Included with all Exchange Online mailboxes
Provides basic spam and malware filtering using signature-based detection
No sandbox detonation or time-of-click URL protection
No impersonation protection or mailbox intelligence
No automated investigation or attack simulation
Microsoft Defender for Office 365
Add-on (included in E5) or standalone license
Provides advanced protection: sandbox detonation (Safe Attachments), time-of-click URL protection (Safe Links)
Includes anti-phishing with impersonation protection and mailbox intelligence
Plan 2 adds automated investigation and response, threat hunting, attack simulation
Builds on top of EOP; both are needed for layered defense
Defender for Office 365 Plan 1
Includes Safe Attachments, Safe Links, anti-phishing policies
Includes threat intelligence and reporting
Does NOT include automated investigation and response
Does NOT include attack simulation training
Suitable for organizations needing advanced email protection without automated response
Defender for Office 365 Plan 2
Includes all Plan 1 features
Adds automated investigation and response (AIR)
Adds threat hunting (advanced hunting in Microsoft 365 Defender)
Adds attack simulation training
Suitable for organizations with dedicated security teams that need full incident response automation
Mistake
Defender for Office 365 is a standalone product that replaces Exchange Online Protection.
Correct
Defender for Office 365 builds on top of EOP. EOP is included with all Exchange Online mailboxes and provides basic spam and malware filtering. Defender adds advanced protection like sandbox detonation and time-of-click URL scanning. Both are required for comprehensive protection.
Mistake
Safe Links scans email attachments for malware.
Correct
Safe Links scans URLs in emails and documents. Safe Attachments scans email attachments by detonating them in a sandbox. They are two separate features with different purposes.
Mistake
Anti-phishing policies are fully enabled by default, including impersonation protection.
Correct
The default anti-phishing policy exists, but impersonation protection (for users and domains) is OFF by default. Administrators must manually add users and domains to protect. Mailbox intelligence is on by default.
Mistake
Automated investigation and response is available in both Plan 1 and Plan 2.
Correct
Automated investigation and response (AIR) is only available in Defender for Office 365 Plan 2. Plan 1 includes Safe Attachments, Safe Links, and anti-phishing, but not AIR or attack simulation training.
Mistake
Safe Links and Safe Attachments protect all files and links in SharePoint, OneDrive, and Teams by default.
Correct
Safe Links protection for Teams is a separate switch in each Safe Links policy and must be verified per policy. Safe Attachments for SharePoint, OneDrive, and Teams is a tenant-wide setting that is off until an administrator enables it; once on, files are scanned asynchronously after upload and malicious files are locked, but not every file is scanned.
Exchange Online Protection (EOP) is the built-in email filtering service for all Exchange Online mailboxes. It provides basic spam and malware protection using signature-based detection. Microsoft Defender for Office 365 is an add-on that provides advanced protection against sophisticated threats, including zero-day malware via Safe Attachments sandbox detonation, time-of-click URL protection via Safe Links, and anti-phishing with impersonation protection. Defender for Office 365 works on top of EOP; both are needed for layered security.
Safe Links for Teams is a separate switch in each Safe Links policy, so it must be verified in every policy that applies to users. Once enabled, URLs shared in Teams chats and channels are checked at click time, exactly as for email: the link is checked against Microsoft's reputation data and detonated if it is unknown.
Yes, you can use Defender for Office 365 behind a third-party gateway, but effectiveness may be reduced. The gateway becomes the sending IP that EOP sees, so IP reputation and spoof intelligence evaluate the gateway rather than the real sender, and the gateway may modify headers or content that Defender relies on. Enabling Enhanced Filtering for Connectors on the inbound connector lets EOP recover the original source IP and evaluate authentication correctly. Microsoft recommends using Defender for Office 365 as the primary email security layer; placing a third-party gateway first is supported, but without Enhanced Filtering it can cause false positives or missed detections.
The default action for Safe Attachments is "Block" — the email is quarantined and the attachment is not delivered. Administrators can change this to "Replace" (deliver the email with the attachment removed and a warning text file attached) or "Dynamic Delivery" (deliver the email body immediately while the attachment is scanned, then deliver the attachment if safe). The Block action is the most secure and recommended.
By default, quarantined messages are retained for 30 days, after which they are automatically deleted. The retention period for spam and phishing verdicts is set in the anti-spam policy ("Retain spam in quarantine for this many days"), with 30 days as the maximum; quarantine policies control what users may do with their quarantined messages. Users can view and release their own quarantined messages if the quarantine policy assigned to that verdict allows it.
Attack simulation training is a feature in Defender for Office 365 Plan 2 that allows administrators to create and send simulated phishing attacks to users. The goal is to train users to recognize and report phishing attempts. The training includes built-in payloads (e.g., credential harvest, malware attachment) and custom templates. After the simulation, administrators can track which users clicked the link or opened the attachment and assign follow-up training.
Yes, Defender for Office 365 protects against ransomware delivered via email through multiple layers. Safe Attachments can detect ransomware payloads by detonating attachments in a sandbox. Safe Links can block malicious URLs that lead to ransomware download sites. Anti-phishing policies can detect emails that attempt to trick users into enabling macros or clicking links. Additionally, automated investigation and response (Plan 2) can identify every mailbox that received the message and, once the analyst approves, remove it from all of them.