SC-200 | Chapter 3 of 101 | Objective 1.3

Microsoft Defender for Office 365

This chapter covers Microsoft Defender for Office 365 (MDO), a cloud-based email security service that protects against advanced threats like phishing, malware, and business email compromise (BEC). For the SC-200 exam, MDO is a core topic under domain 'Defender XDR' objective 1.3, typically appearing in 10-15% of questions. You will need to understand its components, configuration, and how to investigate threats using its tools. This chapter provides the depth required to answer exam questions accurately, including specific policy settings, default values, and investigation workflows.

25 min read | Intermediate | Updated May 31, 2026

Defender for Office 365 as a Multi-Layered Mail Security

Imagine a corporate office building with multiple security layers. At the street entrance, a guard checks ID badges against a known list of employees and blocks anyone with a fake or stolen badge (anti-spoofing). Next, a metal detector scans for weapons (malware detection). Then, a receptionist checks the visitor's purpose against a database of approved meetings (phish detection). Inside, security cameras monitor behavior—if someone loiters near a restricted area, an alert is triggered (post-delivery protection). Finally, a security team reviews footage daily to identify patterns (Threat Explorer). This layered approach ensures threats are caught at multiple stages, from pre-delivery to post-delivery, just like Microsoft Defender for Office 365 intercepts malicious emails at various points in the mail flow.

How It Actually Works

What is Microsoft Defender for Office 365?

Microsoft Defender for Office 365 (MDO) is a cloud-based email filtering service that extends the baseline protection of Exchange Online Protection (EOP) with advanced threat detection and response capabilities. It is part of the Microsoft 365 Defender suite and is available in two plans: Plan 1 (included with E5 or as add-on) and Plan 2 (adds automated investigation and response, threat simulation, and more). MDO protects against zero-day malware, sophisticated phishing attacks, and BEC by using machine learning, detonation in sandboxes, and post-delivery analysis.

How MDO Works Internally

MDO processes inbound email through multiple layers of filtering before delivery to the user's mailbox. The mail flow is as follows:

1. Connection Filtering – The first layer checks the sending IP against reputation lists (e.g., Microsoft's Smart Network Data Services). Messages from known bad IPs are rejected.

2. Anti-Malware Protection – EOP scans attachments using multiple anti-malware engines. MDO adds detonation in a sandbox for suspicious attachments.

3. Anti-Spam Protection – EOP uses spam filtering based on content, bulk mail thresholds, and user preferences. MDO adds more sophisticated spam detection.

4. Anti-Phishing Protection – MDO provides advanced anti-phishing policies that protect against impersonation of users, domains, and internal domains. It uses machine learning to detect spoofing.

5. Safe Attachments – This feature detonates attachments in a virtual environment (sandbox) to check for malicious behavior. If the attachment is malicious, it is blocked or replaced with a warning.

6. Safe Links – URLs in emails are rewritten at the time of delivery. When a user clicks the link, it is checked against a real-time block list; if suspicious, it is detonated in a sandbox.

7. Post-Delivery Protection – MDO uses Zero-Hour Auto Purge (ZAP) to retroactively remove malicious messages that have already been delivered. It also provides Threat Explorer and attack simulation training.

Key Components and Default Values

Safe Attachments Policy – Default policy is enabled for all recipients. The default action is 'Block' (messages with malicious attachments are blocked before delivery). The 'Monitor' action delivers the message but tracks clicks; 'Replace' delivers but replaces the attachment with a warning text file; 'Dynamic Delivery' delivers the email body but holds the attachment for scanning.

Safe Links Policy – Default policy is enabled. URL scanning is performed on click. The default action for unknown URLs is 'On click' (scan at click time). URL rewrite is enabled by default, but you can disable it. The 'Track clicks' feature is on by default.

Anti-Phishing Policy – Default policy exists for all recipients. Impersonation protection is off by default. You must configure it to protect specific users (e.g., CEO) or domains. The threshold for impersonation detection is adjustable (e.g., 'Aggressive' mode catches more but may false positive).

Anti-Spam Policy – Default policy: spam threshold is set to 'Aggressive' (higher catch rate). Bulk mail threshold is 7 (on a scale of 1-9, lower is more aggressive). Quarantine retention for spam is 30 days.

Quarantine – Messages can be quarantined for up to 30 days. Admins can review and release messages. Users can also access their own quarantine if allowed.

Threat Explorer – Retains data for 30 days for Plan 1, 90 days for Plan 2. It provides near real-time visibility into threats detected by MDO.

Attack Simulation Training – Available in Plan 2. Allows admins to launch simulated phishing attacks to train users. Results are tracked and reported.

Configuration and Verification Commands

In the Microsoft 365 Defender portal, you configure MDO policies under Email & collaboration > Policies & rules > Threat policies. You can also use PowerShell with Exchange Online Protection cmdlets. For example:

- To get Safe Links policies: Get-SafeLinksPolicy

- To get Safe Attachments policies: Get-SafeAttachmentPolicy (the cmdlet name is singular)

- To get Anti-Phishing policies: Get-AntiPhishPolicy

- To list quarantined messages: Get-QuarantineMessage (Exchange Online PowerShell has no cmdlet that quarantines an already-delivered message; for that, use the Email actions in Threat Explorer, described in the Walk-Through)

- To release a message from quarantine: Release-QuarantineMessage -Identity <MessageId>
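The default values listed under Key Components and the verification cmdlets above can be checked in one pass. The script below is an added example, not code from this page or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that Connect-ExchangeOnline has already been run with an Exchange Administrator or Security Administrator account. The function names Get-MdoPolicyFindings and Add-Finding are mine; the cmdlets and property names are the real Exchange Online ones, and each 'Expected' value is the default or recommendation this chapter states.

```powershell
# Added example, not from the page or from Microsoft.
# Audits MDO threat policies against the defaults listed in this chapter and
# returns one object per setting that is weaker than expected.
# Assumes: ExchangeOnlineManagement module installed and Connect-ExchangeOnline
# already run with an Exchange or Security Administrator account.

function Get-MdoPolicyFindings {
    $findings = [System.Collections.Generic.List[object]]::new()

    # Helper (hypothetical name) that records one deviation.
    function Add-Finding {
        param($Policy, $Setting, $Value, $Expected, $Note)
        $findings.Add([pscustomobject]@{
            Policy   = $Policy
            Setting  = $Setting
            Value    = $Value
            Expected = $Expected
            Note     = $Note
        })
    }

    # Safe Attachments: the exam default action is Block.
    foreach ($p in Get-SafeAttachmentPolicy) {
        if (-not $p.Enable) {
            Add-Finding $p.Name 'Enable' $p.Enable $true 'Policy is disabled'
        }
        if ($p.Action -ne 'Block') {
            Add-Finding $p.Name 'Action' $p.Action 'Block' 'Replace/DynamicDelivery/Allow still deliver something to the user'
        }
    }

    # Safe Links: URL rewrite on, clicks tracked, no click-through past the warning page.
    foreach ($p in Get-SafeLinksPolicy) {
        if (-not $p.EnableSafeLinksForEmail) {
            Add-Finding $p.Name 'EnableSafeLinksForEmail' $false $true 'Safe Links is not applied to email'
        }
        if ($p.DisableUrlRewrite) {
            Add-Finding $p.Name 'DisableUrlRewrite' $true $false 'URLs are not rewritten at delivery'
        }
        if (-not $p.TrackClicks) {
            Add-Finding $p.Name 'TrackClicks' $false $true 'No click data for Threat Explorer investigations'
        }
        if ($p.AllowClickThrough) {
            Add-Finding $p.Name 'AllowClickThrough' $true $false 'Users can bypass the warning page'
        }
    }

    # Anti-phishing: impersonation protection and mailbox intelligence are off by
    # default. PhishThresholdLevel: 1 = Standard, 2 = Aggressive, 3/4 = More/Most aggressive.
    foreach ($p in Get-AntiPhishPolicy) {
        if (-not $p.EnableTargetedUserProtection) {
            Add-Finding $p.Name 'EnableTargetedUserProtection' $false $true 'No users protected from impersonation (BEC)'
        }
        if (-not ($p.EnableTargetedDomainsProtection -or $p.EnableOrganizationDomainsProtection)) {
            Add-Finding $p.Name 'Domain impersonation' $false $true 'Neither custom nor organization domains are protected'
        }
        if (-not ($p.EnableMailboxIntelligence -and $p.EnableMailboxIntelligenceProtection)) {
            Add-Finding $p.Name 'MailboxIntelligence' $false $true 'Mailbox intelligence not enforcing; expect more false positives at Aggressive'
        }
        if ($p.PhishThresholdLevel -lt 2) {
            Add-Finding $p.Name 'PhishThresholdLevel' $p.PhishThresholdLevel '2 (Aggressive)' 'Chapter recommends Aggressive for executive protection; tune before enforcing'
        }
    }

    # Anti-spam (EOP hosted content filter): bulk threshold 7, 30-day quarantine retention.
    foreach ($p in Get-HostedContentFilterPolicy) {
        if ($p.BulkThreshold -gt 7) {
            Add-Finding $p.Name 'BulkThreshold' $p.BulkThreshold 7 'Higher value lets more bulk mail through'
        }
        if ($p.QuarantineRetentionPeriod -lt 30) {
            Add-Finding $p.Name 'QuarantineRetentionPeriod' $p.QuarantineRetentionPeriod 30 'Messages expire before a 30-day review window'
        }
    }

    return $findings
}

Get-MdoPolicyFindings | Sort-Object Policy, Setting | Format-Table -AutoSize
```

An empty table means every policy in the tenant already matches the chapter's expected values; any row is a setting to review, and the PhishThresholdLevel row in particular is a recommendation rather than a misconfiguration, since Aggressive raises false positives as the scenarios later in this chapter show.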

Interaction with Related Technologies

MDO integrates tightly with Microsoft Defender for Endpoint (MDE) for advanced threat hunting. Suspicious emails can be linked to endpoint alerts. It also integrates with Azure Active Directory for identity-based protection (e.g., detecting compromised accounts). Microsoft Cloud App Security (MCAS) can extend protection to third-party cloud apps. Microsoft Sentinel can ingest MDO logs for SIEM-level analysis.

Threat Investigation

Threat Explorer shows threats detected by MDO. You can filter by detection technology (e.g., 'Machine Learning', 'Detonation'), message status, and campaign. It is used for hunting and investigation.

Campaign Views group related phishing attacks. You can see the attack technique, target users, and actions taken.

User Reports allow users to report suspicious emails as phishing or junk. Admins can view these reports in the portal.

Automated Investigation and Response (AIR) in Plan 2 automatically investigates and remediates threats. It creates a case in the Action Center.

Performance Considerations

MDO processes millions of emails daily. Latency is minimal because scanning occurs in the cloud before delivery. Safe Links detonation adds a few seconds delay on click. Safe Attachments detonation can delay delivery for a few minutes if Dynamic Delivery is used. Quarantine policies should be tuned to avoid false positives overwhelming admins.

Walk-Through

1. Configure Anti-Phishing Policy

In the Microsoft 365 Defender portal, navigate to Email & collaboration > Policies & rules > Threat policies > Anti-phishing. Create a new policy or edit the default. Under 'Impersonation protection', add users to protect (e.g., CEO, CFO) and domains (e.g., your domain, partner domains). Set the action: 'Quarantine the message' for impersonation. Enable mailbox intelligence to detect impersonation based on user behavior. Set the threshold to 'Aggressive' for higher detection but more false positives. This ensures that emails pretending to be from executives are caught before delivery.

2. Configure Safe Attachments Policy

Go to Threat policies > Safe Attachments. Create a new policy or edit the default. Specify the policy name and scope (e.g., all recipients). Under 'Safe Attachments unknown malware response', select 'Block' to prevent delivery of malicious attachments. Optionally enable 'Dynamic Delivery' to deliver the email body while the attachment is scanned. For 'Redirect attachments on detection', you can send messages to a security team mailbox. Save the policy. This ensures that attachments are detonated in a sandbox before reaching the user.

3. Configure Safe Links Policy

Navigate to Threat policies > Safe Links. Create a new policy or edit the default. Under 'URL and click protection settings', enable 'On click' scanning for unknown URLs. Check 'Use Safe Links in Office 365 apps' to protect links in Office documents. Set 'Track clicks' to log user clicks. Under 'URL threat response', choose 'Redirect to the warning page' for malicious links. Specify the policy scope (e.g., all recipients). This ensures that URLs are rewritten and scanned at click time.
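The three policy steps above can also be scripted, which makes them repeatable across tenants. The following is an added example, not code from this page or from Microsoft; it assumes Connect-ExchangeOnline has already run, and contoso.com, partner.example, the executive addresses, the security mailbox and the policy names are placeholders to replace. Each New-*Policy cmdlet only defines the settings; the matching New-*Rule binds the policy to recipients, and a policy with no rule applies to nobody.

```powershell
# Added example, not from the page or from Microsoft: walk-through steps 1-3
# (anti-phishing, Safe Attachments, Safe Links) as Exchange Online PowerShell.
# Assumes Connect-ExchangeOnline has already run. All domains, addresses and
# policy names below are placeholders.

$Domain        = 'contoso.com'                   # placeholder accepted domain
$PartnerDomain = 'partner.example'               # placeholder partner domain
$SecurityInbox = "secops-review@$Domain"         # placeholder redirect mailbox
$Executives    = @(                              # format: DisplayName;EmailAddress
    "Chief Executive Officer;ceo@$Domain",
    "Chief Financial Officer;cfo@$Domain"
)

# Step 1: anti-phishing with user and domain impersonation protection, mailbox
# intelligence enforcing, and the Aggressive threshold (PhishThresholdLevel
# 1 = Standard, 2 = Aggressive, 3 = More aggressive, 4 = Most aggressive).
$antiPhish = @{
    Name                                = 'Exec Impersonation Protection'
    Enabled                             = $true
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $Executives
    TargetedUserProtectionAction        = 'Quarantine'
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @($PartnerDomain)
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    EnableSpoofIntelligence             = $true
    PhishThresholdLevel                 = 2
}
New-AntiPhishPolicy @antiPhish | Out-Null
New-AntiPhishRule -Name $antiPhish.Name -AntiPhishPolicy $antiPhish.Name `
    -RecipientDomainIs $Domain -Priority 0 | Out-Null

# Step 2: Safe Attachments with Block (not Replace or DynamicDelivery) and the
# optional redirect of detected messages to the security team mailbox.
$safeAttach = @{
    Name            = 'Block Malicious Attachments'
    Enable          = $true
    Action          = 'Block'
    Redirect        = $true
    RedirectAddress = $SecurityInbox
}
New-SafeAttachmentPolicy @safeAttach | Out-Null
New-SafeAttachmentRule -Name $safeAttach.Name -SafeAttachmentPolicy $safeAttach.Name `
    -RecipientDomainIs $Domain -Priority 0 | Out-Null

# Step 3: Safe Links with URL rewriting kept on, scan on click, click tracking,
# no click-through past the warning page, and protection in Office apps.
$safeLinks = @{
    Name                     = 'Rewrite and Scan URLs'
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForOffice = $true
    EnableForInternalSenders = $true
    ScanUrls                 = $true
    DeliverMessageAfterScan  = $true
    TrackClicks              = $true
    AllowClickThrough        = $false
    DisableUrlRewrite        = $false
}
New-SafeLinksPolicy @safeLinks | Out-Null
New-SafeLinksRule -Name $safeLinks.Name -SafeLinksPolicy $safeLinks.Name `
    -RecipientDomainIs $Domain -Priority 0 | Out-Null

# Verify the settings the exam asks about.
Get-AntiPhishPolicy -Identity $antiPhish.Name |
    Select-Object Name, EnableTargetedUserProtection, EnableMailboxIntelligence, PhishThresholdLevel
Get-SafeAttachmentPolicy -Identity $safeAttach.Name | Select-Object Name, Enable, Action
Get-SafeLinksPolicy -Identity $safeLinks.Name | Select-Object Name, ScanUrls, TrackClicks, DisableUrlRewrite
```

Priority 0 puts each new rule ahead of any existing custom rule for the same domain, so these settings win where rules overlap; the preset and default policies still apply to recipients the rule does not cover.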

4. Use Threat Explorer for Investigation

After a phishing alert, go to Email & collaboration > Explorer. Set the date range (e.g., last 30 days). Use filters like 'Detection technology: Phish' or 'Malware'. Select a suspicious email to view its details: sender, recipients, IP, and detection details. Use 'Email actions' to quarantine or delete the message. Export the data for reporting. This allows you to investigate threats that bypassed initial filters.

5. Run Attack Simulation Training

In the Microsoft 365 Defender portal, go to Email & collaboration > Attack simulation training. Create a simulation: choose a technique (e.g., credential harvest, malware). Select a payload (predefined or custom). Target users or groups. Schedule the simulation. After launch, monitor results in the same dashboard. Use the 'Training assignments' tab to assign training to users who failed the simulation. This helps improve user awareness and is tested on the exam as a Plan 2 feature.

What This Looks Like on the Job

Enterprise Scenario 1: Protecting a Financial Institution from CEO Fraud

A bank with 10,000 users deploys MDO Plan 2. They configure anti-phishing policies to protect the CEO and CFO from impersonation. They set the threshold to 'Aggressive' and enable mailbox intelligence. In production, they receive alerts about a spoofed email from the CEO's domain to the finance department. Threat Explorer shows the email was blocked by impersonation detection. The security team uses AIR to automatically quarantine similar emails. They also run an attack simulation for credential harvest to train employees. Performance is smooth, but they must tune the impersonation protection to avoid blocking legitimate emails from external partners that resemble the CEO's name.

Enterprise Scenario 2: Healthcare Provider Handling Malware Campaigns

A hospital with 5,000 users uses MDO Plan 1. They configure Safe Attachments with 'Dynamic Delivery' to avoid delaying patient-critical emails. However, this causes occasional delays when attachments are large. They set up a redirect mailbox for suspicious attachments to be reviewed by the security team. During a malware campaign, Safe Attachments blocks a malicious PDF with a ransomware payload. The security team uses Threat Explorer to identify all recipients of similar emails and manually purges them using ZAP. They also create a custom block list for the malicious sender domain.

Scenario 3: Misconfiguration Leading to False Positives

A retail company configures anti-phishing with 'Aggressive' threshold without enabling mailbox intelligence. They receive hundreds of false positive reports from users complaining that legitimate emails from partners are being quarantined. The security team spends hours releasing messages. They learn to enable mailbox intelligence and adjust the threshold to 'Standard'. They also create allow lists for trusted partner domains. The lesson is that aggressive settings must be tested and tuned, especially in environments with many external communications.

Common Pitfalls

Not enabling impersonation protection – Many admins leave it off, missing BEC attacks.

Using 'Replace' instead of 'Block' for Safe Attachments – 'Replace' still delivers a warning file, which may confuse users.

Ignoring user-reported messages – The portal shows user reports, but admins often forget to review them.

Over-relying on default policies – Custom policies are needed for specific user groups like executives or VIPs.

Not using attack simulation – Even with MDO, users are the weakest link; simulation training is crucial.

How SC-200 Actually Tests This

Exactly What SC-200 Tests on MDO

The SC-200 exam objective 1.3 covers 'Manage Microsoft Defender for Office 365'. Expect questions on:

- Safe Attachments vs Safe Links – Know the difference: Safe Attachments scans attachments before delivery; Safe Links scans URLs at click time. Both use detonation.

- Default actions – For Safe Attachments, the default action is 'Block' (not 'Replace' or 'Dynamic Delivery'). For Safe Links, URL scanning is 'On click'.

- Anti-Phishing impersonation – You must know that impersonation protection is off by default and must be explicitly configured for users and domains.

- ZAP (Zero-Hour Auto Purge) – ZAP retroactively removes malicious messages after delivery. It works for phishing, malware, and spam.

- Threat Explorer vs Attack Simulator – Threat Explorer is for investigation; Attack Simulator is for training.

- Plan 1 vs Plan 2 – Plan 2 adds AIR, Threat Explorer (90-day retention), and Attack Simulation Training.

Common Wrong Answers and Why Candidates Choose Them

1. 'Safe Links scans attachments' – Candidates confuse Safe Links with Safe Attachments. Safe Links scans URLs only, not attachments.

2. 'Anti-phishing impersonation protection is enabled by default' – It is not; you must configure it. Many think it's automatic.

3. 'Dynamic Delivery is the default Safe Attachments action' – The default is 'Block'. Dynamic Delivery is an option but not the default.

4. 'ZAP only works for malware' – ZAP also works for phishing and spam.

5. 'Attack simulation requires Plan 1' – It requires Plan 2.

Specific Numbers and Values

Quarantine retention: 30 days.

Threat Explorer retention: 30 days (Plan 1), 90 days (Plan 2).

Bulk mail threshold default: 7.

Spam threshold default: 'Aggressive'.

Safe Attachments default action: Block.

Safe Links default: URL scanning on click.

Edge Cases and Exceptions

Mailbox intelligence – If enabled, the system learns user communication patterns. If a user never emails the CEO, an email claiming to be from the CEO is more likely flagged.

Spoof intelligence – Admins can allow or block spoofed senders based on authentication results.

User impersonation vs domain impersonation – Both can be configured separately.

Third-party phishing simulations – MDO may block them unless you configure the 'third-party phishing simulation' exemption in anti-spam policy.

How to Eliminate Wrong Answers

Focus on the mechanism: is the question about pre-delivery or post-delivery? Pre-delivery: Safe Attachments, anti-phishing. Post-delivery: ZAP, Threat Explorer. If the question mentions 'detonation', it's Safe Attachments or Safe Links. If it mentions 'at click time', it's Safe Links. For impersonation, look for 'configure users/domains'. For automated response, look for 'Plan 2' or 'AIR'. Always check the default values; the exam loves to test whether you know the default is not the most secure (e.g., impersonation off).

Key Takeaways

MDO Plan 2 includes automated investigation and response (AIR) and attack simulation training.

Safe Attachments default action is 'Block' – not 'Dynamic Delivery' or 'Replace'.

Safe Links scans URLs on click by default; URL rewrite is enabled.

Anti-phishing impersonation protection is off by default – must be configured for specific users/domains.

Zero-Hour Auto Purge (ZAP) retroactively removes phishing, malware, and spam after delivery.

Threat Explorer retains data for 30 days (Plan 1) or 90 days (Plan 2).

Quarantine retention for spam is 30 days.

Mailbox intelligence in anti-phishing learns user communication patterns to detect impersonation.

Attack simulation training is a Plan 2 feature used for user awareness.

User-reported messages appear in the Microsoft 365 Defender portal for review.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Safe Attachments

Scans email attachments before delivery.

Uses detonation in a sandbox to detect malware.

Default action is 'Block' (malicious attachments are not delivered).

Can be configured to redirect attachments for review.

Works on attachments in emails and Office documents (if enabled).

Safe Links

Scans URLs in emails and Office documents at click time.

Rewrites URLs to point to Microsoft's scanning service.

Default action is 'On click' scanning for unknown URLs.

Provides click tracking and threat reporting.

Can block or warn users if URL is malicious.

Watch Out for These

Mistake: Safe Links scans attachments for malware.

Correct: Safe Links scans URLs, not attachments. Safe Attachments handles attachment scanning and detonation.

Mistake: Anti-phishing impersonation protection is enabled by default for all users.

Correct: Impersonation protection is off by default. You must explicitly add users and domains to protect.

Mistake: The default action for Safe Attachments is 'Dynamic Delivery'.

Correct: The default action is 'Block'. Dynamic Delivery is an optional setting that delays attachment delivery.

Mistake: Zero-Hour Auto Purge (ZAP) only removes malware.

Correct: ZAP removes phishing, malware, and spam messages retroactively after delivery.

Mistake: Attack simulation training is available in both Plan 1 and Plan 2.

Correct: Attack simulation training is only available in Plan 2. Plan 1 does not include it.


Frequently Asked Questions

What is the difference between EOP and Microsoft Defender for Office 365?

Exchange Online Protection (EOP) is the baseline email security included with all Exchange Online mailboxes. It provides anti-spam, anti-malware, and connection filtering. Microsoft Defender for Office 365 (MDO) builds on EOP with advanced protections: Safe Attachments, Safe Links, anti-phishing impersonation, and post-delivery protection like ZAP. MDO also includes Threat Explorer and attack simulation (Plan 2). For the exam, remember that EOP is basic, MDO is advanced.

How do I enable Safe Attachments for all users?

Go to the Microsoft 365 Defender portal > Email & collaboration > Policies & rules > Threat policies > Safe Attachments. The default policy applies to all recipients. You can edit it to change the action (e.g., Block, Monitor, Replace, Dynamic Delivery). Ensure the policy is enabled and has the appropriate settings. You can also create custom policies for specific users or groups.

What is Zero-Hour Auto Purge (ZAP) and how does it work?

ZAP is a post-delivery protection feature that retroactively removes malicious messages that were delivered to users' mailboxes. It detects phishing, malware, and spam after delivery by re-evaluating messages based on updated threat intelligence. ZAP moves the message to quarantine or junk folder. It works within a few minutes to hours after delivery. For the exam, know that ZAP is automatic and applies to already delivered messages.

Can I use MDO with on-premises Exchange servers?

Yes, MDO can protect on-premises Exchange servers if you have a hybrid deployment with Exchange Online Protection. You need to route your on-premises email through Exchange Online for filtering. MDO policies apply to messages that pass through the cloud. However, some features like Safe Links may not work on on-premises Outlook clients unless they are configured to use the cloud service.

How do I investigate a phishing attack using Threat Explorer?

In the Microsoft 365 Defender portal, go to Email & collaboration > Explorer. Set the date range. Use filters like 'Phish' under 'Detection technology'. You can filter by sender, recipient, subject, etc. Select a suspicious email to view details. Use 'Email actions' to quarantine or delete. You can also export the list. Threat Explorer helps identify the scope of an attack and take action.

What are the licensing requirements for MDO Plan 1 and Plan 2?

MDO Plan 1 is included in Microsoft 365 E5, Office 365 E5, and as an add-on for E3. Plan 2 is included in Microsoft 365 E5, Office 365 E5, and as an add-on for Plan 1. Standalone licenses are available. For the exam, know that Plan 2 adds automated investigation and response (AIR), Threat Explorer with 90-day retention, and attack simulation training.

How do I release a quarantined message in MDO?

Go to the Microsoft 365 Defender portal > Email & collaboration > Review > Quarantine. Find the message by filtering by type (e.g., phishing, malware, spam). Select the message and click 'Release message'. You can also choose to release to specific recipients or all. Alternatively, use PowerShell: `Release-QuarantineMessage -Identity <MessageId>`. Users can also release their own quarantined messages if allowed by policy.
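The PowerShell route in the answer above extends to a full quarantine triage: list what was quarantined for a recipient, review it, and release only a checked false positive. The script below is an added example, not code from this page or from Microsoft; it assumes Connect-ExchangeOnline has already run, and the recipient address and the trusted-sender pattern are placeholders. Get-QuarantineMessage accepts one -Type per call, so the verdict types are looped and merged.

```powershell
# Added example, not from the page or from Microsoft: triage the quarantine for
# one recipient with PowerShell, then release a reviewed false positive.
# Assumes Connect-ExchangeOnline has already run; the addresses are placeholders.

$Recipient     = 'analyst@contoso.com'       # placeholder recipient
$TrustedSender = '*@partner.example'         # placeholder partner domain pattern
$Since         = (Get-Date).AddDays(-7)

# Get-QuarantineMessage takes one -Type per call, so collect the verdict types
# that matter for a phishing investigation and merge the results.
$items = foreach ($type in 'Phish', 'HighConfPhish', 'Malware') {
    Get-QuarantineMessage -RecipientAddress $Recipient -Type $type `
        -StartReceivedDate $Since -EndReceivedDate (Get-Date) -PageSize 1000
}

# Review list: newest first, with the Identity needed for release or delete.
$items | Sort-Object ReceivedTime -Descending |
    Select-Object ReceivedTime, SenderAddress, Subject, Type, Released, Identity |
    Format-Table -AutoSize

# Release only what a human has checked. -ReleaseToAll delivers to every
# original recipient; -ReportFalsePositive submits the message to Microsoft so
# the verdict can be corrected. Malware verdicts are deliberately excluded.
$falsePositive = $items |
    Where-Object { $_.Type -ne 'Malware' -and -not $_.Released -and $_.SenderAddress -like $TrustedSender } |
    Select-Object -First 1
if ($falsePositive) {
    Release-QuarantineMessage -Identity $falsePositive.Identity -ReleaseToAll -ReportFalsePositive
}
```

The sender-pattern filter is the triage rule from Scenario 3 in this chapter (partner domains quarantined at an Aggressive threshold); a mailbox-wide release without such a check would reintroduce the very messages the policy caught.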

