This chapter covers Microsoft Defender for Office 365 policy configuration, a critical skill for the SC-200 exam. You will learn how to configure anti-spam, anti-malware, anti-phishing, Safe Attachments, and Safe Links policies to protect Exchange Online mailboxes. Approximately 15-20% of exam questions touch on Defender for Office 365, with policy configuration being a key subdomain. Mastering these policies is essential for passing the exam and for real-world security operations.
Jump to a section
Defender for Office 365 policy configuration is like a corporate mailroom that processes all incoming and outgoing mail with multiple layers of security. The mailroom has a set of rules: some mail is automatically rejected (blocked senders), some is flagged for inspection (quarantine), and some is delivered but with a warning label (spam headers). Each piece of mail goes through several stations: first, a basic check against a known 'bad sender' list (anti-spam policy); then, a more sophisticated scan for malicious attachments (anti-malware policy); next, a check for dangerous links (Safe Links); and finally, a scan for phishing attempts (anti-phishing policy). The mailroom manager (security admin) configures these policies in the Microsoft 365 Defender portal, adjusting thresholds like the spam confidence level (SCL) from -1 (skip filtering) to 9 (definitely spam). Policies are applied to specific recipients based on policy filters (e.g., domain, group, user). When a message triggers a policy, it may be quarantined, have its subject prefixed with 'Spam Notice', or be silently dropped. The mailroom also handles outgoing mail to prevent data leaks (outbound spam filter). Just as a mailroom must balance security with delivery speed, Defender policies must balance false positives against missed threats. The exam tests your ability to configure these policies in the correct order and understand which policy takes precedence when conflicts arise.
Overview of Defender for Office 365 Policies
Defender for Office 365 (formerly Office 365 Advanced Threat Protection) provides layered protection against email-borne threats. The policies you configure are part of the 'Threat Management' section in the Microsoft 365 Defender portal (security.microsoft.com). The main policy types are:
Anti-spam policy: Filters inbound and outbound spam, bulk mail, and phishing attempts.
Anti-malware policy: Scans attachments and messages for malware.
Anti-phishing policy: Protects against spear-phishing, spoofing, and impersonation.
Safe Attachments policy: Detonates attachments in a sandbox environment before delivery.
Safe Links policy: Scans URLs in messages and Office documents in real-time.
Each policy type has default policies that apply to all recipients, but you can create custom policies with specific conditions and exceptions.
Policy Architecture and Processing Order
When an email arrives, it goes through the following processing pipeline:
Connection filtering (not part of Defender policies per se, but uses IP Allow/Block lists).
Anti-spam filtering (Exchange Online Protection - EOP) – applies SCL and bulk complaint level (BCL).
Anti-malware filtering – scans for known malware signatures.
Anti-phishing filtering – checks for impersonation and spoofing.
Safe Attachments – detonates attachments (if enabled).
Safe Links – rewrites URLs for scanning on click.
Policies are applied based on the recipient's domain or user. Each policy has a priority (lower number = higher priority). Default policies have priority 'Lowest', meaning custom policies take precedence. If multiple custom policies match a recipient, the one with the lowest priority number is applied.
Key Components and Defaults
#### Anti-spam Policy
Spam confidence level (SCL): -1 (skip filtering) to 9 (definitely spam). Default is 5 or 6 for spam, 7 or higher for high-confidence spam.
Bulk complaint level (BCL): 0 to 9. Default threshold is 7 (high).
Actions: Move to Junk Email folder, Quarantine, Add X-Header, Prepend subject line, Redirect to email address, Delete message, No action.
Spam quarantine: Quarantine policies control how long messages are held (default 15 days for spam, 30 days for malware and phishing).
Outbound spam filter: Prevents users from sending spam. Default action is 'Send a copy of each undeliverable message to the sender' and 'Send a copy of each message that exceeds the outbound spam policy threshold to the sender'.
#### Anti-malware Policy
Malware detection response: Quarantine message (default), Delete message, No action.
Common attachment types filter: Blocks attachments by file extension (e.g., .exe, .scr). Default list includes 60+ extensions.
Zero-hour auto purge (ZAP): Retroactively moves messages after delivery if malware is detected later. Enabled by default.
#### Anti-phishing Policy
Impersonation protection: Protects against domain or user impersonation. You must specify protected users (e.g., CEO) and domains (e.g., your company domain).
Spoof intelligence: Automatically allows or blocks senders based on SPF, DKIM, DMARC.
Mailbox intelligence: Learns user communication patterns to detect impersonation.
Actions: Quarantine message, Redirect to another email address, Move to Junk, Deliver with modifications (e.g., prepend 'External' tag).
#### Safe Attachments Policy
Safe Attachments unknown malware response: Allow, Block, Replace (default), Dynamic Delivery (delivers body but checks attachments).
Dynamic Delivery: Delivers the email body immediately but holds attachments for scanning. User sees a placeholder.
Safe Attachments for SharePoint, OneDrive, and Teams: Scans files in these services (requires additional licensing).
#### Safe Links Policy
Action for unknown URLs: On (default) – rewrites URLs and checks on click. Off – no rewriting.
Apply real-time URL scanning: Scans URLs at time of click.
Wait for URL scanning to complete before delivering message: Delays delivery until scan finishes.
Do not track user clicks: Disables logging of click-throughs.
Do not allow users to click through to original URL: Prevents bypass.
Safe Links for Office apps: Protects links in Office documents (Word, Excel, PowerPoint).
Configuration and Verification Commands
You can configure policies via the Defender portal or PowerShell (Exchange Online PowerShell).
PowerShell examples:
# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
# Get anti-spam policy
Get-HostedContentFilterPolicy -Identity "Default"
# Create a custom anti-spam policy
New-HostedContentFilterPolicy -Name "StrictSpam" -SpamAction Quarantine -HighConfidenceSpamAction Quarantine -PhishSpamAction Quarantine -BulkThreshold 4 -IncreaseScoreWithImageLinks $true -IncreaseScoreWithNumericIps $true -MarkAsSpamFromAddressAuthFail $true
New-HostedContentFilterRule -Name "StrictSpamRule" -Policy "StrictSpam" -RecipientDomainIs @("contoso.com") -Priority 1
# Get anti-malware policy
Get-MalwareFilterPolicy -Identity "Default"
# Create custom anti-malware policy
New-MalwareFilterPolicy -Name "StrictMalware" -Action Quarantine -CustomNotifications $true -EnableFileFilter $true -FileTypes @(".exe",".scr",".ps1")
New-MalwareFilterRule -Name "StrictMalwareRule" -Policy "StrictMalware" -RecipientDomainIs @("contoso.com")
# Create anti-phishing policy
New-AntiPhishPolicy -Name "ExecutivePhishing" -EnableOrganizationDomainsProtection $true -EnableTargetedUserProtection $true -TargetedUsersToProtect @("ceo@contoso.com","cfo@contoso.com") -EnableMailboxIntelligence $true -EnableSpoofIntelligence $true -PhishThresholdLevel 2 -TargetedUserProtectionAction Quarantine
New-AntiPhishRule -Name "ExecutivePhishingRule" -Policy "ExecutivePhishing" -RecipientDomainIs @("contoso.com")
# Create Safe Attachments policy
New-SafeAttachmentPolicy -Name "SandboxAll" -Enable $true -Action Replace -Redirect $true -RedirectAddress "security@contoso.com"
New-SafeAttachmentRule -Name "SandboxAllRule" -Policy "SandboxAll" -RecipientDomainIs @("contoso.com")
# Create Safe Links policy
New-SafeLinksPolicy -Name "ProtectAllLinks" -EnableSafeLinksForEmail $true -EnableSafeLinksForOffice $true -TrackClicks $true -AllowClickThrough $false -ScanUrls $true -DeliverMessageAfterScan $true
New-SafeLinksRule -Name "ProtectAllLinksRule" -Policy "ProtectAllLinks" -RecipientDomainIs @("contoso.com")Verification:
Use Get-HostedContentFilterPolicy, Get-MalwareFilterPolicy, Get-AntiPhishPolicy, Get-SafeAttachmentPolicy, Get-SafeLinksPolicy to view settings.
Use Get-HostedContentFilterRule, Get-MalwareFilterRule, Get-AntiPhishRule, Get-SafeAttachmentRule, Get-SafeLinksRule to view rules.
Check message trace in the Defender portal to see which policy acted on a message.
Interaction with Related Technologies
Exchange Online Protection (EOP): Base filtering that is included with all Exchange Online licenses. Defender for Office 365 adds advanced protection.
Microsoft Defender for Endpoint: For unified investigation, email alerts can trigger device remediation.
Microsoft Sentinel: Can ingest email logs for advanced hunting.
Azure AD Conditional Access: Controls access to email apps.
Data Loss Prevention (DLP): Works alongside email policies to prevent data leaks.
Exam Tips
Understand the priority of policies: custom policies have higher priority than defaults. If multiple custom policies match, the one with the lowest priority number wins.
Know the default actions for each policy type.
ZAP (Zero-hour auto purge) is critical for retroactive protection.
Safe Attachments Dynamic Delivery is a common exam point – it delivers body but holds attachments.
Safe Links rewrites URLs by wrapping them in https://nam01.safelinks.protection.outlook.com/.
Anti-phishing impersonation requires explicit configuration of protected users/domains.
Spoof intelligence is automatic, but you can override with allow/block entries.
Outbound spam filtering is enabled by default and cannot be disabled.
The exam may ask about policy scoping: policies can be scoped to specific users, groups, or domains.
Common Misconfigurations
Setting SCL threshold too low causes false positives.
Not configuring impersonation protection leaves executives vulnerable.
Using Safe Attachments 'Allow' action bypasses scanning.
Forgetting to enable Safe Links for Office apps leaves documents unprotected.
Not setting outbound spam notifications can lead to undetected compromised accounts.
Troubleshooting
Use Message Trace in the Defender portal to see why a message was filtered.
Check Threat Explorer for details on malware or phishing detections.
Review Quarantine to release false positives.
Use Spam Confidence Level (SCL) and Bulk Complaint Level (BCL) headers to diagnose.
Summary of Exam-Relevant Numbers
SCL range: -1 to 9
Default spam SCL threshold: 5 or 6
Default high-confidence spam SCL: 7 or higher
BCL range: 0 to 9, default threshold 7
Quarantine retention: 15 days for spam, 30 days for malware/phishing
Safe Attachments Dynamic Delivery: holds attachments, delivers body
Safe Links URL rewrite prefix: nam01.safelinks.protection.outlook.com
Anti-phish threshold levels: 1 (standard) to 4 (aggressive)
Conclusion
Configuring Defender for Office 365 policies is a core responsibility for security analysts. The SC-200 exam tests your ability to choose the right policy type, set appropriate thresholds, and understand the processing order. Use the Microsoft 365 Defender portal and PowerShell to manage these policies effectively.
Assess existing security posture
Before configuring policies, review the current security posture using the Microsoft 365 Defender portal's 'Threat analytics' and 'Secure Score' sections. Identify which policies are already in place (default policies) and which require customization. For example, default anti-spam policy may be too lenient, causing spam to reach inboxes. Also, check if users are licensed for Defender for Office 365 Plan 1 or Plan 2, as Safe Attachments and Safe Links require Plan 1 or 2, while anti-phishing impersonation requires Plan 2. This assessment will guide which policies to create or modify.
Create custom anti-spam policy
Navigate to Email & collaboration > Policies & rules > Threat policies > Anti-spam. Click 'Create policy' and choose 'Custom'. Set a name like 'Strict Spam Filter'. Configure conditions: apply to all recipients or specific domains. Set spam action to 'Quarantine message', bulk threshold to 4 (more aggressive than default 7). Enable advanced options like 'Increase spam score' for image links or numeric IPs. The policy will be assigned a priority; ensure it is lower than default (higher priority). Use PowerShell to set `-MarkAsSpamFromAddressAuthFail $true` to mark messages with SPF/DKIM failures as spam.
Configure anti-malware policy
Under Threat policies > Anti-malware, create a custom policy. Set malware detection response to 'Quarantine message'. Enable the common attachment types filter and add extensions like .exe, .scr, .ps1. Enable ZAP (zero-hour auto purge) to retroactively clean messages after delivery. For outbound malware, enable notification to security team. This policy works by scanning attachments with multiple engines; if a match is found, the message is quarantined. The default policy already exists, but custom policies allow stricter settings for sensitive users.
Set up anti-phishing policy
Under Threat policies > Anti-phishing, create a policy. Enable impersonation protection: add protected users (e.g., CEO, CFO) and protected domains (e.g., contoso.com). Set action to 'Quarantine the message' for impersonation. Enable mailbox intelligence to learn user communication patterns. Enable spoof intelligence to automatically handle spoofed senders. Set phishing threshold to 2 (aggressive) to catch more phishing attempts. The policy will analyze sender addresses and headers for signs of impersonation or spoofing.
Deploy Safe Attachments policy
Under Threat policies > Safe Attachments, create a policy. Set 'Safe Attachments unknown malware response' to 'Dynamic Delivery' – this delivers the email body immediately but holds attachments for scanning. Users see a placeholder attachment until scan completes. Enable redirect if scanning fails. Apply the policy to all recipients or specific groups. This policy detonates attachments in a sandbox environment (a virtual machine) to observe behavior. If malicious, the attachment is replaced with a warning text file.
Implement Safe Links policy
Under Threat policies > Safe Links, create a policy. Enable 'Use Safe Links in email' and 'Apply real-time URL scanning'. Set 'Wait for URL scanning to complete before delivering message' to ensure links are checked before delivery. Disable 'Allow users to click through to original URL' to prevent bypass. Enable Safe Links for Office apps to protect links in documents. The policy rewrites URLs in messages and documents to point to Microsoft's scanning proxy. When a user clicks, the proxy checks the URL against block lists and scans in real-time.
Verify and monitor policies
After deploying policies, verify they are applied using the 'Message trace' tool. Send test emails with known spam, malware, or phishing indicators to ensure correct action. Monitor quarantine for false positives. Use Threat Explorer to investigate incidents. Review policy reports in the Defender portal to see how many messages were filtered. Adjust thresholds if needed. For example, if too many legitimate emails are quarantined, increase the SCL threshold or add allow entries. Also, set up alerts for policy violations.
In a large enterprise with 10,000 users, a security team configures Defender for Office 365 policies to protect against business email compromise (BEC). They create an anti-phishing policy that protects the CEO and CFO from impersonation, with quarantine action. They also enable mailbox intelligence to detect anomalies. For anti-spam, they set bulk threshold to 5 to reduce newsletter spam. Safe Attachments is configured with Dynamic Delivery to avoid email delays. Safe Links is enabled for all email and Office documents, with real-time scanning and click tracking. The team uses PowerShell to export policy configurations for backup. Performance considerations: Dynamic Delivery may cause user confusion if attachments are delayed; they educate users with a placeholder message. Common issues: false positives from Safe Links blocking legitimate URLs; they maintain an allow list for trusted domains. Misconfiguration example: setting anti-spam action to 'Delete message' instead of 'Quarantine' results in permanent loss of email; they always use quarantine for review. Another scenario: a financial institution must comply with regulations; they set outbound spam filtering to notify security when a user sends bulk emails, preventing data leaks. They also enable ZAP to retroactively remove malware from inboxes. In a hybrid deployment, they ensure policies apply to on-premises mailboxes via Exchange Online Protection. The key lesson: start with default policies, then create custom policies with higher priority for sensitive groups. Regularly review reports and adjust thresholds to balance security and usability.
The SC-200 exam tests your ability to configure and manage Defender for Office 365 policies under objective 1.3 'Configure and manage Microsoft Defender for Office 365'. Expect questions on policy types, default actions, priority, and specific settings. Common wrong answers include: confusing Safe Attachments 'Replace' with 'Dynamic Delivery' – candidates often choose 'Replace' when the question asks for immediate delivery; the correct answer is 'Dynamic Delivery'. Another trap: thinking anti-spam policies apply to internal messages – they apply to inbound and outbound, but not internal unless specified. Candidates often select 'Quarantine' for malware when the question asks for 'Delete message' – know the default action is quarantine. Numbers to memorize: SCL range -1 to 9, BCL threshold default 7, quarantine retention 15 days for spam, 30 days for malware/phishing, Safe Links URL prefix. Edge cases: if a user is in multiple custom policies, the one with lowest priority number wins. The exam loves to test that custom policies have higher priority than default. Also, know that anti-phishing impersonation protection requires explicit configuration; it is not automatic. Another edge case: outbound spam filter cannot be disabled, only configured. To eliminate wrong answers, focus on the mechanism: if a question mentions 'sandbox', think Safe Attachments; if 'URL rewrite', think Safe Links; if 'spoof intelligence', think anti-phishing. Use process of elimination: actions like 'Delete message' are irreversible and rarely used except for high-confidence spam. The exam also tests PowerShell cmdlets: New-HostedContentFilterPolicy for anti-spam, New-MalwareFilterPolicy for anti-malware, etc. Know that -Action parameter values are case-sensitive. Finally, remember that ZAP works for malware, spam, and phishing, but only after delivery.
Custom policies have higher priority than default policies; priority is determined by a numeric value (lower number = higher priority).
Anti-spam policy uses SCL (-1 to 9) and BCL (0-9) to determine spam likelihood; default BCL threshold is 7.
Anti-malware policy default action is to quarantine; ZAP retroactively removes malware after delivery.
Anti-phishing impersonation protection requires explicit configuration of protected users and domains.
Safe Attachments Dynamic Delivery delivers email body immediately but holds attachments for scanning.
Safe Links rewrites URLs with a prefix like 'nam01.safelinks.protection.outlook.com'.
Outbound spam filter is always enabled and cannot be disabled.
Quarantine retention: 15 days for spam, 30 days for malware and phishing.
These come up on the exam all the time. Here's how to tell them apart.
Safe Attachments
Scans email attachments in a sandbox environment before delivery.
Actions: Allow, Block, Replace, Dynamic Delivery.
Requires Defender for Office 365 Plan 1 or 2.
Can be enabled for SharePoint, OneDrive, and Teams.
Default action is 'Replace' for unknown malware.
Safe Links
Scans URLs in email and Office documents at time of click.
Rewrites URLs to point to Microsoft's scanning proxy.
Requires Defender for Office 365 Plan 1 or 2.
Can be enabled for Office apps (Word, Excel, PowerPoint).
Default action is to rewrite URLs and scan on click.
Mistake
Default policies cannot be modified.
Correct
Default policies can be modified, but it is recommended to create custom policies instead because custom policies have higher priority. Modifying the default policy affects all recipients who are not covered by a custom policy.
Mistake
Safe Links rewrites all URLs in all Office documents.
Correct
Safe Links only rewrites URLs in Office documents if the policy has 'Enable Safe Links for Office apps' enabled. By default, it is not enabled for all documents; you must explicitly configure it.
Mistake
Anti-phishing impersonation protection automatically protects all users.
Correct
Impersonation protection must be explicitly configured by adding protected users and domains. Without configuration, only spoof intelligence and mailbox intelligence are active.
Mistake
Safe Attachments 'Replace' action delivers the attachment unchanged.
Correct
The 'Replace' action replaces the file with a text file indicating the attachment was scanned. The original attachment is not delivered. 'Dynamic Delivery' delivers the body but holds the attachment for scanning.
Mistake
Outbound spam filter can be disabled.
Correct
Outbound spam filtering is always enabled and cannot be disabled. You can only configure its actions and notifications.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
'Replace' replaces the attachment with a text file indicating the original was scanned; the original is not delivered. 'Dynamic Delivery' delivers the email body immediately but holds the attachment for scanning; once scanned, the attachment is delivered if safe. Use 'Dynamic Delivery' to avoid delaying email delivery while still scanning attachments.
Yes, you can create custom policies with conditions such as recipient domain, user, or group. Each policy has a priority; if multiple policies match, the one with the lowest priority number is applied. For example, you can create a strict policy for executives and a standard policy for regular users.
Safe Links rewrites URLs in email messages and Office documents to point to Microsoft's scanning proxy. When a user clicks the link, the proxy checks it against known malicious URL lists and performs real-time scanning. If the URL is malicious, the user is blocked and shown a warning page.
ZAP is a feature that retroactively moves or deletes messages that were already delivered to a user's inbox if a threat is detected later. It works for malware, spam, and phishing. For example, if a message passes initial scanning but later is identified as malware, ZAP moves it to quarantine.
Yes, you must explicitly add protected users (e.g., executives) and protected domains (e.g., your company domain) to the anti-phishing policy. Without configuration, only spoof intelligence and mailbox intelligence are active. Impersonation protection is a key exam topic.
The policy with the lowest priority number is applied. Custom policies have higher priority than default policies. If two custom policies have the same priority, the one with the oldest creation date takes precedence. The exam tests that you understand priority order.
Yes, you can use Exchange Online PowerShell cmdlets like `New-HostedContentFilterPolicy`, `New-MalwareFilterPolicy`, `New-AntiPhishPolicy`, `New-SafeAttachmentPolicy`, and `New-SafeLinksPolicy`. You must first connect using `Connect-ExchangeOnline`. The exam may ask about PowerShell commands.
You've just covered Defender for Office 365 Policy Configuration — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?