This chapter covers Microsoft Defender for Office 365, a cloud-based email security service that protects organizations against sophisticated threats like phishing, business email compromise, and zero-day malware. For the SC-900 exam, understanding Defender for Office 365's core features—Safe Attachments, Safe Links, Anti-Phishing, and Threat Explorer—is critical as it is a major component of the Security Solutions domain (Objective 3.1). Typically, 10-15% of exam questions touch on Microsoft 365 Defender services, with Defender for Office 365 being the most heavily tested email security solution. This chapter provides the depth needed to answer scenario-based questions about protection layers, policy configuration, and threat investigation.
Defender for Office 365 operates like a high-security mail screening facility for a large corporate campus. Incoming mail first passes through a standard security checkpoint (Exchange Online Protection or EOP) that checks for obvious threats like known malicious attachments and bulk spam. This is like a front gate guard who checks IDs against a watchlist. But sophisticated attackers craft letters that look legitimate, so the facility has a second, deeper inspection layer called Safe Attachments. Here, each letter is opened in a sealed, controlled environment (a virtual sandbox) where the contents are observed for any suspicious movement—like opening a package in a blast chamber to see if it explodes. Meanwhile, Safe Links rewrites every URL in the letter to point to a tracking server; when a recipient clicks a link, they are first routed to that server, which checks the destination against a real-time threat intelligence feed. If the destination has turned malicious since the letter arrived, the click is blocked. The facility also has a time-delay release room (Dynamic Delivery) that holds suspicious attachments for analysis before delivering them, ensuring no employee ever touches a dangerous item. This multi-layer approach means a threat must evade every inspection layer to reach the user, which is extremely difficult for modern attackers.
What is Microsoft Defender for Office 365?
Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection or ATP) is a cloud-native email security solution that augments the baseline protection provided by Exchange Online Protection (EOP). EOP is included with all Exchange Online mailboxes and provides anti-malware, anti-spam, and anti-phishing protection. However, EOP is not sufficient against sophisticated, targeted attacks such as zero-day malware, spear-phishing, and business email compromise (BEC). Defender for Office 365 adds layers of advanced protection that use machine learning, behavioral analysis, and detonation in sandboxes to detect and block threats that EOP misses.
Defender for Office 365 is available in two plans: Plan 1 and Plan 2. Plan 1 includes Safe Attachments, Safe Links, and anti-phishing policies. Plan 2 adds Threat Explorer, automated investigation and response (AIR), threat tracking, and attack simulation training. The SC-900 exam expects you to know the capabilities of each plan.
How It Works: The Protection Pipeline
When an email arrives at Microsoft 365, it passes through multiple layers of inspection before reaching the user's inbox. The order of inspection is:
Connection filtering: Checks sender IP reputation.
Anti-malware: Scans attachments for known malware signatures.
Anti-spam: Evaluates bulk mail and spam signals.
Anti-phishing: Detects impersonation attempts and spoofing.
Safe Attachments (Plan 1): Detonates attachments in a sandbox.
Safe Links (Plan 1): Rewrites URLs for real-time click-time verification.
Dynamic Delivery (Plan 1): Delivers email body immediately while holding attachments for analysis.
Zero-hour auto purge (ZAP): Retroactively removes malicious messages already delivered.
Each layer can block or quarantine a message. If a message passes all layers, it is delivered to the user's mailbox. However, Safe Links protection continues even after delivery: when a user clicks a URL, Defender checks the link at click time against the latest threat intelligence.
Key Components
#### Safe Attachments
Safe Attachments is a time-of-detection protection that uses a virtual sandbox environment to detonate email attachments. When an email with an attachment arrives, the attachment is extracted and sent to a sandbox—a hypervisor-isolated environment that mimics a Windows operating system with Office applications. The sandbox opens the file and monitors its behavior: does it attempt to write to the registry, spawn processes, or connect to a command-and-control server? If suspicious behavior is detected, the attachment is marked as malicious, and the email is quarantined.
- Default setting: Safe Attachments is not enabled by default; you must create a Safe Attachments policy.
- Policy options:
  - Off: No Safe Attachments scanning.
  - Monitor: Delivers email with attachments and tracks detonation results (used for testing).
  - Block: Blocks email if attachment is found malicious (recommended).
  - Replace: Replaces malicious attachment with a warning text file.
  - Dynamic Delivery: Delivers email body immediately and holds attachment until analysis completes.
- File types scanned: Executables (.exe, .scr), Office documents (.docx, .xlsx, .pptx), PDFs, archives (.zip, .rar), and many more.
- Timeouts: The sandbox has a timeout of approximately 10 minutes per attachment. If analysis takes longer, the action specified by the policy is taken (e.g., block or deliver).
#### Safe Links
Safe Links provides click-time protection by rewriting all URLs in email messages (and in some cases, Office documents and Teams messages). When a URL is rewritten, it becomes a link that points to the Safe Links service. When the user clicks the link, the service checks the destination URL against a real-time threat intelligence feed. If the URL is malicious, the user is blocked and shown a warning page. If the URL is safe, the user is redirected to the original destination.
URL rewrite: The original URL `http://evil.com` becomes `https://nam01.safelinks.protection.outlook.com/?url=http://evil.com&data=...`.
Scan at click: The service does a real-time reputation check using Microsoft's threat intelligence, which includes machine learning models that analyze the destination page's behavior.
Block list: Admins can maintain a custom block list of URLs or domains.
Time-of-delivery vs. time-of-click: Safe Links protects at click time, meaning even if a URL was benign when the email arrived, it can be blocked later if it becomes malicious.
Supported apps: Outlook for Windows, Mac, iOS, Android, Outlook on the web, Teams, and Office documents (Word, Excel, PowerPoint) when protected view is enabled.
#### Anti-Phishing Policies
Defender for Office 365 includes advanced anti-phishing policies that go beyond EOP's anti-spoofing. These policies use machine learning to detect impersonation of users, domains, and internal senders. Key features:
Impersonation protection: Admins can define a list of users to protect (e.g., CEO, CFO) and domains (e.g., the company's own domain or partner domains). The system learns normal email patterns and flags anomalies.
Spoof intelligence: Automatically detects and blocks spoofed domains.
Mailbox intelligence: Learns a user's normal communication patterns to detect anomalous sender behavior.
Thresholds: Admins can set the aggressiveness of the phishing filter (Low, Medium, High).
Safety tips: When a suspicious email is detected, a banner is added to the email warning the user.
#### Threat Explorer and Real-Time Detections
Available in Plan 2, Threat Explorer is a powerful investigation tool that allows security analysts to search for threats across email, Teams, and SharePoint Online. It provides a historical view of all threats detected in the last 30 days (or longer with custom retention). Real-Time Detections is a lighter version available in Plan 1 that shows detections in near real time.
Filters: By sender, recipient, subject, message ID, threat type (malware, phishing, spam), delivery action (blocked, quarantined, delivered), etc.
Export: Results can be exported to CSV for further analysis.
Integration: Works with Microsoft 365 Defender and Microsoft Sentinel.
#### Automated Investigation and Response (AIR)
Also a Plan 2 feature, AIR automatically investigates threats when an alert is triggered. It examines the email and related entities (such as URLs and attachments) and decides whether the threat is real. If confirmed, it can automatically remediate by deleting emails, blocking URLs, or disabling accounts. This reduces the workload on security teams.
#### Attack Simulation Training
Plan 2 includes a built-in attack simulation tool that allows admins to send simulated phishing attacks to users. The tool tracks who clicks the link and provides training materials. This is useful for security awareness programs.
Configuration and Verification
Defender for Office 365 policies are configured in the Microsoft 365 Defender portal (https://security.microsoft.com). The main policy areas are:
- Email & collaboration > Policies & rules > Threat policies
  - Safe Attachments
  - Safe Links
  - Anti-phishing
  - Anti-spam (EOP)
  - Anti-malware (EOP)
Policies can be scoped to specific users, groups, or domains. They have a priority order; the most specific policy wins.
Verification: Use the Threat Explorer to see detections. For example, to see all Safe Links blocks in the last 7 days, go to Threat Explorer, set the date range, and filter by Detection technology = 'Safe Links'.
Interaction with Related Technologies
Defender for Office 365 integrates with:
- Microsoft 365 Defender: Provides unified visibility across email, endpoints, identity, and cloud apps.
- Azure Active Directory: Identity protection signals feed into anti-phishing.
- Microsoft Sentinel: Can ingest Defender for Office 365 logs for advanced SIEM analysis.
- Exchange Online Protection: EOP is the baseline; Defender for Office 365 adds layers on top.
Specific Numbers, Defaults, and Timers
Safe Attachments sandbox timeout: ~10 minutes.
Safe Links URL rewrite: All URLs in email are rewritten by default (can be scoped).
Anti-phishing policy priority: Lower number = higher priority.
ZAP (Zero-hour auto purge): Runs every few minutes, can delete messages already delivered if they are later found malicious.
Threat Explorer data retention: 30 days by default (can be extended with add-ons).
Dynamic Delivery: Email body delivered immediately; attachment held until analysis complete (typically within minutes).
Command Examples
While Defender for Office 365 is primarily GUI-based, some operations can be done via PowerShell with the Exchange Online PowerShell module. For example:
```powershell
# Connect to Exchange Online (requires the ExchangeOnlineManagement module)
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# List Safe Links policies
Get-SafeLinksPolicy | Format-Table Name, IsEnabled

# Create a Safe Links policy; it only applies to recipients once a
# Safe Links rule (New-SafeLinksRule) scopes the policy to them
New-SafeLinksPolicy -Name "BlockAll" -IsEnabled $true -DoNotAllowClickThrough $true

# List Safe Attachments policies and their configured action
Get-SafeAttachmentPolicy | Format-Table Name, Action
```

However, for SC-900, you do not need to memorize PowerShell commands; focus on concepts and features.
Exam-Relevant Details
Plan 1 vs Plan 2: Plan 1 includes Safe Attachments, Safe Links, and anti-phishing; Plan 2 adds Threat Explorer, AIR, and attack simulation.
Safe Attachments action options: Off, Monitor, Block, Replace, Dynamic Delivery.
Safe Links does NOT scan attachments; it only rewrites URLs.
Anti-phishing policies can protect against impersonation of specific users (like the CEO) and domains.
ZAP works retroactively: If a message was delivered and later found malicious, ZAP moves it to quarantine or deletes it.
Threat Explorer shows detections from all layers (EOP and Defender for Office 365).
Attack simulation training is Plan 2 only.
Email Arrives at Exchange Online
An inbound email arrives at the Exchange Online transport service. The first layer, connection filtering, checks the sending IP against reputation lists (e.g., Microsoft's proprietary reputation feed and third-party block lists). If the IP is known for sending spam or malware, the connection is rejected at the SMTP level, and no further processing occurs. This step reduces load from known bad senders.
EOP Anti-Malware and Anti-Spam
The email passes through the Exchange Online Protection (EOP) anti-malware engine, which scans attachments for known malware signatures using multiple engines. Then the anti-spam filter evaluates the message using machine learning models and content filters. The message gets a spam confidence level (SCL) rating from -1 to 9; values 5-6 are considered spam, 7-8 are high-confidence spam, and 9 is phishing. Based on policy, messages may be delivered to the Junk Email folder or quarantined.
Anti-Phishing Policy Evaluation
If the email survives EOP, it is evaluated against Defender for Office 365 anti-phishing policies. The system checks for impersonation of protected users (e.g., CEO) and domains. It uses machine learning to compare the sender's behavior against historical patterns. If an impersonation is detected, the email may be quarantined or have a safety tip added. The policy also checks for spoofed intra-org senders.
Safe Attachments Detonation
If the email has an attachment and a Safe Attachments policy applies, the attachment is extracted and sent to the sandbox environment. The sandbox opens the file in a virtual machine with Office applications. The behavior is monitored for 10 minutes: file system writes, process creation, network connections. If malicious activity is detected, the attachment is marked as malware. Based on the policy action (Block, Replace, etc.), the email is handled accordingly. If Dynamic Delivery is enabled, the email body is delivered immediately, and the attachment is held until analysis completes.
Safe Links URL Rewriting
After Safe Attachments (or if no attachment), Safe Links policies rewrite all URLs in the email body. The original URL is replaced with a Safe Links URL that points to `safelinks.protection.outlook.com`. This happens at delivery time. The rewritten URL includes encrypted metadata about the original link and the recipient. The email is then delivered to the user's mailbox. The user sees the original URL text, but the underlying hyperlink points to the Safe Links service.
User Clicks a Link (Click-Time Protection)
When the user clicks a rewritten URL, their browser sends a request to the Safe Links service. The service decrypts the metadata and checks the original URL against the latest threat intelligence feeds. This includes dynamic reputation checks and machine learning analysis of the destination page. If the URL is determined to be malicious, the user is shown a warning page (blocked) with an option to proceed at their own risk (if policy allows). If safe, the user is redirected to the original URL. The click event is logged for reporting.
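The rewrite-and-check flow described in the Safe Links section and in the click-time step above, as an added Python example that is not part of this chapter and not Microsoft's service code: it unwraps a Safe Links rewritten URL back to its original destination (as an analyst reading a mail log would) and then applies an admin-style block list to simulate the click-time verdict. The `data` value, block-list entries and hostnames are constructed placeholders, and the real service's threat-intelligence lookup is not modelled.

```python
"""Decode Safe Links rewritten URLs and simulate the click-time block-list check."""
from urllib.parse import parse_qs, quote, urlparse

# Safe Links rewrites point at regional hosts such as nam01.safelinks.protection.outlook.com
SAFELINKS_SUFFIX = "safelinks.protection.outlook.com"


def decode_safelinks(url: str) -> str:
    """Return the original destination behind a Safe Links URL.

    URLs that are not Safe Links rewrites are returned unchanged. A link that was
    rewritten twice (e.g. in a forwarded message) is unwrapped recursively.
    """
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host != SAFELINKS_SUFFIX and not host.endswith("." + SAFELINKS_SUFFIX):
        return url
    # parse_qs percent-decodes, so url=http%3A%2F%2Fevil.example comes back as http://evil.example
    params = parse_qs(parsed.query)
    original = params.get("url", [""])[0]
    if not original:
        return url  # malformed rewrite: keep what we were given rather than guess
    return decode_safelinks(original)


def rewrite_safelinks(url: str, region: str = "nam01") -> str:
    """Build a Safe Links style rewrite of url (constructed sample). The real 'data'
    parameter carries encrypted metadata about link and recipient; here a placeholder."""
    # Percent-encoding the destination keeps its own '?' and '&' out of the outer query string
    return (f"https://{region}.{SAFELINKS_SUFFIX}/?url={quote(url, safe='')}"
            "&data=PLACEHOLDER_ENCRYPTED_METADATA&reserved=0")


def domain_matches(host: str, blocked_domain: str) -> bool:
    """True if host is blocked_domain itself or one of its subdomains."""
    host, blocked_domain = host.lower(), blocked_domain.lower()
    return host == blocked_domain or host.endswith("." + blocked_domain)


def click_time_verdict(clicked_url: str, blocked_domains, blocked_urls) -> tuple:
    """Simulate the click-time check: unwrap the rewrite, then compare the original
    destination against an admin block list of domains and exact URLs.
    Returns (verdict, original_url) where verdict is 'blocked' or 'allowed'."""
    original = decode_safelinks(clicked_url)
    host = urlparse(original).hostname or ""
    if original in blocked_urls or any(domain_matches(host, d) for d in blocked_domains):
        return ("blocked", original)
    return ("allowed", original)


if __name__ == "__main__":
    # Constructed block list and sample links; none are real indicators
    blocked_domains = ["evil.example"]
    blocked_urls = ["https://login.example.net/reset?id=42"]
    for destination in ("http://mail.evil.example/invoice", "https://contoso.example/report"):
        rewritten = rewrite_safelinks(destination)
        print(rewritten)
        print(click_time_verdict(rewritten, blocked_domains, blocked_urls))
```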
Enterprise Deployment Scenario 1: Protecting Against CEO Fraud
A multinational corporation with 50,000 employees frequently faces business email compromise (BEC) attacks where attackers impersonate the CEO to request wire transfers. The security team configures Defender for Office 365 anti-phishing policies to protect the CEO and other executives as 'protected users'. They also add the company's domain and partner domains to the impersonation protection list. The policy is set to 'Quarantine' for impersonation detections. Additionally, they enable mailbox intelligence to learn normal communication patterns. When an attacker sends an email with a display name matching the CEO but a different email address, the system flags it and quarantines it. The security team uses Threat Explorer to review impersonation detections weekly. A common pitfall is forgetting to add all executives to the protected users list; attackers then target unprotected names. The team also enables Safe Links to block malicious URLs in case the email includes a link to a credential harvesting page.
Enterprise Deployment Scenario 2: Handling Zero-Day Malware Attachments
A financial services firm receives many emails with PDF and Office attachments from external clients. They enable Safe Attachments with the 'Block' action and also enable Dynamic Delivery to avoid delaying legitimate email. When a client sends a PDF containing a zero-day exploit, Safe Attachments detonates it in the sandbox. The exploit attempts to download a payload from a new domain. The sandbox detects the outbound connection and flags the attachment as malware. The email is blocked, and the sender receives a non-delivery report. The security team is alerted via the incident queue. They investigate using Threat Explorer and see the detonation details. If they had used 'Monitor' instead, the malicious attachment would have been delivered, potentially infecting a user. Performance consideration: Dynamic Delivery adds latency for the attachment but not the email body, which keeps productivity high. Misconfiguration: Setting Safe Attachments to 'Off' for a pilot group accidentally exposes them to threats.
Enterprise Deployment Scenario 3: Phishing Campaign with Malicious Links
A retail company with 10,000 employees is targeted by a phishing campaign that uses links to fake login pages. The company has Safe Links enabled with 'Do not allow users to click through to original URL' and 'Scan URLs in email messages' set. When employees receive the phishing email, the links are rewritten. When an employee clicks, Safe Links checks the destination URL and finds it in the malicious URL block list (fed by Microsoft's threat intelligence). The user sees a warning page: 'This link is blocked. It may contain malicious content.' The click is logged. The security team uses the Safe Links report in the Defender portal to see the number of clicks blocked. They also use Attack Simulation Training (Plan 2) to send simulated phishing emails to employees and track who clicks, then enforce training. A common issue: if Safe Links is not enabled for Teams, attackers can share links in Teams chats that bypass email protection. So the team also enables Safe Links for Teams and Office documents.
What SC-900 Tests on Defender for Office 365
The SC-900 exam covers Defender for Office 365 under Objective 3.1: 'Describe the capabilities of Microsoft 365 Defender'. You should be able to:
Describe the purpose and key features of Defender for Office 365 (Safe Attachments, Safe Links, anti-phishing policies).
Differentiate between Plan 1 and Plan 2 capabilities.
Understand how Safe Attachments and Safe Links protect against threats.
Explain the role of Threat Explorer and automated investigation and response.
Identify which protection layer handles specific threats (e.g., Safe Links for URLs, Safe Attachments for files).
Common Wrong Answers and Why Candidates Choose Them
'Safe Attachments scans URLs in email bodies.' This is false. Safe Attachments scans attachments (files). Safe Links scans URLs. Candidates confuse the two because both have 'Safe' in the name. Remember: Attachments = files, Links = URLs.
'Safe Links scans attachments for malware.' Wrong again. Safe Links rewrites and checks URLs, not attachments. Attachments are handled by Safe Attachments.
'Anti-phishing policies are part of EOP.' While EOP has basic anti-phishing (anti-spoofing), the advanced impersonation protection is a feature of Defender for Office 365 (Plan 1 or 2). The exam tests that advanced anti-phishing is part of Defender for Office 365, not EOP.
'Threat Explorer is available in Plan 1.' No, Threat Explorer is Plan 2 only. Plan 1 has Real-Time Detections, which is a lighter version. The exam loves to test Plan 1 vs Plan 2 distinctions.
'Dynamic Delivery delivers the entire email (body and attachment) immediately.' False. Dynamic Delivery delivers the email body immediately but holds the attachment for analysis. The attachment is delivered later if safe.
Specific Numbers and Terms That Appear on the Exam
Safe Attachments action options: Monitor, Block, Replace, Dynamic Delivery, Off.
Safe Links: Rewrites URLs, blocks at click time.
Anti-phishing: Protects against user and domain impersonation.
ZAP (Zero-hour auto purge): Retroactively removes malicious messages.
Attack Simulation Training: Plan 2 only.
Threat Explorer: Plan 2, 30-day retention.
Edge Cases and Exceptions
What if a user is on Plan 1 but needs AIR? They need to upgrade to Plan 2.
What if an email passes all layers but later a URL becomes malicious? Safe Links will block it at click time.
What if an attachment is too large for the sandbox? It may be skipped; policy action determines outcome.
What about internal emails? Safe Links and Safe Attachments can be applied to internal messages if configured.
How to Eliminate Wrong Answers
If the question mentions 'attachment' and 'malware', think Safe Attachments.
If the question mentions 'URL' or 'link', think Safe Links.
If the question mentions 'impersonation of CEO', think anti-phishing.
If the question mentions 'investigation' or 'automated response', think Plan 2 (Threat Explorer, AIR).
If the question mentions 'simulated phishing', think Plan 2 (Attack Simulation Training).
Defender for Office 365 builds on EOP; it is not a replacement.
Safe Attachments scans attachments using a sandbox; actions include Block, Monitor, Replace, Dynamic Delivery, and Off.
Safe Links rewrites URLs and blocks malicious links at click time.
Anti-phishing policies protect against user and domain impersonation.
Plan 2 adds Threat Explorer, AIR, and Attack Simulation Training.
ZAP (Zero-hour auto purge) retroactively removes malicious messages already delivered.
Dynamic Delivery delivers email body immediately while holding attachments for analysis.
Threat Explorer retains data for 30 days by default.
Attack Simulation Training is Plan 2 only.
Safe Links can also protect URLs in Teams and Office documents.
These come up on the exam all the time. Here's how to tell them apart.
Safe Attachments
Scans email attachments (files) by detonating them in a sandbox.
Protects at time of delivery (time-of-detection).
Actions: Monitor, Block, Replace, Dynamic Delivery, Off.
Can hold attachment delivery until analysis completes.
Does not rewrite URLs.
Safe Links
Scans URLs in email bodies, Teams, and Office documents.
Protects at time of click (time-of-click).
Rewrites URLs to point to Safe Links service.
Blocks malicious URLs when user clicks.
Does not scan attachments.
Defender for Office 365 Plan 1
Includes Safe Attachments, Safe Links, anti-phishing policies.
Includes Real-Time Detections for investigation.
No automated investigation and response (AIR).
No Threat Explorer (limited to 7-day lookback in Real-Time Detections).
No Attack Simulation Training.
Defender for Office 365 Plan 2
Includes all Plan 1 features.
Includes Threat Explorer (30-day retention, advanced hunting).
Includes automated investigation and response (AIR).
Includes Attack Simulation Training.
Includes Threat Trackers and campaign views.
Mistake: Defender for Office 365 replaces Exchange Online Protection (EOP).
Correct: Defender for Office 365 builds on top of EOP. EOP provides baseline protection; Defender adds advanced layers. Both are needed.

Mistake: Safe Links scans attachments for malware.
Correct: Safe Links only rewrites and checks URLs. Attachments are scanned by Safe Attachments and EOP anti-malware.

Mistake: Safe Attachments scans all email attachments immediately without delay.
Correct: Safe Attachments detonates in a sandbox, which takes up to 10 minutes. Dynamic Delivery can deliver the email body immediately while the attachment is analyzed.

Mistake: Threat Explorer is available in Defender for Office 365 Plan 1.
Correct: Threat Explorer is only in Plan 2. Plan 1 has Real-Time Detections, which is a simpler view.

Mistake: Anti-phishing policies in Defender for Office 365 only protect against external spoofing.
Correct: They also protect against internal impersonation (e.g., a user impersonating the CEO) and can protect specific users and domains.
Safe Attachments scans email attachments by detonating them in a sandbox environment to detect malware. Safe Links rewrites URLs in email and other apps, checking them at click time against real-time threat intelligence. Safe Attachments protects against malicious files; Safe Links protects against malicious URLs. They are complementary features. For the exam, remember: attachments = Safe Attachments; links = Safe Links.
No, Threat Explorer is only available in Plan 2. Plan 1 includes Real-Time Detections, which provides a limited view of recent threats. Plan 2's Threat Explorer offers advanced hunting with 30-day retention. The exam often tests this distinction.
Dynamic Delivery delivers the email body to the recipient immediately while holding the attachment for analysis in the sandbox. Once analysis is complete and the attachment is deemed safe, it is delivered. If malicious, the attachment is blocked or replaced. This minimizes delay for the user while still providing protection.
Safe Links rewrites all URLs in email (and other apps) to point to the Safe Links service. When a user clicks, the service checks the original URL against Microsoft's threat intelligence feeds, which include dynamic reputation and machine learning. If the URL is malicious, the user sees a warning page and is blocked from accessing the site. If safe, they are redirected.
Zero-hour auto purge (ZAP) is a feature that retroactively removes messages from user mailboxes if they are later determined to be malicious or phishing. It runs periodically and can move messages to quarantine or delete them. ZAP works on already delivered messages, providing protection after delivery if threat intelligence updates.
Yes, policies can be configured to apply to internal messages as well. For example, Safe Links can rewrite URLs in internal emails, and anti-phishing policies can detect impersonation of internal users. However, by default, some protections may only apply to external emails. Admins can extend coverage to internal messages.
Attack Simulation Training is a Plan 2 feature that allows security teams to send simulated phishing attacks to users. It tracks who clicks the malicious link or opens the attachment, and provides training materials to educate users. This helps improve security awareness and reduce real phishing success rates.