Microsoft Defender for Office 365 explained
What Defender for Office 365 adds on top of EOP — Safe Links, Safe Attachments, AIR, and attack simulation.
Microsoft Defender for Office 365 is the advanced threat-protection layer for Exchange Online, Teams, SharePoint, OneDrive, and Office apps. It builds on Exchange Online Protection (EOP) — the baseline anti-spam, anti-malware, and basic anti-phishing — and adds defences against modern phishing, zero-day malware, and targeted attacks.
What Defender for Office 365 adds
The headline features:
- Safe Links — URLs in incoming email are rewritten to point at a Microsoft proxy (a safelinks.protection.outlook.com address); links in Teams messages and Office documents are checked at click time without being rewritten. Either way the destination is evaluated against current threat intelligence at the moment of the click, so a link that was clean at delivery but weaponised afterwards is still blocked.
- Safe Attachments — attachments with no known verdict are detonated in a sandbox before delivery. Dynamic Delivery hands the message body to the user immediately with a placeholder attachment and swaps in the real file once scanning completes.
- Anti-phishing (advanced) — impersonation protection for the specific users and domains you list (plus your own domains), and mailbox intelligence, which learns each user's normal correspondents and flags mail that pretends to be one of them. Spoof intelligence itself ships with EOP, so it is available without Defender.
- Automated Investigation and Response (AIR) — playbooks triggered by an alert or a user report that investigate the message, its URLs and attachments, find every mailbox that received the same campaign, and propose remediation such as soft-deleting the mail across all of them. By default the remediation waits for an analyst's approval in the Action center rather than running on its own.
- Attack Simulation Training — controlled phishing simulations and embedded training modules for users who fall for them.
- Threat Explorer (Plan 2) / Real-time detections (Plan 1) — the analyst surface for hunting and investigating threats.
- Campaign views — clusters related phishing into single campaign units rather than thousands of individual events.
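As an added example (not part of the original article or of Microsoft's own tooling), the function below unwraps a Safe Links rewritten URL the way an analyst does when a user forwards a suspicious message. A rewrite carries the original destination in the `url` query parameter of a safelinks.protection.outlook.com link; the region prefix (nam06 here) varies by tenant, and the sample link is constructed for this example.

```powershell
function ConvertFrom-SafeLinksUrl {
    <#
      Returns the original destination behind a Safe Links rewrite, or the input
      unchanged when it is not a Safe Links URL. Nested rewrites (a rewritten link
      that was rewritten again on forwarding) are unwrapped until a plain URL remains.
    #>
    param([Parameter(Mandatory)][string]$Url)

    $current = $Url
    while ($true) {
        $uri = [uri]$current
        if ($uri.Host -notlike '*.safelinks.protection.outlook.com') {
            return $current                       # not a rewrite: hand it back as-is
        }
        # Query string looks like ?url=<encoded target>&data=...&sdata=...&reserved=0
        $target = $null
        foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
            $name, $value = $pair -split '=', 2
            if ($name -eq 'url' -and $value) {
                $target = [uri]::UnescapeDataString($value)
            }
        }
        if (-not $target) { throw "Safe Links URL without a url parameter: $current" }
        $current = $target                        # loop again in case the target is itself a rewrite
    }
}

# Constructed sample: a Safe Links rewrite of https://example.com/login?id=42
# (the data/sdata values are placeholders, not real telemetry tokens).
$sample = 'https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Flogin%3Fid%3D42&data=05%7C02%7C&sdata=placeholder&reserved=0'
ConvertFrom-SafeLinksUrl -Url $sample
```

Unwrap before you pivot on the destination in Threat Explorer or a reputation service; the rewritten host is Microsoft's, and searching on it tells you nothing about the target.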
Plan 1 vs Plan 2
- Plan 1 — Safe Links, Safe Attachments, advanced anti-phishing (impersonation protection and mailbox intelligence), Real-time detections.
- Plan 2 — everything in Plan 1 plus AIR, Attack Simulation Training, Threat Explorer, Campaign Views, and the email tables in Defender XDR advanced hunting.
Plan 2 is included with Microsoft 365 E5, Microsoft 365 E5 Security, and Office 365 E5; Plan 1 is included with Microsoft 365 Business Premium. Both plans are also sold standalone as add-ons.
Integration with Defender XDR
Detections from Defender for Office 365 flow into Microsoft Defender XDR at security.microsoft.com, where they correlate with Defender for Endpoint and Defender for Identity signals. A phishing message that harvests credentials, followed by a sign-in from an unfamiliar location and then lateral movement, shows up as a single incident with the full attack chain rather than as three unrelated alerts.
Tuning matters
Out-of-the-box defaults are decent, but tuning helps:
- Mark VIPs for impersonation protection. User impersonation checks only run for the people you list, so executives, finance, payroll and anyone who approves payments belong on it.
- Add trusted senders and domains only where a legitimate partner keeps tripping impersonation detection, and keep the exception as narrow as you can (a single mailbox rather than a whole domain). The exception bypasses impersonation checks for that sender, not malware or Safe Links scanning, but it is also a bypass for anyone who convincingly fakes the exempted domain.
- Set Safe Attachments to Dynamic Delivery rather than Block where a few minutes of attachment delay is more acceptable than a held message. Dynamic Delivery only works for Exchange Online mailboxes, and the Standard and Strict presets use Block.
- Configure quarantine policies with end-user notifications so users can see and release their own low-risk (spam and bulk) quarantine without admin help; keep phish and malware quarantine admin-only.
- Use the preset security policies (Standard or Strict) as the baseline. Presets take precedence over custom policies for the recipients they cover (Strict, then Standard, then custom, then built-in protection), so scope any custom policy to recipients the preset excludes.
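The tuning steps above, as one added Exchange Online PowerShell run (example code written for this page, not Microsoft's documentation or product code). It assumes the ExchangeOnlineManagement module is installed, that the Standard preset has been turned on once in the portal so its rule objects exist, and uses placeholders you replace with your own: tenant domain contoso.com, VIP mailboxes ceo@ and cfo@contoso.com, partner domain partner.example, and a mail-enabled group dynamic-delivery-pilot@contoso.com whose members are carved out of the preset and get the low-disruption custom stack instead.

```powershell
# Added example: tune Defender for Office 365 from Exchange Online PowerShell.
# All names below are placeholders (assumptions), not values from the page.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline            # interactive sign-in; needs Security Administrator or equivalent

$Domain     = 'contoso.com'
$PilotGroup = 'dynamic-delivery-pilot@contoso.com'
$PartnerDom = 'partner.example'
$Vips       = @('Jane Doe;ceo@contoso.com', 'John Roe;cfo@contoso.com')   # "DisplayName;smtp" format

# 1. Baseline: Standard preset (EOP half and Defender half) for the whole domain.
#    The pilot group is excluded, because a recipient matched by a preset never
#    sees a custom policy (precedence: Strict > Standard > custom > built-in).
Enable-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy'
Enable-ATPProtectionPolicyRule -Identity 'Standard Preset Security Policy'
Set-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy' `
    -RecipientDomainIs $Domain -ExceptIfSentToMemberOf $PilotGroup
Set-ATPProtectionPolicyRule -Identity 'Standard Preset Security Policy' `
    -RecipientDomainIs $Domain -ExceptIfSentToMemberOf $PilotGroup

# 2. Mark VIPs and the partner domain in the preset's own anti-phish policy.
#    Presets already turn on user/domain impersonation protection and mailbox
#    intelligence; the protected lists and trusted-sender exceptions are what you edit.
$standardPhish = Get-AntiPhishPolicy | Where-Object { $_.RecommendedPolicyType -eq 'Standard' }
Set-AntiPhishPolicy -Identity $standardPhish.Identity `
    -TargetedUsersToProtect $Vips `
    -TargetedDomainsToProtect @($PartnerDom) `
    -ExcludedSenders @("invoices@$PartnerDom")    # one mailbox exempted, not the whole domain

# 3. Pilot group: custom Safe Attachments in Dynamic Delivery (presets use Block)
#    plus a custom anti-phish policy so these users do not fall back to the default one.
$pilotAttach = @{
    Name   = 'Pilot Safe Attachments'
    Enable = $true
    Action = 'DynamicDelivery'   # body now, attachment after detonation; Exchange Online mailboxes only
}
New-SafeAttachmentPolicy @pilotAttach
New-SafeAttachmentRule -Name 'Pilot Safe Attachments Rule' `
    -SafeAttachmentPolicy $pilotAttach.Name -SentToMemberOf $PilotGroup

$pilotPhish = @{
    Name                                = 'Pilot Anti-Phish'
    Enabled                             = $true
    PhishThresholdLevel                 = 2                  # 2 = "Aggressive"
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $Vips
    TargetedUserProtectionAction        = 'Quarantine'
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @($PartnerDom)
    EnableOrganizationDomainsProtection = $true
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'        # lower confidence signal: Junk, not quarantine
    ExcludedSenders                     = @("invoices@$PartnerDom")
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
}
New-AntiPhishPolicy @pilotPhish
New-AntiPhishRule -Name 'Pilot Anti-Phish Rule' -AntiPhishPolicy $pilotPhish.Name -SentToMemberOf $PilotGroup

# 4. Self-service quarantine for low-risk verdicts only. 23 = block sender (16) +
#    release (4) + preview (2) + delete (1); ESNEnabled turns on the end-user digest.
#    Phish and malware keep the default admin-only quarantine policy.
New-QuarantinePolicy -Name 'Self-Service Spam' -EndUserQuarantinePermissionsValue 23 -ESNEnabled $true
Set-HostedContentFilterPolicy -Identity Default `
    -SpamQuarantineTag 'Self-Service Spam' -BulkQuarantineTag 'Self-Service Spam'

# 5. Verify scope and precedence of what will actually apply.
Get-ATPProtectionPolicyRule | Format-Table Name, State, RecipientDomainIs, ExceptIfSentToMemberOf
Get-SafeAttachmentRule      | Format-Table Name, Priority, State, SentToMemberOf
Get-AntiPhishRule           | Format-Table Name, Priority, State, SentToMemberOf
```

The carve-out in step 1 is the part most people miss: without the `-ExceptIfSentToMemberOf` exception, the custom Safe Attachments and anti-phish policies in step 3 are created but never evaluated, because the Standard preset claims those recipients first. The quarantine tags in step 4 only take effect for verdicts whose action is Quarantine; the default spam action is Move to Junk, so change it if you want spam to land in the self-service quarantine.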
Most organisations get more value from Defender for Office 365 in the first month than from any other Microsoft 365 security product.