Microsoft Defender for Office 365

Microsoft Defender for Office 365 is a cloud-based email filtering solution that offers strong zero-day protection to help shield your business against unidentified malware and viruses. It has tools that may instantly protect your business from hazardous links. Administrators may learn more about the types of attacks taking place in their business thanks to Microsoft Defender for Office 365’s robust reporting and URL tracing features.

The following advantages are offered by Microsoft Defender for Office 365:

  • Leading-edge Protection. Microsoft Defender for Office 365 leverages 6.5 trillion signals each day from email alone to identify threats fast and precisely, shielding users from complex assaults like phishing and zero-day malware, and prevent them. In 2018, Microsoft Defender for Office 365 protected 4 million unique users from sophisticated attacks by blocking 5 billion phishing emails and reviewing 300,000 phishing operations.
  • Practical Information. Correlating signals from a variety of data sources yields actionable insights that security managers may use to assist detect, prioritize, and suggest solutions for possible issues. The suggestions include corrective measures that provide administrators the ability to proactively safeguard their organization.
  • Automated reaction in post-breach settings, investigation and remediation can be challenging, expensive, and time-consuming. The majority of businesses lack the knowledge and tools necessary for an efficient inquiry. Security operators may use the sophisticated automatic response options offered by Microsoft Defender for Office 365 to significantly reduce their costs in terms of time, money, and resources.

The main methods for protecting messages while using Microsoft Defender for Office 365 are as follows:

  • Microsoft Defender for Office 365 offers cloud-based email security for your on-premises Exchange Server environment or any other on-premises SMTP email solution in a Microsoft Defender for Office 365 filtering-only scenario.
  • Cloud-hosted mailboxes for Exchange Online may be safeguarded by turning on Microsoft Defender for Office 365.
  • When you have a mixture of on-premises and cloud mailboxes with Exchange Online Protection for incoming email filtering, Microsoft Defender for Office 365 may be set to safeguard your messaging environment and govern mail routing.

Automate, investigate, and remediate

Utilize automated inquiry and reaction to save time.

Time is of the importance when looking into a suspected cyberattack. The quicker dangers are identified and reduced, the better off your firm will be. Security playbooks that may be launched manually or automatically, such as via a view in Explorer, are part of the automated investigation and response (AIR) capabilities. Your security operations team’s time and effort may be reduced by using AIR to effectively and efficiently mitigate attacks.


First, let’s look at a native alert produced by Office 365. The majority of the time, these alarms are now examined manually. This is where AIR comes in. Attackers commonly use innocent URLs in emails to get past security software and then weaponize them once they’ve been sent to launch their assault. See how the notice in the accompanying screenshot indicates that a newly weaponized URL was found by Microsoft Defender for Office 365 using Safe Links URL detonation (under Details on the right-hand side).

The Office 365 Threat Intelligence Summary Investigation Graph may be accessed by clicking on the alert’s investigation deep link. This graph displays all the many things that the triggered alert has automatically looked into, including emails, people (and their behaviours), and devices.

Specifically, note that:

  • Based on sender, IP, domain, URL, and other email attributes, there were a number of emails (23) that were identified as being pertinent to this investigation. A subset of those emails (6) were also identified as being malicious and sent from an internal user within the company, which is a strong indication of a compromised user.
  • On this investigation, a user pivot also discovers abnormalities for one user (Jeff) in relation to a suspect login and bulk document downloads.
  • Microsoft Defender for Office 365 has also taken some auto remediations in response to the compromised user, user anomalies, and compromised device threats identified in this investigation, including blocking the URL, deleting any emails in mailboxes related to this URL, and triggering the AAD workflows for password reset and MFA for the compromised user. Core components of AIR include the capacity to initiate remediations automatically or with manual approval in accordance with policy.

Certain corrective measures are included in AIR in Microsoft Defender for Office 365. You will normally notice one or more remedial actions that need permission from your security operations team to move forward whenever an automated investigation is running or has finished. Such corrective measures comprise the following:

  • Softly erase any email threads or messages.
  • Delete URL (time-of-click)
  • Stop forwarding of external mail
  • Disable delegation

The following screenshot illustrates where to find these activities under the chosen investigation’s Actions tab:

Configure, protect, and detect

The security team at your company may set up protection with Microsoft Defender for Office 365 by creating policies on the Microsoft 365 Defender site. The behaviour and level of protection for preset threats are determined by the policies that are defined for your company. Options for policy are open-ended. For instance, the security team at your company may configure fine-grained threat protection at the level of the user, organisation, receiver, and domain. Because new dangers and difficulties arise every day, it is crucial to frequently examine your policies.

Safe Attachments

Microsoft Defender for Office 365 Safe Attachments guards your messaging system from unknown malware and viruses and offers zero-day protection. Microsoft Defender for Office 365 routes all messages and attachments without a known virus or malware signature to a separate environment where it employs a number of machine learning and analytical techniques to identify harmful intent. The message is allowed to be sent to the mailbox if no suspicious behaviour is found.

The upcoming choices may be chosen while implementing a Safe Attachments policy:

  • In the Attachment’s Action for Unknown Malware section:
  • Off: Malware checks will not be performed on attachments.
  • Monitor: After malware is found, the message is still being delivered, and the scanning findings are being followed.
  • Block: blocks all emails and attachments containing known malware, both current and future.
  • Replace: blocks any attachments that have malware identified but keeps sending the user’s message content.
  • fluid supply. provides the message body alone right away; if the attachments are safe, they are reattached after being scanned.

Dynamic delivery. Immediately delivers the message body without attachments and reattaches attachments after scanning if they are found to be safe.

  • Check the Enable redirect checkbox and input an email address if you wish to send banned, replaced, or monitored attachments to a security administrator in your company for more research.
  • By using the Apply the aforementioned choices if malware scanning for attachments times out or errors occurs checkbox, you may also have certain attachments sent if the scanning process should fail.

Professional Labs is the best cloud managed service provider in Qatar; for more information, please contact us.          Contact Us | Professional labs (