Getting the best security value from Microsoft Defender for Office 365 when you have third party email filtering

This guide is for you if:

  • You're licensed for Microsoft Defender for Office 365 and host your mailboxes in Office 365
  • You're also using a third party for your email security

The following information details how to get the most out of your investment, broken down into easy to follow steps.

What you need

  • Mailboxes hosted in Office 365
  • One or more of:
    • Microsoft Defender for Office 365 Plan 1 for protection features
    • Microsoft Defender for Office 365 Plan 2 for most other features (included in E5 plans)
    • Microsoft Defender for Office 365 Trial (available to all customers at aka.ms/tryMDO)
  • Sufficient permissions to configure the features discussed below

Step 1 – Understand the value you already have

Built-in protection features

  • Built-in protection offers a base level of unobtrusive protection, and includes malware, zero day (Safe Attachments), and URL protection (Safe Links) in email (including internal email), SharePoint Online, OneDrive, and Teams. URL protection provided in this state is via API call only. It doesn't wrap or rewrite URLs but does require a supported Outlook client. You can create your own custom policies to expand your protection.

Read more & watch an overview video of Safe Links here: Complete Safe Links overview

Read more about Safe Attachments here: Safe Attachments

Detection, investigation, response, and hunting features

  • When alerts fire in Microsoft Defender for Office 365, they're automatically correlated, and combined into Incidents to help reduce the alert fatigue on security staff. Automated Investigation and Response (AIR) triggers investigations to help remediate and contain threats.

Read more, watch an overview video and get started here : Incident response with Microsoft Defender XDR

  • Threat Analytics is our in-product, detailed threat intelligence solution from expert Microsoft security researchers. Threat Analytics contains detailed reports that are designed to get you up to speed on the latest threat groups, attack techniques, how to protect your organization with Indicators of Compromise (IOC) and much more.

Read more, watch an overview video and get started here : Threat analytics in Microsoft Defender XDR

  • Explorer can be used to hunt threats, visualize mail flow patterns, spot trends, and identify the impact of changes you make during tuning Defender for Office 365. You can also quickly delete messages from your organization with a few simple clicks.

Read more, and get started here: Threat Explorer and Real-time detections

Step 2 – Enhance the value further with these simple steps

Additional protection features

  • Consider enabling policies beyond the built-in Protection. Enabling time-of-click protection, or impersonation protection, for example, to add extra layers or fill gaps missing from your third party protection. If you have a mail flow rule (also known as a transport rule) or connection filter that overrides verdicts (also known as an SCL=-1 rule) you need to address this configuration before turning on other protection features.

Read more here: Anti-phishing policies

  • If your current security provider is configured to modify messages in any way, it's important to note that authentication signals can impact the ability for Defender for Office 365 to protect you against attacks such as spoofing. If your third party supports Authenticated Received Chain (ARC), then enabling this is a highly recommended step in your journey to advanced dual filtering. Moving any message modification configuration to Defender for Office 365 is also an alternative.

Read more here: Configure trusted ARC sealers.

  • Enhanced Filtering for connectors allows IP address and sender information to be preserved through the third party. This feature improves accuracy for the filtering (protection) stack, post breach capabilities & authentication improvements.

Read more here: Enhanced filtering for connectors in Exchange Online

  • Priority account protection offers enhanced visibility for accounts in tooling, along with additional protection when in an advanced defense in-depth configuration state.

Read more here: Priority account protection

  • Advanced Delivery should be configured to deliver any third party phish simulations correctly, and if you have a Security Operations mailbox, consider defining it as a SecOps mailbox to ensure emails don't get removed from the mailbox due to threats.

Read more here: Advanced delivery

  • You can configure user reported settings to allow users to report good or bad messages to Microsoft, to a designated reporting mailbox (to integrate with current security workflows) or both. Admins can use the User reported tab on the Submissions page to triage false positives and false negative user reported messages.

Read more here: Deploy and configure the report message add-in to users.

Detection, investigation, response, and hunting features

  • Advanced hunting can be used to proactively hunt for threats in your organization, using shared queries from the community to help you get started. You can also use custom detections to set up alerts when personalized criteria are met.

Read more, watch an overview video and get started here: Overview - Advanced hunting

Education features

  • Attack simulation training allows you to run realistic but benign cyber-attack scenarios in your organization. If you don't already have phishing simulation capabilities from your primary email security provider, Microsoft's simulated attacks can help you identify and find vulnerable users, policies, and practices. This capability contains important knowledge to have and correct before a real attack impacts your organization. Post simulation we assign in product or custom training to educate users about the threats they missed, ultimately reducing your organization's risk profile. With Attack simulation training, we deliver messages directly into the inbox, so the user experience is rich. This also means no security changes such as overrides needed to get simulations delivered correctly.

Get started here: Get started using Attack simulation.

Jump right into delivering a simulation here: How to setup automated attacks and training within Attack simulation training

Step 3 and beyond, becoming a dual use hero

  • Many of the detection, investigation, response, and hunting activities as previously described should be repeated by your security teams. This guidance offers a detailed description of tasks, cadence, and team assignments we would recommend.

Read More: Security Operations Guide for Defender for Office 365

  • Consider user experiences such as accessing multiple quarantines, or the submission / reporting of false positives and false negatives. You can mark messages detected by the third party service with a custom X header. For example, you can use mail flow rules to detect and quarantine email that contains the X header. This result also gives users a single place to access quarantined mail.

Read More: How to configure quarantine permissions and policies

  • The Migration guide contains lots of useful guidance on preparing and tuning your environment to ready it for a migration. But many of the steps are also applicable to a dual-use scenario. Simply ignore the MX switch guidance in the final steps.

Read it here: Migrate from a third-party protection service to Microsoft Defender for Office 365 - Office 365 | Microsoft Docs.

More information

Migrate from a third-party protection service to Microsoft Defender for Office 365

Security Operations Guide for Defender for Office 365

Get more out of Microsoft Defender for Office 365 with Microsoft Defender XDR.