What's new in Microsoft Defender for Office 365


Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

This article lists new features in the latest release of Microsoft Defender for Office 365. Features that are currently in preview are denoted with (preview).

Learn more by watching this video.

To search the Microsoft 365 Roadmap for Defender for Office 365 features, use this link.

For more information on what's new with other Microsoft Defender security products, see:

April 2024

  • Enhanced clarity in submissions results: Admins and security operators now see enhanced results within submissions across email, Microsoft Teams messages, email attachments, URLs, and user-reported messages. These updates aim to eliminate any ambiguity associated with the current submission results. The results are refined to ensure clarity, consistency, and conciseness, making the submission results more actionable for you. Learn more.

March 2024

  • Copy simulation functionality in Attack simulation training: Admins can now duplicate existing simulations and customize them to their specific requirements. This feature saves time and effort by using previously launched simulations as templates when creating new ones. Learn more.
  • Attack simulation training is now available in Microsoft 365 DoD. Learn more.

February 2024

  • Hunting and responding to QR code-based attacks: Security teams are now able to see the URLs extracted from QR codes with QR code as URL source on the URL tab of the Email entity page, and QRCode in the UrlLocation column of EmailUrlInfo table in Advanced Hunting. You can also filter for email with URLs embedded within QR codes using the URL Source filter value QR code in the All email, Malware, and Phish views in Threat Explorer (Explorer).

January 2024

  • New training modules available in Attack Simulation Training: Teach your users to recognize and protect themselves against QR code phishing attacks. For more information, see this blog post.
  • Providing intent while submitting is now generally available: Admins can identify if they're submitting an item to Microsoft for a second opinion or they're submitting the message because it's malicious and was missed by Microsoft. With this change, Microsoft analysis of admin submitted messages (email and Microsoft Teams), URLs, and email attachments is further streamlined and results in a more accurate analysis. Learn more.

December 2023

  • QR code related phishing protection within Exchange Online Protection and Microsoft Defender for Office 365: New detection capabilities using image detection, threat signals, URL analysis now extracts QR codes from URLs and blocks QR code based phishing attacks from the body of an email. To learn more, see our blog.

  • Microsoft Defender XDR Unified RBAC is now generally available: Defender XDR Unified RBAC supports all Defender for Office 365 scenarios that were previously controlled by Email & collaboration permissions and Exchange Online permissions. To learn more about the supported workloads and data resources, see Microsoft Defender XDR Unified role-based access control (RBAC).


    Defender XDR Unified RBAC isn't generally available in Microsoft 365 Government Community Cloud High (GCC High) or Department of Defense (DoD).

November 2023

  • Enhanced Action experience from Email Entity/ Summary Panel: As part of the change security admins can take multiple actions as part of FP/FN flows. Learn more.
  • The Tenant Allow/Block List supports more entries in each category (Domains & email addresses, Files, and URLs:
    • Microsoft Defender for Office 365 Plan 2 supports 10,000 block entries and 5,000 allow entries (via admin submissions) in each category.
    • Microsoft Defender for Office 365 Plan 1 supports 1,000 block entries and 1,000 allow entries (via admin submissions) in each category.
    • Exchange Online Protection remains at 500 block entries and 500 allow entries (via admin submissions) in each category.

October 2023

September 2023

  • URL top-level domain blocking is available in the Tenant allow block list. Learn more.
  • Attack simulation training is now available in Microsoft 365 GCC High. Learn more.

August 2023

  • If the User reported settings in the organization send user reported messages (email and Microsoft Teams) to Microsoft (exclusively or in addition to the reporting mailbox), we now do the same checks as when admins submit messages to Microsoft for analysis from the Submissions page.
  • Default intra-organizational protection: By default, messages sent between internal users that are identified as high confidence phishing are quarantined. Admins change this setting in the default anti-spam policy or in custom policies (opt-out of intra-org protection or include other spam filtering verdicts). For configuration information, see Configure anti-spam policies in EOP.

July 2023

May 2023

  • Built-in reporting in Outlook on the web supports reporting messages from shared mailboxes or other mailboxes by a delegate.
    • Shared mailboxes require Send As or Send On Behalf permission for the user.
    • Other mailboxes require Send As or Send On Behalf permission and Read and Manage permissions for the delegate.

April 2023

March 2023

  • Collaboration security for Microsoft Teams: With the increased use of collaboration tools like Microsoft Teams, the possibility of malicious attacks using URLs and messages has increased as well. Microsoft Defender for Office 365 is extending its Safe Links protection with increased capabilities for zero-hour auto purge (ZAP), quarantine, and end user reporting of potential malicious messages to their admins. For more information, see Microsoft Defender for Office 365 support for Microsoft Teams (Preview).
  • Built-in protection: Safe Links time of click protection enabled for email: By default, Microsoft now protects URLs in email messages at time of click as part of this update to Safe Links settings (EnableSafeLinksForEmail) within the Built-in protection preset security policy. To learn about the specific Safe Links protections in the Built-in protection policy, see Safe Links policy settings.
  • Quarantine notifications enabled in preset security policies: If your organization has enabled or will enable the Standard or Strict preset security policies, the policies will be automatically updated to use the new DefaultFullAccessWithNotificationPolicy quarantine policy (notifications enabled) wherever the DefaultFullAccessPolicy (notifications disabled) was used. To learn more about quarantine notifications, see Quarantine notifications. For more information about specific settings in preset security policies, see Microsoft recommendations for EOP and Defender for Office 365 security settings.

January 2023

December 2022

October 2022

  • Automated Investigations email cluster action deduplication: We have added additional checks. If the same investigation cluster is already approved during the past hour, new duplicate remediation isn't processed again.

  • Manage allows and blocks in the Tenant Allow/Block List:

    • With allow expiry management (currently in Private Preview), if Microsoft hasn't learned from the allow, Microsoft automatically extends the expiry time of allows, which are going to expire soon, by 30 days to prevent legitimate email from going to junk or quarantine again.
    • Customers in government cloud environments are now able to create allow and block entries for URLs and attachments in the Tenant Allow/Block List using admin submissions for URLs and email attachments. The data submitted through the submissions experience doesn't leave the customer tenant, thus satisfying the data residency commitments for government cloud clients.
  • Enhancement in URL click alerts:

    • With the new lookback scenario, the "A potentially malicious URL click was detected" alert now includes any clicks during the past 48 hours (for email) from the time the malicious URL verdict is identified.

September 2022

  • Anti-spoofing enhancement for internal domains and senders:

    • For spoofing protection, the allowed senders or domains defined in the anti-spam policy and within user allow lists must now pass authentication in order for the allowed messages to be honored. The change only affects messages that are considered to be internal (the sender or sender's domain is in an accepted domain in the organization). All other messages continue to be handled as they are today.
  • Automatic redirection from Office action center to unified action center: The action center in the Email & Collaboration section Email & Collaboration > Review > Action center (https://security.microsoft.com/threatincidents) is automatically redirected to Actions & Submissions > Action center > History (https://security.microsoft.com/action-center/history).

  • Automatic redirection from Office 365 Security & Compliance Center to Microsoft Defender portal: Automatic redirection begins for users accessing the security solutions in Office 365 Security & Compliance center (protection.office.com) to the appropriate solutions in Microsoft Defender portal (security.microsoft.com). This change is for all security workflows like (for example, Alerts, Threat Management, and Reports).

    • Redirection URLs:
      • GCC Environment:
        • From Office 365 Security & Compliance Center URL: protection.office.com
        • To Microsoft Defender XDR URL: security.microsoft.com
      • GCC-High Environment:
        • From Office 365 Security & Compliance Center URL: scc.office365.us
        • To Microsoft Defender XDR URL: security.microsoft.us
      • DoD Environment:
        • From Office 365 Security & Compliance Center URL: scc.protection.apps.mil
        • To Microsoft Defender XDR URL: security.apps.mil
  • Items in the Office 365 Security & Compliance Center that aren't related to security aren't redirected to Microsoft Defender XDR. For compliance solutions redirection to Microsoft 365 Compliance Center, see Message Center post 244886.

  • This change is a continuation of Microsoft Defender XDR delivers unified XDR experience to GCC, GCC High and DoD customers - Microsoft Tech Community, announced in March 2022.

  • This change enables users to view and manage additional Microsoft Defender XDR security solutions in one portal.

  • This change impacts all customers who use the Office 365 Security & Compliance Center (protection.office.com), including Microsoft Defender for Office (Plan 1 or Plan 2), Microsoft 365 E3 / E5, Office 365 E3/ E5, and Exchange Online Protection. For the full list, see Microsoft 365 guidance for security & compliance

  • This change impacts all users who sign in to the Office 365 Security and Compliance portal (protection.office.com), including security teams and end-users who access the Email Quarantine experience, at the Microsoft Defender Portal > Review > Quarantine.

  • Redirection is enabled by default and impacts all users of the Tenant.

  • Global Administrators and Security Administrators can turn on or off redirection in the Microsoft Defender portal by navigating to Settings > Email & collaboration > Portal redirection and switch the redirection toggle.

  • Built-in protection: A profile that enables a base level of Safe Links and Safe Attachments protection that's on by default for all Defender for Office 365 customers. To learn more about this new policy and order of precedence, see Preset security policies. To learn about the specific Safe Links and Safe Attachment controls that are set, see Safe Attachments settings and Safe Links policy settings.

  • Bulk Complaint Level is now available in the EmailEvents table in Advanced Hunting with numeric BCL values from 0 to 9. A higher BCL score indicates that bulk message is more likely to generate complaints and is more likely to be spam.

July 2022

June 2022

April 2022

March 2022

January 2022

October 2021

September 2021

August 2021

  • Admin review for reported messages: Admins can now send templated messages back to end users after they review reported messages. The templates can be customized for your organization and based on your admin's verdict as well.
  • You can now add allow entries to the Tenant Allow/Block List if the blocked message was submitted as part of the admin submission process. Depending on the nature of the block, the submitted URL, file, and/or sender allow will be added to the Tenant Allow/Block List. In most cases, the allows are added to give the system some time and allow it naturally if warranted. In some cases, Microsoft manages the allow for you. For more information, see:

July 2021

  • Email analysis improvements in automated investigations
  • Advanced Delivery: Introducing a new capability for configuring the delivery of third-party phishing simulations to users and unfiltered messages to security operation mailboxes.
  • Safe Links for Microsoft Teams
  • New alert policies for the following scenarios: compromised mailboxes, Forms phishing, malicious mails delivered due to overrides and rounding out ZAP
    • Suspicious email forwarding activity
    • User restricted from sharing forms and collecting responses
    • Form blocked due to potential phishing attempt
    • Form flagged and confirmed as phishing
    • New alert policies for ZAP
  • Microsoft Defender for Office 365 alerts is now integrated into Microsoft Defender XDR - Microsoft Defender XDR Unified Alerts Queue and Unified Alerts Queue
  • User Tags are now integrated into Microsoft Defender for Office 365 alerting experiences, including: the alerts queue and details in Office 365 Security & Compliance, and scoping custom alert policies to user tags to create targeted alert policies.
    • Tags are also available in the unified alerts queue in the Microsoft Defender portal (Microsoft Defender for Office 365 Plan 2)

June 2021

April/May 2021

  • Email entity page: A unified 360-degree view of an email with enriched information around threats, authentication and detections, detonation details, and a brand-new email preview experience.
  • Office 365 Management API: Updates to EmailEvents (RecordType 28) to add delivery action, original and latest delivery locations, and updated detection details.
  • Threat Analytics for Defender for Office 365: View active threat actors, popular techniques and attack surfaces, along with extensive reporting from Microsoft researchers around ongoing campaigns.

February/March 2021

  • Alert ID integration (search using Alert ID and Alert-Explorer navigation) in hunting experiences
  • Increasing the limits for Export of records from 9990 to 200,000 in hunting experiences
  • Extending the Explorer (and Real-time detections) data retention and search limit for trial tenants from 7 (previous limit) to 30 days in hunting experiences
  • New hunting pivots called Impersonated domain and Impersonated user within Explorer and Real-time detections to search for impersonation attacks against protected users or domains. For more information, see Phish view in Threat Explorer and Real-time detections.

Microsoft Defender for Office 365 Plan 1 and Plan 2

Did you know that Microsoft Defender for Office 365 is available in two plans? Learn more about what each plan includes.

See also