What's new in Microsoft Defender for Office 365

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to:

This article lists new features in the latest release of Microsoft Defender for Office 365. Features that are currently in preview are denoted with (preview).

Learn more by watching this video.

For more information on what's new with other Microsoft Defender security products, see:

January 2023

December 2022

October 2022

  • Manage your allows and blocks in the Tenant Allow/Block List:
    • With allow expiry management (currently in private preview), if Microsoft hasn't learned from the allow, Microsoft will automatically extend the expiry time of allows, which are going to expire soon, by 30 days to prevent legitimate email from going to junk or quarantine again.
    • Customers in the government cloud environments will now be able to create allow and block entries for URLs and attachments in the Tenant Allow/Block List using the admin URL and email attachment submissions. The data submitted through the submissions experience won't leave the customer tenant, thus satisfying the data residency commitments for government cloud clients.
  • Enhancement in URL click alerts:
    • With the new lookback scenario, the "A potentially malicious URL click was detected" alert will now include any clicks during the past 48 hours (for emails) from the time the malicious URL verdict is identified.

September 2022

  • Anti-spoofing enhancement for internal domains and senders:
    • For spoofing protection, the allowed senders or domains defined in the anti-spam policy and within user allow lists must now pass authentication in order for the allowed messages to be honored. The change only impacts messages that are considered to be internal (the sender or sender's domain is in an accepted domain in the organization). All other messages will continue to be handled as they are today.

Automatic redirection from Office 365 Security & Compliance Center to Microsoft 365 Defender portal: Automatic redirection begins for users accessing the security solutions in Office 365 Security & Compliance center (protection.office.com) to the appropriate solutions in Microsoft 365 Defender portal (security.microsoft.com). This is for all security workflows like: Alerts, Threat Management, and Reports.

  • Redirection URLs:
    • GCC Environment:
      • From Office 365 Security & Compliance Center URL: protection.office.com
      • To Microsoft 365 Defender URL: security.microsoft.com
    • GCC-High Environment:
      • From Office 365 Security & Compliance Center URL: scc.office365.us
      • To Microsoft 365 Defender URL: security.microsoft.us
    • DoD Environment:
      • From Office 365 Security & Compliance Center URL: scc.protection.apps.mil
      • To Microsoft 365 Defender URL: security.apps.mil
  • Items in the Office 365 Security & Compliance Center that aren't related to security aren't redirected to Microsoft 365 Defender. For compliance solutions redirection to Microsoft 365 Compliance Center, see Message Center post 244886.
  • This is a continuation of Microsoft 365 Defender delivers unified XDR experience to GCC, GCC High and DoD customers - Microsoft Tech Community, announced in March 2022.
  • This change enables users to view and manage additional Microsoft 365 Defender security solutions in one portal.
  • This change impacts all customers who use the Office 365 Security & Compliance Center (protection.office.com), including Microsoft Defender for Office (Plan 1 or Plan 2), Microsoft 365 E3 / E5, Office 365 E3/ E5, and Exchange Online Protection. For the full list, see Security & Compliance Center - Service Descriptions | Microsoft Docs
  • This change impacts all users who log in to the Office 365 Security and Compliance portal (protection.office.com), including security teams and end-users who access the Email Quarantine experience, at the Microsoft Defender Portal > Review > Quarantine.
  • Redirection is enabled by default and impacts all users of the Tenant.
  • Global Administrators and Security Administrators can turn on or off redirection in the Microsoft 365 Defender portal by navigating to Settings > Email & collaboration > Portal redirection and switch the redirection toggle.
  • Built-in protection: A profile that enables a base level of Safe Links and Safe Attachments protection that's on by default for all Defender for Office 365 customers. To learn more about this new policy and order of precedence, see Preset security policies and to learn about the specific Safe Links and Safe Attachment controls set, see Safe Attachments settings and Safe Links settings.
  • Bulk Complaint Level is now available in the EmailEvents table in Advanced Hunting with numeric BCL values from 0 to 9. A higher BCL score indicates that bulk message is more likely to generate complaints and is more likely to be spam.

July 2022

June 2022

April 2022

March 2022

January 2022

October 2021

September 2021

August 2021

July 2021

  • Email analysis improvements in automated investigations
  • Advanced Delivery: Introducing a new capability for configuring the delivery of third-party phishing simulations to users and unfiltered messages to security operation mailboxes.
  • Safe Links for Microsoft Teams
  • New alert policies for the following scenarios: compromised mailboxes, Forms phishing, malicious mails delivered due to overrides and rounding out ZAP
    • Suspicious email forwarding activity
    • User restricted from sharing forms and collecting responses
    • Form blocked due to potential phishing attempt
    • Form flagged and confirmed as phishing
    • New alert policies for ZAP
  • Microsoft Defender for Office 365 alerts is now integrated into Microsoft 365 Defender - Microsoft 365 Defender Unified Alerts Queue and Unified Alerts Queue
  • User Tags are now integrated into Microsoft Defender for Office 365 alerting experiences, including: the alerts queue and details in Office 365 Security & Compliance, and scoping custom alert policies to user tags to create targeted alert policies.
    • Tags are also available in the unified alerts queue in the Microsoft 365 Defender portal (Microsoft Defender for Office 365 Plan 2)

June 2021

April/May 2021

  • Email entity page: A unified 360-degree view of an email with enriched information around threats, authentication and detections, detonation details, and a brand-new email preview experience.
  • Office 365 Management API: Updates to EmailEvents (RecordType 28) to add delivery action, original and latest delivery locations, and updated detection details.
  • Threat Analytics for Defender for Office 365: View active threat actors, popular techniques and attack surfaces, along with extensive reporting from Microsoft researchers around ongoing campaigns.

February/March 2021

  • Alert ID integration (search using Alert ID and Alert-Explorer navigation) in hunting experiences
  • Increasing the limits for Export of records from 9990 to 200,000 in hunting experiences
  • Extending the Explorer (and Real-time detections) data retention and search limit for trial tenants from 7 (previous limit) to 30 days in hunting experiences
  • New hunting pivots called Impersonated domain and Impersonated user within the Explorer (and Real-time detections) to search for impersonation attacks against protected users or domains. For more information, see details. (Microsoft Defender for Office 365 Plan 1 or Plan 2)

Microsoft Defender for Office 365 Plan 1 and Plan 2

Did you know that Microsoft Defender for Office 365 is available in two plans? Learn more about what each plan includes.

See also