What's new in Microsoft Defender for Office 365
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.
This article lists new features in the latest release of Microsoft Defender for Office 365. Features that are currently in preview are denoted with (preview).
For more information on what's new with other Microsoft Defender security products, see:
- What's new in Microsoft 365 Defender
- What's new in Microsoft Defender for Endpoint
- What's new in Microsoft Defender for Identity
- What's new in Microsoft Defender for Cloud Apps
- Built-in reporting in Outlook on the web supports reporting messages from shared mailboxes or other mailboxes by a delegate.
  - Shared mailboxes require Send As or Send On Behalf permission for the user.
  - Other mailboxes require Send As or Send On Behalf permission and Read and Manage permissions for the delegate.
- Using machine learning to drive more effective simulations in Attack Simulation and Training: Make use of intelligent predicted compromise rate (PCR) and Microsoft Defender for Office 365 payload recommendations for utilizing high-quality payloads in your simulation.
- Training only campaigns available with an expanded library: You can now directly assign training content to your organization without needing to tie training to a phishing simulation campaign. We have also expanded our training module library to more than 70 different modules.
- Collaboration security for Microsoft Teams: With the increased use of collaboration tools like Microsoft Teams, the possibility of malicious attacks using URLs and messages has increased as well. Microsoft Defender for Office 365 is extending its Safe Links protection with increased capabilities for zero-hour auto purge (ZAP), quarantine, and end user reporting of potentially malicious messages to their admins. For more information, see Microsoft Defender for Office 365 support for Microsoft Teams (Preview).
- Built-in protection: Safe Links time of click protection enabled for email: Microsoft will now by default protect URLs in email messages at time of click as part of this update to Safe Links settings (EnableSafeLinksForEmail) within the Built-in protection preset security policy. To learn about the specific Safe Links protections in the Built-in protection policy, see Safe Links policy settings.
- Quarantine notifications enabled in preset security policies: If your organization has enabled or will enable the Standard or Strict preset security policies, the policies will be automatically updated to use the new DefaultFullAccessWithNotificationPolicy quarantine policy (notifications enabled) wherever the DefaultFullAccessPolicy (notifications disabled) was used. To learn more about quarantine notifications, see Quarantine notifications. For more information about specific settings in preset security policies, see Microsoft recommendations for EOP and Defender for Office 365 security settings.
- Automatic Tenant Allow/Block List expiration management is now available in Microsoft Defender for Office 365: Microsoft will now automatically remove entries from the allow list once the system has learned from it. Alternatively, Microsoft extends the expiration time of the allows if the system hasn't learned yet. This prevents your legitimate emails from going to junk or quarantine.
- Configuring third-party phishing simulations in Advanced Delivery: We've expanded the "Simulation URLs to allow" limit to 30 URLs. To learn how to configure this, see Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes.
- Enhanced user telemetry in the simulation reports in Attack Simulation Training: As part of our enhanced user telemetry, administrators can now view additional details about how their targeted users are interacting with the phishing payload from phishing simulation campaigns.
The new Microsoft 365 Defender role-based access control (RBAC) model, with support for Microsoft Defender for Office, is now available in public preview. For more information, see Microsoft 365 Defender role-based access control (RBAC).
Use the built-in Report button in Outlook on the web: Use the built-in Report button in Outlook on the web to report messages as phish, junk, and not junk.
Automated Investigations email cluster action de-duplication: We have added additional checks. If the same investigation cluster was already approved during the past hour, new duplicate remediation will not be processed again.
Manage allows and blocks in the Tenant Allow/Block List:
- With allow expiry management (currently in private preview), if Microsoft hasn't learned from the allow, Microsoft will automatically extend the expiry time of allows that are going to expire soon by 30 days, to prevent legitimate email from going to junk or quarantine again.
- Customers in the government cloud environments will now be able to create allow and block entries for URLs and attachments in the Tenant Allow/Block List using the admin URL and email attachment submissions. The data submitted through the submissions experience won't leave the customer tenant, thus satisfying the data residency commitments for government cloud clients.
Enhancement in URL click alerts:
- With the new lookback scenario, the "A potentially malicious URL click was detected" alert will now include any clicks during the past 48 hours (for emails) from the time the malicious URL verdict is identified.
Anti-spoofing enhancement for internal domains and senders:
- For spoofing protection, the allowed senders or domains defined in the anti-spam policy and within user allow lists must now pass authentication in order for the allowed messages to be honored. The change only impacts messages that are considered to be internal (the sender or sender's domain is in an accepted domain in the organization). All other messages will continue to be handled as they are today.
Automatic redirection from Office action center to unified action center: The action center in the Email & Collaboration section at Email & Collaboration > Review > Action center (https://security.microsoft.com/threatincidents) is automatically redirected to Actions & Submissions > Action center > History (https://security.microsoft.com/action-center/history).
Automatic redirection from Office 365 Security & Compliance Center to Microsoft 365 Defender portal: Automatic redirection begins for users accessing the security solutions in Office 365 Security & Compliance center (protection.office.com) to the appropriate solutions in Microsoft 365 Defender portal (security.microsoft.com). This is for all security workflows like: Alerts, Threat Management, and Reports.
- Redirection URLs:
  - GCC Environment:
    - From Office 365 Security & Compliance Center URL: protection.office.com
    - To Microsoft 365 Defender URL: security.microsoft.com
  - GCC-High Environment:
    - From Office 365 Security & Compliance Center URL: scc.office365.us
    - To Microsoft 365 Defender URL: security.microsoft.us
  - DoD Environment:
    - From Office 365 Security & Compliance Center URL: scc.protection.apps.mil
    - To Microsoft 365 Defender URL: security.apps.mil
Items in the Office 365 Security & Compliance Center that aren't related to security aren't redirected to Microsoft 365 Defender. For compliance solutions redirection to Microsoft 365 Compliance Center, see Message Center post 244886.
This is a continuation of Microsoft 365 Defender delivers unified XDR experience to GCC, GCC High and DoD customers - Microsoft Tech Community, announced in March 2022.
This change enables users to view and manage additional Microsoft 365 Defender security solutions in one portal.
This change impacts all customers who use the Office 365 Security & Compliance Center (protection.office.com), including Microsoft Defender for Office (Plan 1 or Plan 2), Microsoft 365 E3/E5, Office 365 E3/E5, and Exchange Online Protection. For the full list, see Microsoft 365 guidance for security & compliance.
This change impacts all users who log in to the Office 365 Security and Compliance portal (protection.office.com), including security teams and end-users who access the Email Quarantine experience, at the Microsoft Defender Portal > Review > Quarantine.
Redirection is enabled by default and impacts all users of the Tenant.
Global Administrators and Security Administrators can turn redirection on or off in the Microsoft 365 Defender portal by navigating to Settings > Email & collaboration > Portal redirection and switching the redirection toggle.
Built-in protection: A profile that enables a base level of Safe Links and Safe Attachments protection that's on by default for all Defender for Office 365 customers. To learn more about this new policy and order of precedence, see Preset security policies and to learn about the specific Safe Links and Safe Attachment controls set, see Safe Attachments settings and Safe Links policy settings.
Bulk Complaint Level is now available in the EmailEvents table in Advanced Hunting with numeric BCL values from 0 to 9. A higher BCL score indicates that a bulk message is more likely to generate complaints and is more likely to be spam.
- Introducing actions into the email entity page: Admins can take preventative, remediation, and submission actions from the email entity page.
Use the Microsoft 365 Defender portal to create allow entries for spoofed senders on the Submissions page: Create allowed spoofed sender entries using the Tenant Allow/Block List.
Impersonation allows using admin submission: Add allows for impersonated senders using the Submissions page in Microsoft 365 Defender.
View converted admin submission from user reported messages: Configure a reporting mailbox to intercept user-reported messages without sending the messages to Microsoft for analysis.
View associated alert for user and admin submissions: View the corresponding alert for each user reported phish message and admin email submission.
Configurable impersonation protection custom users and domains and increased scope within Preset policies:
- (Choose to) Apply Preset Strict/Standard policies to entire organization and avoid the hassle of selecting specific recipient users, groups, or domains, thereby securing all recipient users of your organization.
- Configure impersonation protection settings for custom users and custom domains within Preset Strict/Standard policies and automatically protect your targeted users and targeted domain against impersonation attacks.
Simplifying the quarantine experience (part two) in Microsoft 365 Defender for Office 365: Highlights additional features to make the quarantine experience even easier to use.
Introducing differentiated protection for priority accounts in Microsoft Defender for Office 365: Introducing GCC, GCC-H, and DoD availability of differentiated protection for priority accounts.
- Introducing the URLClickEvents table in Microsoft 365 Defender Advanced Hunting: Introducing the UrlClickEvents table in advanced hunting with Microsoft Defender for Office 365.
- Manual email remediation enhancements: Bringing manual email purge actions taken in Microsoft Defender for Office 365 to the Microsoft 365 Defender (M365D) unified Action Center using a new action-focused investigation.
- Introducing differentiated protection for priority accounts in Microsoft Defender for Office 365: Introducing the general availability of differentiated protection for priority accounts.
- Streamlined the submission experience in Microsoft Defender for Office 365: Introducing the new unified and streamlined submission process to make your experience simpler.
- Updated Hunting and Investigation Experiences for Microsoft Defender for Office 365: Introducing the email summary panel for experiences in Defender for Office 365, along with experience updates for Threat Explorer and Real-time detections.
- Advanced Delivery DKIM enhancement: Added support for DKIM domain entry as part of third-party phishing simulation configuration.
- Secure by Default: Extended Secure by Default for Exchange mail flow rules (also known as transport rules).
- Improved reporting experience in Defender for Office 365
- Quarantine policies: Admins can configure granular control for recipient access to quarantined messages and customize end-user spam notifications.
- Video of admin experience
- Video of end-user experience
- Other new capabilities coming to the quarantine experience are described in this blog post: Simplifying the Quarantine experience.
- Portal redirection by default begins, redirecting users from Security & Compliance to Microsoft 365 Defender (https://security.microsoft.com). For more on this, see: Redirecting accounts from Office 365 Security & Compliance Center to Microsoft 365 Defender.
- Admin review for reported messages: Admins can now send templated messages back to end users after they review reported messages. The templates can be customized for your organization and based on your admin's verdict as well.
- You can now add allow entries to the Tenant Allow/Block List if the blocked message was submitted as part of the admin submission process. Depending on the nature of the block, the submitted URL, file, and/or sender allow will be added to the Tenant Allow/Block List. In most cases, the allows are added to give the system some time and allow it naturally if warranted. In some cases, Microsoft manages the allow for you. For more information, see:
  - Use the Microsoft 365 Defender portal to create allow entries for URLs on the Submissions page
  - Use the Microsoft 365 Defender portal to create allow entries for files on the Submissions page
  - Use the Microsoft 365 Defender portal to create allow entries for domains and email addresses on the Submissions page
- Email analysis improvements in automated investigations
- Advanced Delivery: Introducing a new capability for configuring the delivery of third-party phishing simulations to users and unfiltered messages to security operation mailboxes.
- Safe Links for Microsoft Teams
- New alert policies for the following scenarios: compromised mailboxes, Forms phishing, malicious mails delivered due to overrides and rounding out ZAP
  - Suspicious email forwarding activity
  - User restricted from sharing forms and collecting responses
  - Form blocked due to potential phishing attempt
  - Form flagged and confirmed as phishing
  - New alert policies for ZAP
- Microsoft Defender for Office 365 alerts are now integrated into Microsoft 365 Defender - Microsoft 365 Defender Unified Alerts Queue and Unified Alerts Queue
- User Tags are now integrated into Microsoft Defender for Office 365 alerting experiences, including: the alerts queue and details in Office 365 Security & Compliance, and scoping custom alert policies to user tags to create targeted alert policies.
- Tags are also available in the unified alerts queue in the Microsoft 365 Defender portal (Microsoft Defender for Office 365 Plan 2)
- New first contact safety tip setting within anti-phishing policies. This safety tip is shown when recipients first receive an email from a sender or don't often receive email from a sender. For more information on this setting and how to configure it, see the following articles:
- Email entity page: A unified 360-degree view of an email with enriched information around threats, authentication and detections, detonation details, and a brand-new email preview experience.
- Office 365 Management API: Updates to EmailEvents (RecordType 28) to add delivery action, original and latest delivery locations, and updated detection details.
- Threat Analytics for Defender for Office 365: View active threat actors, popular techniques and attack surfaces, along with extensive reporting from Microsoft researchers around ongoing campaigns.
- Alert ID integration (search using Alert ID and Alert-Explorer navigation) in hunting experiences
- Increasing the limits for Export of records from 9990 to 200,000 in hunting experiences
- Extending the Explorer (and Real-time detections) data retention and search limit for trial tenants from 7 (previous limit) to 30 days in hunting experiences
- New hunting pivots called Impersonated domain and Impersonated user within the Explorer (and Real-time detections) to search for impersonation attacks against protected users or domains. For more information, see details. (Microsoft Defender for Office 365 Plan 1 or Plan 2)
Microsoft Defender for Office 365 Plan 1 and Plan 2
Did you know that Microsoft Defender for Office 365 is available in two plans? Learn more about what each plan includes.