Recommended settings for EOP and Microsoft Defender for Office 365 security
Tip
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.
Applies to
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
Exchange Online Protection (EOP) is the core of security for Microsoft 365 subscriptions and helps keep malicious emails from reaching your employee's inboxes. But with new, more sophisticated attacks emerging every day, improved protections are often required. Microsoft Defender for Office 365 Plan 1 or Plan 2 contain additional features that give admins more layers of security, control, and investigation.
Although we empower security administrators to customize their security settings, there are two security levels in EOP and Microsoft Defender for Office 365 that we recommend: Standard and Strict. Although customer environments and needs are different, these levels of filtering will help prevent unwanted mail from reaching your employees' Inbox in most situations.
To automatically apply the Standard or Strict settings to users, see Preset security policies in EOP and Microsoft Defender for Office 365.
This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users. The tables contain the settings in the Microsoft 365 Defender portal and PowerShell (Exchange Online PowerShell or standalone Exchange Online Protection PowerShell for organizations without Exchange Online mailboxes).
Note
The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can help you (admins) find the current values of these settings. Specifically, the Get-ORCAReport cmdlet generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at https://www.powershellgallery.com/packages/ORCA/.
In Microsoft 365 organizations, we recommend that you leave the Junk Email Filter in Outlook set to No automatic filtering to prevent unnecessary conflicts (both positive and negative) with the spam filtering verdicts from EOP. For more information, see the following articles:
Anti-spam, anti-malware, and anti-phishing protection in EOP
Anti-spam, anti-malware, and anti-phishing are EOP features that can be configured by admins. We recommend the following Standard or Strict configurations.
EOP anti-spam policy settings
To create and configure anti-spam policies, see Configure anti-spam policies in EOP.
Wherever you select Quarantine message as the action for a spam filter verdict, a Select quarantine policy box is available. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.
If you change the action of a spam filtering verdict to Quarantine message when you create anti-spam policies the the Defender portal, the Select quarantine policy box is blank by default. A blank value means the default quarantine policy for that spam filtering verdict is used. These default quarantine policies enforce the historical capabilities for the spam filter verdict that quarantined the message as described in the table here. When you later view or edit the anti-spam policy settings, the quarantine policy name is shown.
Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see Create quarantine policies in the Microsoft 365 Defender portal.
| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Bulk email threshold & spam properties | ||||
| Bulk email threshold BulkThreshold |
7 | 6 | 5 | For details, see Bulk complaint level (BCL) in EOP. |
| MarkAsSpamBulkMail | On |
On |
On |
This setting is only available in PowerShell. |
| Increase spam score settings | Off | Off | Off | All of these settings are part of the Advanced Spam Filter (ASF). For more information, see the ASF settings in anti-spam policies section in this article. |
| Mark as spam settings | Off | Off | Off | Most of these settings are part of ASF. For more information, see the ASF settings in anti-spam policies section in this article. |
| Contains specific languages EnableLanguageBlockList LanguageBlockList |
Off $false Blank |
Off $false Blank |
Off $false Blank |
We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs. |
| From these countries EnableRegionBlockList RegionBlockList |
Off $false Blank |
Off $false Blank |
Off $false Blank |
We have no specific recommendation for this setting. You can block messages from specific countries based on your business needs. |
| Test mode (TestModeAction) | None | None | None | This setting is part of ASF. For more information, see the ASF settings in anti-spam policies section in this article. |
| Actions | ||||
| Spam detection action SpamAction |
Move message to Junk Email folder MoveToJmf |
Move message to Junk Email folder MoveToJmf |
Quarantine message Quarantine |
|
| Quarantine policy for Spam SpamQuarantineTag |
DefaultFullAccessPolicy¹ | DefaultFullAccessPolicy | DefaultFullAccessWithNotificationPolicy | The quarantine policy is meaningful only if spam detections are quarantined. |
| High confidence spam detection action HighConfidenceSpamAction |
Move message to Junk Email folder MoveToJmf |
Quarantine message Quarantine |
Quarantine message Quarantine |
|
| Quarantine policy for Hight confidence spam HighConfidenceSpamQuarantineTag |
DefaultFullAccessPolicy¹ | DefaultFullAccessWithNotificationPolicy | DefaultFullAccessWithNotificationPolicy | The quarantine policy is meaningful only if high confidence spam detections are quarantined. |
| Phishing detection action PhishSpamAction |
Move message to Junk Email folder* MoveToJmf |
Quarantine message Quarantine |
Quarantine message Quarantine |
* The default value is Move message to Junk Email folder in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is Quarantine message in new anti-spam policies that you create in the Microsoft 365 Defender portal. |
| Quarantine policy for Phishing PhishQuarantineTag |
DefaultFullAccessPolicy¹ | DefaultFullAccessWithNotificationPolicy | DefaultFullAccessWithNotificationPolicy | The quarantine policy is meaningful only if phishing detections are quarantined. |
| High confidence phishing detection action HighConfidencePhishAction |
Quarantine message Quarantine |
Quarantine message Quarantine |
Quarantine message Quarantine |
Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined high-confidence phishing messages. |
| Quarantine policy for High confidence phishing HighConfidencePhishQuarantineTag |
AdminOnlyAccessPolicy | AdminOnlyAccessPolicy | AdminOnlyAccessPolicy | |
| Bulk detection action BulkSpamAction |
Move message to Junk Email folder MoveToJmf |
Move message to Junk Email folder MoveToJmf |
Quarantine message Quarantine |
|
| Quarantine policy for Bulk BulkQuarantineTag |
DefaultFullAccessPolicy¹ | DefaultFullAccessPolicy | DefaultFullAccessWithNotificationPolicy | The quarantine policy is meaningful only if bulk detections are quarantined. |
| Retain spam in quarantine for this many days QuarantineRetentionPeriod |
15 days | 30 days | 30 days | This value also affects messages that are quarantined by anti-phishing policies. For more information, see Quarantined email messages in EOP. |
| Enable spam safety tips InlineSafetyTipsEnabled |
Selected $true |
Selected $true |
Selected $true |
|
| Enable zero-hour auto purge (ZAP) for phishing messages PhishZapEnabled |
Selected $true |
Selected $true |
Selected $true |
|
| Enable ZAP for spam messages SpamZapEnabled |
Selected $true |
Selected $true |
Selected $true |
|
| Allow & block list | ||||
| Allowed senders AllowedSenders |
None | None | None | |
| Allowed sender domains AllowedSenderDomains |
None | None | None | Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. Use the spoof intelligence insight and the Tenant Allow/Block List to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains. |
| Blocked senders BlockedSenders |
None | None | None | |
| Blocked sender domains BlockedSenderDomains |
None | None | None |
¹ As described in Full access permissions and quarantine notifications, your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy in the default security policy or in new custom security policies that you create. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.
ASF settings in anti-spam policies
For more information about Advanced Spam Filter (ASF) settings in anti-spam policies, see Advanced Spam Filter (ASF) settings in EOP.
| Security feature name | Default | Recommended Standard |
Recommended Strict |
Comment |
|---|---|---|---|---|
| Image links to remote sites IncreaseScoreWithImageLinks |
Off | Off | Off | |
| Numeric IP address in URL IncreaseScoreWithNumericIps |
Off | Off | Off | |
| URL redirect to other port IncreaseScoreWithRedirectToOtherPort |
Off | Off | Off | |
| Links to .biz or .info websites IncreaseScoreWithBizOrInfoUrls |
Off | Off | Off | |
| Empty messages MarkAsSpamEmptyMessages |
Off | Off | Off | |
| Embed tags in HTML MarkAsSpamEmbedTagsInHtml |
Off | Off | Off | |
| JavaScript or VBScript in HTML MarkAsSpamJavaScriptInHtml |
Off | Off | Off | |
| Form tags in HTML MarkAsSpamFormTagsInHtml |
Off | Off | Off | |
| Frame or iframe tags in HTML MarkAsSpamFramesInHtml |
Off | Off | Off | |
| Web bugs in HTML MarkAsSpamWebBugsInHtml |
Off | Off | Off | |
| Object tags in HTML MarkAsSpamObjectTagsInHtml |
Off | Off | Off | |
| Sensitive words MarkAsSpamSensitiveWordList |
Off | Off | Off | |
| SPF record: hard fail MarkAsSpamSpfRecordHardFail |
Off | Off | Off | |
| Sender ID filtering hard fail MarkAsSpamFromAddressAuthFail |
Off | Off | Off | |
| Backscatter MarkAsSpamNdrBackscatter |
Off | Off | Off | |
| Test mode TestModeAction) |
None | None | None | For ASF settings that support Test as an action, you can configure the test mode action to None, Add default X-Header text, or Send Bcc message (None, AddXHeader, or BccMessage). For more information, see Enable, disable, or test ASF settings. |
Note
ASF adds X-CustomSpam: X-header fields to messages after the messages have been processed by Exchange mail flow rules (also known as transport rules), so you can't use mail flow rules to identify and act on messages that were filtered by ASF.
EOP outbound spam policy settings
To create and configure outbound spam policies, see Configure outbound spam filtering in EOP.
For more information about the default sending limits in the service, see Sending limits.
Note
Outbound spam policies are not part of Standard or Strict preset security policies. The Standard and Strict values indicate our recommended values in the default outbound spam policy or custom outbound spam policies that you create.
| Security feature name | Default | Recommended Standard |
Recommended Strict |
Comment |
|---|---|---|---|---|
| Set an external message limit RecipientLimitExternalPerHour |
0 | 500 | 400 | The default value 0 means use the service defaults. |
| Set an internal message limit RecipientLimitInternalPerHour |
0 | 1000 | 800 | The default value 0 means use the service defaults. |
| Set a daily message limit RecipientLimitPerDay |
0 | 1000 | 800 | The default value 0 means use the service defaults. |
| Restriction placed on users who reach the message limit ActionWhenThresholdReached |
Restrict the user from sending mail until the following day BlockUserForToday |
Restrict the user from sending mail BlockUser |
Restrict the user from sending mail BlockUser |
|
| Automatic forwarding rules AutoForwardingMode |
Automatic - System-controlled Automatic |
Automatic - System-controlled Automatic |
Automatic - System-controlled Automatic |
|
| Send a copy of outbound messages that exceed these limits to these users and groups BccSuspiciousOutboundMail BccSuspiciousOutboundAdditionalRecipients |
Not selected $false Blank |
Not selected $false Blank |
Not selected $false Blank |
We have no specific recommendation for this setting. This setting only works in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create. |
| Notify these users and groups if a sender is blocked due to sending outbound spam NotifyOutboundSpam NotifyOutboundSpamRecipients |
Not selected $false Blank |
Not selected $false Blank |
Not selected $false Blank |
The default alert policy named User restricted from sending email already sends email notifications to members of the TenantAdmins (Global admins) group when users are blocked due to exceeding the limits in policy. We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users. For instructions, see Verify the alert settings for restricted users. |
EOP anti-malware policy settings
To create and configure anti-malware policies, see Configure anti-malware policies in EOP.
Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.
The policy named AdminOnlyAccessPolicy enforces the historical capabilities for messages that were quarantined as malware as described in the table here.
Users can't release their own messages that were quarantined as malware, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware messages.
| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Protection settings | ||||
| Enable the common attachments filter EnableFileFilter |
Selected $true* |
Selected $true |
Selected $true |
For the list of file types in the common attachments filter, see Anti-malware policies. * The common attachments filter is on by default in new anti-malware policies that you create in the Microsoft 365 Defender portal. The common attachments filter is off by default in the default anti-malware policy and in new policies that you create in PowerShell. |
| Common attachment filter notifications (When these file types are found) FileTypeAction |
Reject the message with a non-delivery report (NDR) Reject |
Reject the message with a non-delivery report (NDR) Reject |
Reject the message with a non-delivery report (NDR) Reject |
|
| Enable zero-hour auto purge for malware ZapEnabled |
Selected $true |
Selected $true |
Selected $true |
|
| Quarantine policy QuarantineTag |
AdminOnlyAccessPolicy | AdminOnlyAccessPolicy | AdminOnlyAccessPolicy | |
| Admin notifications | ||||
| Notify an admin about undelivered messages from internal senders EnableInternalSenderAdminNotifications InternalSenderAdminAddress |
Not selected $false |
Not selected $false |
Not selected $false |
We have no specific recommendation for this setting. |
| Notify an admin about undelivered messages from external senders EnableExternalSenderAdminNotifications ExternalSenderAdminAddress |
Not selected $false |
Not selected $false |
Not selected $false |
We have no specific recommendation for this setting. |
| Customize notifications | We have no specific recommendations for these settings. | |||
| Use customized notification text CustomNotifications |
Not selected $false |
Not selected $false |
Not selected $false |
|
| From name CustomFromName |
Blank $null |
Blank $null |
Blank $null |
|
| From address CustomFromAddress |
Blank $null |
Blank $null |
Blank $null |
|
| Customize notifications for messages from internal senders | These settings are used only if Notify an admin about undelivered messages from internal senders is selected. | |||
| Subject CustomInternalSubject |
Blank $null |
Blank $null |
Blank $null |
|
| Message CustomInternalBody |
Blank $null |
Blank $null |
Blank $null |
|
| Customize notifications for messages from external senders | These settings are used only if Notify an admin about undelivered messages from external senders is selected. | |||
| Subject CustomExternalSubject |
Blank $null |
Blank $null |
Blank $null |
|
| Message CustomExternalBody |
Blank $null |
Blank $null |
Blank $null |
EOP anti-phishing policy settings
For more information about these settings, see Spoof settings. To configure these settings, see Configure anti-phishing policies in EOP.
The spoof settings are inter-related, but the Show first contact safety tip setting has no dependency on spoof settings.
Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.
Although the Apply quarantine policy value appears unselected when you create an anti-phishing policy in the Defender portal, the quarantine policy named DefaultFullAccessPolicy¹ is used if you don't select a quarantine policy. This policy enforces the historical capabilities for messages that were quarantined as spoof as described in the table here. When you later view or edit the quarantine policy settings, the quarantine policy name is shown.
Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see Create quarantine policies in the Microsoft 365 Defender portal.
| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Phishing threshold & protection | ||||
| Enable spoof intelligence EnableSpoofIntelligence |
Selected $true |
Selected $true |
Selected $true |
|
| Actions | ||||
| Honor DMARC record policy when the message when the message is detected as spoof HonorDmarcPolicy |
Not selected $false |
Not selected $false |
Not selected $false |
This setting is currently in Preview. When this setting is turned on, you control what happens to messages where the sender fails explicit DMARC checks when the policy action in the DMARC TXT record is set to p=quarantine or p=reject. For more information, see Spoof protection and sender DMARC policies. |
| If the message is detected as spoof and DMARC Policy is set as p=quarantine DmarcQuarantineAction |
Quarantine the message Quarantine |
Quarantine the message Quarantine |
Quarantine the message Quarantine |
This setting is currently in Preview. This action is meaningful only when Honor DMARC record policy when the message when the message is detected as spoof is turned on. |
| If the message is detected as spoof and DMARC Policy is set as p=reject DmarcRejectAction |
Quarantine the message Quarantine |
Quarantine the message Quarantine |
Quarantine the message Quarantine |
This setting is currently in Preview. This action is meaningful only when Honor DMARC record policy when the message when the message is detected as spoof is turned on. |
| If the message is detected as spoof and DMARC Policy is set as p=reject DmarcRejectAction |
Quarantine the message Quarantine |
Quarantine the message Quarantine |
Quarantine the message Quarantine |
This setting is currently in Preview. This action is meaningful only when Honor DMARC record policy when the message when the message is detected as spoof is turned on. |
| If the message is detected as spoof by spoof intelligence AuthenticationFailAction |
Move the message to the recipients' Junk Email folders MoveToJmf |
Move the message to the recipients' Junk Email folders MoveToJmf |
Quarantine the message Quarantine |
This setting applies to spoofed senders that were automatically blocked as shown in the spoof intelligence insight or manually blocked in the Tenant Allow/Block List. If you select Quarantine the message as the action for the spoof verdict, an Apply quarantine policy box is available. |
| Quarantine policy for Spoof SpoofQuarantineTag |
DefaultFullAccessPolicy¹ | DefaultFullAccessPolicy | DefaultFullAccessWithNotificationPolicy | The quarantine policy is meaningful only if spoof detections are quarantined. |
| Show first contact safety tip EnableFirstContactSafetyTips |
Not selected $false |
Not selected $false |
Not selected $false |
For more information, see First contact safety tip. |
| Show (?) for unauthenticated senders for spoof EnableUnauthenticatedSender |
Selected $true |
Selected $true |
Selected $true |
Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Unauthenticated sender indicators. |
| Show "via" tag EnableViaTag |
Selected $true |
Selected $true |
Selected $true |
Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the MAIL FROM address. For more information, see Unauthenticated sender indicators. |
¹ As described in Full access permissions and quarantine notifications, your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy in the default security policy or in new custom security policies that you create. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.
Microsoft Defender for Office 365 security
Additional security benefits come with a Microsoft Defender for Office 365 subscription. For the latest news and information, you can see What's new in Defender for Office 365.
Important
The default anti-phishing policy in Microsoft Defender for Office 365 provides spoof protection and mailbox intelligence for all recipients. However, the other available impersonation protection features and advanced settings are not configured or enabled in the default policy. To enable all protection features, use one of the following methods:
Turn on and use the Standard and/or Strict preset security policies and configure impersonation protection there.
Modify the default anti-phishing policy.
Create additional anti-phishing policies.
Although there's no default Safe Attachments policy or Safe Links policy, the Built-in protection preset security policy provides Safe Attachments protection and Safe Links protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Attachments policies or Safe Links policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams protection and Safe Documents protection have no dependencies on Safe Links policies.
If your subscription includes Microsoft Defender for Office 365 or if you've purchased Defender for Office 365 as an add-on, set the following Standard or Strict configurations.
Anti-phishing policy settings in Microsoft Defender for Office 365
EOP customers get basic anti-phishing as previously described, but Defender for Office 365 includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see Configure anti-phishing policies in Defender for Office 365.
Advanced settings in anti-phishing policies in Microsoft Defender for Office 365
For more information about this setting, see Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365. To configure this setting, see Configure anti-phishing policies in Defender for Office 365.
| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Phishing email threshold PhishThresholdLevel |
1 - Standard 1 |
3 - More aggressive 3 |
4 - Most aggressive 4 |
Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365
For more information about these settings, see Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365. To configure these settings, see Configure anti-phishing policies in Defender for Office 365.
Wherever you select Quarantine the message as the action for an impersonation verdict, an Apply quarantine policy box is available. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.
Although the Apply quarantine policy value appears unselected when you create an anti-phishing policy in the Defender portal, the quarantine policy named DefaultFullAccessPolicy is used if you don't select a quarantine policy. This policy enforces the historical capabilities for messages that were quarantined as impersonation as described in the table here. When you later view or edit the quarantine policy settings, the quarantine policy name is shown.
Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see Create quarantine policies in the Microsoft 365 Defender portal.
| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Phishing threshold & protection | ||||
| Enable users to protect (impersonated user protection) EnableTargetedUserProtection TargetedUsersToProtect |
Not selected $false none |
Selected $true <list of users> |
Selected $true <list of users> |
We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors. |
| Enable domains to protect (impersonated domain protection) | Not selected | Selected | Selected | |
| Include domains I own EnableOrganizationDomainsProtection |
Off $false |
Selected $true |
Selected $true |
|
| Include custom domains EnableTargetedDomainsProtection TargetedDomainsToProtect |
Off $false none |
Selected $true <list of domains> |
Selected $true <list of domains> |
We recommend adding domains (sender domains) that you don't own, but you frequently interact with. |
| Add trusted senders and domains ExcludedSenders ExcludedDomains |
None | None | None | Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts. |
| Enable mailbox intelligence EnableMailboxIntelligence |
Selected $true |
Selected $true |
Selected $true |
|
| Enable intelligence for impersonation protection EnableMailboxIntelligenceProtection |
Off $false |
Selected $true |
Selected $true |
This setting allows the specified action for impersonation detections by mailbox intelligence. |
| Actions | ||||
| If a message is detected as user impersonation TargetedUserProtectionAction |
Don't apply any action NoAction |
Quarantine the message Quarantine |
Quarantine the message Quarantine |
|
| Quarantine policy for user impersonation TargetedUserQuarantineTag |
DefaultFullAccessPolicy¹ | DefaultFullAccessWithNotificationPolicy | DefaultFullAccessWithNotificationPolicy | The quarantine policy is meaningful only if user impersonation detections are quarantined. |
| If a message is detected as domain impersonation TargetedDomainProtectionAction |
Don't apply any action NoAction |
Quarantine the message Quarantine |
Quarantine the message Quarantine |
|
| Quarantine policy for domain impersonation TargetedDomainQuarantineTag |
DefaultFullAccessPolicy¹ | DefaultFullAccessWithNotificationPolicy | DefaultFullAccessWithNotificationPolicy | The quarantine policy is meaningful only if domain impersonation detections are quarantined. |
| If mailbox intelligence detects an impersonated user MailboxIntelligenceProtectionAction |
Don't apply any action NoAction |
Move the message to the recipients' Junk Email folders MoveToJmf |
Quarantine the message Quarantine |
|
| Quarantine policy for mailbox intelligence impersonation MailboxIntelligenceQuarantineTag |
DefaultFullAccessPolicy¹ | DefaultFullAccessPolicy | DefaultFullAccessWithNotificationPolicy | The quarantine policy is meaningful only if mailbox intelligence detections are quarantined. |
| Show user impersonation safety tip EnableSimilarUsersSafetyTips |
Off $false |
Selected $true |
Selected $true |
|
| Show domain impersonation safety tip EnableSimilarDomainsSafetyTips |
Off $false |
Selected $true |
Selected $true |
|
| Show user impersonation unusual characters safety tip EnableUnusualCharactersSafetyTips |
Off $false |
Selected $true |
Selected $true |
¹ As described in Full access permissions and quarantine notifications, your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy in the default security policy or in new custom security policies that you create. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.
EOP anti-phishing policy settings in Microsoft Defender for Office 365
These are the same settings that are available in anti-spam policy settings in EOP.
Safe Attachments settings
Safe Attachments in Microsoft Defender for Office 365 includes global settings that have no relationship to Safe Attachments policies, and settings that are specific to each Safe Links policy. For more information, see Safe Attachments in Defender for Office 365.
Although there's no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Attachments policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.
Global settings for Safe Attachments
Note
The global settings for Safe Attachments are set by the Built-in protection preset security policy, but not by the Standard or Strict preset security policies. Either way, admins can modify these global Safe Attachments settings at any time.
The Default column shows the values before the existence of the Built-in protection preset security policy. The Built-in protection column shows the values that are set by the Built-in protection preset security policy, which are also our recommended values.
To configure these settings, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Safe Documents in Microsoft 365 E5.
In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.
| Security feature name | Default | Built-in protection | Comment |
|---|---|---|---|
| Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams EnableATPForSPOTeamsODB |
Off $false |
On $true |
To prevent users from downloading malicious files, see Use SharePoint Online PowerShell to prevent users from downloading malicious files. |
| Turn on Safe Documents for Office clients EnableSafeDocs |
Off $false |
On $true |
This feature is available and meaningful only with licenses that are not included in Defender for Office 365 (for example, Microsoft 365 A5 or Microsoft 365 E5 Security). For more information, see Safe Documents in Microsoft 365 A5 or E5 Security. |
| Allow people to click through Protected View even if Safe Documents identified the file as malicious AllowSafeDocsOpen |
Off $false |
Off $false |
This setting is related to Safe Documents. |
Safe Attachments policy settings
To configure these settings, see Set up Safe Attachments policies in Defender for Office 365.
In PowerShell, you use the New-SafeAttachmentPolicy and Set-SafeAttachmentPolicy cmdlets for these settings.
Note
As described earlier, there is no default Safe Attachments policy, but Safe Attachments protection is assigned to all recipients by the Built-in protection preset security policy (users who aren't defined in any Safe Attachments policies).
The Default in custom column refers to the default values in new Safe Attachments policies that you create. The remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.
Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.
The policy named AdminOnlyAccessPolicy enforces the historical capabilities for messages that were quarantined as malware as described in the table here.
Users can't release their own messages that were quarantined as malware by Safe Attachments, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware messages.
| Security feature name | Default in custom | Built-in protection | Standard | Strict | Comment |
|---|---|---|---|---|---|
| Safe Attachments unknown malware response Enable and Action |
Off -Enable $false and -Action Block |
Block -Enable $true and -Action Block |
Block -Enable $true and -Action Block |
Block -Enable $true and -Action Block |
When the Enable parameter is $false, the value of the Action parameter doesn't matter. |
| Quarantine policy QuarantineTag |
AdminOnlyAccessPolicy | AdminOnlyAccessPolicy | AdminOnlyAccessPolicy | AdminOnlyAccessPolicy | |
| Redirect attachment with detected attachments : Enable redirect Redirect RedirectAddress |
Not selected and no email address specified. -Redirect $false RedirectAddress is blank ( $null) |
Not selected and no email address specified. -Redirect $false RedirectAddress is blank ( $null) |
Selected and specify an email address. $true an email address |
Selected and specify an email address. $true an email address |
Redirect messages to a security admin for review. Note: This setting is not configured in the Standard, Strict, or Built-in protection preset security policies. The Standard and Strict values indicate our recommended values in new Safe Attachments policies that you create. |
| Apply the Safe Attachments detection response if scanning can't complete (timeout or errors) ActionOnError |
Selected $true |
Selected $true |
Selected $true |
Selected $true |
Safe Links policy settings
For more information about Safe Links protection, see Safe Links in Defender for Office 365.
Although there's no default Safe Links policy, the Built-in protection preset security policy provides Safe Links protection to all recipients (users who aren't defined in the Standard or Strict preset security policies or in custom Safe Links policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.
To configure Sae Links policy settings, see Set up Safe Links policies in Microsoft Defender for Office 365.
In PowerShell, you use the New-SafeLinksPolicy and Set-SafeLinksPolicy cmdlets for Safe Links policy settings.
Note
The Default in custom column refers to the default values in new Safe Links policies that you create. The remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.
| Security feature name | Default in custom | Built-in protection | Standard | Strict | Comment |
|---|---|---|---|---|---|
| URL & click protection settings | |||||
| The settings in this section affect URL rewriting and time of click protection in email messages. | |||||
| On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default. EnableSafeLinksForEmail |
Selected $true |
Selected $true |
Selected $true |
Selected $true |
|
| Apply Safe Links to email messages sent within the organization EnableForInternalSenders |
Selected $true |
Not selected $false |
Selected $true |
Selected $true |
|
| Apply real-time URL scanning for suspicious links and links that point to files ScanUrls |
Selected $true |
Selected $true |
Selected $true |
Selected $true |
|
| Wait for URL scanning to complete before delivering the message DeliverMessageAfterScan |
Selected $true |
Selected $true |
Selected $true |
Selected $true |
|
| Do not rewrite URLs, do checks via Safe Links API only DisableURLRewrite |
Selected* $true |
Selected $true |
Not selected $false |
Not selected $false |
* In new Safe Links policies that you create in the Defender portal, this setting is selected by default. In new Safe Links policies that you create in PowerShell, the default value of the DisableURLRewrite parameter is $false. |
| Do not rewrite the following URLs in email DoNotRewriteUrls |
Blank $null |
Blank $null |
Blank $null |
Blank $null |
We have no specific recommendation for this setting. Note: Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use allow URL entries in the Tenant Allow/Block List so URLs are not scanned or wrapped by Safe Links during mail flow and at time of click. |
| Teams | The setting in this section affects time of click protection in Microsoft Teams. | ||||
| On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten. EnableSafeLinksForTeams |
Selected $true |
Selected $true |
Selected $true |
Selected $true |
|
| Office 365 apps | The setting in this section affects time of click protection in Office apps. | ||||
| On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten. EnableSafeLinksForOffice |
Selected $true |
Selected $true |
Selected $true |
Selected $true |
Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see Safe Links settings for Office apps. |
| Click protection settings | |||||
| Track user clicks TrackClicks |
Selected $true |
Selected $true |
Selected $true |
Selected $true |
|
| Let users click through to the original URL AllowClickThrough |
Selected* $true |
Selected $true |
Not selected $false |
Not selected $false |
* In new Safe Links policies that you create in the Defender portal, this setting is selected by default. In new Safe Links policies that you create in PowerShell, the default value of the AllowClickThrough parameter is $false. |
| Display the organization branding on notification and warning pages EnableOrganizationBranding |
Not selected $false |
Not selected $false |
Not selected $false |
Not selected $false |
We have no specific recommendation for this setting. Before you turn on this setting, you need to follow the instructions in Customize the Microsoft 365 theme for your organization to upload your company logo. |
| Notification | |||||
| How would you like to notify your users? CustomNotificationText UseTranslatedNotificationText |
Use the default notification text Blank ( $null) $false |
Use the default notification text Blank ( $null) $false |
Use the default notification text Blank ( $null) $false |
Use the default notification text Blank ( $null) $false |
We have no specific recommendation for this setting. You can select Use custom notification text ( -CustomNotificationText "<Custom text>") to enter and use customized notification text. If you specify custom text, you can also select Use Microsoft Translator for automatic localization (-UseTranslatedNotificationText $true) to automatically translate the text into the user's language. |
Related articles
Are you looking for best practices for Exchange mail flow rules (also known as transport rules)? See Best practices for configuring mail flow rules in Exchange Online.
Admins and users can submit false positives (good email marked as bad) and false negatives (bad email allowed) to Microsoft for analysis. For more information, see Report messages and files to Microsoft.
Use these links for info on how to set up your EOP service, and configure Microsoft Defender for Office 365. Don't forget the helpful directions in 'Protect Against Threats in Office 365'.
Security baselines for Windows can be found here: Where can I get the security baselines? for GPO/on-premises options, and Use security baselines to configure Windows devices in Intune for Intune-based security. Finally, a comparison between Microsoft Defender for Endpoint and Microsoft Intune security baselines is available in Compare the Microsoft Defender for Endpoint and the Windows Intune security baselines.
Feedback
Submit and view feedback for