Examine the security policies and rules used in Microsoft Defender for Office 365

  • 4 minutes

Microsoft Defender for Office 365 is a cloud-based service that provides protection for your email and collaboration platforms. It helps organizations prevent, detect, and respond to threats such as phishing, malware, ransomware, and impersonation. This training examines the rules and policies that govern the security features in Microsoft Defender for Office 365, including Preset Security Policies, Custom Policies, and Next-Generation Protection.

Preset Security Policies

Preset Security Policies are predefined sets of rules that apply to specific security scenarios. They're designed to help organizations quickly and easily enable Microsoft's recommended security settings. You can choose from the following Preset Security Policies:

  • Anti-phishing protection. This policy helps you protect your users from phishing attacks that use spoofing, impersonation, or domain authentication failures. It uses machine learning and sender reputation to identify and block phishing emails. It also allows you to specify the users or domains that you want to protect or exclude from protection.
  • Anti-malware protection. This policy helps you protect your users from malware attacks that use malicious attachments or links. It uses signature-based and heuristic-based detection to identify and block malware emails. It also allows you to specify the action to take on malware emails, such as deleting, quarantining, or replacing the attachment.
  • Safe Attachments protection. This policy helps you protect your users from unknown or zero-day malware attacks that use advanced techniques to evade detection. It uses dynamic analysis, detonation, and sandboxing to analyze the attachments in a secure environment and block any malicious behavior. It also allows you to specify the users or groups that you want to apply this policy to, and the action to take on unsafe attachments, such as blocking, replacing, or monitoring.
  • Safe Links protection. This policy helps you protect your users from malicious links that point to phishing or malware sites. It uses real-time scanning, time-of-click verification, and URL tracing to check the links in email messages and block any malicious redirection. It also allows you to specify the users or groups that you want to apply this policy to, and the domains that you want to include or exclude from protection.
  • Anti-spam protection. This policy helps you protect your users from unwanted or unsolicited email messages that might contain spam, phishing, or malware. It uses sender reputation, content filtering, and spam confidence level to identify and block spam emails. It also allows you to specify the action to take on spam emails, such as deleting, moving to junk, or adding a prefix to the subject.

To use Preset Security Policies, an organization must assign them to the users or groups that it wants to protect. It can also modify the settings of the Preset Security Policies to meet its needs.

Custom Policies

Custom Policies are user-defined sets of rules that apply to specific security scenarios. They're designed to help organizations create and manage their own custom security settings. You can create Custom Policies for the following security features:

  • Threat policies. These policies help you configure the actions and notifications for different types of threats, such as phishing, malware, spam, or high confidence phishing. You can create custom rules based on the sender, recipient, subject, header, attachment, or content of the email messages. You can also specify the action to take on the matching messages, such as blocking, redirecting, or modifying. You can configure the notifications to send to the sender, recipient, or administrator when a rule is triggered.
  • Mail flow rules. These rules help you control the flow of email messages in your organization, such as blocking, redirecting, or modifying the messages based on certain conditions. You can create custom rules based on the sender, recipient, subject, header, attachment, or content of the email messages. You can also specify the action to take on the matching messages, such as blocking, redirecting, or modifying. You can configure the exceptions and audit logs for the rules.
  • Outbound spam policies. These policies help you prevent your users from sending spam or bulk email messages that might harm your reputation or violate the terms of service. You can create custom policies based on the sender, recipient, subject, header, attachment, or content of the email messages. You can also specify the action to take on the matching messages, such as blocking, redirecting, or modifying. You can configure the thresholds and notifications for the policies.
  • ATP anti-phishing policies. These policies help you protect your users from advanced phishing attacks that use machine learning, impersonation, or spoofing. You can create custom policies based on the sender, recipient, subject, header, attachment, or content of the email messages. You can also specify the action to take on the matching messages, such as blocking, redirecting, or modifying. You can configure the impersonation settings, such as the users or domains that you want to protect or exclude from protection, and the action to take on impersonation emails.
  • ATP safe attachments policies. These policies help you protect your users from advanced malware attacks that use dynamic analysis, detonation, or sandboxing. You can create custom policies based on the sender, recipient, subject, header, attachment, or content of the email messages. You can also specify the action to take on the matching messages, such as blocking, redirecting, or modifying. You can configure the safe attachments settings, such as the users or groups that you want to apply this policy to, and the action to take on unsafe attachments, such as blocking, replacing, or monitoring.
  • ATP safe links policies. These policies help you protect your users from advanced malicious links that use real-time scanning, time-of-click verification, or URL tracing. You can create custom policies based on the sender, recipient, subject, header, attachment, or content of the email messages. You can also specify the action to take on the matching messages, such as blocking, redirecting, or modifying. You can configure the safe links settings, such as the users or groups that you want to apply this policy to, and the domains that you want to include or exclude from protection.

To use Custom Policies, an organization must create them in the Microsoft Purview compliance portal or the Exchange admin center. It can also assign them to the users or groups that it wants to protect.

Next-Generation Protection

Next-Generation Protection is a set of advanced security features that use artificial intelligence, machine learning, and cloud-based analysis to provide enhanced protection for an organization's email and collaboration platforms. These features include:

  • Attack Simulator. This feature helps you test the resilience of your users to phishing, password spray, or brute force attacks. You can run simulated campaigns and monitor the results to identify and educate your vulnerable users. You can choose from different templates or create your own scenarios. You can also track the progress and outcome of the campaigns, such as the number of users who opened, clicked, or submitted credentials.
  • Threat Explorer. This feature helps you investigate and respond to security incidents in your organization. You can view the details of the threats, such as the sender, recipient, subject, attachment, or URL. You can also take actions, such as deleting, quarantining, or reporting the threats. You can search for specific threats, filter by date, severity, or category, and export the results to a CSV file.
  • Threat Trackers. Threat trackers are interactive dashboards that help you monitor the trends and patterns of the threats in your organization. You can view the summary, details, and recommendations for different types of threats, such as malware, phishing, or impersonation. You can also drill down into the data, such as the top senders, recipients, or domains. You can subscribe to the trackers to receive email alerts and updates.
  • Threat Intelligence. This service provides you with access to the latest threat data and insights from Microsoft and other sources. You can use this information to understand the threat landscape, assess your risk level, and improve your security posture. You can also create custom indicators, such as the IP addresses, domains, or URLs that you want to monitor or block. You can integrate the threat intelligence data with other security tools, such as Microsoft 365 Defender, Azure Sentinel, or Power BI.
  • Threat Protection Status Report. This report helps you measure and improve the effectiveness of your security features in Microsoft Defender for Office 365. You can view the metrics, trends, and comparisons of your security performance and coverage. You can also see the effect of your security policies, such as the number of messages that were blocked, allowed, or modified. You can customize the report by selecting the time range, data source, or filter.

To use Next-Generation Protection, an organization must have Microsoft Defender for Office 365 Plan 2 or Microsoft 365 E5 license. It can access these features in the Microsoft Purview compliance portal or the Microsoft Defender portal.