Recommended settings for EOP and Microsoft Defender for Office 365 security

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

Exchange Online Protection (EOP) is the core of security for Microsoft 365 subscriptions and helps keep malicious emails from reaching your employee's inboxes. But with new, more sophisticated attacks emerging every day, improved protections are often required. Microsoft Defender for Office 365 Plan 1 or Plan 2 contain additional features that give more layers of security, control, and investigation.

Although we empower security administrators to customize their security settings, there are two security levels in EOP and Microsoft Defender for Office 365 that we recommend: Standard and Strict. Although customer environments and needs are different, these levels of filtering help prevent unwanted mail from reaching your employees' Inbox in most situations.

To automatically apply the Standard or Strict settings to users, see Preset security policies in EOP and Microsoft Defender for Office 365.

This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users. The tables contain the settings in the Microsoft Defender portal and PowerShell (Exchange Online PowerShell or standalone Exchange Online Protection PowerShell for organizations without Exchange Online mailboxes).

Note

The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can help admins find the current values of these settings. Specifically, the Get-ORCAReport cmdlet generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at https://www.powershellgallery.com/packages/ORCA/.

In Microsoft 365 organizations, we recommend that you leave the Junk Email Filter in Outlook set to No automatic filtering to prevent unnecessary conflicts (both positive and negative) with the spam filtering verdicts from EOP. For more information, see the following articles:

Anti-spam, anti-malware, and anti-phishing protection in EOP

Anti-spam, anti-malware, and anti-phishing are EOP features that can be configured by admins. We recommend the following Standard or Strict configurations.

EOP anti-malware policy settings

To create and configure anti-malware policies, see Configure anti-malware policies in EOP.

Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.

The policy named AdminOnlyAccessPolicy enforces the historical capabilities for messages that were quarantined as malware as described in the table here.

Users can't release their own messages that were quarantined as malware, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware messages.

Security feature name Default Standard Strict Comment
Protection settings
Enable the common attachments filter (EnableFileFilter) Selected ($true)* Selected ($true) Selected ($true) For the list of file types in the common attachments filter, see Common attachments filter in anti-malware policies.

* The common attachments filter is on by default in new anti-malware policies that you create in the Defender portal or in PowerShell, and in the default anti-malware policy in organizations created after December 1, 2023.
Common attachment filter notifications: When these file types are found (FileTypeAction) Reject the message with a non-delivery report (NDR) (Reject) Reject the message with a non-delivery report (NDR) (Reject) Reject the message with a non-delivery report (NDR) (Reject)
Enable zero-hour auto purge for malware (ZapEnabled) Selected ($true) Selected ($true) Selected ($true)
Quarantine policy (QuarantineTag) AdminOnlyAccessPolicy AdminOnlyAccessPolicy AdminOnlyAccessPolicy
Admin notifications
Notify an admin about undelivered messages from internal senders (EnableInternalSenderAdminNotifications and InternalSenderAdminAddress) Not selected ($false) Not selected ($false) Not selected ($false) We have no specific recommendation for this setting.
Notify an admin about undelivered messages from external senders (EnableExternalSenderAdminNotifications and ExternalSenderAdminAddress) Not selected ($false) Not selected ($false) Not selected ($false) We have no specific recommendation for this setting.
Customize notifications We have no specific recommendations for these settings.
Use customized notification text (CustomNotifications) Not selected ($false) Not selected ($false) Not selected ($false)
From name (CustomFromName) Blank Blank Blank
From address (CustomFromAddress) Blank Blank Blank
Customize notifications for messages from internal senders These settings are used only if Notify an admin about undelivered messages from internal senders is selected.
Subject (CustomInternalSubject) Blank Blank Blank
Message (CustomInternalBody) Blank Blank Blank
Customize notifications for messages from external senders These settings are used only if Notify an admin about undelivered messages from external senders is selected.
Subject (CustomExternalSubject) Blank Blank Blank
Message (CustomExternalBody) Blank Blank Blank

EOP anti-spam policy settings

To create and configure anti-spam policies, see Configure anti-spam policies in EOP.

Wherever you select Quarantine message as the action for a spam filter verdict, a Select quarantine policy box is available. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.

If you change the action of a spam filtering verdict to Quarantine message when you create anti-spam policies the Defender portal, the Select quarantine policy box is blank by default. A blank value means the default quarantine policy for that spam filtering verdict is used. These default quarantine policies enforce the historical capabilities for the spam filter verdict that quarantined the message as described in the table here. When you later view or edit the anti-spam policy settings, the quarantine policy name is shown.

Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see Create quarantine policies in the Microsoft Defender portal.

Security feature name Default Standard Strict Comment
Bulk email threshold & spam properties
Bulk email threshold (BulkThreshold) 7 6 5 For details, see Bulk complaint level (BCL) in EOP.
Bulk email spam (MarkAsSpamBulkMail) (On) (On) (On) This setting is only available in PowerShell.
Increase spam score settings All of these settings are part of the Advanced Spam Filter (ASF). For more information, see the ASF settings in anti-spam policies section in this article.
Mark as spam settings Most of these settings are part of ASF. For more information, see the ASF settings in anti-spam policies section in this article.
Contains specific languages (EnableLanguageBlockList and LanguageBlockList) Off ($false and Blank) Off ($false and Blank) Off ($false and Blank) We have no specific recommendation for this setting. You can block messages in specific languages based on your business needs.
From these countries (EnableRegionBlockList and RegionBlockList) Off ($false and Blank) Off ($false and Blank) Off ($false and Blank) We have no specific recommendation for this setting. You can block messages from specific countries/regions based on your business needs.
Test mode (TestModeAction) None None None This setting is part of ASF. For more information, see the ASF settings in anti-spam policies section in this article.
Actions
Spam detection action (SpamAction) Move message to Junk Email folder (MoveToJmf) Move message to Junk Email folder (MoveToJmf) Quarantine message (Quarantine)
Quarantine policy for Spam (SpamQuarantineTag) DefaultFullAccessPolicy¹ DefaultFullAccessPolicy DefaultFullAccessWithNotificationPolicy The quarantine policy is meaningful only if spam detections are quarantined.
High confidence spam detection action (HighConfidenceSpamAction) Move message to Junk Email folder (MoveToJmf) Quarantine message (Quarantine) Quarantine message (Quarantine)
Quarantine policy for High confidence spam (HighConfidenceSpamQuarantineTag) DefaultFullAccessPolicy¹ DefaultFullAccessWithNotificationPolicy DefaultFullAccessWithNotificationPolicy The quarantine policy is meaningful only if high confidence spam detections are quarantined.
Phishing detection action (PhishSpamAction) Move message to Junk Email folder (MoveToJmf)* Quarantine message (Quarantine) Quarantine message (Quarantine) * The default value is Move message to Junk Email folder in the default anti-spam policy and in new anti-spam policies that you create in PowerShell. The default value is Quarantine message in new anti-spam policies that you create in the Defender portal.
Quarantine policy for Phishing (PhishQuarantineTag) DefaultFullAccessPolicy¹ DefaultFullAccessWithNotificationPolicy DefaultFullAccessWithNotificationPolicy The quarantine policy is meaningful only if phishing detections are quarantined.
High confidence phishing detection action (HighConfidencePhishAction) Quarantine message (Quarantine) Quarantine message (Quarantine) Quarantine message (Quarantine) Users can't release their own messages that were quarantined as high confidence phishing, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined high confidence phishing messages.
Quarantine policy for High confidence phishing (HighConfidencePhishQuarantineTag) AdminOnlyAccessPolicy AdminOnlyAccessPolicy AdminOnlyAccessPolicy
Bulk compliant level (BCL) met or exceeded (BulkSpamAction) Move message to Junk Email folder (MoveToJmf) Move message to Junk Email folder (MoveToJmf) Quarantine message (Quarantine)
Quarantine policy for Bulk compliant level (BCL) met or exceeded (BulkQuarantineTag) DefaultFullAccessPolicy¹ DefaultFullAccessPolicy DefaultFullAccessWithNotificationPolicy The quarantine policy is meaningful only if bulk detections are quarantined.
Intra-Organizational messages to take action on (IntraOrgFilterState) Default (Default) Default (Default) Default (Default) The value Default is the same as selecting High confidence phishing messages. Currently, in U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), the value Default is the same as selecting None.
Retain spam in quarantine for this many days (QuarantineRetentionPeriod) 15 days 30 days 30 days This value also affects messages that are quarantined by anti-phishing policies. For more information, see Quarantine retention.
Enable spam safety tips (InlineSafetyTipsEnabled) Selected ($true) Selected ($true) Selected ($true)
Enable zero-hour auto purge (ZAP) for phishing messages (PhishZapEnabled) Selected ($true) Selected ($true) Selected ($true)
Enable ZAP for spam messages (SpamZapEnabled) Selected ($true) Selected ($true) Selected ($true)
Allow & block list
Allowed senders (AllowedSenders) None None None
Allowed sender domains (AllowedSenderDomains) None None None Adding domains to the allowed domains list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out.

Use the spoof intelligence insight and the Tenant Allow/Block List to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.
Blocked senders (BlockedSenders) None None None
Blocked sender domains (BlockedSenderDomains) None None None

¹ As described in Full access permissions and quarantine notifications, your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy in the default security policy or in new custom security policies that you create. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.

ASF settings in anti-spam policies

For more information about Advanced Spam Filter (ASF) settings in anti-spam policies, see Advanced Spam Filter (ASF) settings in EOP.

Security feature name Default Recommended
Standard
Recommended
Strict
Comment
Image links to remote sites (IncreaseScoreWithImageLinks) Off Off Off
Numeric IP address in URL (IncreaseScoreWithNumericIps) Off Off Off
URL redirect to other port (IncreaseScoreWithRedirectToOtherPort) Off Off Off
Links to .biz or .info websites (IncreaseScoreWithBizOrInfoUrls) Off Off Off
Empty messages (MarkAsSpamEmptyMessages) Off Off Off
Embed tags in HTML (MarkAsSpamEmbedTagsInHtml) Off Off Off
JavaScript or VBScript in HTML (MarkAsSpamJavaScriptInHtml) Off Off Off
Form tags in HTML (MarkAsSpamFormTagsInHtml) Off Off Off
Frame or iframe tags in HTML (MarkAsSpamFramesInHtml) Off Off Off
Web bugs in HTML (MarkAsSpamWebBugsInHtml) Off Off Off
Object tags in HTML (MarkAsSpamObjectTagsInHtml) Off Off Off
Sensitive words (MarkAsSpamSensitiveWordList) Off Off Off
SPF record: hard fail (MarkAsSpamSpfRecordHardFail) Off Off Off
Sender ID filtering hard fail (MarkAsSpamFromAddressAuthFail) Off Off Off
Backscatter (MarkAsSpamNdrBackscatter) Off Off Off
Test mode (TestModeAction) None None None For ASF settings that support Test as an action, you can configure the test mode action to None, Add default X-Header text, or Send Bcc message (None, AddXHeader, or BccMessage). For more information, see Enable, disable, or test ASF settings.

Note

ASF adds X-CustomSpam: X-header fields to messages after the messages have been processed by Exchange mail flow rules (also known as transport rules), so you can't use mail flow rules to identify and act on messages that were filtered by ASF.

EOP outbound spam policy settings

To create and configure outbound spam policies, see Configure outbound spam filtering in EOP.

For more information about the default sending limits in the service, see Sending limits.

Note

Outbound spam policies are not part of Standard or Strict preset security policies. The Standard and Strict values indicate our recommended values in the default outbound spam policy or custom outbound spam policies that you create.

Security feature name Default Recommended
Standard
Recommended
Strict
Comment
Set an external message limit (RecipientLimitExternalPerHour) 0 500 400 The default value 0 means use the service defaults.
Set an internal message limit (RecipientLimitInternalPerHour) 0 1000 800 The default value 0 means use the service defaults.
Set a daily message limit (RecipientLimitPerDay) 0 1000 800 The default value 0 means use the service defaults.
Restriction placed on users who reach the message limit (ActionWhenThresholdReached) Restrict the user from sending mail until the following day (BlockUserForToday) Restrict the user from sending mail (BlockUser) Restrict the user from sending mail (BlockUser)
Automatic forwarding rules (AutoForwardingMode) Automatic - System-controlled (Automatic) Automatic - System-controlled (Automatic) Automatic - System-controlled (Automatic)
Send a copy of outbound messages that exceed these limits to these users and groups (BccSuspiciousOutboundMail and BccSuspiciousOutboundAdditionalRecipients) Not selected ($false and Blank) Not selected ($false and Blank) Not selected ($false and Blank) We have no specific recommendation for this setting.

This setting works only in the default outbound spam policy. It doesn't work in custom outbound spam policies that you create.
Notify these users and groups if a sender is blocked due to sending outbound spam (NotifyOutboundSpam and NotifyOutboundSpamRecipients) Not selected ($false and Blank) Not selected ($false and Blank) Not selected ($false and Blank) The default alert policy named User restricted from sending email already sends email notifications to members of the TenantAdmins group (Global Administrator members) when users are blocked due to exceeding the limits in policy. We strongly recommend that you use the alert policy rather than this setting in the outbound spam policy to notify admins and other users. For instructions, see Verify the alert settings for restricted users.

EOP anti-phishing policy settings

For more information about these settings, see Spoof settings. To configure these settings, see Configure anti-phishing policies in EOP.

The spoof settings are inter-related, but the Show first contact safety tip setting has no dependency on spoof settings.

Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.

Although the Apply quarantine policy value appears unselected when you create an anti-phishing policy in the Defender portal, the quarantine policy named DefaultFullAccessPolicy¹ is used if you don't select a quarantine policy. This policy enforces the historical capabilities for messages that were quarantined as spoof as described in the table here. When you later view or edit the quarantine policy settings, the quarantine policy name is shown.

Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see Create quarantine policies in the Microsoft Defender portal.

Security feature name Default Standard Strict Comment
Phishing threshold & protection
Enable spoof intelligence (EnableSpoofIntelligence) Selected ($true) Selected ($true) Selected ($true)
Actions
Honor DMARC record policy when the message is detected as spoof (HonorDmarcPolicy) Selected ($true) Selected ($true) Selected ($true) When this setting is turned on, you control what happens to messages where the sender fails explicit DMARC checks when the policy action in the DMARC TXT record is set to p=quarantine or p=reject. For more information, see Spoof protection and sender DMARC policies.
If the message is detected as spoof and DMARC Policy is set as p=quarantine (DmarcQuarantineAction) Quarantine the message (Quarantine) Quarantine the message (Quarantine) Quarantine the message (Quarantine) This action is meaningful only when Honor DMARC record policy when the message is detected as spoof is turned on.
If the message is detected as spoof and DMARC Policy is set as p=reject (DmarcRejectAction) Reject the message (Reject) Reject the message (Reject) Reject the message (Reject) This action is meaningful only when Honor DMARC record policy when the message is detected as spoof is turned on.
If the message is detected as spoof by spoof intelligence (AuthenticationFailAction) Move the message to the recipients' Junk Email folders (MoveToJmf) Move the message to the recipients' Junk Email folders (MoveToJmf) Quarantine the message (Quarantine) This setting applies to spoofed senders that were automatically blocked as shown in the spoof intelligence insight or manually blocked in the Tenant Allow/Block List.

If you select Quarantine the message as the action for the spoof verdict, an Apply quarantine policy box is available.
Quarantine policy for Spoof (SpoofQuarantineTag) DefaultFullAccessPolicy¹ DefaultFullAccessPolicy DefaultFullAccessWithNotificationPolicy The quarantine policy is meaningful only if spoof detections are quarantined.
Show first contact safety tip (EnableFirstContactSafetyTips) Not selected ($false) Selected ($true) Selected ($true) For more information, see First contact safety tip.
Show (?) for unauthenticated senders for spoof (EnableUnauthenticatedSender) Selected ($true) Selected ($true) Selected ($true) Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Unauthenticated sender indicators.
Show "via" tag (EnableViaTag) Selected ($true) Selected ($true) Selected ($true) Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the MAIL FROM address.

For more information, see Unauthenticated sender indicators.

¹ As described in Full access permissions and quarantine notifications, your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy in the default security policy or in new custom security policies that you create. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.

Microsoft Defender for Office 365 security

Additional security benefits come with a Microsoft Defender for Office 365 subscription. For the latest news and information, you can see What's new in Defender for Office 365.

Important

  • The default anti-phishing policy in Microsoft Defender for Office 365 provides spoof protection and mailbox intelligence for all recipients. However, the other available impersonation protection features and advanced settings are not configured or enabled in the default policy. To enable all protection features, use one of the following methods:

    • Turn on and use the Standard and/or Strict preset security policies and configure impersonation protection there.
    • Modify the default anti-phishing policy.
    • Create additional anti-phishing policies.
  • Although there's no default Safe Attachments policy or Safe Links policy, the Built-in protection preset security policy provides Safe Attachments protection and Safe Links protection to all recipients who aren't defined in the Standard preset security policy, the Strict preset security policy, or in custom Safe Attachments or Safe Links policies). For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.

  • Safe Attachments for SharePoint, OneDrive, and Microsoft Teams protection and Safe Documents protection have no dependencies on Safe Links policies.

If your subscription includes Microsoft Defender for Office 365 or if you've purchased Defender for Office 365 as an add-on, set the following Standard or Strict configurations.

Anti-phishing policy settings in Microsoft Defender for Office 365

EOP customers get basic anti-phishing as previously described, but Defender for Office 365 includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see Configure anti-phishing policies in Defender for Office 365.

Advanced settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about this setting, see Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365. To configure this setting, see Configure anti-phishing policies in Defender for Office 365.

Security feature name Default Standard Strict Comment
Phishing email threshold (PhishThresholdLevel) 1 - Standard (1) 3 - More aggressive (3) 4 - Most aggressive (4)

Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about these settings, see Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365. To configure these settings, see Configure anti-phishing policies in Defender for Office 365.

Wherever you select Quarantine the message as the action for an impersonation verdict, an Apply quarantine policy box is available. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.

Although the Apply quarantine policy value appears unselected when you create an anti-phishing policy in the Defender portal, the quarantine policy named DefaultFullAccessPolicy is used if you don't select a quarantine policy. This policy enforces the historical capabilities for messages that were quarantined as impersonation as described in the table here. When you later view or edit the quarantine policy settings, the quarantine policy name is shown.

Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see Create quarantine policies in the Microsoft Defender portal.

Security feature name Default Standard Strict Comment
Phishing threshold & protection
User impersonation protection: Enable users to protect (EnableTargetedUserProtection and TargetedUsersToProtect) Not selected ($false and none) Selected ($true and <list of users>) Selected ($true and <list of users>) We recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.
Domain impersonation protection: Enable domains to protect Not selected Selected Selected
Include domains I own (EnableOrganizationDomainsProtection) Off ($false) Selected ($true) Selected ($true)
Include custom domains (EnableTargetedDomainsProtection and TargetedDomainsToProtect) Off ($false and none) Selected ($true and <list of domains>) Selected ($true and <list of domains>) We recommend adding domains (sender domains) that you don't own, but you frequently interact with.
Add trusted senders and domains (ExcludedSenders and ExcludedDomains) None None None Depending on your organization, we recommend adding senders or domains that are incorrectly identified as impersonation attempts.
Enable mailbox intelligence (EnableMailboxIntelligence) Selected ($true) Selected ($true) Selected ($true)
Enable intelligence for impersonation protection (EnableMailboxIntelligenceProtection) Off ($false) Selected ($true) Selected ($true) This setting allows the specified action for impersonation detections by mailbox intelligence.
Actions
If a message is detected as user impersonation (TargetedUserProtectionAction) Don't apply any action (NoAction) Quarantine the message (Quarantine) Quarantine the message (Quarantine)
Quarantine policy for user impersonation (TargetedUserQuarantineTag) DefaultFullAccessPolicy¹ DefaultFullAccessWithNotificationPolicy DefaultFullAccessWithNotificationPolicy The quarantine policy is meaningful only if user impersonation detections are quarantined.
If a message is detected as domain impersonation (TargetedDomainProtectionAction) Don't apply any action (NoAction) Quarantine the message (Quarantine) Quarantine the message (Quarantine)
Quarantine policy for domain impersonation (TargetedDomainQuarantineTag) DefaultFullAccessPolicy¹ DefaultFullAccessWithNotificationPolicy DefaultFullAccessWithNotificationPolicy The quarantine policy is meaningful only if domain impersonation detections are quarantined.
If mailbox intelligence detects an impersonated user (MailboxIntelligenceProtectionAction) Don't apply any action (NoAction) Move the message to the recipients' Junk Email folders (MoveToJmf) Quarantine the message (Quarantine)
Quarantine policy for mailbox intelligence impersonation (MailboxIntelligenceQuarantineTag) DefaultFullAccessPolicy¹ DefaultFullAccessPolicy DefaultFullAccessWithNotificationPolicy The quarantine policy is meaningful only if mailbox intelligence detections are quarantined.
Show user impersonation safety tip (EnableSimilarUsersSafetyTips) Off ($false) Selected ($true) Selected ($true)
Show domain impersonation safety tip (EnableSimilarDomainsSafetyTips) Off ($false) Selected ($true) Selected ($true)
Show user impersonation unusual characters safety tip (EnableUnusualCharactersSafetyTips) Off ($false) Selected ($true) Selected ($true)

¹ As described in Full access permissions and quarantine notifications, your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy in the default security policy or in new custom security policies that you create. The only difference between these two quarantine policies is quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.

EOP anti-phishing policy settings in Microsoft Defender for Office 365

These are the same settings that are available in anti-spam policy settings in EOP.

Safe Attachments settings

Safe Attachments in Microsoft Defender for Office 365 includes global settings that have no relationship to Safe Attachments policies, and settings that are specific to each Safe Links policy. For more information, see Safe Attachments in Defender for Office 365.

Although there's no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments protection to all recipients who aren't defined in the Standard or Strict preset security policies or in custom Safe Attachments policies. For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.

Global settings for Safe Attachments

Note

The global settings for Safe Attachments are set by the Built-in protection preset security policy, but not by the Standard or Strict preset security policies. Either way, admins can modify these global Safe Attachments settings at any time.

The Default column shows the values before the existence of the Built-in protection preset security policy. The Built-in protection column shows the values that are set by the Built-in protection preset security policy, which are also our recommended values.

To configure these settings, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Safe Documents in Microsoft 365 E5.

In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.

Security feature name Default Built-in protection Comment
Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams (EnableATPForSPOTeamsODB) Off ($false) On ($true) To prevent users from downloading malicious files, see Use SharePoint Online PowerShell to prevent users from downloading malicious files.
Turn on Safe Documents for Office clients (EnableSafeDocs) Off ($false) On ($true) This feature is available and meaningful only with licenses that aren't included in Defender for Office 365 (for example, Microsoft 365 A5 or Microsoft 365 E5 Security). For more information, see Safe Documents in Microsoft 365 A5 or E5 Security.
Allow people to click through Protected View even if Safe Documents identified the file as malicious (AllowSafeDocsOpen) Off ($false) Off ($false) This setting is related to Safe Documents.

Safe Attachments policy settings

To configure these settings, see Set up Safe Attachments policies in Defender for Office 365.

In PowerShell, you use the New-SafeAttachmentPolicy and Set-SafeAttachmentPolicy cmdlets for these settings.

Note

As described earlier, although there's no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments protection to all recipients who aren't defined in the Standard preset security policy, the Strict preset security policy, or in custom Safe Attachments policies.

The Default in custom column refers to the default values in new Safe Attachments policies that you create. The remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.

Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.

The policy named AdminOnlyAccessPolicy enforces the historical capabilities for messages that were quarantined as malware as described in the table here.

Users can't release their own messages that were quarantined as malware by Safe Attachments, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to request the release of their quarantined malware messages.

Security feature name Default in custom Built-in protection Standard Strict Comment
Safe Attachments unknown malware response (Enable and Action) Off (-Enable $false and -Action Block) Block (-Enable $true and -Action Block) Block (-Enable $true and -Action Block) Block (-Enable $true and -Action Block) When the Enable parameter is $false, the value of the Action parameter doesn't matter.
Quarantine policy (QuarantineTag) AdminOnlyAccessPolicy AdminOnlyAccessPolicy AdminOnlyAccessPolicy AdminOnlyAccessPolicy
Redirect attachment with detected attachments : Enable redirect (Redirect and RedirectAddress) Not selected and no email address specified. (-Redirect $false and RedirectAddress is blank) Not selected and no email address specified. (-Redirect $false and RedirectAddress is blank) Not selected and no email address specified. (-Redirect $false and RedirectAddress is blank) Not selected and no email address specified. (-Redirect $false and RedirectAddress is blank) Redirection of messages is available only when the Safe Attachments unknown malware response value is Monitor (-Enable $true and -Action Allow).

For more information about Safe Links protection, see Safe Links in Defender for Office 365.

Although there's no default Safe Links policy, the Built-in protection preset security policy provides Safe Links protection to all recipients who aren't defined in the Standard preset security policy, the Strict preset security policy or in custom Safe Links policies. For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.

To configure Safe Links policy settings, see Set up Safe Links policies in Microsoft Defender for Office 365.

In PowerShell, you use the New-SafeLinksPolicy and Set-SafeLinksPolicy cmdlets for Safe Links policy settings.

Note

The Default in custom column refers to the default values in new Safe Links policies that you create. The remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.

Security feature name Default in custom Built-in protection Standard Strict Comment
URL & click protection settings
Email The settings in this section affect URL rewriting and time of click protection in email messages.
On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default. (EnableSafeLinksForEmail) Selected ($true) Selected ($true) Selected ($true) Selected ($true)
Apply Safe Links to email messages sent within the organization (EnableForInternalSenders) Selected ($true) Not selected ($false) Selected ($true) Selected ($true)
Apply real-time URL scanning for suspicious links and links that point to files (ScanUrls) Selected ($true) Selected ($true) Selected ($true) Selected ($true)
Wait for URL scanning to complete before delivering the message (DeliverMessageAfterScan) Selected ($true) Selected ($true) Selected ($true) Selected ($true)
Do not rewrite URLs, do checks via Safe Links API only (DisableURLRewrite) Selected ($false)* Selected ($true) Not selected ($false) Not selected ($false) * In new Safe Links policies that you create in the Defender portal, this setting is selected by default. In new Safe Links policies that you create in PowerShell, the default value of the DisableURLRewrite parameter is $false.
Do not rewrite the following URLs in email (DoNotRewriteUrls) Blank Blank Blank Blank We have no specific recommendation for this setting.

Note: Entries in the "Don't rewrite the following URLs" list aren't scanned or wrapped by Safe Links during mail flow. Report the URL as I've confirmed it's clean and then select Allow this URL to add an allow entry to the Tenant Allow/Block List so the URL isn't scanned or wrapped by Safe Links during mail flow and at time of click. For instructions, see Report good URLs to Microsoft.
Teams The setting in this section affects time of click protection in Microsoft Teams.
On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten. (EnableSafeLinksForTeams) Selected ($true) Selected ($true) Selected ($true) Selected ($true)
Office 365 apps The setting in this section affects time of click protection in Office apps.
On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten. (EnableSafeLinksForOffice) Selected ($true) Selected ($true) Selected ($true) Selected ($true) Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see Safe Links settings for Office apps.
Click protection settings
Track user clicks (TrackClicks) Selected ($true) Selected ($true) Selected ($true) Selected ($true)
Let users click through to the original URL (AllowClickThrough) Selected ($false)* Selected ($true) Not selected ($false) Not selected ($false) * In new Safe Links policies that you create in the Defender portal, this setting is selected by default. In new Safe Links policies that you create in PowerShell, the default value of the AllowClickThrough parameter is $false.
Display the organization branding on notification and warning pages (EnableOrganizationBranding) Not selected ($false) Not selected ($false) Not selected ($false) Not selected ($false) We have no specific recommendation for this setting.

Before you turn on this setting, you need to follow the instructions in Customize the Microsoft 365 theme for your organization to upload your company logo.
Notification
How would you like to notify your users? (CustomNotificationText and UseTranslatedNotificationText) Use the default notification text (Blank and $false) Use the default notification text (Blank and $false) Use the default notification text (Blank and $false) Use the default notification text (Blank and $false) We have no specific recommendation for this setting.

You can select Use custom notification text (-CustomNotificationText "<Custom text>") to enter and use customized notification text. If you specify custom text, you can also select Use Microsoft Translator for automatic localization (-UseTranslatedNotificationText $true) to automatically translate the text into the user's language.