Exchange Online Protection Security Hardening: The Settings Microsoft Does Not Enable by Default

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
EOP is not a set-and-forget product. The default configuration is designed to minimize false positives for Microsoft's broad customer base, which means it trades off detection sensitivity. Organizations that treat the default as a baseline without reviewing the specific policies for impersonation protection, spoof intelligence enforcement, and outbound spam controls are consistently underprepared for BEC attacks. This guide covers the most impactful changes in priority order.
Configure Anti-Phishing Policies: Impersonation and Spoof Protection
The default anti-phishing policy has impersonation protection disabled. An attacker can send email from 'payroll@acme-corp.com' to your employees and EOP will not flag it as an impersonation of 'payroll@acmecorp.com' unless you configure the policy.
Portal path: Microsoft 365 Defender > Email and Collaboration > Policies and Rules > Threat Policies > Anti-phishing
Edit the default policy (or create a new one assigned to all recipients) and configure:
Impersonation protection:
- Users to protect: Add your C-suite, finance leads, IT admins, HR leaders
- Domains to protect: Add your primary domain and any domains you own
- Action if user impersonated: Quarantine message
- Action if domain impersonated: Quarantine message
Spoofing:
- Enable spoof intelligence: On
- If message is detected as spoof: Quarantine
Advanced phishing thresholds:
- Phishing email threshold: 3 (Aggressive) or 4 (Most aggressive) -- default is 1 (Standard)
PowerShell equivalent:
Connect-ExchangeOnline
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
-EnableMailboxIntelligence $true `
-EnableMailboxIntelligenceProtection $true `
-MailboxIntelligenceProtectionAction Quarantine `
-EnableSpoofIntelligence $true `
-AuthenticationFailAction Quarantine `
-PhishThresholdLevel 3
Enable and Tune Safe Attachments
Safe Attachments is a Defender for Office 365 Plan 1 feature (not available in the basic EOP subscription). If your license includes it, it is not enabled by default.
Portal path: Defender > Email and Collaboration > Policies > Threat Policies > Safe Attachments
Recommended configuration:
- Unknown malware response: Block (use Dynamic Delivery to avoid user delays while scanning)
- Redirect attachment on detection: Send to your security team's mailbox for review
- Safe Attachments for SharePoint, OneDrive, and Teams: Enable (separate toggle in the same policy)
Enable for SharePoint/OneDrive/Teams:
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
Verify:
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action, Redirect, RedirectAddress
Dynamic Delivery scans attachments in a sandbox and delivers the message immediately with a placeholder for the attachment, replacing it with the scanned version when safe. This eliminates the user experience problem of held messages while maintaining full scan coverage.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Safe Links: Enforce URL Rewriting and Click-Time Scanning
Safe Links rewrites URLs in email messages and scans them at click time, protecting against URLs that are clean at delivery but malicious by the time the user clicks (time-of-click protection).
Portal path: Defender > Threat Policies > Safe Links
Key settings:
- On: Messages (required), Office 365 apps (Teams, Office clients)
- Track user clicks: Enabled (required for investigation and reporting)
- Let users click through to the original URL: Disabled (allows bypass -- disable this)
- Do not rewrite the following URLs: Minimize. Each entry is an explicit bypass of Safe Links protection. Audit this list.
PowerShell:
Set-SafeLinksPolicy -Identity 'Default Safe Links Policy' `
-IsEnabled $true `
-ScanUrls $true `
-EnableForInternalSenders $true `
-TrackClicks $true `
-AllowClickThrough $false `
-EnableSafeLinksForEmail $true `
-EnableSafeLinksForTeams $true `
-EnableSafeLinksForOffice $true
Audit the 'do not rewrite' list quarterly:
(Get-SafeLinksPolicy).DoNotRewriteUrls
# Each entry is a bypass -- remove any entries that are no longer needed
Outbound Spam Policy: Limit Compromised Account Damage
When an account is compromised and used to send spam, the default EOP policy has no automatic limit. Configure thresholds to contain the blast radius.
Portal path: Defender > Threat Policies > Anti-spam > Outbound spam filter policy
Key settings:
- Maximum number of external messages per hour: 500 (default unlimited)
- Maximum number of internal messages per hour: 1000
- Maximum number of messages per day: 1000
- Restriction placed on users that reach the message limit: Restrict the user from sending mail
- Notify these users and groups when a sender is blocked due to sending outbound spam: Add your security team and postmaster alias
PowerShell:
Set-HostedOutboundSpamFilterPolicy -Identity Default `
-RecipientLimitExternalPerHour 500 `
-RecipientLimitInternalPerHour 1000 `
-RecipientLimitPerDay 1000 `
-ActionWhenThresholdReached BlockUser `
-NotifyOutboundSpamRecipients 'security@yourdomain.com'
Also configure the alert policy to notify immediately when a user is restricted: Portal: Defender > Alerts > Alert policies > User restricted from sending email Ensure this alert is enabled and routed to your SOC.
Mail Flow Rules: DLP, Header Inspection, and External Warning Banners
Mail flow rules (transport rules) are processed before EOP filtering and can enforce controls that policy settings cannot.
Add an external email warning banner: Every external email should be visually marked. This single control catches most impersonation attempts that bypass technical filters.
New-TransportRule -Name 'External Email Warning Banner' `
-SentToScope NotInOrganization `
-FromScope NotInOrganization `
-ApplyHtmlDisclaimerLocation Prepend `
-ApplyHtmlDisclaimerText '<div style="background:#FFF8DC;border:1px solid #FFA500;padding:8px;margin-bottom:8px"><b>EXTERNAL:</b> This email originated from outside your organization. Do not click links or open attachments unless you recognize the sender.</div>' `
-ApplyHtmlDisclaimerFallbackAction Wrap
Block legacy authentication protocols (if not enforced by Conditional Access):
New-TransportRule -Name 'Block Basic Auth Inbound Connectors' `
-ReceivedFromIPRanges '0.0.0.0/0' `
-HeaderContainsMessageHeader 'Authorization' `
-HeaderContainsWords 'Basic' `
-RejectMessageReasonText 'Basic authentication is not permitted'
Block attachments by extension for high-risk types:
New-TransportRule -Name 'Block Dangerous Attachment Types' `
-AttachmentExtensionMatchesWords 'exe','bat','cmd','vbs','js','jse','wsf','hta','ps1','reg' `
-RejectMessageReasonText 'This attachment type is not permitted'
The bottom line
EOP hardening in order of impact: enable impersonation and domain protection in the anti-phishing policy (closes BEC exposure), set spoof intelligence to quarantine not junk (stops domain spoofing), configure outbound spam limits with notifications (contains compromised account damage), enable Safe Attachments and Safe Links with click-through disabled (addresses malware and URL-based phishing), and add an external email warning banner via mail flow rule (human-readable indicator that catches what technical filters miss).
Frequently asked questions
What is the difference between EOP and Microsoft Defender for Office 365?
EOP is the baseline email filtering layer included in all Microsoft 365 subscriptions. It provides anti-spam, anti-malware, and basic anti-phishing filtering. Microsoft Defender for Office 365 (formerly Advanced Threat Protection) is an add-on or included with higher-tier plans (Business Premium, E3 with add-on, E5) that adds Safe Attachments (sandboxing), Safe Links (URL rewriting), advanced anti-phishing with AI-based impersonation detection, attack simulation training, and threat investigation capabilities. If you have Business Premium or E5, you have Defender for Office 365 Plan 1 or Plan 2 -- check your license before concluding that Safe Attachments is not available.
Should I use the preset Standard or Strict security policies instead of custom policies?
Preset policies (Standard protection and Strict protection) are maintained by Microsoft and update automatically when Microsoft changes recommendations. For organizations that do not have dedicated email security expertise, the Strict preset is a good starting point that is more aggressive than custom defaults most admins configure. The limitation of preset policies is that they cannot be customized -- you cannot add specific protected users or domains for impersonation. The recommended approach is to apply the Strict preset as a baseline and add custom anti-phishing policies on top for the specific users and domains requiring impersonation protection.
Does EOP enforce DMARC for inbound mail?
EOP honors DMARC records from external sending domains -- if a sender's DMARC policy says p=reject and the message fails DMARC authentication, EOP will reject or quarantine it according to your anti-spoofing policy. However, EOP does not automatically enforce strict DMARC rejection for your own domain -- that requires both publishing a p=reject DMARC record and ensuring the anti-spoofing policy treats DMARC failures as suspicious. Set up DMARC, DKIM, and SPF for all your domains, then configure EOP's anti-spoofing policy to quarantine messages that fail composite authentication.
How do I investigate an email that should have been blocked?
Use Threat Explorer (Defender > Email and Collaboration > Explorer) or the Message Trace tool (Exchange admin center > Mail flow > Message trace). Threat Explorer shows the full detection analysis for a message including which filters it passed or failed, the URL and attachment verdicts, and the delivery action. For missed detections, review: the anti-phishing policy assignment (is the recipient covered?), the Safe Attachments policy (is it enabled and the recipient is in scope?), and the spoof intelligence review list (the sender may have been manually allowed). Submit the missed sample to Microsoft via the Submissions portal for retraining.
What is the highest-value EOP configuration change for reducing phishing volume?
Enabling impersonation protection for your senior leadership and domain-critical senders in the anti-phishing policy provides the highest return for most organizations. Attackers impersonating CFOs, CEOs, and finance team members in BEC campaigns bypass generic content filters because the emails contain no malicious URLs or attachments. Configure the anti-phishing policy's Impersonation section with the names and email addresses of your top 20-50 executives and high-value users. Enable mailbox intelligence so the system learns each user's normal contacts and flags senders that the user has never interacted with. This combination catches a majority of targeted BEC attempts that signature-based filtering cannot detect.
How do I configure EOP inbound connectors to enforce that email from a specific domain arrives only through that domain's authorized mail servers?
Partner or vendor email that arrives from a specific domain should be restricted to arrive only from that vendor's IP addresses or via their certificate-authenticated connector, preventing spoofing that bypasses SPF (which validates the envelope sender's IPs, not the From header). Create an inbound connector in EOP: go to Exchange admin center > Mail flow > Connectors > New connector, set the source as 'Partner organization', configure the authentication method as either 'IP address ranges' (specify the vendor's sending IPs) or 'Subject name matches this pattern' (for certificate-based authentication), and restrict the connector to only accept mail from the specified domain. Apply the connector to a mail flow rule: create a transport rule that matches mail from the partner domain and requires it to arrive via the specific connector, rejecting messages from the same domain that arrive via any other path. This prevents adversaries who compromise a public mail relay or use a lookalike domain from delivering mail that claims to be from your vendor.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
