PRACTITIONER GUIDE | EMAIL SECURITY
Practitioner GuideUpdated 12 min read

Exchange Online Protection Security Hardening: The Settings Microsoft Does Not Enable by Default

Default = Standard
Microsoft ships EOP with 'Standard' protection settings focused on minimizing false positives. Microsoft's own documentation identifies a 'Strict' preset that is more aggressive -- few organizations apply it, and fewer still audit whether their custom policies are stricter or looser than Standard
Impersonation protection off
by default for custom domains. The anti-phishing policy must be explicitly configured with the specific domains and users to protect from impersonation attacks. Without this, EOP does not flag emails from domains that look like yours
DMARC enforcement gap
EOP honors DMARC reject/quarantine policies from external senders by default, but it does not automatically enforce DMARC on inbound mail claiming to be from your own domain unless the anti-spoofing policy is explicitly set to quarantine or reject
Outbound spam policy
controls what happens when a compromised mailbox starts sending spam. The default policy has no auto-disable threshold. Without a configured limit, a single compromised account can send tens of thousands of messages before any automated action occurs

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

EOP is not a set-and-forget product. The default configuration is designed to minimize false positives for Microsoft's broad customer base, which means it trades off detection sensitivity. Organizations that treat the default as a baseline without reviewing the specific policies for impersonation protection, spoof intelligence enforcement, and outbound spam controls are consistently underprepared for BEC attacks. This guide covers the most impactful changes in priority order.

Configure Anti-Phishing Policies: Impersonation and Spoof Protection

The default anti-phishing policy has impersonation protection disabled. An attacker can send email from 'payroll@acme-corp.com' to your employees and EOP will not flag it as an impersonation of 'payroll@acmecorp.com' unless you configure the policy.

Portal path: Microsoft 365 Defender > Email and Collaboration > Policies and Rules > Threat Policies > Anti-phishing

Edit the default policy (or create a new one assigned to all recipients) and configure:

Impersonation protection:

  • Users to protect: Add your C-suite, finance leads, IT admins, HR leaders
  • Domains to protect: Add your primary domain and any domains you own
  • Action if user impersonated: Quarantine message
  • Action if domain impersonated: Quarantine message

Spoofing:

  • Enable spoof intelligence: On
  • If message is detected as spoof: Quarantine

Advanced phishing thresholds:

  • Phishing email threshold: 3 (Aggressive) or 4 (Most aggressive) -- default is 1 (Standard)

PowerShell equivalent:

Connect-ExchangeOnline
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 3

Enable and Tune Safe Attachments

Safe Attachments is a Defender for Office 365 Plan 1 feature (not available in the basic EOP subscription). If your license includes it, it is not enabled by default.

Portal path: Defender > Email and Collaboration > Policies > Threat Policies > Safe Attachments

Recommended configuration:

  • Unknown malware response: Block (use Dynamic Delivery to avoid user delays while scanning)
  • Redirect attachment on detection: Send to your security team's mailbox for review
  • Safe Attachments for SharePoint, OneDrive, and Teams: Enable (separate toggle in the same policy)

Enable for SharePoint/OneDrive/Teams:

Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

Verify:

Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action, Redirect, RedirectAddress

Dynamic Delivery scans attachments in a sandbox and delivers the message immediately with a placeholder for the attachment, replacing it with the scanned version when safe. This eliminates the user experience problem of held messages while maintaining full scan coverage.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Safe Links: Enforce URL Rewriting and Click-Time Scanning

Safe Links rewrites URLs in email messages and scans them at click time, protecting against URLs that are clean at delivery but malicious by the time the user clicks (time-of-click protection).

Portal path: Defender > Threat Policies > Safe Links

Key settings:

  • On: Messages (required), Office 365 apps (Teams, Office clients)
  • Track user clicks: Enabled (required for investigation and reporting)
  • Let users click through to the original URL: Disabled (allows bypass -- disable this)
  • Do not rewrite the following URLs: Minimize. Each entry is an explicit bypass of Safe Links protection. Audit this list.

PowerShell:

Set-SafeLinksPolicy -Identity 'Default Safe Links Policy' `
    -IsEnabled $true `
    -ScanUrls $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true

Audit the 'do not rewrite' list quarterly:

(Get-SafeLinksPolicy).DoNotRewriteUrls
# Each entry is a bypass -- remove any entries that are no longer needed

Outbound Spam Policy: Limit Compromised Account Damage

When an account is compromised and used to send spam, the default EOP policy has no automatic limit. Configure thresholds to contain the blast radius.

Portal path: Defender > Threat Policies > Anti-spam > Outbound spam filter policy

Key settings:

  • Maximum number of external messages per hour: 500 (default unlimited)
  • Maximum number of internal messages per hour: 1000
  • Maximum number of messages per day: 1000
  • Restriction placed on users that reach the message limit: Restrict the user from sending mail
  • Notify these users and groups when a sender is blocked due to sending outbound spam: Add your security team and postmaster alias

PowerShell:

Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -RecipientLimitExternalPerHour 500 `
    -RecipientLimitInternalPerHour 1000 `
    -RecipientLimitPerDay 1000 `
    -ActionWhenThresholdReached BlockUser `
    -NotifyOutboundSpamRecipients 'security@yourdomain.com'

Also configure the alert policy to notify immediately when a user is restricted: Portal: Defender > Alerts > Alert policies > User restricted from sending email Ensure this alert is enabled and routed to your SOC.

Mail Flow Rules: DLP, Header Inspection, and External Warning Banners

Mail flow rules (transport rules) are processed before EOP filtering and can enforce controls that policy settings cannot.

Add an external email warning banner: Every external email should be visually marked. This single control catches most impersonation attempts that bypass technical filters.

New-TransportRule -Name 'External Email Warning Banner' `
    -SentToScope NotInOrganization `
    -FromScope NotInOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<div style="background:#FFF8DC;border:1px solid #FFA500;padding:8px;margin-bottom:8px"><b>EXTERNAL:</b> This email originated from outside your organization. Do not click links or open attachments unless you recognize the sender.</div>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

Block legacy authentication protocols (if not enforced by Conditional Access):

New-TransportRule -Name 'Block Basic Auth Inbound Connectors' `
    -ReceivedFromIPRanges '0.0.0.0/0' `
    -HeaderContainsMessageHeader 'Authorization' `
    -HeaderContainsWords 'Basic' `
    -RejectMessageReasonText 'Basic authentication is not permitted'

Block attachments by extension for high-risk types:

New-TransportRule -Name 'Block Dangerous Attachment Types' `
    -AttachmentExtensionMatchesWords 'exe','bat','cmd','vbs','js','jse','wsf','hta','ps1','reg' `
    -RejectMessageReasonText 'This attachment type is not permitted'

The bottom line

EOP hardening in order of impact: enable impersonation and domain protection in the anti-phishing policy (closes BEC exposure), set spoof intelligence to quarantine not junk (stops domain spoofing), configure outbound spam limits with notifications (contains compromised account damage), enable Safe Attachments and Safe Links with click-through disabled (addresses malware and URL-based phishing), and add an external email warning banner via mail flow rule (human-readable indicator that catches what technical filters miss).

Frequently asked questions

What is the difference between EOP and Microsoft Defender for Office 365?

EOP is the baseline email filtering layer included in all Microsoft 365 subscriptions. It provides anti-spam, anti-malware, and basic anti-phishing filtering. Microsoft Defender for Office 365 (formerly Advanced Threat Protection) is an add-on or included with higher-tier plans (Business Premium, E3 with add-on, E5) that adds Safe Attachments (sandboxing), Safe Links (URL rewriting), advanced anti-phishing with AI-based impersonation detection, attack simulation training, and threat investigation capabilities. If you have Business Premium or E5, you have Defender for Office 365 Plan 1 or Plan 2 -- check your license before concluding that Safe Attachments is not available.

Should I use the preset Standard or Strict security policies instead of custom policies?

Preset policies (Standard protection and Strict protection) are maintained by Microsoft and update automatically when Microsoft changes recommendations. For organizations that do not have dedicated email security expertise, the Strict preset is a good starting point that is more aggressive than custom defaults most admins configure. The limitation of preset policies is that they cannot be customized -- you cannot add specific protected users or domains for impersonation. The recommended approach is to apply the Strict preset as a baseline and add custom anti-phishing policies on top for the specific users and domains requiring impersonation protection.

Does EOP enforce DMARC for inbound mail?

EOP honors DMARC records from external sending domains -- if a sender's DMARC policy says p=reject and the message fails DMARC authentication, EOP will reject or quarantine it according to your anti-spoofing policy. However, EOP does not automatically enforce strict DMARC rejection for your own domain -- that requires both publishing a p=reject DMARC record and ensuring the anti-spoofing policy treats DMARC failures as suspicious. Set up DMARC, DKIM, and SPF for all your domains, then configure EOP's anti-spoofing policy to quarantine messages that fail composite authentication.

How do I investigate an email that should have been blocked?

Use Threat Explorer (Defender > Email and Collaboration > Explorer) or the Message Trace tool (Exchange admin center > Mail flow > Message trace). Threat Explorer shows the full detection analysis for a message including which filters it passed or failed, the URL and attachment verdicts, and the delivery action. For missed detections, review: the anti-phishing policy assignment (is the recipient covered?), the Safe Attachments policy (is it enabled and the recipient is in scope?), and the spoof intelligence review list (the sender may have been manually allowed). Submit the missed sample to Microsoft via the Submissions portal for retraining.

What is the highest-value EOP configuration change for reducing phishing volume?

Enabling impersonation protection for your senior leadership and domain-critical senders in the anti-phishing policy provides the highest return for most organizations. Attackers impersonating CFOs, CEOs, and finance team members in BEC campaigns bypass generic content filters because the emails contain no malicious URLs or attachments. Configure the anti-phishing policy's Impersonation section with the names and email addresses of your top 20-50 executives and high-value users. Enable mailbox intelligence so the system learns each user's normal contacts and flags senders that the user has never interacted with. This combination catches a majority of targeted BEC attempts that signature-based filtering cannot detect.

How do I configure EOP inbound connectors to enforce that email from a specific domain arrives only through that domain's authorized mail servers?

Partner or vendor email that arrives from a specific domain should be restricted to arrive only from that vendor's IP addresses or via their certificate-authenticated connector, preventing spoofing that bypasses SPF (which validates the envelope sender's IPs, not the From header). Create an inbound connector in EOP: go to Exchange admin center > Mail flow > Connectors > New connector, set the source as 'Partner organization', configure the authentication method as either 'IP address ranges' (specify the vendor's sending IPs) or 'Subject name matches this pattern' (for certificate-based authentication), and restrict the connector to only accept mail from the specified domain. Apply the connector to a mail flow rule: create a transport rule that matches mail from the partner domain and requires it to arrive via the specific connector, rejecting messages from the same domain that arrive via any other path. This prevents adversaries who compromise a public mail relay or use a lookalike domain from delivering mail that claims to be from your vendor.

Sources & references

  1. Microsoft: Recommended settings for EOP and Microsoft Defender for Office 365
  2. Microsoft: Anti-phishing policies in Microsoft 365
  3. Microsoft: Spoof intelligence insight

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.