PRACTITIONER GUIDE | EMAIL SECURITY
Practitioner GuideUpdated 11 min read

Microsoft Defender for Office 365 Configuration Guide: Safe Links, Safe Attachments, and Anti-Phishing Policies That Actually Block Attacks

Preset security policies
Standard and Strict -- Microsoft provides two preset policy bundles that enable recommended MDO settings in bulk. Standard is appropriate for most organizations; Strict is for high-risk users (executives, finance, IT admins). Apply these first, then customize exceptions
ZAP (Zero-Hour Auto Purge)
retroactively removes messages from user mailboxes after delivery if a URL or attachment is later classified as malicious. ZAP is enabled by default in EOP for spam/malware and in MDO for phishing. Verify it is not disabled in your policies
Safe Attachments: Block
is the highest-protection Safe Attachments action. It blocks messages with suspicious attachments that fail sandbox detonation, quarantining them. Dynamic Delivery allows the email body through immediately while the attachment is being detonated, reducing the delivery delay for legitimate mail
First-contact safety tips
are an MDO feature that adds a visible banner to emails from senders the recipient has not communicated with before. Simple and effective against spear phishing from newly registered domains. Enable it in anti-phishing policies

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

MDO out of the box does not have all the recommended protections enabled. Microsoft uses conservative defaults to minimize false positives, which means organizations that do not review their MDO configuration are running with gaps. The fastest path to a strong MDO posture is applying the Standard or Strict preset security policy to all users, then reviewing the anti-phishing policy for executive impersonation protection additions. This guide covers the settings that matter and why.

Apply the Preset Security Policies

The preset security policies (Standard and Strict) are Microsoft's recommended bundled configuration. They are the fastest way to enable MDO protections correctly.

Location: Microsoft 365 Defender portal (security.microsoft.com) > Email and Collaboration > Policies and Rules > Threat Policies > Preset Security Policies

Apply Standard protection to all users:

  • Standard protection: Turn on
  • Applied to: All recipients (or a specific group for pilot)
  • The Standard policy enables: Safe Links with click tracking, Safe Attachments with Block action, anti-phishing with impersonation protection, anti-spam, anti-malware

Apply Strict protection to high-risk users:

  • Strict protection: Turn on
  • Applied to: Your executives, finance team, IT admins, HR, and any user who handles sensitive data or wire transfers
  • Strict adds: More aggressive thresholds, block on SCL (spam confidence level) 5+ instead of 6+, stricter impersonation detection

Why use presets instead of custom policies: Preset policies are automatically updated as Microsoft adjusts recommended settings. Custom policies require manual updates to stay current. Use presets as the baseline and create custom exception policies only for specific users who need different behavior.

Configure Anti-Phishing Impersonation Protection

The anti-phishing policy's impersonation protection is the most important setting to customize -- it requires you to tell MDO which users and domains to protect.

Location: Threat Policies > Anti-phishing > Create or edit policy > Impersonation protection

Add users to protect (impersonation targets): Add executives, finance approvers, and IT administrators by email address. When an incoming email impersonates one of these addresses (e.g., a spoofed display name that says 'John Smith, CFO' but comes from an external domain), MDO detects it.

Common targets to add:

  • CEO, CFO, CISO, CTO
  • Any users named in wire transfer or payment approval processes
  • IT helpdesk addresses that attackers spoof in tech support scams

Add domains to protect:

  • Your own domain (domain impersonation protection -- catches emails claiming to be from your domain when sent from outside)
  • Partner/vendor domains you receive critical communications from

Recommended action for impersonation detections: Quarantine The default action is to move to Junk -- change it to Quarantine for impersonation of users and domains. Users should not see impersonation attempts in Junk; they should not see them at all until reviewed.

Enable mailbox intelligence:

  • Mailbox intelligence: On
  • Mailbox intelligence-based impersonation protection: On This analyzes each user's historical email patterns to detect when they receive mail from a sender that looks unusual for their communication history.
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Configure Safe Links and Safe Attachments Beyond Defaults

Safe Links -- settings to verify:

Path: Threat Policies > Safe Links > Create/edit policy

  • On: Safe Links checks a list of known, malicious links when users click links in email: Enabled
  • Apply Safe Links to email messages sent within the organization: Enabled (catches internal phishing from compromised mailboxes)
  • Apply real-time URL scanning for suspicious links and links that point to files: Enabled
  • Wait for URL scanning to complete before delivering the message: Enabled (slight delay but catches detonation results)
  • Do not rewrite URLs, do check via Safe Links API only: Disabled (URL rewriting is safer -- allows click-time detonation for URLs that were clean at delivery but became malicious later)
  • Track user clicks: Enabled (required for click data in threat explorer)
  • Let users click through to original URL: Disabled for Strict users, your call for Standard

Safe Attachments -- action recommendation:

Path: Threat Policies > Safe Attachments > Create/edit policy

  • Action: Dynamic Delivery (preferred) or Block
    • Dynamic Delivery: Delivers the email body immediately, replaces attachment with a placeholder while detonating, delivers the real attachment if clean. Better user experience with no delivery delay.
    • Block: Quarantines the entire email until detonation completes. More disruptive but higher assurance.
  • Enable redirect: Enable -- specify a security team mailbox. Attachments flagged as malicious get a copy sent to your security team for review.
  • Apply Safe Attachments detection response if scanning can't complete: Enabled (Block by timeout)

Monitor MDO Detections in Your SIEM

Key MDO alert types to route to your SIEM:

In the Microsoft 365 Defender portal (security.microsoft.com) > Alerts:

  • A potentially malicious URL click was detected: A user clicked a Safe Links-rewritten URL that MDO classified as malicious. High priority.
  • Email messages containing malicious URL removed after delivery: ZAP fired -- a URL in an already-delivered email was retroactively classified as malicious and the email was removed.
  • Phish delivered due to an ETR override: Your own Exchange Transport Rules allowed a phishing email through. Review the override.

MDO Threat Explorer for investigation: Security.microsoft.com > Email and Collaboration > Explorer

  • Filter by Detection Technology: Safe Links, Safe Attachments, Impersonation
  • Review click events: Explorer > URL clicks > filter by "Allowed" click to find users who clicked through blocked URLs

Route MDO alerts to Microsoft Sentinel: Sentinel > Data connectors > Microsoft Defender XDR > Connect Alerts appear in the SecurityAlert table:

SecurityAlert
| where TimeGenerated > ago(24h)
| where ProductName has 'Defender for Office'
| where AlertSeverity in ('High', 'Medium')
| project TimeCreated = TimeGenerated, AlertName, Entities, AlertSeverity
| order by TimeCreated desc

The bottom line

MDO configuration priority order: apply the Standard preset security policy to all users and the Strict preset to executives and finance immediately, then customize the anti-phishing policy to add your specific executive email addresses and company domains to the impersonation protection list. Verify ZAP is enabled and Safe Links URL rewrites are on. After one week, review Threat Explorer for detections -- the impersonation protection hits and Safe Attachments detonation results will tell you what was getting through before.

Frequently asked questions

What is the difference between Exchange Online Protection (EOP) and Microsoft Defender for Office 365?

EOP is the baseline email filtering layer included in all Exchange Online and Microsoft 365 subscriptions. It handles spam filtering, malware scanning, spoofing detection, and connection filtering. MDO (Defender for Office 365) adds an additional layer on top of EOP with Safe Links (URL sandboxing and click-time protection), Safe Attachments (behavioral sandbox detonation of attachments), advanced impersonation protection with mailbox intelligence, attack simulation training, threat hunting in Threat Explorer, and automated investigation and response. EOP is the floor; MDO raises the ceiling significantly for targeted phishing and BEC (Business Email Compromise).

Does Safe Attachments add significant email delivery delay?

With Dynamic Delivery mode, the email body arrives immediately -- users can read the message while the attachment is being detonated (typically 1-5 minutes for most file types). The attachment placeholder in the email is replaced by the real attachment once it is cleared. For most business email this is unnoticeable. With Block mode, the entire email is held until detonation completes, creating a delay that users experience as slow email delivery. For high-security environments (executives, finance), the Block mode delay is acceptable. For general user populations, Dynamic Delivery provides the best balance of protection and experience.

Why would a phishing email get through MDO to a user's inbox?

Common reasons phishing bypasses MDO: the email came from a legitimate third-party service that was compromised (a trusted sender domain with a good reputation), the malicious URL was not yet in Microsoft's threat intelligence at the time of delivery (ZAP may catch it later), an Exchange Transport Rule (ETR) in your environment bypassed filtering for the sender domain, the Safe Links URL rewrite was disabled for that policy, or the email used a non-URL technique (a QR code, a telephone number for callback phishing, or a benign attachment that instructs the user to call a number). Review the Detection Technology field in Threat Explorer for bypassed emails to understand which protection layer failed.

How do I protect against Business Email Compromise (BEC) that doesn't have malicious URLs or attachments?

BEC emails are often text-only -- no malicious links, no attachments, just an email impersonating an executive asking for a wire transfer or gift card purchase. MDO's impersonation protection (executive email addresses in the anti-phishing policy) and mailbox intelligence are the primary controls. Additionally: enable the first-contact safety tip (visual warning on emails from new senders), configure DMARC with policy reject on your own domain (prevents domain spoofing), and implement training via Attack Simulator to teach employees to recognize social engineering. For high-risk users in finance, require phone verification for any wire transfer request received by email.

How do Safe Links and Safe Attachments interact with each other in MDO?

Safe Links and Safe Attachments are independent protection mechanisms that operate on different threat vectors. Safe Attachments detonates file attachments in a sandbox before delivery. Safe Links rewrites URLs in email bodies and documents and performs real-time reputation checks when a user clicks. They do not depend on each other -- an email with no attachments still benefits from Safe Links, and an email with no URLs still benefits from Safe Attachments. Both should be enabled in your MDO policies for complete coverage. Note that Safe Links also applies to URLs in Microsoft 365 documents (Word, Excel, PowerPoint) opened from SharePoint and OneDrive, extending protection beyond email to document-borne phishing links.

How do I investigate a phishing email that Microsoft Defender for Office 365 did not block?

Use Threat Explorer (Microsoft 365 Defender > Email and Collaboration > Explorer) to locate the message by sender, recipient, subject, or time range. The detailed view shows the complete detection analysis: which policies the message was evaluated against, URL detonation results, attachment sandbox results, and the delivery action taken. For a missed phishing email, check: whether the recipient was in scope for the applicable Safe Links and Safe Attachments policies (policy ordering and exclusions can cause gaps), whether the sending domain was manually allowed in the tenant allow list, whether the message passed DMARC (which makes it harder to classify as spoofing), and whether the URL or attachment was new (zero-day phishing bypasses signature-based detection). Submit the missed sample to Microsoft via the Submissions portal (Microsoft 365 Defender > Actions and Submissions > Submissions) to improve detection models and report on the submission status.

Sources & references

  1. Microsoft -- Recommended settings for EOP and Microsoft Defender for Office 365 security
  2. Microsoft -- Safe Attachments in Microsoft Defender for Office 365
  3. Microsoft -- Set up Safe Links policies in Microsoft Defender for Office 365

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.