Secure Your Communications: Configuring Email Protection with Microsoft

All Microsoft 365 subscriptions come with Exchange Online Protection (EOP), which includes defenses against spam, viruses, and phishing that are enabled by default. For additional protection, you can configure optional policies available in all subscription types, and you can enable Defender for Office 365, a feature included in Microsoft 365 Business Premium. The simplest way to enable email protection is to use the preset security policies in the Microsoft 365 Defender unified experience.

| Configure email protection | Recommended settings – normal scenario | Recommended settings – high-risk scenario |
|---|---|---|
| Enable Defender for Office 365 preset policies | Yes | Yes |
| Enable transport rule for attachments with Office macro extension | Warn | Block |
| Block auto-forwarded email | All users | All users |
| Enable Sender Policy Framework (SPF) | All domains | All domains |
| Enable DomainKeys Identified Mail (DKIM) signing | All domains | All domains |
| Enable DMARC policy | Enabled, quarantine | Enabled, reject |
| Enable Common Attachment Types filter | Preset, standard | Preset, strict |
| Enable Defender for Office 365 anti-phishing policies | Preset, standard | Preset, strict |
| Enable Defender for Office 365 Safe Links policy | Preset, standard | Preset, strict |
| Enable Defender for Office 365 Safe Attachments policy | Preset, standard | Preset, strict |
| Enable Safe Attachments for SharePoint, OneDrive and Microsoft Teams | Preset, built-in | Preset, built-in |
  • Enable Defender for Office 365 preset policies: We recommend starting with a preset security policy, which is a compilation of settings for anti-spam, anti-malware, anti-phishing, Safe Links, and Safe Attachments. For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.

  • Enable transport rule for attachments with Office macro extension: By opening files that contain malicious macros, users can introduce ransomware to the business. To help prevent this, you can insert a warning to the user (or reject the message outright in the high-risk scenario) whenever a file type that may contain macros flows through the email system. The steps are detailed in Protect against ransomware.
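The mail flow rule described above, as an added example that is not part of the Microsoft article: it creates either the Warn form (normal scenario) or the Block form (high-risk scenario) from the table. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange admin role; the list of macro-enabled extensions is a constructed starting point.

```powershell
# Added example: transport rule for macro-enabled Office attachments (Warn or Block).
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
param(
    [ValidateSet('Warn', 'Block')]
    [string]$Mode = 'Warn'
)

Connect-ExchangeOnline -ShowBanner:$false

# Constructed list of macro-enabled Office extensions; trim it to what your business actually exchanges.
$macroExtensions = @('docm', 'dotm', 'xlsm', 'xltm', 'xlam', 'pptm', 'potm', 'ppam', 'ppsm', 'sldm')
$ruleName = "Office macro attachments - $Mode"

if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Write-Host "Rule '$ruleName' already exists; leaving it unchanged."
}
elseif ($Mode -eq 'Warn') {
    # Prepend a warning so the recipient sees it before opening the attachment; if the
    # disclaimer cannot be inserted (e.g. encrypted body), wrap the original message instead.
    New-TransportRule -Name $ruleName -Priority 0 -Enabled $true `
        -AttachmentExtensionMatchesWords $macroExtensions `
        -ApplyHtmlDisclaimerLocation Prepend `
        -ApplyHtmlDisclaimerText '<p style="color:red">WARNING: this message contains a macro-enabled Office file. Do not enable macros unless you have verified the sender.</p>' `
        -ApplyHtmlDisclaimerFallbackAction Wrap
}
else {
    # Reject the message and tell the sender why (NDR with enhanced status code 5.7.1).
    New-TransportRule -Name $ruleName -Priority 0 -Enabled $true `
        -AttachmentExtensionMatchesWords $macroExtensions `
        -RejectMessageReasonText 'Macro-enabled Office attachments are not accepted here. Please send a PDF or a macro-free file instead.' `
        -RejectMessageEnhancedStatusCode '5.7.1'
}

# Verify the rule that is now in place.
Get-TransportRule -Identity $ruleName | Format-List Name, State, Priority, AttachmentExtensionMatchesWords
```

Run it with `-Mode Block` for the high-risk scenario; rerunning with the same mode is a no-op because the rule name is checked first.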

  • Block auto-forwarded email: If a cybercriminal gains access to an employee’s account, they may auto-forward that person’s email to an outside account. This allows the attacker to watch the flow of email over extended periods of time, looking for opportunities to steal other people’s credentials and impersonate others—for example, to divert payments to a fake supplier.  The default outbound spam filter disables automatic forwarding in Microsoft 365 Business Premium; however, you may modify the policy to allow for specific cases where forwarding is desirable. For more information see Control automatic external email forwarding in Microsoft 365.
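The auto-forwarding control described above, as an added example that is not part of the Microsoft article: it turns off automatic external forwarding for all users and then reports mailbox-level forwarding and inbox rules that already forward or redirect mail, which is what a compromised account typically leaves behind. It assumes the ExchangeOnlineManagement module and an Exchange admin role.

```powershell
# Added example: disable external auto-forwarding tenant-wide and detect existing forwarding.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Outbound spam filter policy: Off blocks auto-forwarding for everyone (the "All users"
#    setting in the table). Create a separate policy scoped to the exceptions if some users need it.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. The default remote domain also controls whether auto-forwards may leave the tenant.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Detection: forwarding configured on the mailbox itself (by an admin or by the user).
$forwarding = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 4. Detection: inbox rules that forward or redirect, the usual persistence mechanism after a
#    credential compromise. Rules created this way keep working until someone removes them.
$ruleHits = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

"Mailboxes with forwarding configured: $(@($forwarding).Count)"
$forwarding | Format-Table -AutoSize
"Inbox rules that forward or redirect: $(@($ruleHits).Count)"
$ruleHits | Format-Table -AutoSize
# Confirm each hit with the mailbox owner before removing it (Remove-InboxRule, or
# Set-Mailbox -ForwardingSmtpAddress $null), since some forwards are legitimate.
```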

  • Enable email authentication (SPF, DKIM, DMARC): Email authentication helps prevent spoofing of your domain and reduces phishing and other inauthentic email from other domains. Three separate but related technologies work together to accomplish this: the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). Setting up email authentication is relatively simple if all outbound email originates through Outlook and Microsoft 365, and requires just a few DNS records and policy settings. For more information, refer to Email authentication in EOP.
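A check of the three records just described, as an added example that is not part of the Microsoft article: it verifies a domain's SPF, DKIM and DMARC DNS entries against what a Microsoft 365-only sender needs and then enables DKIM signing in Exchange Online. It assumes Windows (for Resolve-DnsName), the ExchangeOnlineManagement module, and uses contoso.com as a placeholder domain.

```powershell
# Added example: verify SPF / DKIM / DMARC for a Microsoft 365 domain and enable DKIM signing.
# Assumes Resolve-DnsName (Windows) and the ExchangeOnlineManagement module; contoso.com is a placeholder.
param([string]$Domain = 'contoso.com')

# Expected SPF for a domain that sends only through Microsoft 365 (add include: entries for other senders).
$expectedSpf = 'v=spf1 include:spf.protection.outlook.com -all'

function Get-TxtRecord([string]$Name) {
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings } | ForEach-Object { $_.Strings -join '' }
}

# SPF: exactly one v=spf1 record; more than one is a permanent error for receivers.
$spf = @(Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' })
switch ($spf.Count) {
    0       { Write-Warning "SPF: no record published for $Domain" }
    1       { if ($spf[0] -eq $expectedSpf) { "SPF: OK ($($spf[0]))" }
              else { Write-Warning "SPF: found '$($spf[0])', expected '$expectedSpf'" } }
    default { Write-Warning "SPF: $($spf.Count) v=spf1 records found; only one is allowed" }
}

# DKIM: Microsoft 365 publishes two CNAME selectors so keys can be rotated without downtime.
foreach ($sel in 'selector1', 'selector2') {
    $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    if ($cname) { "DKIM: $sel -> $($cname.NameHost)" }
    else        { Write-Warning "DKIM: $sel._domainkey.$Domain CNAME is missing" }
}

# DMARC: p=quarantine for the normal scenario, p=reject for the high-risk scenario (see the table).
$dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
if (-not $dmarc) { Write-Warning "DMARC: no _dmarc.$Domain record" }
elseif ($dmarc -match 'p=(none|quarantine|reject)') {
    "DMARC: policy p=$($Matches[1]) ($dmarc)"
    if ($Matches[1] -eq 'none') { Write-Warning "DMARC: p=none only monitors; move to quarantine or reject" }
}

# Enable DKIM signing in Exchange Online (idempotent); do this once both CNAMEs resolve.
Connect-ExchangeOnline -ShowBanner:$false
if (Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
} else {
    New-DkimSigningConfig -DomainName $Domain -Enabled $true
}
Get-DkimSigningConfig -Identity $Domain | Format-List Domain, Enabled, Selector1CNAME, Selector2CNAME
```

The Selector1CNAME and Selector2CNAME values printed at the end are the targets your DNS CNAMEs must point to; if the DKIM check above warned that they are missing, publish those first.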

  • Enable Common Attachment Types filter: To block email attachments with file types that are commonly used for malware, activate this filter by enabling the standard protection preset policy or by turning it on separately. For more details, see Preset security policies in EOP and Microsoft Defender for Office 365 and Raise the level of protection against malware in mail.

  • Enable Defender for Office 365 anti-phishing policies: This protects businesses from unknown email threats in real time by using intelligent systems that inspect attachments and links for malicious content. Safety tips can inform users when they receive email from a sender for the first time or when the sender does not pass email authentication, both of which are common in phishing scenarios. You can enable the recommended Defender for Office 365 policies using the Microsoft Defender for Office 365 setup guide by clicking Settings in the left-hand navigation of the Microsoft 365 Admin Center (note: you may have to select a link for advanced deployment guides to see them). You may also want to configure policies to help prevent impersonation of key individuals, also known as spear-phishing. For more information, see Anti-phishing policies in Microsoft 365 and Configure anti-phishing policies in Microsoft Defender for Office 365.

  • Enable Defender for Office 365 Safe Attachments policies: Safe Attachments is a feature in Microsoft Defender for Office 365 that uses a virtual environment to check attachments in inbound email messages after they have been scanned by anti-malware protection in Exchange Online Protection (EOP). This method analyzes behavior and other indicators to protect against new forms of malware that signature-based scanning has not yet seen. For more information, see Set up Safe Attachments policies in Microsoft Defender for Office 365 and Turn on Safe Attachments for SharePoint, OneDrive and Microsoft Teams.

  • Enable Defender for Office 365 Safe Links policies: Safe Links in Microsoft Defender for Office 365 provides URL scanning of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and in other locations. This helps ensure links in emails and Office documents are safe, even if the content at the link destination has changed since the message was delivered. For more information, see Set up Safe Links policies in Microsoft Defender for Office 365.

Microsoft Defender for Office 365 is included in the Microsoft 365 Business Premium subscription, and some enterprise subscription plans.