M06 · Defender for Office 365
Course: Microsoft Defender — Security Operations Fundamentals
Module duration: 3.0 hours (including lab)
Format: Instructor-led, hands-on
Currency note (as of June 2026): MDO policy names, Threat Explorer labels, and portal paths change frequently. Plan 1 vs. Plan 2 feature boundaries also shift. Verify against current Microsoft Learn before relying on specifics.
Learning objectives
By the end of this module you will be able to:
- Describe how Defender for Office 365 (MDO) protects email and collaboration services.
- Explain the function of Anti-phishing policies, Safe Links, and Safe Attachments.
- Use Threat Explorer to investigate an email-based threat.
- Describe automated investigation and response (AIR) and how to review AIR results.
1. MDO protection layers
Microsoft Defender for Office 365 (MDO) protects email and collaboration (Exchange Online, Teams, SharePoint, OneDrive) against phishing, malware, and business email compromise. It is layered:
- Exchange Online Protection (EOP) — the baseline included with Exchange Online: anti-malware, anti-spam, and basic anti-phishing / connection filtering. Every mailbox gets this.
- MDO Plan 1 — adds Safe Links, Safe Attachments, and enhanced anti-phishing (impersonation protection), plus real-time detections.
- MDO Plan 2 — adds Threat Explorer (advanced hunting for email), Automated Investigation and Response (AIR), attack simulation training, and advanced threat-tracking/campaign views.
Diagram alt text: Three stacked layers building upward. The base layer is Exchange Online Protection, the baseline providing anti-malware, anti-spam, and basic anti-phishing. The middle layer is MDO Plan 1, adding Safe Links, Safe Attachments, and impersonation protection. The top layer is MDO Plan 2, adding Threat Explorer, automated investigation and response, and attack simulation training.
Licensing note (as of June 2026): which capability sits in EOP vs. Plan 1 vs. Plan 2 changes; confirm in current Microsoft Learn. A “missing” feature is often a plan gap.
2. Anti-phishing policies
Anti-phishing policies defend against deception-based attacks:
- Impersonation protection — detect messages where the sender pretends to be a specific protected user (e.g., the CEO) or domain (your own or a partner’s). You define who/what to protect.
- Spoof intelligence — detect senders forging the From address, using authentication signals (SPF, DKIM, DMARC) and sending patterns; surfaces a spoof allow/block list.
- Mailbox intelligence — learns each user’s normal contact graph to flag unusual senders that may be impersonation attempts.
These map to ATT&CK Phishing (T1566) and its sub-techniques — the most common initial-access vector (M01).
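Worked example (added for this handout; it is not Microsoft's implementation and not code from the cited sources): the three anti-phishing signals above, reduced to something you can run over a constructed message. Spoof intelligence is modelled as reading the SPF/DKIM/DMARC verdicts from an Authentication-Results header, impersonation protection as a protected display name on the wrong address plus a lookalike-domain edit distance, and mailbox intelligence as a per-recipient set of known senders. The addresses, domains, the 203.0.113.7 sender IP and the contact graph are all constructed; MDO's real scoring is far richer than these toy rules.

```python
"""Added example: toy versions of the three anti-phishing signals (not MDO's own logic)."""
import re
from email.utils import parseaddr

# Constructed sample data; none of these addresses or hosts are real.
PROTECTED_USERS = {"alice.chen@contoso.example": "Alice Chen"}   # impersonation protection targets
PROTECTED_DOMAINS = {"contoso.example"}
KNOWN_CONTACTS = {                                                 # per-mailbox "normal" senders
    "bob@contoso.example": {"alice.chen@contoso.example", "vendor@partner.example"},
}
SPOOFED_MESSAGE = {
    "From": '"Alice Chen (CEO)" <alice.chen@contos0.example>',
    "Authentication-Results": (
        "spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=contos0.example; "
        "dkim=none (message not signed) header.d=none; "
        "dmarc=fail action=quarantine header.from=contos0.example"
    ),
}


def parse_auth_results(value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{method}=(\w+)", value)
        results[method] = match.group(1).lower() if match else "none"
    return results


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as contos0 vs contoso."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate(headers, recipient, protected_users=PROTECTED_USERS,
             protected_domains=PROTECTED_DOMAINS, known_contacts=KNOWN_CONTACTS):
    """Return a list of findings; an empty list means no anti-phishing signal fired."""
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    findings = []

    # Spoof intelligence: authentication results on the From domain.
    auth = parse_auth_results(headers.get("Authentication-Results", ""))
    if auth["dmarc"] != "pass":
        findings.append(f"spoof: dmarc={auth['dmarc']} spf={auth['spf']} dkim={auth['dkim']}")

    # User impersonation: display name of a protected user on a different address.
    for real_addr, name in protected_users.items():
        if name.lower() in display.lower() and addr != real_addr:
            findings.append(f"user impersonation: '{display}' sent from {addr}")

    # Domain impersonation: a lookalike of a protected domain (distance 1 or 2).
    for protected in protected_domains:
        if domain != protected and edit_distance(domain, protected) <= 2:
            findings.append(f"domain impersonation: {domain} resembles {protected}")

    # Mailbox intelligence: sender outside this recipient's usual contact graph.
    if addr not in known_contacts.get(recipient, set()):
        findings.append(f"mailbox intelligence: first-time sender {addr} -> {recipient}")
    return findings


if __name__ == "__main__":
    for line in evaluate(SPOOFED_MESSAGE, "bob@contoso.example"):
        print(line)
```

Run it and all four signals fire on the constructed CEO-lookalike message; replace the From header with the genuine address and a passing Authentication-Results line and the list comes back empty, which is the behaviour the policy tuning in the lab is trying to reach: noise-free on legitimate mail, loud on the lookalike.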
3. Safe Links and Safe Attachments
- Safe Links — time-of-click URL protection. When a user clicks a link in mail (or supported Office/Teams content), MDO rewrites and re-checks the URL at click time, detonating/evaluating it so a link that was benign at delivery but weaponized later is still caught. Blocked clicks show a warning page.
- Safe Attachments — detonation sandbox for email attachments. Attachments are opened in an isolated environment to observe malicious behavior before delivery. Dynamic Delivery delivers the message body immediately while the attachment is scanned, then attaches it once cleared — so users are not blocked waiting on detonation.
Together these address ATT&CK Spearphishing Link (T1566.002) and Spearphishing Attachment (T1566.001).
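Worked example (added for this handout; not Microsoft's code): a toy model of the two mechanisms above. The wrapper host is an assumption modelled on the safelinks.protection.outlook.com links users see in rewritten mail, the reputation feed is a plain set that changes after delivery, and the "detonation" is a constructed marker string rather than a sandbox. The point it demonstrates is the one in the text: the same link is allowed at the first click and blocked at a later one because the verdict is computed at click time, and Dynamic Delivery hands over the body first and the attachment only after the scan clears it.

```python
"""Added example: toy Safe Links rewrite/click-time check and Dynamic Delivery (not MDO's code)."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed wrapper host, modeled on the *.safelinks.protection.outlook.com links users see.
WRAPPER = "https://nam02.safelinks.protection.outlook.com/"


def wrap_url(original):
    """At delivery time, rewrite the link so that every click is routed through the checker."""
    return WRAPPER + "?" + urlencode({"url": original, "reserved": "0"})


def unwrap_url(wrapped):
    """Recover the destination from a rewritten link (an analyst's first step when reading one)."""
    query = parse_qs(urlsplit(wrapped).query)
    return query["url"][0]


class ClickTimeChecker:
    """Verdict is computed when the user clicks, against the reputation known at that moment."""

    def __init__(self):
        self.blocked_hosts = set()   # constructed reputation feed; updated after delivery
        self.click_log = []          # (user, destination, verdict) for later investigation

    def check(self, wrapped, user):
        destination = unwrap_url(wrapped)
        host = urlsplit(destination).hostname
        verdict = "blocked" if host in self.blocked_hosts else "allowed"
        self.click_log.append((user, destination, verdict))
        return verdict


def weaponized_after_delivery():
    """The scenario from the text: clean at delivery, malicious at a later click."""
    checker = ClickTimeChecker()
    link = wrap_url("https://docs.example.net/invoice")        # constructed URL
    first = checker.check(link, "bob@contoso.example")          # nothing known yet -> allowed
    checker.blocked_hosts.add("docs.example.net")               # reputation changes afterwards
    second = checker.check(link, "carol@contoso.example")       # same link, now blocked
    return first, second


def toy_scan(blob):
    """Stand-in for detonation: a constructed marker string, not a real sandbox verdict."""
    return "malicious" if b"macro:AutoOpen" in blob else "clean"


def dynamic_delivery(message, scan=toy_scan):
    """Stage 1 delivers the body with placeholders; stage 2 attaches only what the scan cleared."""
    placeholders = [(f"{name} (being scanned by Safe Attachments)", None)
                    for name, _ in message["attachments"]]
    stage1 = {"body": message["body"], "attachments": placeholders}
    cleared = [(name, blob) for name, blob in message["attachments"] if scan(blob) == "clean"]
    stage2 = {"body": message["body"], "attachments": cleared}
    return [stage1, stage2]


if __name__ == "__main__":
    print(weaponized_after_delivery())
    msg = {"body": "Please review.",
           "attachments": [("q.xlsm", b"macro:AutoOpen"), ("notes.txt", b"hi")]}
    for stage in dynamic_delivery(msg):
        print(stage)
```

unwrap_url is the piece analysts use most: a rewritten link in a user report or in Threat Explorer has to be decoded to its destination before you can compare it with the URL filters you set.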
4. Threat Explorer
Threat Explorer (Explorer; MDO Plan 2) is the interactive investigation tool for email threats. You can:
- Filter delivered mail by threat type (malware, phish), sender, recipient, subject, URL, detection technology, delivery action, and time.
- See the delivery path and status — was it delivered, junked, blocked, or zapped (removed post-delivery)?
- Identify all affected recipients of a campaign in one view.
- Pivot to the email entity page for a single message — full detail on headers, URLs, attachments, authentication results, and the actions available.
In the lab you will use Threat Explorer to trace a simulated phishing campaign’s delivery path and affected recipients.
5. Automated Investigation and Response (AIR)
Automated Investigation and Response (AIR) (MDO Plan 2) automatically investigates alerts and recommends (or, where configured, takes) remediation actions, dramatically reducing manual triage.
- Trigger conditions — an alert (e.g., a user reported a phishing message, or a malicious URL/file detected) kicks off an automated investigation.
- What it does — gathers related evidence (other copies of the message, affected users, URLs/files) and determines a verdict and recommended actions (e.g., soft-delete the malicious emails).
- Approval workflow — many remediation actions require an analyst to review and approve before they execute, keeping a human in the loop. You review the investigation’s findings, evidence, and recommended actions, then approve or reject.
In the lab you will review an AIR investigation result and approve a remediation action.
Compare to M04: MDO’s AIR is the email-workload sibling of the broader automated investigation in Defender XDR; both emphasize evidence-gathering plus human-approved remediation, distinct from automatic attack disruption, which acts without approval during high-confidence attacks.
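Worked example (added for this handout; not Microsoft's code) covering sections 4 and 5 together: a small in-memory set of constructed email events stands in for what Threat Explorer shows, with the filter, the delivery/ZAP status and the affected-recipients view as functions, followed by an AIR-style investigation that starts from one alerted message, gathers every related copy as evidence, proposes soft-delete actions, and executes nothing until an analyst approves. The field names, campaign IDs and addresses are constructed for the example.

```python
"""Added example: toy Threat Explorer filters and an AIR-style investigation with approval gate."""
import copy

# Constructed email events (fields loosely mirror what Explorer shows; no real data).
EVENTS = [
    {"id": "m1", "campaign": "c-77", "sender": "alice.chen@contos0.example",
     "recipient": "bob@contoso.example", "subject": "Urgent invoice",
     "url": "https://docs.example.net/invoice", "threat": "Phish",
     "delivery": "Delivered", "zapped": False},
    {"id": "m2", "campaign": "c-77", "sender": "alice.chen@contos0.example",
     "recipient": "carol@contoso.example", "subject": "Urgent invoice",
     "url": "https://docs.example.net/invoice", "threat": "Phish",
     "delivery": "Delivered", "zapped": True},      # removed post-delivery by ZAP
    {"id": "m3", "campaign": "c-77", "sender": "alice.chen@contos0.example",
     "recipient": "dave@contoso.example", "subject": "Urgent invoice",
     "url": "https://docs.example.net/invoice", "threat": "Phish",
     "delivery": "Junked", "zapped": False},
    {"id": "m4", "campaign": "c-12", "sender": "hr@partner.example",
     "recipient": "bob@contoso.example", "subject": "Payroll",
     "url": None, "threat": "Malware", "delivery": "Blocked", "zapped": False},
    {"id": "m5", "campaign": None, "sender": "vendor@partner.example",
     "recipient": "bob@contoso.example", "subject": "Quote",
     "url": None, "threat": None, "delivery": "Delivered", "zapped": False},
]


def explore(events, **filters):
    """Explorer-style filter: every given field must match (threat, sender, recipient, delivery...)."""
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]


def delivery_status(event):
    """Collapse delivery action plus ZAP into the single status an analyst reads."""
    return "Zapped" if event["zapped"] else event["delivery"]


def campaign_recipients(events, campaign):
    """The 'affected recipients' view: each recipient of the campaign with their status."""
    return {e["recipient"]: delivery_status(e) for e in explore(events, campaign=campaign)}


def investigate(events, alerted_id):
    """AIR-style: start from one alerted message, gather every related copy, propose actions."""
    seed = next(e for e in events if e["id"] == alerted_id)
    related = explore(events, campaign=seed["campaign"]) if seed["campaign"] else [seed]
    verdict = "Malicious" if seed["threat"] else "NoThreatsFound"
    # Only copies still sitting in a mailbox need remediation, and only for a malicious verdict.
    still_in_mailbox = ([e for e in related if e["delivery"] == "Delivered" and not e["zapped"]]
                        if verdict == "Malicious" else [])
    return {
        "verdict": verdict,
        "evidence": [e["id"] for e in related],
        "pending_actions": [
            {"action": "SoftDelete", "message_id": e["id"], "mailbox": e["recipient"],
             "status": "PendingApproval"} for e in still_in_mailbox
        ],
    }


def approve(investigation, events, approver):
    """Human-in-the-loop gate: only approved actions change the mail store. Returns count executed."""
    executed = 0
    for action in investigation["pending_actions"]:
        if action["status"] != "PendingApproval":
            continue
        target = next(e for e in events if e["id"] == action["message_id"])
        target["delivery"] = "SoftDeleted"
        action.update(status="Completed", approved_by=approver)
        executed += 1
    return executed


if __name__ == "__main__":
    store = copy.deepcopy(EVENTS)
    print(campaign_recipients(store, "c-77"))
    inv = investigate(store, "m1")
    print(inv["verdict"], inv["evidence"], inv["pending_actions"])
    print("executed:", approve(inv, store, "analyst@contoso.example"))
    print(campaign_recipients(store, "c-77"))
```

Note what the investigation does not touch: the copy ZAP already removed and the copy that landed in Junk need no action, so the only pending SoftDelete is for the one mailbox where the message is still readable. That is the evidence-then-approve shape the text contrasts with automatic attack disruption.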
6. Attack simulation training (overview)
Attack simulation training (MDO Plan 2) lets you safely run simulated phishing campaigns against your own users to measure susceptibility and assign training to those who fall for them. It uses benign, Microsoft-provided simulation payloads — never real malware — and is a primary way to drive down human-factor risk. In this course it is used in a lab/dev tenant only.
7. Module summary
- MDO layers on top of EOP: Plan 1 adds Safe Links, Safe Attachments, impersonation protection; Plan 2 adds Threat Explorer, AIR, attack simulation training.
- Anti-phishing policies combine impersonation protection, spoof intelligence, and mailbox intelligence; Safe Links re-checks URLs at click time; Safe Attachments detonates files (Dynamic Delivery avoids delays). These map to ATT&CK Phishing (T1566).
- Threat Explorer investigates email threats — filter, trace delivery, find affected recipients, pivot to the email entity page.
- AIR auto-investigates alerts, gathers evidence, and recommends remediation, typically with analyst approval before action.
Glossary (first-use acronyms in this module)
- AIR — Automated Investigation and Response.
- DKIM — DomainKeys Identified Mail (email authentication).
- DMARC — Domain-based Message Authentication, Reporting, and Conformance.
- EOP — Exchange Online Protection.
- MDO — Microsoft Defender for Office 365.
- SPF — Sender Policy Framework (email authentication).
- ZAP — Zero-hour Auto Purge (post-delivery removal of malicious mail).
Sources
Citations recorded per CLAUDE.md. Living documents; “as of June 2026” stamps indicate currency.
- Microsoft Learn — “Microsoft Defender for Office 365 overview.” https://learn.microsoft.com/defender-office-365/mdo-about
- Microsoft Learn — “Anti-phishing policies in Microsoft Defender for Office 365.” https://learn.microsoft.com/defender-office-365/anti-phishing-policies-about
- Microsoft Learn — “Safe Links in Microsoft Defender for Office 365.” https://learn.microsoft.com/defender-office-365/safe-links-about
- Microsoft Learn — “Safe Attachments in Microsoft Defender for Office 365.” https://learn.microsoft.com/defender-office-365/safe-attachments-about
- Microsoft Learn — “Threat Explorer and real-time detections.” https://learn.microsoft.com/defender-office-365/threat-explorer-about
- Microsoft Learn — “Automated investigation and response (AIR) in Microsoft Defender for Office 365.” https://learn.microsoft.com/defender-office-365/air-about
- Microsoft Learn — “Attack simulation training.” https://learn.microsoft.com/defender-office-365/attack-simulation-training-get-started
- MITRE ATT&CK — Phishing (T1566). https://attack.mitre.org/techniques/T1566/
M06 of 10 · Microsoft Defender — Security Operations Fundamentals · maps to curriculum.md → M06 learning objectives 1–4. Student handout — distribute freely to learners. No answer keys contained.