Introduction
Microsoft Defender for Office 365 helps keep your organization safe from threats like phishing, malware, and spam. With so many online dangers, it’s important to set up strong security policies to protect your emails and files. This guide will show you, step by step, how to create and manage security policies in Microsoft Defender for Office 365. By following these steps, you can make sure your organization is well-protected against these online threats.
What is Office 365?
Microsoft 365, once called Office 365, is a service you pay for that gives you useful tools for work and school. It includes well-known programs like Word for writing, Excel for making spreadsheets, PowerPoint for presentations, and Outlook for emails. You also get OneDrive for storing files online, Microsoft Teams for chatting and working together, and Exchange Online for business emails. Microsoft 365 keeps your information safe and updates its programs regularly. It helps people work better and easier, whether at home or in the office.
What is Microsoft Defender?
Microsoft Defender is a security program that Microsoft uses to keep your devices and data safe from online dangers. It helps protect against viruses and malware by scanning your system and removing harmful software. It also monitors your device in real-time to block threats as they happen. Microsoft Defender includes a firewall that prevents unauthorized access to your computer and provides web protection by warning you about dangerous websites. It works well with other Microsoft services, offering strong security for Windows and Microsoft 365 users to help ensure a safer online experience.
Step 1. Access the Security Center
- Open your browser and go to Microsoft 365 Defender Security Center.
- Log in with your Microsoft 365 admin account.
- Once inside, select Show All on the left panel and choose Security.
Step 2. Go to Policies and Rules
- On the dashboard, scroll down to Email & Collaboration.
- Click Policies and Rules.
- Select Threat Policies.
Step 3. Create or Configure the Policies.
Templated policies
Preset Security Policies
Preset Security Policies in Microsoft Defender for Office 365 are pre-made settings that help protect your organization from threats like phishing, malware, and spam. These policies make it easier for administrators to set up security measures quickly. Instead of manually creating each policy, you can apply preset security settings to protect email and tools like Microsoft Teams, SharePoint, and Exchange. This saves time and helps keep your organization safe from online threats.
Steps to Create the Preset Security Policies
- In Threat Policies, select Preset Security Policies.
- Click Manage Protection and then Create Policy.
- Apply the policies to All recipients.
- Click Confirm.
Review and Analyze Policies
Reviewing and analyzing your security policies is important for keeping your organization safe. This process helps you check if your security measures are working correctly and if they need updates. By looking at your threat policies regularly, you can find any weak spots and make improvements. It also shows you how well your tools are protecting against phishing, malware, and other online threats. Regular reviews help ensure your organization stays secure.
Steps to Review and Analyze Policies
- Return to the Threat Policies section.
- Use the Configuration Analyzer to review and improve settings.
- Regularly review reports to stay informed about potential threats.
Policies
Anti-Phishing Policies
Anti-Phishing Policies are tools in Microsoft Defender for Office 365 that help protect organizations from phishing attacks. Phishing is when bad actors pretend to be trusted sources to trick people into giving away sensitive information, like passwords or credit card numbers. These policies automatically find and block suspicious emails that look like phishing attempts. By using Anti-Phishing Policies, organizations can make their email safer, reducing the chance of employees getting tricked. Customizing these policies for different groups of users adds extra security against targeted attacks.
Steps to Configure Anti-Phishing Policies
- Under Threat Policies, click Anti-phishing.
- Click + Create Policy to make a new policy.
- Name: e.g., "Marketing Anti-Phishing Policy".
- Set up Impersonation Protection and Mailbox Intelligence.
- Choose how to handle phishing attempts, such as moving them to junk or quarantining them.
- Click Submit.
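The same anti-phishing configuration can be scripted in Exchange Online PowerShell, which exposes the two objects the portal wizard creates together: the policy (settings) and the rule (scope). This is an added example, not part of the original guide; the admin account, group and protected user are constructed placeholders.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an admin session.
# The UPN, group and protected user below are constructed placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'

$policyName = 'Marketing Anti-Phishing Policy'
$scopeGroup = 'marketing@contoso.example'    # assumed mail-enabled group

# 1. The policy object carries the protection settings.
$settings = @{
    Name                                = $policyName
    # Impersonation protection: named users plus the tenant's own domains
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = 'Example CFO;cfo@contoso.example'
    TargetedUserProtectionAction        = 'Quarantine'
    EnableOrganizationDomainsProtection = $true
    TargetedDomainProtectionAction      = 'Quarantine'
    # Mailbox intelligence: learn each user's contacts, act on impersonation
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'   # Junk Email folder
}
if (-not (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AntiPhishPolicy @settings | Out-Null
}

# 2. The rule scopes the policy. A custom policy is only applied once a rule references it.
if (-not (Get-AntiPhishRule -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName `
        -SentToMemberOf $scopeGroup -Priority 0 | Out-Null
}

# 3. Read both objects back to confirm what is actually in force.
Get-AntiPhishRule -Identity $policyName |
    Format-List Name, State, Priority, SentToMemberOf
Get-AntiPhishPolicy -Identity $policyName |
    Format-List EnableTargetedUserProtection, TargetedUserProtectionAction,
                EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction
```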
Anti-Spam Policies
Inbound Anti-Spam Policies help protect your email inbox from unwanted and harmful emails. These policies are important because spam emails can waste time and lead to security problems, like phishing scams or viruses.
These policies work by checking incoming emails for things like the sender's reputation and the content of the email. You can create and adjust these policies to set rules for handling spam. This way, only legitimate emails reach your inbox, making your email safer and easier to use. Having strong inbound Anti-Spam Policies is crucial for keeping your organization safe from unwanted email threats.
Steps to Configure Anti-Spam Policies
- In Threat Policies, click Anti-spam.
- Click + Create Policy.
- Name: e.g., "Marketing Anti-Spam Policy".
- Adjust spam settings.
- Set the bulk email threshold (1-9) for detecting spam.
- Configure how to deal with spam emails.
- Click Submit.
Outbound Anti-Spam Policies
Outbound Anti-Spam Policies help stop your organization from sending spam emails. These policies are important because if a hacker gets into your email account, they can send unwanted emails that can harm your organization's reputation. These policies check the emails you send for signs of spam and can block or hold them for review. They also limit how many emails can be sent quickly and notify administrators if spam is found. In short, strong outbound Anti-Spam Policies protect your organization and help maintain good relationships with customers and partners.
Steps to Configure Outbound Anti-Spam Policies
- In Anti-spam, go to the Outbound Spam section.
- Click + Create Policy.
- Name: Outbound Anti-Spam for Marketing
- Set up rules for handling outbound spam.
- Click Create.
Anti-Malware Policies
Anti-malware policies are important for keeping your organization safe from harmful software, like viruses and ransomware. These policies check emails and attachments to find and stop malware before it can cause problems. By using strong Anti-Malware Policies, your organization can protect sensitive information and reduce the risk of security issues. In short, these policies help keep your systems secure and your data safe from online threats.
Steps to Configure Anti-Malware Policies
- Under Threat Policies, select Anti-malware.
- Click + Create Policy.
- Name the policy: e.g., "Marketing Anti-Malware Policy".
- Select the group or specific users.
- Enable Common Attachments Filter and Zero-Hour Auto Purge (ZAP).
- Click Submit.
Safe Attachments
Safe Attachments help keep your email safe by checking any files sent to you. When you get an email with an attachment, Safe Attachments scans it for viruses or harmful software. If it finds something dangerous, it can block or remove the file. This way, your computer and important information stay protected. Using Safe Attachments helps your organization stay safe from online threats.
Steps to Set Up Safe Attachments
- Go to Threat Policies and select Safe Attachments.
- Click + Create Policy.
- Name: e.g., "Safe Attachments for All Users".
- Enable dynamic analysis to scan email attachments.
- Click Submit.
Safe Links
Safe Links is a tool that helps protect you from harmful websites. When you click on links in your emails or documents, Safe Links checks if they are safe. If a link is dangerous, it will block it or send you to a safe version. This feature keeps your information and devices secure from phishing attacks and other online dangers, making your internet use safer.
Steps to Set Up Safe Links
- In Threat Policies, click Safe Links.
- Click + Create Policy.
- Name: e.g., "Safe Links for All Users".
- Enable real-time scanning of links in emails and Office apps.
- Click Submit.
Rules
Quarantine Policies
Quarantine policies help keep your email safe by checking for harmful messages. When an email looks suspicious, it is moved to a special area called quarantine instead of going to your inbox. This lets the IT team review the email before deciding what to do with it. Quarantine policies are important for protecting users and their information from threats while still allowing safe emails to get through. Regularly checking and updating these policies helps make sure they work well against new security problems.
Steps to Configure Quarantine Policies
- In Threat Policies, select Quarantine.
- Click + Add Custom Policy.
- Name: e.g., "High-Risk Quarantine Policy".
- Set criteria for phishing, malware, or spam emails.
- Click Submit.
Tenant Allow/Block Lists
Tenant Allow/Block Lists let you decide which email addresses or domains can send email to, or receive email from, your organization.
- Choose the Tenant Allow/Block Lists.
- Click on Add Blocked Entry.
- Type in the email address or domain you want to block (e.g., [email protected]).
- Click Save.
Email Authentication Settings
Email authentication settings help verify that emails are really from the person or organization they say they are from. This includes features like ARC and DKIM.
- Click Email Authentication Settings.
- Set up ARC and DKIM.
- Follow the instructions to set up ARC and DKIM for your domain.
- Make sure your DNS records are updated as needed.
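For the DNS step, the check below confirms that both DKIM selector CNAMEs are published with the targets the tenant expects before signing is switched on. It is an added example, not part of the original guide; the domain is a constructed placeholder, and `Resolve-DnsName` assumes a Windows host with the DnsClient module.

```powershell
# Added example. Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).
$domain = 'contoso.example'    # constructed placeholder for your custom domain

# Create the signing config in a disabled state if it does not exist yet,
# so the service reports the CNAME targets it expects to find in DNS.
$cfg = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $cfg) {
    $cfg = New-DkimSigningConfig -DomainName $domain -Enabled $false
}

$expected = @{
    "selector1._domainkey.$domain" = $cfg.Selector1CNAME
    "selector2._domainkey.$domain" = $cfg.Selector2CNAME
}

# Compare what is published with what the tenant expects.
$problems = foreach ($name in $expected.Keys) {
    $want = $expected[$name].TrimEnd('.')
    $rec  = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object NameHost | Select-Object -First 1
    if (-not $rec) {
        "$name : no CNAME published (expected $want)"
    }
    elseif ($rec.NameHost.TrimEnd('.') -ne $want) {
        "$name : points to $($rec.NameHost), expected $want"
    }
}

if ($problems) {
    # Leave DKIM disabled: enabling it against missing or wrong records fails.
    $problems | ForEach-Object { Write-Warning $_ }
}
else {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    Get-DkimSigningConfig -Identity $domain | Format-List Domain, Enabled, Status
}
```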
Advanced Delivery
Advanced delivery lets you manage special situations when emails need to go through rules differently.
- Click on Advanced Delivery.
- Set Overrides: Specify when emails should bypass normal rules.
- Create the SecOps Mailbox.
- Choose or create an email address for the security team, like technetshifan.onmicrosoft.com.
- Then click Save.
Enhanced Filtering
Enhanced filtering ensures that emails are checked properly, especially when emails don’t go through Exchange Online Protection (EOP) first.
- Select Enhanced Filtering.
Enhanced Filtering for Connectors helps filter emails based on where the messages originally come from, not just the connector's source IP address. It checks the earlier steps in the message's path to find the actual source of the emails, ignoring the connector's IP.
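The effect of skipping the connector's IP can be seen by walking a message's `Received` headers. The function below is an added, simplified model written for this guide, not Microsoft's implementation; the headers and addresses are constructed samples from documentation ranges, and only IPv4 literals are handled.

```powershell
# Added example: simplified model of "skip the connector IP, find the real source".
function Get-OriginalSourceIp {
    param(
        [string[]] $ReceivedHeaders,      # newest hop first, as stored in the message
        [string[]] $SkipIPs = @()         # relay/gateway addresses to look past
    )
    foreach ($header in $ReceivedHeaders) {
        # The receiving server records the sender's address as "[a.b.c.d]".
        if ($header -match '\[(?<ip>\d{1,3}(?:\.\d{1,3}){3})\]') {
            if ($SkipIPs -notcontains $Matches['ip']) {
                return $Matches['ip']     # first hop that is not a trusted relay
            }
        }
    }
    return $null                          # every hop was a skipped relay
}

# Constructed sample: mail passes through a third-party gateway before Microsoft 365.
$headers = @(
    'Received: from gw.contoso.example (gw.contoso.example [203.0.113.10]) by mx.protection.example; Mon, 01 Jan 2024 10:00:02 +0000'
    'Received: from mail.sender.example (mail.sender.example [198.51.100.25]) by gw.contoso.example; Mon, 01 Jan 2024 10:00:01 +0000'
)

# Without skipping, every message appears to come from the gateway itself,
# so reputation and SPF checks are evaluated against the wrong address.
$naive    = Get-OriginalSourceIp -ReceivedHeaders $headers
# With the gateway listed as a skip IP, the true sender is recovered.
$filtered = Get-OriginalSourceIp -ReceivedHeaders $headers -SkipIPs '203.0.113.10'

"Connector IP seen without Enhanced Filtering: $naive"      # 203.0.113.10
"Source IP after skipping the gateway:          $filtered"  # 198.51.100.25

# The corresponding tenant setting on the inbound connector (placeholder name):
#   Set-InboundConnector -Identity '<connector name>' -EFSkipIPs 203.0.113.10
# or, to skip only the last hop automatically:
#   Set-InboundConnector -Identity '<connector name>' -EFSkipLastIP $true
```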
Conclusion
Creating threat policies in Microsoft Defender for Office 365 is very important for keeping your organization safe from cyber threats like phishing, malware, and spam. By following the steps to set up and customize these policies, you can improve email security and protect sensitive information. Regularly checking and updating these policies helps keep them effective against new threats. With the right protections, you can ensure a safer working environment for your employees and your organization.