1.2 Defender for Office 365
Defender for Office 365 protects email (Exchange Online), Teams, SharePoint, and OneDrive against phishing, malware, and business email compromise. Email is the number one attack vector, and Defender for Office 365 is what stands between a phishing email and the user’s inbox.
Figure 1.2: Email passes through Safe Links, Safe Attachments, and anti-phishing before delivery. ZAP can retroactively remove threats discovered after delivery.
Core components
Safe Links. URL rewriting at delivery and scanning at click time. Links in the message body are wrapped so that when a user clicks, Safe Links checks the destination at that moment, not only when the email was delivered. This matters because attackers commonly use delayed detonation: the URL is clean when the email is delivered and weaponised hours later. (Whether a user can click through a warning page is a policy setting; assume the default is tenant-specific and verify it during an investigation.)
Safe Attachments. Sandboxes email attachments in a detonation environment before delivery. The file is opened in a virtual machine, its behaviour is observed, and the email is blocked if the attachment is malicious. This adds a small delivery delay but catches zero-day malware that signature-based detection misses; the Dynamic Delivery action reduces the delay by delivering the message body immediately and swapping the attachment in once detonation completes.
Anti-Phishing Policies. Impersonation protection for specific users (CEO, CFO) and domains (your organisation, your key partners). Mailbox intelligence that learns each user’s communication patterns and flags emails that deviate. Spoof intelligence that detects forged sender addresses.
Zero-hour Auto Purge (ZAP). Retroactive removal of delivered emails when the verdict changes after delivery.
If a URL is clean at delivery but flagged as malicious 30 minutes later, ZAP pulls the email from the user's mailbox automatically. This is why you sometimes see emails disappear from inboxes: ZAP is doing its job. During investigations, check EmailPostDeliveryEvents for ZAP actions (ActionType values such as Phish ZAP and Malware ZAP, with ActionResult telling you whether the removal succeeded).
Automated Investigation and Response (AIR). When a threat is detected, AIR investigates related emails, identifies all recipients of the same campaign, and recommends or executes remediation: soft delete, hard delete, block sender.
Threat Explorer and Real-time Detections. The investigation interface for analysts. Search email flow, view detection verdicts, trace phishing campaigns, and take manual actions on specific emails. You will use Threat Explorer extensively in the AiTM investigation (Module 13) and BEC investigation (Module 14).
Campaign Views. Aggregates related phishing or malware emails into campaign clusters, showing the scope and progression of a coordinated attack.
Key data tables for investigation
- EmailEvents — every email processed (sender, recipient, subject, verdict)
- EmailUrlInfo — URLs contained in emails
- EmailAttachmentInfo — attachment metadata
- EmailPostDeliveryEvents — post-delivery actions (ZAP removals, user reports)
- UrlClickEvents — Safe Links click tracking
All five tables carry NetworkMessageId, which is the join key between them; a single message that reached several recipients has one NetworkMessageId and one EmailEvents row per recipient.
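The following is an added example, not a query from the module: an advanced hunting (KQL) query that answers the "did ZAP actually remove it from every mailbox" question for one message. It assumes you already have the message's NetworkMessageId (the placeholder GUID below is constructed; paste the real one from Threat Explorer) and that ActionResult reads "Success" for a completed removal, which you should confirm against your own tenant's data.

```kql
// Added example (not part of the module). Verify ZAP coverage for a single phishing message:
// which recipients had it removed, which removals failed, and who still needs manual remediation.
let suspectMessage = "00000000-0000-0000-0000-000000000000"; // constructed placeholder: real NetworkMessageId goes here
let lookback = 7d;                                            // assumed search window
// One row per recipient of the message, with the delivery verdict and latest known location
let recipients =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where NetworkMessageId == suspectMessage
    | project NetworkMessageId, RecipientEmailAddress, Subject, SenderFromAddress,
              DeliveryAction, LatestDeliveryAction, LatestDeliveryLocation;
// The most recent ZAP attempt per recipient (phish or malware verdict change)
let zapActions =
    EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | where NetworkMessageId == suspectMessage
    | where ActionType in~ ("Phish ZAP", "Malware ZAP")
    | summarize arg_max(Timestamp, ActionType, ActionResult) by NetworkMessageId, RecipientEmailAddress
    | project NetworkMessageId, RecipientEmailAddress,
              ZapTime = Timestamp, ZapType = ActionType, ZapResult = ActionResult;
recipients
| join kind=leftouter zapActions on NetworkMessageId, RecipientEmailAddress
| extend ZapStatus = case(
      ZapResult =~ "Success", "Removed by ZAP",                     // assumed value for a completed removal
      isnotempty(ZapResult), strcat("ZAP attempted: ", ZapResult),  // e.g. failed or pending
      "No ZAP action: confirm in mailbox and remediate manually")
| project RecipientEmailAddress, Subject, SenderFromAddress,
          DeliveryAction, LatestDeliveryAction, LatestDeliveryLocation,
          ZapTime, ZapType, ZapStatus
| order by ZapStatus asc, RecipientEmailAddress asc
```

Rows whose ZapStatus is "No ZAP action" are the ones to remediate from Threat Explorer or AIR; LatestDeliveryLocation on the EmailEvents side should agree with the ZAP result (a successfully zapped message no longer shows the inbox as its latest location), so a mismatch is worth a second look before you close the case.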
How it connects to the ecosystem
Alerts feed into the Defender XDR unified incident queue. Phishing email alerts correlate with Entra ID sign-in alerts, because a successful phish usually ends in credential or session-token theft followed by a sign-in the user did not perform. The Email* and UrlClickEvents tables are queryable in advanced hunting and, when the connector is enabled, in Sentinel, so a click on a phishing link can be joined to the sign-ins that followed it. AIR actions are visible in the unified action centre.
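As an added example (not from the module) of the phishing → compromise chain described above, the KQL query below starts from messages that ZAP reclassified as phish, finds users who were allowed through a Safe Links click on one of those messages before the verdict changed, and then lists successful Entra ID sign-ins for those users in the two hours after the click. It assumes the Defender XDR AADSignInEventsBeta table is available in your tenant; in Sentinel the same join works against SigninLogs with UserPrincipalName, IPAddress and ResultType in place of AccountUpn, IPAddress and ErrorCode. The 7-day lookback and 2-hour window are assumptions to tune.

```kql
// Added example (not part of the module). Trace delayed-detonation phish → allowed click → sign-in.
let lookback = 7d;   // assumed search window
let window = 2h;     // assumed "sign-in soon after click" window
// Messages whose verdict changed to phish after delivery (ZAP fired)
let zappedMessages =
    EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | where ActionType =~ "Phish ZAP"
    | summarize ZapTime = min(Timestamp) by NetworkMessageId, RecipientEmailAddress;
// Safe Links clicks on those messages that the user was able to follow
let allowedClicks =
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | where Workload =~ "Email"
    | where ActionType =~ "ClickAllowed" or IsClickedThrough == true
    | project ClickTime = Timestamp, AccountUpn, Url,
              UrlHost = tostring(parse_url(Url).Host), NetworkMessageId, ClickVerdict = ActionType;
// Successful sign-ins (ErrorCode 0) with the fields needed to spot an unfamiliar source
let signIns =
    AADSignInEventsBeta
    | where Timestamp > ago(lookback)
    | where ErrorCode == 0
    | project SignInTime = Timestamp, AccountUpn, IPAddress, Country, Application, SessionId;
zappedMessages
| join kind=inner allowedClicks on NetworkMessageId
| where ClickTime < ZapTime          // the click beat the verdict change: credentials may have been entered
| join kind=inner signIns on AccountUpn
| where SignInTime between (ClickTime .. ClickTime + window)
| project AccountUpn, ClickTime, UrlHost, Url, ClickVerdict, ZapTime,
          SignInTime, IPAddress, Country, Application, SessionId
| order by AccountUpn asc, SignInTime asc
```

A sign-in from a country or IP range the user never uses, landing inside the window, is the pivot point into the identity investigation: that SessionId and IPAddress are what you carry into the AiTM (Module 13) and BEC (Module 14) playbooks.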
Licensing
| Tier | What you get | Included in |
|---|---|---|
| P1 | Safe Links, Safe Attachments, anti-phishing, real-time detections | Business Premium (or add-on) |
| P2 | Everything in P1 plus Threat Explorer, Campaign Views, AIR, Attack simulation training, and the Email*/UrlClickEvents advanced hunting tables | M365 E5 (or add-on) |
Key takeaways
- Email is the number one attack vector — Defender for Office 365 is the front door defence
- Safe Links checks URLs at click time, catching delayed detonation attacks
- ZAP retroactively removes threats from inboxes after delivery — check EmailPostDeliveryEvents
- Threat Explorer (P2) is the primary investigation tool for email-based attacks
- The Email* tables correlate with sign-in logs to trace phishing → compromise chains
Investigation decision: Suspicious email reported
Check your understanding
1. A phishing URL is clean at delivery but weaponised two hours later. Which feature catches this?
2. You discover a phishing email was delivered to 15 users. ZAP has already removed it from 12 mailboxes. Where do you verify ZAP actions?