AD2 — Protecting Email with Defender for Office 365
Identity is the perimeter. Email is the delivery mechanism.
In Module AD1, you built the identity controls that stop 99.9% of credential attacks — even when the attacker has the password, MFA and conditional access block the sign-in. But the phishing emails that deliver those attacks are still reaching your users' inboxes. Every day, your users see emails with malicious links, weaponised attachments, and spoofed sender addresses that Exchange Online Protection's default filtering doesn't catch. Some users click. Some enter credentials. Your identity controls catch the aftermath — but catching the email before the user sees it is better than catching the attacker after they try to sign in.
Your M365 E3 license includes Defender for Office 365 Plan 1 — Safe Links, Safe Attachments, and enhanced anti-phishing. These features are included in your license but not active until you create and assign policies. This module walks you through configuring each one, setting up email authentication records (SPF, DKIM, DMARC) that prevent domain spoofing, building the user-reported phishing workflow, and investigating reported phishing emails using message trace.
The result: phishing reaching your users drops by 60% or more, malicious attachments are detonated in a sandbox before delivery, your domain can't be spoofed by external attackers, and you have a clear workflow for when a user reports "I think I got a phishing email."
What you will learn
- Why Exchange Online Protection's default filtering is not enough and what Defender for Office 365 Plan 1 adds
- Configuring Safe Links policies with URL rewriting, click-time scanning, and real-time URL detonation
- Configuring Safe Attachments policies with dynamic delivery (users get the email immediately, attachment delivered after scanning)
- Anti-phishing policies beyond defaults — impersonation protection, mailbox intelligence, and spoof intelligence
- SPF record creation and validation for your domain
- DKIM key configuration in the Defender portal and DNS
- DMARC policy deployment from monitoring (p=none) to enforcement (p=reject)
- Anti-spam policy tuning — what to tighten and what to leave alone
- The user-reported phishing workflow — from Report Message button to admin investigation
- Investigating a reported phishing email using message trace and Threat Explorer
- Email protection monitoring — what to check weekly and what the metrics mean
Subsections
- AD2.1 Why Default Email Filtering Is Not Enough
- AD2.2 Safe Links: URL Protection That Works at Click Time
- AD2.3 Safe Attachments: Sandboxing Before Delivery
- AD2.4 Anti-Phishing Policies Beyond Defaults
- AD2.5 SPF: Declaring Who Can Send as Your Domain
- AD2.6 DKIM: Signing Your Outbound Email
- AD2.7 DMARC: Enforcing Email Authentication
- AD2.8 Anti-Spam Tuning
- AD2.9 User-Reported Phishing Workflow
- AD2.10 Investigating a Reported Phishing Email
- AD2.11 Interactive Lab: Email Protection Deployment
- AD2.12 Module Summary
- AD2.13 Check My Knowledge
You're reading the free modules of M365 Security: From Admin to Defender