AD2.1 Why Default Email Filtering Is Not Enough
Figure AD2.1 — EOP catches known threats using signature matching and reputation. Defender for Office 365 Plan 1 adds click-time URL scanning, attachment sandboxing, and impersonation detection — catching the sophisticated phishing that EOP misses. Both are included in E3. EOP is active by default. Defender for Office 365 requires policy configuration.
What gets through EOP — real examples
The phishing emails that compromise M365 tenants are not the ones EOP catches. They are the ones EOP misses. Understanding why they get through tells you exactly what Defender for Office 365 fixes.
Credential phishing on newly registered domains. The attacker registers a domain 24 hours before the campaign — microsoftonline-verify.com, m365-security-update.net, or something equally plausible. The domain has no reputation — it's never sent spam, never hosted malware, never appeared on any blocklist. EOP has no basis to block it. The email contains a link to a convincing Microsoft login page hosted on this new domain. The user clicks, enters their credentials, and the attacker captures them. Defender for Office 365 Safe Links catches this because it scans the URL at click time — even if the URL was clean at delivery, Safe Links checks the destination when the user actually clicks. If the destination is a credential harvesting page, Safe Links blocks it.
Weaponised documents with no known signature. The attacker sends a Word document that uses a macro to download a payload from a legitimate file-sharing service (Dropbox, Google Drive, SharePoint). The document itself doesn't contain malware — the malware is downloaded after the user opens the document and enables macros. EOP's signature-based scanning doesn't flag it because the document is clean. Defender for Office 365 Safe Attachments catches this because it opens the document in a sandbox, observes the macro execution, watches the payload download, and blocks delivery if the behavior is malicious.
CEO impersonation via display name spoofing. The attacker creates a Gmail account with the display name "James Morrison — CEO" and sends an email to the finance team: "I need you to process this wire transfer urgently." The email comes from a legitimate Gmail address, not from your domain, so SPF and DKIM pass for Gmail. EOP doesn't flag it because it's technically a legitimate email from Gmail — there's no spoofing of your domain. Defender for Office 365 anti-phishing with impersonation protection catches this because it compares the display name against your protected users list and flags the mismatch between the display name (your CEO) and the sender domain (Gmail).
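The display-name check described above, written out as an added PowerShell example (not the course's or Microsoft's code). It assumes a protected-users list containing the "James Morrison" example, the course's northgateeng.com domain, and constructed From headers; ASCII names only.

```powershell
# Added example: flag display-name impersonation the way the module describes it.
# The protected user, the internal domain and the From headers are constructed.
$ProtectedUsers  = @(@{ Name = 'James Morrison'; Address = 'james.morrison@northgateeng.com' })
$InternalDomains = @('northgateeng.com')

function Get-NormalizedName {
    param([string]$Name)
    # Lower-case, drop titles and punctuation, collapse whitespace, so that
    # "James Morrison - CEO" and "JAMES MORRISON" compare equal (ASCII names assumed).
    $n = $Name.ToLowerInvariant()
    $n = $n -replace '[^a-z\s]', ' '
    $n = $n -replace '\b(ceo|cfo|cio|mr|mrs|ms|dr)\b', ' '
    return ($n -replace '\s+', ' ').Trim()
}

function Test-DisplayNameImpersonation {
    param([string]$FromHeader)
    # Parse "Display Name <user@domain>"; a bare address carries no display name to check.
    if ($FromHeader -notmatch '^\s*"?(?<name>[^"<]*?)"?\s*<(?<addr>[^>]+)>\s*$') { return $null }
    $display = $Matches.name.Trim()
    $address = $Matches.addr.Trim().ToLowerInvariant()
    $domain  = $address.Split('@')[-1]
    $normDisplay = Get-NormalizedName $display
    foreach ($user in $ProtectedUsers) {
        $normUser = Get-NormalizedName $user.Name
        # Protected name in the display name, but the address is not that user's real mailbox.
        if ($normDisplay -like "*$normUser*" -and $address -ne $user.Address.ToLowerInvariant()) {
            return [pscustomobject]@{
                From           = $FromHeader
                Impersonates   = $user.Name
                ExternalDomain = ($InternalDomains -notcontains $domain)
            }
        }
    }
    return $null
}

# Constructed headers: the first two are flagged, the last two are not.
@(
    '"James Morrison - CEO" <jmorrison.office@gmail.com>',
    'James Morrison <james.morrison@northgateeng-mail.com>',
    'James Morrison <james.morrison@northgateeng.com>',
    'Accounts Payable <ap@vendor.example>'
) | ForEach-Object { Test-DisplayNameImpersonation $_ } | Format-Table -AutoSize
```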
Checking your current email threat exposure
Before you configure Defender for Office 365, assess what's currently getting through. Navigate to security.microsoft.com → Email & collaboration → Explorer (or Reports → Email & collaboration reports if you don't have Threat Explorer).
If you have access to the Threat & vulnerability management reports, check the "Threat protection status" report. This shows the volume of email threats detected by type (malware, phish, spam) and the verdict (blocked, delivered, delivered to junk). The "Delivered" column tells you how many threats reached user inboxes despite EOP filtering.
If you don't have access to Explorer (it requires P2), use the simpler reports. Navigate to security.microsoft.com → Reports → Email & collaboration → Mailflow status summary. This shows total email volume and the percentage categorized as spam, phish, or malware. Even at the summary level, this tells you whether phishing emails are reaching users.
For a practical test of your current state, ask your users: "How many suspicious emails did you receive this week?" If the answer is more than zero, those are the emails EOP didn't catch. Each one is a potential compromise if the user clicks.
You can also check the message trace for phishing delivery. Navigate to the Exchange admin center (admin.exchange.microsoft.com) → Mail flow → Message trace. Search for emails delivered in the last 7 days where the subject contains common phishing keywords: "password expires," "account suspended," "verify your identity," "urgent action required." Review the results — if any of these were delivered to user inboxes (not quarantined), your email filtering has gaps that Defender for Office 365 closes.
For a more systematic check, use PowerShell to query message trace data for the last 7 days and identify delivered emails from external senders with suspicious patterns:
# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline
$start = (Get-Date).AddDays(-7)
$end = Get-Date
# Find all delivered emails from external senders.
# Replace northgateeng.com with your own accepted domain(s).
# Get-MessageTrace returns 1,000 rows per page by default; -PageSize 5000 is the
# maximum, and busier tenants need to loop over -Page to see every message.
Get-MessageTrace -StartDate $start -EndDate $end -Status "Delivered" -PageSize 5000 |
Where-Object { $_.SenderAddress -notlike "*@northgateeng.com" } |
Group-Object SenderAddress |
Sort-Object Count -Descending |
Select-Object Name, Count -First 20
This shows which external senders delivered the most email to your organization in the last week. Review the top senders — are they all legitimate? If you see a sender you don't recognize delivering 50+ emails, investigate the content. Volume alone isn't suspicious (newsletters, vendor communications), but an unfamiliar sender delivering high volume warrants a closer look.
You can also check specifically for emails that EOP flagged but delivered anyway — the ones that landed in Junk rather than being blocked:
# Messages EOP classified as spam and routed to Junk (status FilteredAsSpam);
# $start and $end are the 7-day window defined above.
Get-MessageTrace -StartDate $start -EndDate $end -Status "FilteredAsSpam" -PageSize 5000 |
Group-Object Subject |
Sort-Object Count -Descending |
Select-Object Name, Count -First 10
Repeated subjects in the spam filter (the same phishing subject hitting multiple users) indicate a campaign targeting your organization. These are the emails Defender for Office 365 would have caught before delivery with Safe Links and Safe Attachments — and the evidence for why you need to configure those controls now.
One more check: verify whether Microsoft's preset security policies are active. Navigate to security.microsoft.com → Policies & rules → Threat policies → Preset security policies. Microsoft provides two presets — "Standard protection" and "Strict protection" — that configure Safe Links, Safe Attachments, and anti-phishing with recommended settings. If neither is active, no preset protection is applied. For most organizations, the "Standard protection" preset is a reasonable starting point — but building your own policies (as this module teaches) gives you control over every setting. If you want to get protection running in 2 minutes before customising, enable the Standard preset and refine it later.
The deployment sequence for email protection
Email protection follows the same phased approach you used for identity in Module AD1. The sequence is: Safe Links first (highest impact, lowest blast radius), then Safe Attachments (high impact, small delay to email delivery), then anti-phishing tuning (medium impact, requires understanding your organization's communication patterns), then email authentication (SPF, DKIM, DMARC — high impact but requires DNS access and careful rollout).
Each of the following subsections covers one control with step-by-step configuration, blast radius analysis, testing procedures, and monitoring queries. By the end of this module, your email protection will be fully configured and your phishing exposure will drop from "whatever EOP catches" to "95%+ blocked before delivery."
You've completed Module AD1 (identity — MFA and conditional access deployed). You're about to start configuring email protection. A colleague suggests: "Why bother with email protection? MFA catches the credential theft anyway." Is this reasoning sound?
Option A: Yes — MFA stops credential attacks regardless of how the credentials were obtained, so email protection is redundant.
Option B: No — email protection and identity controls address different parts of the attack chain, and both are needed.
The correct answer is Option B. MFA stops the attacker from using stolen credentials, but it doesn't stop the phishing email from reaching the user. Each phishing email that reaches a user's inbox creates risk: the user might enter credentials on an AiTM proxy that captures the session token (bypassing MFA), the user might download a malware payload that doesn't require credentials at all, or the user might forward the email to colleagues who aren't as security-aware. Email protection reduces the volume of threats users face. Identity controls catch what gets through. Defense in depth — not either/or.
Try it: Check your email threat exposure
Navigate to security.microsoft.com → Reports → Email & collaboration reports. Open the "Threat protection status" report if available, or the "Mailflow status summary" report.
Record three numbers: total email volume for the last 30 days, the number of emails categorized as phishing, and the number of phishing emails that were delivered to user inboxes (not quarantined or blocked). If the "delivered phishing" count is greater than zero, those are the emails that Defender for Office 365 Safe Links and Safe Attachments would have caught.
Now navigate to the Exchange admin center → Mail flow → Message trace. Search for the last 7 days with a subject filter for "password" or "verify." Review any results that show "Delivered" status. These are potential phishing emails that reached user inboxes — each one is evidence for why email protection beyond EOP defaults is necessary.
You're reading the free modules of M365 Security: From Admin to Defender