Module 8: Defender for Office 365 Policies & Protection
Email is the number one attack vector. Over 90% of successful breaches begin with a phishing email. Defender for Office 365 is the protection layer between the attacker’s email and your users’ inboxes.
This module teaches you to configure every protection policy, understand their detection mechanisms and limitations, monitor their effectiveness with KQL, and use Threat Explorer for email investigation. Each protection layer has specific strengths and known limitations. Understanding both is what separates effective security configuration from checkbox compliance. The adversary-in-the-middle (AiTM) phishing campaign in Module 13 succeeded partly because of configuration gaps in email protection. This module teaches you to close those gaps.
Defender for Office 365 P2 (included in M365 E5) is required for Threat Explorer, Automated Investigation and Response (AIR), and Campaign Views. P1 provides Safe Links, Safe Attachments, and anti-phishing protection. If your organization has P1 only, you can configure all protection policies but will have limited investigation tools. The KQL queries in this module work with any plan that has the M365 Defender connector enabled in Sentinel (Module 5.6).