top of page
  • Writer's pictureNathan Hutchinson

Getting started with Defender for Office 365: Part 2

In part 1 of our Defender for Office 365 series we talked about licensing, quarantine policies, anti-phishing, anti-spam and anti-malware policies, if you missed part 1 you can read it here.

Lets continue where we left off, in the Threat Policies tab of the Defender Security portal and we'll start with Safe Attachments.

Safe Attachments

Safe attachments adds additional protection to your environment for attachments received via email and files in SharePoint, OneDrive and Teams. The feature 'detonates' the attachments in a virtualised environment before delivering them to the recipients mailbox, therefore checking the attchment for any malware.

As with the other policies go ahead and create a new policy, give it a name and description, apply it to your users, groups or domains and move onto the policy settings.

Safe attachments policy settings have five main configuration options, and each option has a description provided, we are going to use the Replace option, I believe this is the best option to start with, another good option is Dynamic Delivery however I've found this often causes confusion for end users as they can recieve the email instantly and in some cases it can take a long time for the attachment to come through causing frustration and confusion. Here we will also apply our preferred quarantine policy for any emails caught with malware, we will use our custom policy we created earlier.

You may decide that you want to redirect email caught with malware to a mailbox that you can monitor yourselves, to do this enable the checkbox and provide the email address to send the captured emails to, remember to enable the detection response for timeout errors also.

Submit to create the policy.

You may notice just like the quarantine policies, safe attachments also has a global settings option.

Some of these settings such as Safe Documents require Defender for Endpoint as part of either Microsoft 365 E5 or the E5 security add-on.

Safe Links

Safe links provides URL scanning, rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages and other locations. Safe links can protect users from malicious links used for attacks such as phishing.

Create and name your policy, target your users and then get to configuring the main settings.

The below settings are my recommendations, just remember to add any URLs you might not want scanning by the service here. A scenario I often find that requires this, is when sending the Datto RMM link via email, if the URL for the installer has not been added, Safe Links will scan the URL, causing the agent to download and install on the VM that detonates the link, the VM will never be accessible, but you can easily end up with lots of stale devices in RMM if not careful.

Choose your preferred notification method, I usually opt for the default notification initially.

Submit and create your policy.

Just like safe attachments, safe links also has global settings you can configure.

Configuration Analyser

Now that we've created our starting baseline policies, we can use the built in analyser to review the policies we've created which will provide recommendations for our policy configuration to improve security.

The analyser allows you to review your policies based on a standard baseline and a strict baseline. The tool will review all policies, including the default ones, I would recommend leaving the default policies as they are and ignoring any recommendations for those, the other however I would review and tweak as necessary. The end goal of the tool is to further enhance the security of your policies and you should use this to your advantage however keep in mind that the tool does not know your organisation requirements or your users so you'll want to make up your own mind on the recommendations, it's OK to start small and update based on the recommendations periodically.


These policies should give you a strong starting point for using Defender for Office 365, in part 3 of this series I will explore Attack simulation training and how to launch your own campaigns to test your users!

148 views0 comments


bottom of page