ThirdSpace ThirdSpace
Close 0 Reset Search Run Search What are you looking for? Type at least three characters to search. Filter Search Results
  • All Content
  • Blog
  • Page
  • Case Studies
  • Event
  • Resources
  • News
  • Careers
  • Access Centre
  • Technologies
  • Workshops
  • Service
  • Solutions
  • People
Load more
22 June 2020

The top 5 features of Microsoft Defender for Office 365

Paul Rouse

Intelligent anti-phishing technology, automated investigations, and attack simulation – let’s explore some of the advanced protection powers found within Microsoft Defender for Office 365.

Here at ThirdSpace, we’re big fans of Microsoft Defender for Office 365.

Like all of Microsoft’s mobility and security technologies, Microsoft Defender for Office 365 (previously called Officer 365 Advanced Threat Protection) is an ever-evolving product with new features constantly being added and refined.

In this blog, I will cover my top five features of Defender for Office 365, how they work, and how they differentiate Defender for Office 365 from competitor offerings to make it a truly compelling security solution.


The best Microsoft Defender for Office 365 features explained

1. Safe Links and Safe Attachments

One of the key protection technologies within Defender for Office 365 is Safe Links & Safe Attachments.

These technologies enhance protection levels against zero-day threats as they can analyse links in emails and office documents.

They also open attachments in emails to find any potential threats hidden inside.

Both Safe Links and Safe Attachment policies apply to internal and external emails in real-time. This is a capability unique to Defender for Office 365 and one that no third party has been able to match.

Safe Links

When a user clicks a link in an email or document, Safe Links checks if the link is malicious by redirecting the link to a secure server in the Microsoft 365 environment.

This server then checks the link against a list of known malicious web sites.

If the site is deemed safe, the browser is redirected to the original link destination. If the site is on the block list, the user is blocked, and the browser displays a warning page to the end-user.

The Safe Links URL wrapping service processes links and encapsulates them within the email or document permanently.

This protection persists for the life of the message, meaning the link will be re-processed and evaluated at every click.

It doesn’t matter if this is a few hours, days, or even years later – the protection still applies.

This defends against attackers who hide malicious URLs with seemingly safe links that are subsequently redirected to unsafe sites after the message has been delivered.

Should a link point to a downloadable file, Safe Links can be configured to execute and scan the file within the sandbox and detonation chamber.

Within this sandbox area, Microsoft Defender will evaluate the content and provide a verdict on whether to allow the end-user to access the file.

This protection extends to links contained in Office applications (Word, Excel, and PowerPoint) and is coming to Teams later in 2020.

Safe Attachments

Office 365 Safe Attachment policies also route any attachments that do not have a known virus or malware signature to a special hypervisor environment for behavioural analysis.

This environment uses a variety of machine learning and analysis techniques to detect malicious intent. Only if no suspicious activity is detected is the attachment released for delivery to the user’s mailbox.

This protection from malware-infected content in Defender for Office 365 also applies beyond email.

If malicious files or links are uploaded to SharePoint or OneDrive for Business and shared, even via Microsoft Teams, Defender for Office 365 will detect it, block it, and prevent the file from being opened or shared in the future.


2. Anti-Phishing – Mailbox Intelligence

Defender for Office 365 possesses significant capabilities to prevent phishing, including impersonation protection to protect your users from lookalike domain attacks.

But one of my favourite unique capabilities of Defender for Office 365 is Mailbox Intelligence.

Mailbox Intelligence uses artificial intelligence (AI) to understand who a user typically communicates with via email (both inside and outside of your organisation).

This allows the system to build a map of usual communication paths between users.

Microsoft Defender for Office 365 then uses this map as a contributing factor in determining the risk an email poses to the recipient.

For example, if an email passes upstream checks but purports to be from the CFO who the recipient has had no prior email correspondence with (or is using a different email address compared to previous communications), Defender can insert warnings directly into the message or quarantine the message entirely.

As warning and alerting decisions are based on previous communication patterns and AI, this ensures a high rate of “true positives” where action is only taken on emails that exhibit a real risk.

This also increases the warning’s effectiveness and reduces the risk of users ignoring or becoming desensitised to them.

Webinar: Understanding Advanced Threat Protection (ATP)

Watch on-demand for a breakdown of each ATP technology and discover how to:

  • Protect email, files and apps against attacks
  • Proactively detect attacks and zero-day exploits
Watch on-demand now

3. Automated investigation and response (AIR)

One of Defender for Office 365’s most powerful features is the recent addition of automated investigation and response (AIR) capabilities.

AIR addresses some of the most common threats that security teams investigate in their day-to-day jobs and uses Office 365 alerts to trigger the use of predefined investigative playbooks.

These playbooks remove the manual effort involved in common email threat response and investigation tasks such as user-reported phishing emails.

When you use AIR in Defender for Office 365 it’s like employing a team of virtual analysts who are dedicated to the important, but often labour and time-intensive tasks associated with investigating email threats.

Upon completion of an automated investigation, security staff are simply required to approve or reject the automatically suggested actions to remediate the threat.

AIR also allows security teams to manually trigger automated investigations from the dashboard for any email and related content (attachment or URLs).

From my experience in previous roles on the frontline, I am all too aware of the volume of time-consuming, email-based investigations undertaken by security teams on a day to day basis.

The efficiencies introduced by AIR are a massive time saver and allow more effective use of security resource (which is often in short supply within most organisations).


4. Attack Simulator

65% of hackers use spear-phishing as the primary infection vector.

Symantec, 2020

Regular phishing and password strength tests are key to ensuring awareness of email and credential security with third-party platforms often being used to perform these tests.

This increases both the complexity and cost of securing your environment.

Microsoft Defender for Office 365 includes Attack Simulator functionality which allows you to perform phishing and credential strength tests using the following attack methods:

  • Spear phishing (credential harvest – URL-based)
  • Spear phishing (attachment-based)
  • Brute force (dictionary attack)
  • Password spray attack

The email-based attack simulations allow the use of a built-in email template editor which gives admins the ability to create custom, reusable email templates for all campaigns.

Credential-based attacks allow you the flexibility to tailor attacks to specific user groups. You can also use custom password lists to include passwords that you suspect are potentially in widespread use within your organisation.

The Attack Simulator also features advanced reporting capabilities to illustrate metrics such as fastest (or slowest) time to open an attack email, fastest (or slowest) time to click a link in the message, and more.

These metrics allow you to target training and awareness to the areas where it is most required.


5. Integration – Microsoft 365 Defender

Now I know I may be slightly biased, but I firmly believe that as a security solution, Microsoft Defender for Office 365 offers a depth of integration and interoperability that’s impossible to match.

Given the market share as the largest and most widely used technology company of its type in the world, Microsoft has access to an unparalleled view of cyber threats across its entire, global ecosystem every second of every day.

The result is an unrivalled and constantly growing database known as the Intelligent Security Graph.

This graph informs threat protection technologies across multiple services within the Microsoft 365 ecosystem.

This visibility and capability is impossible to match as a third-party solution provider with a dramatically smaller footprint.

Comprehensive coverage

Microsoft Defender for Office 365 protects email and collaboration but also forms part of the wider Microsoft 365 Defender suite that includes:

These technologies natively integrate across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.

All this functionality and protection can be possible without the overhead and complexity associated with multi-vendor solutions.

It also allows you to achieve an unequalled level of interoperability that is impossible to replicate.

To put this into context please consider the following:

  • Imagine the additional value your team could deliver if you could forget about interoperability complications and build your security operations around a platform with guaranteed compatibility across solutions.
  • Think of the additional value your security team could deliver if they only had to develop familiarity with a single security platform.

There are many benefits to be gained by removing the time wasted performing cross-platform/cross-portal investigations.

Time that can be saved by adopting a single platform where automated remediation across endpoint, identity, email, and applications is the default.



I know that was a lot to take in and there’s a lot of supporting functionality I haven’t yet touched on!

If you needed more reasons to be persuaded by Microsoft Defender for Office 365 it also includes:

  • Campaign Views (they’re great by the way!)
  • Detailed reporting and alerting functionality
  • Exciting new features coming down the pipeline (spoiler alert – there’s lots!)

I hope the features I have covered here have given you a flavour of what Defender for Office 365 is capable of and how it can benefit your organisation.


Next steps

You may also like...


The key to SOCcess – 5 things you need to consider for improved threat monitoring and response


What is a security operations centre (SOC)?


Identify, analyse and remediate: What is Microsoft 365 Defender?

Recent Blog Articles

View All
Paul Rouse
EMS Consultant
Learn More

Get in touch

We'd love to hear from you! Our friendly team can be reached Monday through Friday, from 9am to 5pm.

Contact Us
Award-winning solutions Award-winning solutions

Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.

ThirdSpace Please upgrade your browser

You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:

Windows Mac

Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.