22 June 2020

The top 5 features of Microsoft Defender for Office 365

Written by Paul Rouse

Intelligent anti-phishing technology, automated investigations, and attack simulation – let’s explore some of the advanced protection powers found within Microsoft Defender for Office 365.

Here at ThirdSpace, we’re big fans of Microsoft Defender for Office 365.

Like all of Microsoft’s mobility and security technologies, Microsoft Defender for Office 365 (previously called Office 365 Advanced Threat Protection) is an ever-evolving product with new features constantly being added and refined.

In this blog, I will cover my top five features of Defender for Office 365, how they work, and how they differentiate Defender for Office 365 from competitor offerings to make it a truly compelling security solution.

The best Microsoft Defender for Office 365 features explained

1. Safe Links and Safe Attachments

One of the key protection technologies within Defender for Office 365 is Safe Links and Safe Attachments.

These technologies enhance protection levels against zero-day threats as they can analyse links in emails and Office documents.

They also open attachments in emails to find any potential threats hidden inside.

Both Safe Links and Safe Attachments policies apply to internal and external emails in real time. This is a capability unique to Defender for Office 365 and one that no third party has been able to match.

Safe Links

When a user clicks a link in an email or document, Safe Links checks if the link is malicious by redirecting the link to a secure server in the Microsoft 365 environment.

This server then checks the link against a list of known malicious websites.

If the site is deemed safe, the browser is redirected to the original link destination. If the site is on the block list, the user is blocked, and the browser displays a warning page to the end-user.

The Safe Links URL wrapping service processes links and encapsulates them within the email or document permanently.

This protection persists for the life of the message, meaning the link will be re-processed and evaluated at every click.

It doesn’t matter if this is a few hours, days, or even years later – the protection still applies.

This defends against attackers who hide malicious URLs with seemingly safe links that are subsequently redirected to unsafe sites after the message has been delivered.

Should a link point to a downloadable file, Safe Links can be configured to execute and scan the file within the sandbox and detonation chamber.

Within this sandbox area, Microsoft Defender will evaluate the content and provide a verdict on whether to allow the end-user to access the file.

This protection extends to links contained in Office applications (Word, Excel, and PowerPoint) and is coming to Teams later in 2020.
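
Because the wrapped link stays in the message permanently, analysts triaging mail or click logs often need the original destination behind it. The sketch below is an added example, not code from this post or from Microsoft; it assumes the wrapper host ends in `.safelinks.protection.outlook.com` and carries the destination in the `url` query parameter, and the sample links are constructed.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: wrapper hosts look like <region>.safelinks.protection.outlook.com
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com"
MAX_LAYERS = 5  # forwarded mail can be wrapped more than once


def is_wrapped(url: str) -> bool:
    """True only for HTTPS links whose host is a Safe Links wrapper host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host.endswith(SAFELINKS_SUFFIX)


def unwrap(url: str) -> str:
    """Return the original destination; non-wrapped URLs come back unchanged."""
    for _ in range(MAX_LAYERS + 1):
        if not is_wrapped(url):
            return url
        target = parse_qs(urlsplit(url).query).get("url")
        if not target:
            raise ValueError("wrapped link carries no url parameter")
        url = target[0]
    raise ValueError("more than %d wrapper layers" % MAX_LAYERS)


def wrap_sample(url: str, region: str = "nam02") -> str:
    """Build a constructed wrapped link for testing (hypothetical helper)."""
    query = urlencode({"url": url, "data": "constructed", "reserved": "0"})
    return "https://%s%s/?%s" % (region, SAFELINKS_SUFFIX, query)


if __name__ == "__main__":
    original = "https://example.com/invoice?id=42"
    print(unwrap(wrap_sample(wrap_sample(original))))
    # A lookalike host is not treated as a wrapper and is returned as-is.
    print(unwrap("https://safelinks.protection.outlook.com.example.net/?url=x"))
```

Unwrapping only recovers the destination for analysis; it does not re-run the click-time verdict, so the recovered URL should be handled as untrusted.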

Safe Attachments

Office 365 Safe Attachment policies also route any attachments that do not have a known virus or malware signature to a special hypervisor environment for behavioural analysis.

This environment uses a variety of machine learning and analysis techniques to detect malicious intent. Only if no suspicious activity is detected is the attachment released for delivery to the user’s mailbox.

This protection from malware-infected content in Defender for Office 365 also applies beyond email.

If malicious files or links are uploaded to SharePoint or OneDrive for Business and shared, even via Microsoft Teams, Defender for Office 365 will detect it, block it, and prevent the file from being opened or shared in the future.

2. Anti-Phishing – Mailbox Intelligence

Defender for Office 365 possesses significant capabilities to prevent phishing, including impersonation protection to protect your users from lookalike domain attacks.

But one of my favourite unique capabilities of Defender for Office 365 is Mailbox Intelligence.

Mailbox Intelligence uses artificial intelligence (AI) to understand who a user typically communicates with via email (both inside and outside of your organisation).

This allows the system to build a map of usual communication paths between users.

Microsoft Defender for Office 365 then uses this map as a contributing factor in determining the risk an email poses to the recipient.

For example, if an email passes upstream checks but purports to be from the CFO, with whom the recipient has had no prior email correspondence (or who is using a different email address compared to previous communications), Defender can insert warnings directly into the message or quarantine the message entirely.

As warning and alerting decisions are based on previous communication patterns and AI, this ensures a high rate of “true positives” where action is only taken on emails that exhibit a real risk.

This also increases the warnings' effectiveness and reduces the risk of users ignoring or becoming desensitised to them.
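
To make the communication-map idea concrete, here is a simplified heuristic written for this article as an added example. It is not Microsoft's model: it only records which display names and addresses each recipient has received mail from, and classifies a new message against that history. All names and addresses are constructed.

```python
from collections import defaultdict


def build_contact_map(history):
    """history: iterable of (recipient, sender_address, display_name) tuples
    taken from previously delivered mail."""
    contacts = defaultdict(dict)
    for recipient, address, name in history:
        per_user = contacts[recipient.lower()]
        per_user.setdefault(name.strip().lower(), set()).add(address.lower())
    return contacts


def assess(contacts, recipient, address, name):
    """Classify a new message against the recipient's own history."""
    known = contacts.get(recipient.lower(), {})
    address = address.lower()
    name_key = name.strip().lower()
    if address in known.get(name_key, set()):
        return "known_contact"
    if name_key in known:
        # Familiar display name, unfamiliar address: the CFO case above.
        return "name_seen_with_different_address"
    if any(address in addrs for addrs in known.values()):
        return "known_address_new_name"
    return "first_contact"


# Constructed sample history for one recipient.
HISTORY = [
    ("sam@example.com", "dana.reed@example.com", "Dana Reed"),
    ("sam@example.com", "it-help@example.com", "IT Helpdesk"),
]

if __name__ == "__main__":
    contacts = build_contact_map(HISTORY)
    for addr, name in [("dana.reed@example.com", "Dana Reed"),
                       ("dana.reed@example.net", "Dana Reed"),
                       ("billing@example.org", "Billing Team")]:
        print(name, addr, "->", assess(contacts, "sam@example.com", addr, name))
```

A production system would weigh this signal with others, as the article describes, and would not act on it alone.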


3. Automated investigation and response (AIR)

One of Defender for Office 365’s most powerful features is the recent addition of automated investigation and response (AIR) capabilities.

AIR addresses some of the most common threats that security teams investigate in their day-to-day jobs and uses Office 365 alerts to trigger the use of predefined investigative playbooks.

These playbooks remove the manual effort involved in common email threat response and investigation tasks such as user-reported phishing emails.

When you use AIR in Defender for Office 365, it’s like employing a team of virtual analysts who are dedicated to the important, but often labour- and time-intensive, tasks associated with investigating email threats.

Upon completion of an automated investigation, security staff are simply required to approve or reject the automatically suggested actions to remediate the threat.

AIR also allows security teams to manually trigger automated investigations from the dashboard for any email and related content (attachment or URLs).

From my experience in previous roles on the frontline, I am all too aware of the volume of time-consuming, email-based investigations undertaken by security teams on a day-to-day basis.

The efficiencies introduced by AIR are a massive time saver and allow more effective use of security resource (which is often in short supply within most organisations).

4. Attack Simulator

65% of hackers use spear-phishing as the primary infection vector.

Symantec, 2020

Performing regular phishing and social engineering exercises is a vital part of ensuring and maintaining awareness of email and credential security within your organisation. Many organisations use additional third-party platforms to perform these tests and further additional platforms to deliver any required user training.

This increases both the complexity and cost of securing your organisation’s environment.

Microsoft Defender for Office 365 (Plan 2) includes Attack Simulation Training functionality which allows you to detect, quantify and reduce social engineering risk across your user base using the following common attack methods:

  • Credential harvest
  • Malware attachment
  • Link in attachment
  • Link to malware
  • Drive-by-URL

Administrators can choose from a catalogue of payloads based on commonly used social engineering techniques or create custom payloads. They can also choose relevant training content (provided by leading security awareness training provider Terranova) to assign to users who succumb to the simulated attack.

Attack Simulation Training also features advanced reporting capabilities that give insight into employees' threat readiness progress, with metrics that let you target further training, and possibly stricter security policy configurations, at the areas where they are most required.

5. Integration – Microsoft 365 Defender

Now I know I may be slightly biased, but I firmly believe that as a security solution, Microsoft Defender for Office 365 offers a depth of integration and interoperability that’s impossible to match.

Given its market share as the largest and most widely used technology company of its type in the world, Microsoft has access to an unparalleled view of cyber threats across its entire, global ecosystem every second of every day.

The result is an unrivalled and constantly growing database known as the Intelligent Security Graph.

This graph informs threat protection technologies across multiple services within the Microsoft 365 ecosystem.

This visibility and capability is impossible to match as a third-party solution provider with a dramatically smaller footprint.

Comprehensive coverage

Microsoft Defender for Office 365 protects email and collaboration but also forms part of the wider Microsoft 365 Defender suite that includes:

These technologies natively integrate across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.

All this functionality and protection can be possible without the overhead and complexity associated with multi-vendor solutions.

It also allows you to achieve an unequalled level of interoperability that is impossible to replicate.

To put this into context please consider the following:

  • Imagine the additional value your team could deliver if you could forget about interoperability complications and build your security operations around a platform with guaranteed compatibility across solutions.
  • Think of the additional value your security team could deliver if they only had to develop familiarity with a single security platform.

There are many benefits to be gained by removing the time wasted performing cross-platform/cross-portal investigations: time that can be saved by adopting a single platform where automated remediation across endpoint, identity, email, and applications is the default.


I know that was a lot to take in and there’s a lot of supporting functionality I haven’t yet touched on!

If you needed more reasons to be persuaded by Microsoft Defender for Office 365 it also includes:

  • Campaign Views (they’re great by the way!)
  • Detailed reporting and alerting functionality
  • Exciting new features coming down the pipeline (spoiler alert – there’s lots!)

I hope the features I have covered here have given you a flavour of what Defender for Office 365 is capable of and how it can benefit your organisation.


About Paul Rouse

EMS Consultant

Paul is a Microsoft certified consultant with extensive experience of high-level solution design and implementation using industry-leading technology from major vendors. Paul's 19 years of IT...

