1. Microsoft Defender Licensing
2. Microsoft Defender For Office 365 P2

Hello LakshanUmesh, Thanks for your post in Microsoft community. For Attack Simulator, if your organization has Microsoft Defender for Office 365 Plan 2, which includes Threat Investigation and Response capabilities, it help you identify and find vulnerable users before a real attack impacts your bottom line. Microsoft Defender for Office 365 is included in certain subscriptions, such as Microsoft 365 E5, Office 365 E5, Office 365 A5, and Microsoft 365 Business Premium. If your subscription does not include Defender for Office 365, you can purchase Defender for Office 365 Plan 1 or Defender for Office 365 Plan 2 as an add-on to certain subscriptions. See all Microsoft Defender for Office 365 alternatives Buyer's Guide Download our free Email Security Report and find out what your peers are saying about Microsoft, Mimecast, Proofpoint, and more!

-->

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

Exchange Online Protection (EOP) is the core of security for Microsoft 365 subscriptions and helps keep malicious emails from reaching your employee's inboxes. But with new, more sophisticated attacks emerging every day, improved protections are often required. Microsoft Defender for Office 365 Plan 1 or Plan 2 contain additional features that give admins more layers of security, control, and investigation.

Although we empower security administrators to customize their security settings, there are two security levels in EOP and Microsoft Defender for Office 365 that we recommend: Standard and Strict. Each customer's environment and needs are different, but we believe that these levels of filtering will help prevent unwanted mail from reaching your employees' Inbox in most situations.

To automatically apply the Standard or Strict settings to users, see Preset security policies in EOP and Microsoft Defender for Office 365.

Note

The junk email rule needs to be enabled on mailboxes in order for filtering to work properly. It's enabled by default, but you should check it if filtering does not seem to be working. For more information, see Configure junk email settings on Exchange Online mailboxes in Office 365.

This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users.

Tip

The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can help you (admins) find the current values of these settings. Specifically, the Get-ORCAReport cmdlet generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at https://www.powershellgallery.com/packages/ORCA/.

Anti-spam, anti-malware, and anti-phishing protection in EOP

Anti-spam, anti-malware, and anti-phishing are EOP features that can be configured by admins. We recommend the following Standard or Strict configurations.

EOP anti-spam policy settings

To create and configure anti-spam policies, see Configure anti-spam policies in Office 365.

Security feature name	Default	Standard	Strict	Comment
Spam detection action SpamAction	Move message to Junk Email folder MoveToJmf	Move message to Junk Email folder MoveToJmf	Quarantine message Quarantine
High confidence spam detection action HighConfidenceSpamAction	Move message to Junk Email folder MoveToJmf	Quarantine message Quarantine	Quarantine message Quarantine
Phishing email detection action PhishSpamAction	Move message to Junk Email folder MoveToJmf	Quarantine message Quarantine	Quarantine message Quarantine
High confidence phishing email detection action HighConfidencePhishAction	Quarantine message Quarantine	Quarantine message Quarantine	Quarantine message Quarantine
Bulk email detection action BulkSpamAction	Move message to Junk Email folder MoveToJmf	Move message to Junk Email folder MoveToJmf	Quarantine message Quarantine
Bulk email threshold BulkThreshold	7	6	4	For details, see Bulk complaint level (BCL) in Office 365.
Quarantine retention period QuarantineRetentionPeriod	15 days	30 days	30 days
Safety Tips InlineSafetyTipsEnabled	On $true	On $true	On $true
Allowed Senders AllowedSenders	None	None	None
Allowed Sender Domains AllowedSenderDomains	None	None	None	Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. Use spoof intelligence in the Security & Compliance Center on the Anti-spam settings page to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains.
Blocked Senders BlockedSenders	None	None	None
Blocked Sender Domains BlockedSenderDomains	None	None	None
Enable end-user spam notifications EnableEndUserSpamNotifications	Disabled $false	Enabled $true	Enabled $true
Send end-user spam notifications every (days) EndUserSpamNotificationFrequency	3 days	3 days	3 days
Spam ZAP SpamZapEnabled	Enabled $true	Enabled $true	Enabled $true
Phish ZAP PhishZapEnabled	Enabled $true	Enabled $true	Enabled $true
MarkAsSpamBulkMail	On	On	On	This setting is only available in PowerShell.

There are several other Advanced Spam Filter (ASF) settings in anti-spam policies that are in the process of being deprecated. More information on the timelines for the depreciation of these features will be communicated outside of this article.

We recommend that you turn these ASF settings Off for both Standard and Strict levels. For more information about ASF settings, see Advanced Spam Filter (ASF) settings in Office 365.

Security feature name	Comment
Image links to remote sites (IncreaseScoreWithImageLinks)
Numeric IP address in URL (IncreaseScoreWithNumericIps)
UL redirect to other port (IncreaseScoreWithRedirectToOtherPort)
URL to .biz or .info websites (IncreaseScoreWithBizOrInfoUrls)
Empty messages (MarkAsSpamEmptyMessages)
JavaScript or VBScript in HTML (MarkAsSpamJavaScriptInHtml)
Frame or IFrame tags in HTML (MarkAsSpamFramesInHtml)
Object tags in HTML (MarkAsSpamObjectTagsInHtml)
Embed tags in HTML (MarkAsSpamEmbedTagsInHtml)
Form tags in HTML (MarkAsSpamFormTagsInHtml)
Web bugs in HTML (MarkAsSpamWebBugsInHtml)
Apply sensitive word list (MarkAsSpamSensitiveWordList)
SPF record: hard fail (MarkAsSpamSpfRecordHardFail)
Conditional Sender ID filtering: hard fail (MarkAsSpamFromAddressAuthFail)
NDR backscatter (MarkAsSpamNdrBackscatter)

EOP outbound spam policy settings

To create and configure outbound spam policies, see Configure outbound spam filtering in Office 365.

For more information about the default sending limits in the service, see Sending limits.

Security feature name	Default	Standard	Strict	Comment
Maximum number of recipients per user: External hourly limit RecipientLimitExternalPerHour	0	500	400	The default value 0 means use the service defaults.
Maximum number of recipients per user: Internal hourly limit RecipientLimitInternalPerHour	0	1000	800	The default value 0 means use the service defaults.
Maximum number of recipients per user: Daily limit RecipientLimitPerDay	0	1000	800	The default value 0 means use the service defaults.
Action when a user exceeds the limits ActionWhenThresholdReached	Restrict the user from sending mail till the following day BlockUserForToday	Restrict the user from sending mail BlockUser	Restrict the user from sending mail BlockUser

EOP anti-malware policy settings

To create and configure anti-malware policies, see Configure anti-malware policies in Office 365.

Security feature name	Default	Standard	Strict	Comment
Do you want to notify recipients if their messages are quarantined? Action	No DeleteMessage	No DeleteMessage	No DeleteMessage	If malware is detected in an email attachment, the message is quarantined and can be released only by an admin.
Common Attachment Types Filter EnableFileFilter	Off $false	On $true	On $true	This setting quarantines messages that contain executable attachments based on file type, regardless of the attachment content.
Malware Zero-hour Auto Purge ZapEnabled	On $true	On $true	On $true
Notify internal senders of the undelivered message EnableInternalSenderNotifications	Disabled $false	Disabled $false	Disabled $false
Notify external senders of the undelivered message EnableExternalSenderNotifications	Disabled $false	Disabled $false	Disabled $false

EOP default anti-phishing policy settings

For more information about these settings, see Spoof settings. To configure these settings, see Configure anti-phishing policies in EOP.

Security feature name	Default	Standard	Strict	Comment
Enable anti-spoofing protection EnableSpoofIntelligence	On $true	On $true	On $true
Enable Unauthenticated Sender EnableUnauthenticatedSender	On $true	On $true	On $true	Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Spoof settings in anti-phishing policies.
If email is sent by someone who's not allowed to spoof your domain AuthenticationFailAction	Move message to the recipients' Junk Email folders MoveToJmf	Move message to the recipients' Junk Email folders MoveToJmf	Quarantine the message Quarantine	This setting applies to blocked senders in spoof intelligence.

Microsoft Defender for Office 365 security

Additional security benefits come with a Microsoft Defender for Office 365 subscription. For the latest news and information, you can see What's new in Defender for Office 365.

Important

• The default anti-phishing policy in Microsoft Defender for Office 365 provides spoof protection and mailbox intelligence for all recipients. However, the other available impersonation protection features and advanced settings are not configured or enabled in the default policy. To enable all protection features, modify the default anti-phishing policy or create additional anti-phishing policies.

• There are no default Safe Links policies or Safe Attachments policies that automatically protect all recipients in the organization. To get the protections, you need to create at least one Safe Links Policy and Safe Attachments policy.

• Safe Attachments for SharePoint, OneDrive, and Microsoft Teams protection and Safe Documents protection have no dependencies on Safe Links policies.

If your subscription includes Microsoft Defender for Office 365 or if you've purchased Defender for Office 365 as an add-on, set the following Standard or Strict configurations.

Anti-phishing policy settings in Microsoft Defender for Office 365

EOP customers get basic anti-phishing as previously described, but Microsoft Defender for Office 365 includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see Configure anti-phishing policies in Defender for Office 365.

Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about these settings, see Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365. To configure these settings, see Configure anti-phishing policies in Defender for Office 365.

Security feature name	Default	Standard	Strict	Comment
Protected users: Add users to protect EnableTargetedUserProtection TargetedUsersToProtect	Off $false none	On $true <list of users>	On $true <list of users>	Depending on your organization, we recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors.
Protected domains: Automatically include the domains I own EnableOrganizationDomainsProtection	Off $false	On $true	On $true
Protected domains: Include custom domains EnableTargetedDomainsProtection TargetedDomainsToProtect	Off $false none	On $true <list of domains>	On $true <list of domains>	Depending on your organization, we recommend adding domains (sender domains) that you don't own, but you frequently interact with.
Protected users: If email is sent by an impersonated user TargetedUserProtectionAction	Don't apply any action NoAction	Quarantine the message Quarantine	Quarantine the message Quarantine
Protected domains: If email is sent by an impersonated domain TargetedDomainProtectionAction	Don't apply any action NoAction	Quarantine the message Quarantine	Quarantine the message Quarantine
Show tip for impersonated users EnableSimilarUsersSafetyTips	Off $false	On $true	On $true
Show tip for impersonated domains EnableSimilarDomainsSafetyTips	Off $false	On $true	On $true
Show tip for unusual characters EnableUnusualCharactersSafetyTips	Off $false	On $true	On $true
Enable Mailbox intelligence? EnableMailboxIntelligence	On $true	On $true	On $true
Enable Mailbox intelligence based impersonation protection? EnableMailboxIntelligenceProtection	Off $false	On $true	On $true
If email is sent by an impersonated user protected by mailbox intelligence MailboxIntelligenceProtectionAction	Don't apply any action NoAction	Move message to the recipients' Junk Email folders MoveToJmf	Quarantine the message Quarantine
Trusted senders ExcludedSenders	None	None	None	Depending on your organization, we recommend adding users that incorrectly get marked as phishing due to impersonation only and not other filters.
Trusted domains ExcludedDomains	None	None	None	Depending on your organization, we recommend adding domains that incorrectly get marked as phishing due to impersonation only and not other filters.

Spoof settings in anti-phishing policies in Microsoft Defender for Office 365

Note that these are the same settings that are available in anti-spam policy settings in EOP.

Security feature name	Default	Standard	Strict	Comment
Enable anti-spoofing protection EnableSpoofIntelligence	On $true	On $true	On $true
Enable Unauthenticated Sender EnableUnauthenticatedSender	On $true	On $true	On $true	Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Spoof settings in anti-phishing policies.
If email is sent by someone who's not allowed to spoof your domain AuthenticationFailAction	Move message to the recipients' Junk Email folders MoveToJmf	Move message to the recipients' Junk Email folders MoveToJmf	Quarantine the message Quarantine	This setting applies to blocked senders in spoof intelligence.

Advanced settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about this setting, see Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365. To configure this setting, see Configure anti-phishing policies in Defender for Office 365.

Security feature name	Default	Standard	Strict	Comment
Advanced phishing thresholds PhishThresholdLevel	1 - Standard 1	2 - Aggressive 2	3 - More aggressive 3

Safe Links settings

Safe Links in Defender for Office 365 includes global settings that apply to all users who are included in active Safe Links policies, and settings that are specific to each Safe Links policy. For more information, see Safe Links in Defender for Office 365.

Global settings for Safe Links

To configure these settings, see Configure global settings for Safe Links in Defender for Office 365.

In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.

Security feature name	Default	Standard	Strict	Comment
Use Safe Links in: Office 365 applications EnableSafeLinksForO365Clients	On $true	On $true	On $true	Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see Safe Links settings for Office 365 apps.
Do not track when users click Safe Links TrackClicks	On $false	Off $true	Off $true	Turning off this setting (setting TrackClicks to $true) tracks user clicks in supported Office 365 apps.
Do not let users click through Safe Links to original URL AllowClickThrough	On $false	On $false	On $false	Turning on this setting (setting AllowClickThrough to $false) prevents click through to the original URL in supported Office 365 apps.

Safe Links policy settings

To configure these settings, see Set up Safe Links policies in Microsoft Defender for Office 365.

In PowerShell, you use the New-SafeLinksPolicy and Set-SafeLinksPolicy cmdlets for these settings.

Note

As described earlier, there is no default Safe Links policy. The values in the Default column are the default values in new Safe Links policies that you create.

Security feature name	Default	Standard	Strict	Comment
Select the action for unknown potentially malicious URLs in messages IsEnabled	Off $false	On $true	On $true
Select the action for unknown or potentially malicious URLs within Microsoft Teams EnableSafeLinksForTeams	Off $false	On $true	On $true
Apply real-time URL scanning for suspicious links and links that point to files ScanUrls	Off $false	On $true	On $true
Wait for URL scanning to complete before delivering the message DeliverMessageAfterScan	Off $false	On $true	On $true
Apply Safe Links to email messages sent within the organization EnableForInternalSenders	Off $false	On $true	On $true
Do not track user clicks DoNotTrackUserClicks	Off $false	Off $false	Off $false	Turning off this setting (setting DoNotTrackUserClicks to $false) tracks users clicks.
Do not allow users to click through to original URL DoNotAllowClickThrough	Off $false	On $true	On $true	Turning on this setting (setting DoNotAllowClickThrough to $true) prevents click through to the original URL.

Safe Attachments settings

Safe Attachments in Microsoft Defender for Office 365 includes global settings that have no relationship to Safe Attachments policies, and settings that are specific to each Safe Links policy. For more information, see Safe Attachments in Defender for Office 365.

Global settings for Safe Attachments

To configure these settings, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Safe Documents in Microsoft 365 E5.

In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.

Security feature name	Default	Standard	Strict	Comment
Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams EnableATPForSPOTeamsODB	On $true	On $true
Turn on Safe Documents for Office clients EnableSafeDocs	On $true	On $true	This setting is only available with Microsoft 365 E5 or Microsoft 365 E5 Security licenses. For more information, see Safe Documents in Microsoft Defender for Office 365.
Allow people to click through Protected View even if Safe Documents identified the file as malicious AllowSafeDocsOpen	Off $false	Off $false	This setting is related to Safe Documents.

Safe Attachments policy settings

To configure these settings, see Set up Safe Attachments policies in Defender for Office 365.

In PowerShell, you use the New-SafeAttachmentPolicy and Set-SafeAttachmentPolicy cmdlets for these settings.

Note

Microsoft Defender Licensing

As described earlier, there is no default Safe Attachments policy. The values in the Default column are the default values in new Safe Attachments policies that you create.

Security feature name	Default	Standard	Strict	Comment
Safe Attachments unknown malware response Action	Block Block	Block Block	Block Block
Redirect attachment on detection : Enable redirect Redirect RedirectAddress	Off, and no email address specified. $true none	On, and specify an email address. $true an email address	On, and specify an email address. $true an email address	Redirect messages to a security admin for review.
Apply the above selection if malware scanning for attachments times out or error occurs. ActionOnError	On $true	On $true	On $true

Related articles

Microsoft Defender For Office 365 P2

• Are you looking for best practices for Exchange mail flow rules (also known as transport rules)? See Best practices for configuring mail flow rules in Exchange Online.

• Admins and users can submit false positives (good email marked as bad) and false negatives (bad email allowed) to Microsoft for analysis. For more information, see Report messages and files to Microsoft.

• Use these links for info on how to set up your EOP service, and configureMicrosoft Defender for Office 365. Don't forget the helpful directions in 'Protect Against Threats in Office 365'.

• Security baselines for Windows can be found here: Where can I get the security baselines? for GPO/on-premises options, and Use security baselines to configure Windows 10 devices in Intune for Intune-based security. Finally, a comparison between Microsoft Defender for Endpoint and Microsoft Intune security baselines is available in Compare the Microsoft Defender for Endpoint and the Windows Intune security baselines.