
Securing Microsoft Business Premium Part 06: Securing Email with Defender for Office 365

  • Writer: Sebastian F. Markdanner
  • 3 days ago
  • 10 min read

Sharing is caring. While that is a mantra I follow myself, collaboration needs to be done securely.

Man at desk on laptop, next to a mug and notepad. Text: Securing Business Premium, Part 06. Pastel background with mail icons.

Email is often the first and most widely used collaboration tool in any organization, which makes Exchange Online a natural place to start when securing collaboration.


In today’s work environment, collaboration with others is essential, both internally and externally. To support this, collaboration must be easy for users while remaining secure and manageable for administrators.


In this part of the series, I’ll focus on securing email-based collaboration in a Microsoft Business Premium environment. The post covers key configuration recommendations for Exchange Online and Microsoft Defender for Office 365, laying the foundation for secure collaboration across Microsoft 365.




Microsoft Business Premium Collaboration - The risks

Collaboration comes with its fair share of risks: any access into our tenants is a possible route for malicious actors, and it adds further insider-risk exposure such as malicious, intentional or unintentional data leakage, oversharing, etc.


While third-party, also known as supply chain, attacks often go unreported or are mistaken for internal breaches, 35.5% of all breaches in 2024 included some form of these attacks, according to SecurityScorecard.


That statistic is frightening, especially when taking into account that most, if not all, organizations have some form of "supply chain", be it consultants from an MSP or ERP vendor, freelancers, project members, customers, resellers, vendors, etc.


Looking strictly at the statistics for emails, we see equally frightening numbers.

According to the FBI's IC3 report for 2024, business email compromise (BEC) had an estimated cost of $2.7 billion USD in 2024, in the US alone.


For 2025, FRSecure reports that BEC accounted for a full 36.8% of the cases observed in their investigations.

Vipre Security Group reports that roughly 40% of observed BEC phishing campaigns in 2025 showed signs of AI-assisted content generation.



The Evolution of Collaboration Security

Historically, collaboration has been handled both internally and externally via file servers with shared network drives, FTP servers and email, plus faxing and sending letters for any of the OGs.


While these options have gotten the job done, they have also led to data leaks, intentional and not. They simply cannot keep up with the modern identity-centric, highly complex and often fragmented world that we live in today.


Over time we've gotten more cloud-based solutions that let us access data and collaborate over the internet without requiring direct network access, such as SharePoint, Teams and Azure file shares, and even Azure File Sync, which synchronizes files between file servers in different locations.


These newer options allow us to modernize AuthN, AuthZ and the surrounding security solutions, such as identity-, device- and location-based protection via Conditional Access policies, sharing controls, governance, Purview solutions, reporting, monitoring, etc.


While not all solutions are created equally, we at least have a few different options for securing collaboration across BP environments.



Microsoft Business Premium Collaboration - The Core Components

Within a BP environment there's a set of different collaboration solutions and components which fulfil different roles. While not all of these will be covered today, it's important to know which options we have.

I've either already addressed the component previously, or I will over the next few posts.


While Microsoft Business Premium includes multiple collaboration services, this post focuses specifically on email-based collaboration through Exchange Online.


These are the different collaboration components available:


Microsoft Teams

A central hub for collaboration, enabling seamless communication, file sharing, meetings, and co-authoring across teams and even external organizations.


Microsoft SharePoint

Facilitates collaboration through shared document libraries, team sites, and intranet portals, supporting version control, real-time co-authoring, and structured content sharing.


Microsoft OneDrive

Personal cloud storage that enables users to share files and collaborate in real time, including integration with Teams and SharePoint for a unified experience.


Microsoft Exchange

Supports collaboration through shared calendars, scheduling, and mailbox features, enabling teams to coordinate efficiently and stay connected.


Microsoft Entra User Flows

Enables streamlined and secure onboarding experiences for external users, supporting collaborative access to apps and services in a consistent manner. - Covered in this blog post.


Microsoft B2B Collaboration

Allows external partners to securely access internal resources and collaborate as guest users, without needing separate accounts or compromising security. - Covered in part 05.


Microsoft Entra Cross-tenant Synchronization

Simplifies cross-organizational collaboration by syncing users between Entra ID tenants, allowing seamless access and consistent identity management across tenants. - Covered in part 05.


Microsoft External ID

Built for both B2B and B2C scenarios, utilizing a new Entra tenant focused on external access. Supports collaboration with customers and partners by providing flexible identity management and access to shared apps, content, and experiences. Not in scope for this series.


Across these different solutions, there's a number of configurations that we can utilize to enhance collaboration without compromising on security.



Microsoft Entra Step Up Collaboration Components

While the focus of this series, including this post, is BP environments, there are a few honorable mentions worth noting, even though I will not expand on them in this series:


Microsoft Entra Entitlement Management

Provides another option for granting collaborators access into the environment via self-service access provisioning with Access Packages and Access Reviews.

I went over both Access Packages and Access Reviews previously.



Microsoft Defender for Office 365 (MDO)

Within the Microsoft Defender suite, we have MDO, a comprehensive solution for securing email and collaboration, which we can utilize to protect our organization against threats such as phishing, spam, malware and business email compromise (BEC).


Microsoft Business Premium includes Microsoft Defender for Office 365 Plan 1, which provides foundational protection for email and collaboration workloads.


For email security within MDO, we already configured DKIM & DMARC all the way back in part 01, which is without a doubt the first thing to do with any connected domain.


With DKIM & DMARC in place, we've got a few different policies to think about, namely the threat policies including Anti-Phishing, Anti-Malware, Anti-Spam, Safe attachments, Safe links & Quarantine policies.

We've got two different options: the Microsoft-provided preset policies and the manual policies.



MDO Preset policies

Microsoft have blessed us with a great foundational security policy set for MDO.

While this is a great starting point, easy to implement, and configures a policy for each of the different policy types within MDO, it should also be treated as exactly that: a foundation to build outward from.


Once enabled, a single policy of each type is created with priority "-", meaning it always takes the highest priority.


My recommendation:

Enable the standard preset policy, which will provide a quick security enhancement across Microsoft Office 365, with added manual policies for granular controls, scoped to sensitive users such as C-level or non-human accounts.


A lot of organizations, especially in the SMB segment, find the standard preset appropriate across the whole environment, and if that's the case - by all means!


To enable the preset policies follow these steps:

  1. Navigating the portal

    Login to the security portal (security.microsoft.com), open the Email & Collaboration menu, click on Policies & rules and finally Threat policies

    Microsoft Defender interface showing "Policies & rules" section. "Threat policies" is highlighted. Sidebar lists various security options.

  2. Accessing the Preset configurations

    Within the Threat policies, click on Preset Security Policies

    Threat policies interface showing templated policies, preset security, and configuration analyzer, alongside anti-phishing, spam, and malware rules.

  3. Enabling the preset policies

    Click on Manage protection settings for the Standard protection to start the wizard

    Note: Strict protection can be used for specific users, but be careful with it as it's rather aggressive

    Microsoft 365 protection settings shown: Built-in, Standard, and Strict with toggles. Options are off. Descriptions outline security features.

  4. Going through the wizard

    Choose the users the Exchange Online Protection and Defender for Office is applied to.

    This should be for all users unless you want to use the strict policy for a subgroup of users

    Exchange protection setup screen with options for email security. "Apply to" includes All, Specific, or None. Blue "Next" button below.
    Defender for Office 365 protection settings screen with options to apply protection to recipients. Next and Cancel buttons below.

  5. Configure impersonation protection

    Within the next few steps, add the email addresses that should be included in the impersonation protection protected list. These should be high-level users and addresses; typically board members' internal & external addresses, specific partners, C-suite executives and service accounts.

    Email protection settings screen for Office 365. Three emails listed to flag for impersonation. Options to add emails and names.

    Add domains to the protected list, and domains for exclusions

    Security settings interface with options for Exchange online protection and more. Domains to flag: chanceofsecurity.com and microsoft.com.
    Email protection setup screen showing options for trusted domains. One domain, defNot.KnownHacker.us.gov, is listed. Next and Cancel buttons visible.

  6. Enable the policy, review and save

    Ensure you enable the policy before going through the review step and saving it at the end

    Policy settings screen showing "Apply standard protection" wizard. Options: Exchange online protection, Defender for Office 365, Impersonation. Policy mode selection visible.

  7. Once saved, you'll see the policy has changed to ON

    Protection tiers for Microsoft Office 365: Built-in, Standard, and Strict. Each with detailed settings, icons, and toggles. Tables compare features.

Within each policy type, there'll now be a new policy with the highest priority, which cannot be edited:

Anti-phishing settings in Microsoft 365 showing security policy list; "Standard Preset Security Policy" highlighted with status "On."
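The same outcome as the wizard above, as an added example that is not part of the original post: turning the Standard preset on with Exchange Online PowerShell and, optionally, carving out a group of sensitive users for the Strict preset as described in the notes on steps 3 and 4. It assumes the ExchangeOnlineManagement module is installed, that each preset has been turned on once in the portal so its rules exist, and the placeholder group vip-users@contoso.example is yours.

```powershell
# Added example, not the post's own code. Assumes ExchangeOnlineManagement is installed.
Connect-ExchangeOnline

$standard = "Standard Preset Security Policy"
$strict   = "Strict Preset Security Policy"

# Each preset is two rules: EOP (anti-spam/anti-malware/anti-phishing) and ATP (Safe Links/Attachments).
# The rules only exist after the preset has been turned on once in the Defender portal.
foreach ($preset in @($standard)) {
    $eop = Get-EOPProtectionPolicyRule -Identity $preset -ErrorAction SilentlyContinue
    $atp = Get-ATPProtectionPolicyRule -Identity $preset -ErrorAction SilentlyContinue
    if (-not $eop -or -not $atp) {
        throw "Rules for '$preset' not found; turn the preset on once in the portal first."
    }
    Enable-EOPProtectionPolicyRule -Identity $preset
    Enable-ATPProtectionPolicyRule -Identity $preset
}

# Optional: Strict for a subgroup only. Placeholder group address, replace with your own.
$vipGroup = "vip-users@contoso.example"
if (Get-EOPProtectionPolicyRule -Identity $strict -ErrorAction SilentlyContinue) {
    Set-EOPProtectionPolicyRule -Identity $strict -SentToMemberOf $vipGroup
    Set-ATPProtectionPolicyRule -Identity $strict -SentToMemberOf $vipGroup
    Enable-EOPProtectionPolicyRule -Identity $strict
    Enable-ATPProtectionPolicyRule -Identity $strict
    # Strict already outranks Standard; the exception just keeps the scopes explicit.
    Set-EOPProtectionPolicyRule -Identity $standard -ExceptIfSentToMemberOf $vipGroup
    Set-ATPProtectionPolicyRule -Identity $standard -ExceptIfSentToMemberOf $vipGroup
}

# Verify: State should be Enabled; an empty scope means "all recipients".
Get-EOPProtectionPolicyRule, Get-ATPProtectionPolicyRule | ForEach-Object {
    & $_ | Format-Table Name, State, SentToMemberOf, ExceptIfSentToMemberOf, RecipientDomainIs -AutoSize
}
```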


MDO Manual policies

Using the presets is a great foundation for protecting the organization, but it isn't quite as flexible as we might want, which is where the manual policies come in.


These policies require a bit more work, but provide the flexibility and granularity that most orgs need for specific accounts.

These policies should always be created based on your specific environment and need.

I'll show how to create a policy here


To start creating manual policies follow these steps:

  1. Navigating the portal

    Login to the security portal (security.microsoft.com), open the Email & Collaboration menu, click on Policies & rules and finally Threat policies

    Microsoft Defender interface showing "Policies & rules" section. "Threat policies" is highlighted. Side menu lists various features.

  2. Access the policy type you want to create

    Within the Threat policies menu, you'll need to choose which policy type you want to create.

    You should have at least one policy created for each of the 5 available types:

    • Anti-phishing

    • Anti-spam

    • Anti-malware

    • Safe attachments

    • Safe links

    Threat policies menu with Anti-phishing, Anti-spam, Anti-malware, Safe Attachments, Safe Links. Includes rules and actions for email security.

  3. Creating the policy

    Click on Create within the policy menu, and fill out the policy settings.

    Starting with the name and description of the new policy

    Anti-phishing policies interface in Microsoft 365. Two policies listed: "Standard Preset Security" and "Office365 AntiPhish Default." Options to create, export, refresh.
    Policy creation screen with fields for name and description under "Policy name." Text entered: "Default anti-phishing policy" and "Super well explained optional description."

  4. Adding protected OR excluded users

    I recommend having at least one policy which works as a catch all policy, ensuring a basic protection is always enabled.

    Screenshot of an anti-phishing policy form interface. Fields for users, groups, domains, and an entered domain. Navigation steps on the left.

  5. Adding the policy protection & actions

    This step differs a bit for each policy type; this is where you'll configure the actual protections and actions of the policy in question.

    Here's an example of an Anti-phishing policy:


    Phishing threshold & protection

    • Threshold: 1 (default)

    • Enable user impersonation protection

      • Add high-level users such as C-suite, Boardmembers and high-priv users

    • Enable domain impersonation protection

      • Add your owned domains & any custom domains that you frequently collaborate with such as contract partners or vendors

    • Do not add trusted senders

    • Enable mailbox intelligence

    • Enable mailbox intelligence for impersonation protection

    • Enable spoof intelligence

    Email security settings interface showing phishing thresholds, impersonation, and spoof intelligence options with checkboxes enabled.

    Actions

    • If a message is detected as user or domain impersonation: Quarantine

      • Quarantine policy: DefaultFullAccessWithNotificationPolicy (we'll get to this)

    • If Mailbox Intelligence detects an impersonated user: Delete the message before it's delivered

    • Honor DMARC policies

    • Enable all the safety tips

    Email anti-phishing policy settings screen with options for message actions, quarantine, safety tips, and indicators, displayed on a white background.

  6. Review and create

    Go through and review the policy before submitting the policy.

    Anti-phishing policy review screen showing settings for users, domains, and protections. Options include impersonation and mailbox intelligence.

After creating the policy, it'll be added with the highest priority available, which can be adjusted over time as more policies are added

Microsoft 365 anti-phishing settings screen showing three policies: Standard, Default, and Office365 AntiPhish Default. All are active.
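The example anti-phishing policy from step 5, created with Exchange Online PowerShell instead of the wizard, as an added example that is not part of the original post. The protected users, the partner domains and the tenant domain contoso.example are placeholders; the quarantine policy is the built-in DefaultFullAccessWithNotificationPolicy used above, to be swapped for the custom one once it exists.

```powershell
# Added example, not the post's own code. Assumes ExchangeOnlineManagement is installed.
Connect-ExchangeOnline

$policyName = "Default anti-phishing policy"
$quarantineTag = "DefaultFullAccessWithNotificationPolicy"   # swap for your custom policy later

# Protected users use the "DisplayName;EmailAddress" format (placeholders).
$protectedUsers = @(
    "CEO Placeholder;ceo@contoso.example",
    "CFO Placeholder;cfo@contoso.example"
)
# Custom domains you frequently collaborate with (placeholders); your own accepted
# domains are covered by EnableOrganizationDomainsProtection instead.
$protectedDomains = @("partner.example", "vendor.example")

$params = @{
    Name                                = $policyName
    Enabled                             = $true
    PhishThresholdLevel                 = 1                  # 1 = Standard, the default
    # Phishing threshold & protection
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = $protectedDomains
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    EnableSpoofIntelligence             = $true
    # Actions (no trusted senders/domains are added, matching the post)
    TargetedUserProtectionAction        = "Quarantine"
    TargetedUserQuarantineTag           = $quarantineTag
    TargetedDomainProtectionAction      = "Quarantine"
    TargetedDomainQuarantineTag         = $quarantineTag
    MailboxIntelligenceProtectionAction = "Delete"           # delete before delivery
    HonorDmarcPolicy                    = $true
    # All safety tips and indicators
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableViaTag                        = $true
    EnableUnauthenticatedSender         = $true
}
New-AntiPhishPolicy @params

# The rule decides who the policy applies to: here a catch-all for the whole tenant domain.
New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName `
    -RecipientDomainIs "contoso.example" -Priority 0

# Verify the settings that matter most landed as intended.
Get-AntiPhishPolicy -Identity $policyName | Format-List Name, PhishThresholdLevel,
    TargetedUserProtectionAction, TargetedUserQuarantineTag,
    MailboxIntelligenceProtectionAction, HonorDmarcPolicy, EnableSpoofIntelligence
```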


MDO Quarantine policies

Quarantine policies directly impact both security outcomes and user experience, making them a critical but often overlooked part of email protection.


During policy creation it's possible to use quarantine as an action, based on the policy, the detections and the intelligence from the Microsoft tooling.

By default, 3 policies exist:


  • DefaultFullAccessPolicy

  • AdminOnlyAccessPolicy

  • DefaultFullAccessWithNotificationPolicy


While these are fine, they either provide too many or too few permissions for the recipient of the quarantined emails.

I recommend creating a new policy with limited access, while still sending notification emails to the end user.


The default full-access policy allows users to mark the sender as safe and to release messages directly, which we don't want. On the other hand, the admin-only policy requires admins to actively look through the quarantine report daily to ensure everything is caught, and then analyze each entry, which we also don't want as it adds administrative overhead.


The best of both worlds is therefore a limited set of permissions, giving the end user the ability to preview the message and request its release, without allowing them to release it or mark the sender as safe directly.


To create this custom policy follow these steps:

  1. Accessing the menu

    Navigate to the Quarantine policies menu within the Threat policies menu in the security portal

    Microsoft Defender interface showing threat policies, templated policies, and rules for email security. Quarantine policies are highlighted.

  2. Create the policy

    Click on create policy and fill out the name of the new quarantine policy

    Quarantine policy settings interface showing options to add, refresh, and export policies. List includes three policy names with checkboxes.
    New policy creation screen showing "Policy name" field with "LimitedAccessWithNotificationPolicy" entered. Options listed on left sidebar.

  3. Assigning user permissions

    Choose Set specific access (Advanced), choose the "Allow recipients to request (...)" option for the release action, and enable the Delete, Preview & Block sender permissions.

    New policy setup window for recipient message access, highlighting specific access with options to delete, preview, block, or allow sender.

    NOTE: The Allow sender permission would let the end user bypass the policy by adding the sender to their safe/trusted senders, which bypasses quarantining of emails from that sender in the future


  4. Enable notifications

    Enable the Quarantine notifications and either choose to include or exclude notifications for mails from blocked senders

    Email settings screen displaying "Quarantine notification" options. "Enable" is checked. Background is white, with "Next" and "Cancel" buttons.


  5. Review & Submit

    Review the settings you've added to the policy and submit it

    Policy review page with options for managing message access and quarantine notifications. Buttons for Edit, Submit, Back, and Cancel are visible.

After creating the policy, it'll be usable within custom threat policies like the phishing policy we created previously.

Email security settings screenshot with dropdowns for quarantining or rejecting messages flagged for impersonation or spoofing. Buttons: Save, Cancel.

Sidenote:

I highly recommend customizing the Global Quarantine notification settings with company branding by adding a custom sender address, display name and the company logo. This increases the end users' trust in the quarantine notification emails and follows the regular branding that was added during part 01 of the series.


You're also able to modify how often the notification emails are sent; I recommend "within 4 hours", as it provides the best experience for users


These settings are also accessed through the Quarantine policies page:

Office 365 Quarantine policy screen showing options to add, refresh, export policies. Listed policies with last updated times.
Email quarantine notification settings interface with fields for sender display name, address, subject, disclaimer, and language selection.
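The custom quarantine policy from steps 2 to 5 together with the global notification branding from the sidenote, built with Exchange Online PowerShell as an added example that is not part of the original post. The cmdlet takes the end-user permissions as one integer assembled from bit flags, so the block names each flag and computes the value rather than hard-coding it; the bit order is assumed from the cmdlet's documented permission order, and the sender address, display name and disclaimer are placeholders.

```powershell
# Added example, not the post's own code. Assumes ExchangeOnlineManagement is installed.
Connect-ExchangeOnline

# One bit per permission, highest bit (128) to lowest (1), in the order the cmdlet expects
# (assumed from the documented order of EndUserQuarantinePermissionsValue).
$permissionBits = [ordered]@{
    PermissionToViewHeader     = 128
    PermissionToDownload       = 64
    PermissionToAllowSender    = 32   # the "Allow sender" bypass the post warns about
    PermissionToBlockSender    = 16
    PermissionToRequestRelease = 8
    PermissionToRelease        = 4    # must not be combined with RequestRelease
    PermissionToPreview        = 2
    PermissionToDelete         = 1
}

function Get-QuarantinePermissionValue {
    param([string[]]$Granted)
    $value = 0
    foreach ($name in $Granted) {
        if (-not $permissionBits.Contains($name)) { throw "Unknown permission: $name" }
        $value += $permissionBits[$name]
    }
    # Release (4) and RequestRelease (8) are mutually exclusive.
    if (($value -band 12) -eq 12) { throw "Release and RequestRelease cannot both be granted" }
    return $value
}

# Delete + Preview + Block sender + Request release = 1 + 2 + 16 + 8 = 27 ("Limited access").
# Allow sender and direct Release are deliberately left out.
$limited = Get-QuarantinePermissionValue -Granted @(
    "PermissionToDelete", "PermissionToPreview",
    "PermissionToBlockSender", "PermissionToRequestRelease"
)

New-QuarantinePolicy -Name "LimitedAccessWithNotificationPolicy" `
    -EndUserQuarantinePermissionsValue $limited `
    -ESNEnabled $true `
    -IncludeMessagesFromBlockedSenderEnabled $true

# Global notification settings: branding, custom sender/display name and the 4-hour frequency.
# Valid frequencies are 04:00:00, 1.00:00:00 and 7.00:00:00.
Set-QuarantinePolicy -Identity DefaultGlobalTag `
    -OrganizationBrandingEnabled $true `
    -EndUserSpamNotificationCustomFromAddress "quarantine@contoso.example" `
    -MultiLanguageSetting "English" `
    -MultiLanguageSenderName "Contoso Quarantine" `
    -MultiLanguageCustomDisclaimer "Placeholder disclaimer text." `
    -EndUserSpamNotificationFrequency 04:00:00

# Verify: the custom policy should report 27 with notifications on.
Get-QuarantinePolicy -Identity "LimitedAccessWithNotificationPolicy" |
    Format-List Name, EndUserQuarantinePermissionsValue, ESNEnabled, IncludeMessagesFromBlockedSenderEnabled
Get-QuarantinePolicy -QuarantinePolicyType GlobalQuarantinePolicy |
    Format-List OrganizationBrandingEnabled, EndUserSpamNotificationCustomFromAddress, EndUserSpamNotificationFrequency
```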


Inbound DANE with DNSSEC for Exchange Online

Transport-level email security doesn’t stop at filtering and detection. For organizations that want stronger guarantees around mail server authenticity and encryption, SMTP DANE with DNSSEC provides an additional layer of protection against downgrade and man-in-the-middle attacks.


Microsoft Exchange Online supports inbound DANE with DNSSEC, allowing receiving organizations to validate TLS certificates via DNS rather than relying solely on the public PKI.


I’ve covered inbound SMTP DANE with DNSSEC for Exchange Online in detail, including prerequisites, limitations, and configuration, in a dedicated post, which you can read here:



While it's not strictly required, I highly recommend that you go through the different parts of modern email security, on which I've written an article you can find here:




Conclusion

Email remains one of the most critical — and most abused — collaboration channels in any organization. In this post, we’ve focused on strengthening email-based collaboration in a Microsoft Business Premium environment by applying layered security controls across Exchange Online and Microsoft Defender for Office 365.


By combining foundational protections such as DKIM and DMARC with Defender for Office 365 threat policies, impersonation protection, Safe Links, Safe Attachments, and a carefully balanced quarantine experience, we significantly reduce the risk of phishing, malware, and business email compromise, without preventing users from collaborating effectively.


And now, the mandatory bad joke:


I used to hate facial hair… but then it grew on me 😎

This joke has been reviewed and approved by absolutely no one


With these controls in place, Exchange Online moves from being a high-risk entry point to a controlled and trusted collaboration platform, forming a solid foundation for securing collaboration across Microsoft 365.


In Part 07, we’ll continue building on this foundation by shifting focus to another core collaboration workload within Microsoft Business Premium.



🔗 Securing Microsoft Business Premium Series Post Index
