Insights · Microsoft Security

Exploring Microsoft Defender for Office: Key Benefits and Features

23 July 2024 · Josh Ellis

In our last blog post we had a look at the features and benefits of Microsoft Defender for Endpoint. This week we are going to have a look at another product within the Defender suite – Microsoft Defender for Office.

A large proportion of cyber attacks start with email. Common forms of email compromise include CEO fraud, bogus invoices, malicious links or attachments and spear phishing. The list of email-based attacks goes on and on, which is why it is essential for organisations to protect their collaboration platforms and tools.

Defender for Office builds on top of base Exchange Online Protection (EOP) and extends into the M365 Ecosystem (SharePoint, OneDrive and Microsoft Teams). Its main purpose is to add an additional layer of protection to all of your email and collaboration tools.

Versions

Defender for Office comes in 2 different versions:

  • Defender for Office Plan 1 is included in Microsoft Business Premium or as a standalone product.
  • Defender for Office Plan 2 is included with Office 365 E5, Microsoft 365 A5/E5, A5/E5 Security or as a standalone product.

Key Features

Some key features are highlighted below:

Additional features in the Anti-Phishing Policies

Compared with EOP, Defender for Office adds user and domain impersonation protection to the anti-phishing policies. ‘User Impersonation’ protection helps to catch phishing emails that impersonate sensitive users within your organisation (such as the CEO urgently asking you to buy gift cards).

Safe Attachments in Exchange Online, SharePoint, OneDrive and Microsoft Teams

Safe Attachments offers an additional layer of protection on top of Exchange Online Protection’s anti-malware detection. Any message or attachment that does not match a known virus/malware signature is opened in a virtual environment (sandbox) for inspection before the attachment is delivered to the user. Safe Attachments can also be applied to files within SharePoint, OneDrive and Microsoft Teams.

Safe Links in Email, Office Clients and Microsoft Teams

Safe Links works in a similar way to Safe Attachments: links are opened in a virtual environment (sandbox) at the point in time when the user clicks on them, and are inspected before the user is allowed to visit the link.

Attack Simulation Training

Attack Simulation Training allows you to run phishing simulations against your organisation, as well as provide staff education and training. These can be run on a scheduled basis and customised to your organisational requirements. Attack Simulation Training requires Plan 2 licensing.

Threat Explorer

Threat Explorer provides administrative staff with an easy-to-use, near-real-time tool for investigating and responding to email-based threats. Explorer can be used to investigate URLs within emails, as well as to take any required action on malicious items.

Automated Investigation & Response (AIR)

AIR helps streamline the investigation and remediation of threats: when a threat is detected, Defender for Office can automatically launch an investigation. The investigation analyses and assesses the email, then provides recommended actions to take. Recommended actions can then be manually reviewed and approved. AIR requires Plan 2 licensing.

A full feature list can be found here: https://learn.microsoft.com/en-us/defender-office-365/mdo-about

Tricks and Tips for a successful deployment

Preset Security Policies

Microsoft have supplied some prebuilt policies that configure a recommended baseline. These policies allow very little user configuration and aim to balance detecting malicious and spam email against ensuring legitimate email is delivered.

There are 2 options with these policies:

  • Standard – these can be targeted at most of your users.
  • Strict – these can be targeted at the more sensitive users within the organisation (Executives, Directors, Finance etc).

The one downside to these policies is that most of the settings in the underlying policies cannot be modified. If you want the ability to tweak and tune the policies, this option may not be for you.

Policies

Defender for Office includes policies for Anti-Phishing, Anti-Spam, Anti-Malware, Safe Attachments and Safe Links. There are various recommendations out there on the best configuration to go for, and there will likely be some tuning required for your organisation.

Policies can be targeted at specific domains or users, and it is recommended to use this functionality to test the configuration and identify any impacts before rolling it out to all of your users.
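The scoping described above (Strict preset for sensitive users, a tunable custom policy set for a pilot group), written out as an added Exchange Online PowerShell example. This is not code from the original post or from Microsoft; the group addresses, the SecOps mailbox, the protected user and the policy names are assumptions to replace with your own.

```powershell
# Added example, not from the original post: scope the Strict preset to an
# executives group and a set of custom Defender for Office policies to a pilot
# group before rolling out tenant-wide. Requires the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement).

Connect-ExchangeOnline

$execGroup  = 'Executives@contoso.com'   # assumption: group that receives the Strict preset
$pilotGroup = 'MDO-Pilot@contoso.com'    # assumption: group that receives the custom pilot policies
$secopsMbx  = 'secops@contoso.com'       # assumption: mailbox that receives copies of blocked attachments

# --- 1. Preset security policies -------------------------------------------
# Each preset has an EOP rule (anti-spam/malware/phish) and an ATP rule (Safe
# Links/Attachments); scope both. Strict outranks Standard, and both presets
# outrank custom policies, so users in a preset never see the custom policies below.
Set-EOPProtectionPolicyRule -Identity 'Strict Preset Security Policy' -SentToMemberOf $execGroup
Set-ATPProtectionPolicyRule -Identity 'Strict Preset Security Policy' -SentToMemberOf $execGroup
Enable-EOPProtectionPolicyRule -Identity 'Strict Preset Security Policy'
Enable-ATPProtectionPolicyRule -Identity 'Strict Preset Security Policy'

# --- 2. Custom, tunable policies scoped to the pilot group ------------------
# Anti-phishing: user and domain impersonation plus mailbox intelligence.
# TargetedUsersToProtect entries take the form 'Display Name;email' (assumed user).
New-AntiPhishPolicy -Name 'Pilot-AntiPhish' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @('Jane Doe;jane.doe@contoso.com') `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -PhishThresholdLevel 2
New-AntiPhishRule -Name 'Pilot-AntiPhish' -AntiPhishPolicy 'Pilot-AntiPhish' -SentToMemberOf $pilotGroup

# Safe Attachments: detonate unknown attachments, block on a hit, keep a copy for SecOps.
New-SafeAttachmentPolicy -Name 'Pilot-SafeAttachments' -Enable $true -Action Block `
    -Redirect $true -RedirectAddress $secopsMbx
New-SafeAttachmentRule -Name 'Pilot-SafeAttachments' -SafeAttachmentPolicy 'Pilot-SafeAttachments' `
    -SentToMemberOf $pilotGroup
# Safe Attachments for SharePoint, OneDrive and Teams is one tenant-wide switch, not a per-rule setting.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Safe Links: time-of-click scanning in mail, Teams and Office clients, no click-through on blocked URLs.
New-SafeLinksPolicy -Name 'Pilot-SafeLinks' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'Pilot-SafeLinks' -SafeLinksPolicy 'Pilot-SafeLinks' -SentToMemberOf $pilotGroup

# --- 3. Confirm the scoping before widening it ------------------------------
Get-AntiPhishRule      -Identity 'Pilot-AntiPhish'       | Format-List Name, SentToMemberOf, State, Priority
Get-SafeAttachmentRule -Identity 'Pilot-SafeAttachments' | Format-List Name, SentToMemberOf, State, Priority
Get-SafeLinksRule      -Identity 'Pilot-SafeLinks'       | Format-List Name, SentToMemberOf, State, Priority

# Rollout, once the pilot has run clean: swap the group condition for all accepted
# domains (repeat for the other two rule types).
# Set-SafeLinksRule -Identity 'Pilot-SafeLinks' -SentToMemberOf $null -RecipientDomainIs (Get-AcceptedDomain).DomainName
```

Keep the pilot group out of the preset rules: because the presets take precedence over custom policies, a user who is in both would silently get the preset settings and the custom policy would never be exercised during the pilot.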

Email Reporter Button

While not strictly a Defender for Office offering, Microsoft have a ‘Report Message’ plugin for Outlook which gives your users a way to report suspicious emails, distinguishing between Junk and Phishing. Reported emails turn up in the Defender XDR portal, where they can be investigated and any relevant action taken. The plugin is also used by Attack Simulation Training to identify whether users correctly reported the phishing simulations.

Review your other email security mechanisms

While on this topic, it’s a good time to look into your SPF, DKIM and DMARC configurations.

  • Sender Policy Framework (SPF) designates which IPs are allowed to send email on your domain’s behalf. It can be configured as ‘Hard fail’ or ‘Soft fail’, which tells recipients of your emails what to do when the sending IP doesn’t match.
  • DomainKeys Identified Mail (DKIM) is a way to digitally sign the emails you send, so that recipients of your emails can be assured the messages are not impersonated.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) lets recipients of your emails report back on the messages they receive from your domain and whether those messages comply with your SPF and DKIM configuration.
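An added PowerShell example (not part of the original post) for the review described above: it parses an SPF record and a DMARC record and flags the usual weaknesses (no or permissive ‘all’ qualifier, too many DNS lookups, DMARC left in monitor mode, no reporting address), with a small live-lookup helper that also fetches the two Microsoft 365 DKIM selectors. The two sample records at the bottom are constructed for illustration and are not any real domain’s records.

```powershell
# Added example, not from the original post: check SPF and DMARC records for the
# weaknesses a Defender for Office rollout review should catch. The sample
# records at the bottom are constructed; Get-DomainAuthRecords does a live lookup.

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)

    if ($Record -notmatch '^v=spf1(\s|$)') {
        return [pscustomobject]@{ Valid = $false; Reason = 'Record must start with v=spf1' }
    }
    $terms = @($Record -split '\s+' | Where-Object { $_ -and $_ -ne 'v=spf1' })

    # RFC 7208 limits DNS-querying terms (include, a, mx, ptr, exists, redirect) to 10;
    # beyond that receivers return PermError and your SPF effectively does nothing.
    $lookups = @($terms | Where-Object {
        $_ -match '^[+\-~?]?(include:|a(:|/|$)|mx(:|/|$)|ptr|exists:|redirect=)' }).Count

    # The qualifier on "all" decides what receivers do with hosts not listed in the record.
    $allTerm = $terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
    $mode = 'Missing'
    if     ($allTerm -eq '-all')        { $mode = 'HardFail' }
    elseif ($allTerm -eq '~all')        { $mode = 'SoftFail' }
    elseif ($allTerm -eq '?all')        { $mode = 'Neutral' }
    elseif ($allTerm -in '+all', 'all') { $mode = 'PassAll' }

    $warnings = @()
    if ($lookups -gt 10) { $warnings += "$lookups DNS lookups exceeds the limit of 10 (PermError)" }
    switch ($mode) {
        'Missing' { $warnings += 'No "all" mechanism: unlisted hosts get a neutral result, add -all or ~all' }
        'Neutral' { $warnings += '?all: unlisted hosts get a neutral result, change to -all or ~all' }
        'PassAll' { $warnings += '+all: every host on the internet passes SPF for this domain' }
    }
    [pscustomobject]@{ Valid = $true; AllMode = $mode; DnsLookups = $lookups; Warnings = $warnings }
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)

    if ($Record -notmatch '^v=DMARC1\s*;') {
        return [pscustomobject]@{ Valid = $false; Reason = 'Record must start with v=DMARC1;' }
    }
    # Tags are name=value pairs separated by semicolons.
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    $policy = if ($tags.ContainsKey('p'))   { $tags['p'] }        else { 'missing' }
    $pct    = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }

    $warnings = @()
    if ($policy -in 'none', 'missing') {
        $warnings += 'p=none only monitors: spoofed mail is still delivered. Move to quarantine, then reject, once reports are clean'
    }
    if ($pct -lt 100) { $warnings += "pct=$pct applies the policy to only $pct% of failing mail" }
    if (-not $tags.ContainsKey('rua')) { $warnings += 'No rua= tag: you will receive no aggregate reports' }
    [pscustomobject]@{
        Valid = $true; Policy = $policy; Percent = $pct; ReportsTo = $tags['rua']; Warnings = $warnings
        SubdomainPolicy = $(if ($tags.ContainsKey('sp')) { $tags['sp'] } else { $policy })
    }
}

function Get-DomainAuthRecords {
    # Live lookup (Windows DnsClient module). Microsoft 365 publishes DKIM keys under
    # selector1/selector2._domainkey.<domain>, usually as CNAMEs into the tenant's onmicrosoft.com zone.
    param([Parameter(Mandatory)][string]$Domain)
    $txt = {
        param($Name)
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' }
    }
    $spf   = & $txt $Domain | Where-Object { $_ -like 'v=spf1*' }
    $dmarc = & $txt "_dmarc.$Domain"
    $dkim  = foreach ($s in 'selector1', 'selector2') { & $txt "$s._domainkey.$Domain" }
    [pscustomobject]@{ Domain = $Domain; Spf = $spf; Dmarc = $dmarc; Dkim = $dkim }
}

# Constructed sample records (not any real domain's records).
$sampleSpf   = 'v=spf1 include:spf.protection.outlook.com include:_spf.crm.example ip4:203.0.113.10 ~all'
$sampleDmarc = 'v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100'

Test-SpfRecord   -Record $sampleSpf
Test-DmarcRecord -Record $sampleDmarc
# Live: Get-DomainAuthRecords -Domain 'example.com' | Format-List
```

The SPF sample passes cleanly as a soft fail with two lookups; the DMARC sample trips the ‘p=none’ warning, which is the state many tenants are left in after the initial setup. To run it against your own domain, feed the `Spf` and `Dmarc` strings returned by `Get-DomainAuthRecords` into the two test functions.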

In Summary

Hopefully this has provided you with some insight into the different versions of Defender for Office and some high-level guidance into deploying it within your environment.

Fenrir Security have deployed, managed, reviewed and remediated many Defender for Office deployments over the years. If you are looking for some help with planning, managing or deploying Defender for Office, then please reach out to us via info@fenrir.nz for a chat.

Fenrir also provides a managed security offering which manages and maintains Defender for Office, and the wider Microsoft Defender ecosystem.
