
How Do I Protect Against Phishing in Microsoft 365?

Quick Answer

Enable Defender for Office 365 (requires Business Premium or E5), configure Safe Links, Safe Attachments, and anti-impersonation policies. Don't rely on default settings—they're not aggressive enough.

What Microsoft 365 Offers

Exchange Online Protection (EOP)

Included in all M365 plans:
  • Basic spam filtering
  • Known malware blocking
  • Basic anti-phishing
  • Connection filtering

Limitations: Catches obvious threats. Misses sophisticated attacks.

Defender for Office 365 (Plan 1)

Included in Business Premium, E5, or add-on:
  • Safe Attachments (sandbox detonation)
  • Safe Links (URL scanning at click time)
  • Anti-impersonation protection
  • Advanced anti-phishing policies
  • Real-time reports

Defender for Office 365 (Plan 2)

Included in E5 or add-on:
  • Everything in Plan 1
  • Threat Explorer
  • Automated investigation
  • Attack simulation training
  • Campaign views

Essential Configuration

1. Safe Links

What it does: Scans URLs at click time, not just delivery. Catches links that become malicious after delivery.

Configure:

  1. Microsoft 365 Defender portal > Email & collaboration > Policies > Safe Links
  2. Create or edit policy
  3. Settings:
     - On: Safe Links checks URLs at click time
     - On: Apply Safe Links to email messages
     - On: Apply Safe Links to Microsoft Teams
     - On: Track user clicks
     - Do not rewrite, but scan: Consider for internal links

2. Safe Attachments

What it does: Opens attachments in a sandbox to detect malicious behaviour before delivery.

Configure:

  1. Microsoft 365 Defender portal > Email & collaboration > Policies > Safe Attachments
  2. Create or edit policy
  3. Settings:
     - Dynamic Delivery: Users get email immediately, attachment replaced with placeholder until scanned
     - Or Block: Attachment blocked if malicious detected
     - On: Enable for SharePoint, OneDrive, Teams

3. Anti-phishing policies

What it does: Protects against impersonation of your users and domains.

Configure:

  1. Microsoft 365 Defender portal > Email & collaboration > Policies > Anti-phishing
  2. Create or edit policy
  3. Impersonation settings:
     - Enable users to protect: Add executives, finance team
     - Enable domains to protect: Your domains + partners
     - Mailbox intelligence: On
     - Intelligence for impersonation protection: On
  4. Actions:
     - Move to junk or quarantine
     - Show safety tips

4. Anti-spam policies

Tighten beyond defaults:

  1. Microsoft 365 Defender portal > Email & collaboration > Policies > Anti-spam
  2. Edit default policy
  3. Consider:
     - Bulk email threshold: Lower to 5 or 6
     - Mark as spam: Enable for suspicious patterns
     - Quarantine rather than deliver to junk
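
To check an existing tenant against the settings in sections 1 to 4, the following read-only audit lists every policy value that differs from them. It is an added example, not part of the original page; it assumes the ExchangeOnlineManagement module and an existing `Connect-ExchangeOnline` session, and `Test-Setting` is a helper defined here.

```powershell
# Added example: read-only audit of the settings listed in sections 1-4.
# Assumes the ExchangeOnlineManagement module is installed and that
# Connect-ExchangeOnline has already been run with rights to read policies.
$findings = [System.Collections.Generic.List[object]]::new()
$isOn     = { $args[0] -eq $true }

function Test-Setting {
    param($Policy, [string]$Type, [string]$Property, [scriptblock]$IsOk, [string]$Want)
    $value = $Policy.$Property
    if (-not (& $IsOk $value)) {
        $findings.Add([pscustomobject]@{
            Type = $Type; Policy = $Policy.Name; Setting = $Property
            Current = ($value -join ', '); Recommended = $Want
        })
    }
}

# 1. Safe Links: click-time checks for email and Teams, with click tracking
foreach ($p in Get-SafeLinksPolicy) {
    foreach ($s in 'EnableSafeLinksForEmail', 'EnableSafeLinksForTeams', 'ScanUrls', 'TrackClicks') {
        Test-Setting $p 'Safe Links' $s $isOn 'True'
    }
}

# 2. Safe Attachments: policy action, plus the tenant-wide SharePoint/OneDrive/Teams switch
foreach ($p in Get-SafeAttachmentPolicy) {
    Test-Setting $p 'Safe Attachments' 'Enable' $isOn 'True'
    Test-Setting $p 'Safe Attachments' 'Action' { $args[0] -in 'DynamicDelivery', 'Block' } 'DynamicDelivery or Block'
}
Test-Setting (Get-AtpPolicyForO365) 'Safe Attachments' 'EnableATPForSPOTeamsODB' $isOn 'True'

# 3. Anti-phishing: impersonation protection must be on AND have targets listed
$phishSwitches = 'EnableTargetedUserProtection', 'EnableOrganizationDomainsProtection',
                 'EnableMailboxIntelligence', 'EnableMailboxIntelligenceProtection',
                 'EnableSimilarUsersSafetyTips'
foreach ($p in Get-AntiPhishPolicy) {
    foreach ($s in $phishSwitches) { Test-Setting $p 'Anti-phishing' $s $isOn 'True' }
    Test-Setting $p 'Anti-phishing' 'TargetedUsersToProtect' { @($args[0] | Where-Object { $_ }).Count -gt 0 } 'Executives, finance team'
    Test-Setting $p 'Anti-phishing' 'TargetedUserProtectionAction' { $args[0] -in 'MoveToJmf', 'Quarantine' } 'MoveToJmf or Quarantine'
}

# 4. Anti-spam: bulk threshold of 6 or lower, spam quarantined rather than junked
foreach ($p in Get-HostedContentFilterPolicy) {
    Test-Setting $p 'Anti-spam' 'BulkThreshold' { $args[0] -le 6 } '5 or 6'
    Test-Setting $p 'Anti-spam' 'SpamAction' { $args[0] -eq 'Quarantine' } 'Quarantine'
}

$findings | Format-Table -AutoSize
```

The script reads policy objects only. For custom policies, also confirm that the matching rule (`Get-SafeLinksRule`, `Get-SafeAttachmentRule`, `Get-AntiPhishRule`) is enabled and scoped to the right recipients.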

Quick Wins

Today:

  • Check you have Business Premium or Defender add-on
  • Enable Safe Links and Safe Attachments
  • Add executives to impersonation protection

This week:

  • Configure anti-phishing policy fully
  • Tighten anti-spam settings
  • Test with a phishing simulation

Ongoing:

  • Review quarantine regularly
  • Monitor phishing reports
  • Update impersonation list as roles change
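
One way to keep the impersonation list current as roles change is to drive it from a group. This is an added example, not part of the original page; the group name, the policy name and the `$Apply` switch are placeholders chosen here, and an existing `Connect-ExchangeOnline` session is assumed.

```powershell
# Added example: sync the anti-phishing impersonation list from a group.
# Assumptions (not from the original page): both names below are placeholders.
$GroupName  = 'Impersonation-Protected'   # hypothetical group: executives, finance team
$PolicyName = 'Strict Anti-Phishing'      # hypothetical existing anti-phishing policy
$Apply      = $false                      # leave $false to preview the changes only

# TargetedUsersToProtect entries use the form "DisplayName;EmailAddress".
$wanted = @(Get-DistributionGroupMember -Identity $GroupName -ResultSize Unlimited |
    Where-Object { $_.PrimarySmtpAddress } |
    ForEach-Object { '{0};{1}' -f $_.DisplayName, $_.PrimarySmtpAddress } |
    Sort-Object -Unique)

# Never replace the protected list with nothing because a group lookup came back empty.
if ($wanted.Count -eq 0) { throw "Group '$GroupName' returned no members; policy left unchanged." }

$policy  = Get-AntiPhishPolicy -Identity $PolicyName
$current = @($policy.TargetedUsersToProtect | Where-Object { $_ })

# -notin is case-insensitive, so address casing differences are not reported as changes.
$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $wanted })

$toAdd    | ForEach-Object { "ADD    $_" }
$toRemove | ForEach-Object { "REMOVE $_" }

if (($toAdd.Count + $toRemove.Count) -eq 0) {
    'Impersonation list already matches the group.'
} elseif ($Apply) {
    # Passing the full array replaces the existing list on the policy.
    Set-AntiPhishPolicy -Identity $PolicyName -EnableTargetedUserProtection $true `
        -TargetedUsersToProtect $wanted
} else {
    'Preview only. Set $Apply = $true to write the changes.'
}
```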

External Email Warning

Add a banner to external emails:

  1. Exchange Admin Centre > Mail Flow > Rules
  2. Create rule
  3. Condition: Sender is outside organisation
  4. Action: Prepend disclaimer
  5. Text: "[EXTERNAL] This email originated from outside the organisation. Be cautious with links and attachments."

Simple but effective. Makes users pause.
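
The same rule can be created from Exchange Online PowerShell, which makes it repeatable across tenants. This is an added example, not part of the original page; the rule name and the HTML wrapping of the banner text are choices made here, and an existing `Connect-ExchangeOnline` session is assumed.

```powershell
# Added example: the external-sender banner as a mail flow rule, created or updated in place.
$RuleName = 'External sender banner'   # hypothetical rule name
$banner   = '<p><strong>[EXTERNAL]</strong> This email originated from outside the ' +
            'organisation. Be cautious with links and attachments.</p>'

$settings = @{
    FromScope                         = 'NotInOrganization'  # Condition: sender is outside the organisation
    ApplyHtmlDisclaimerLocation       = 'Prepend'            # Action: prepend disclaimer
    ApplyHtmlDisclaimerText           = $banner
    # If the body cannot be modified (for example an encrypted message),
    # deliver the original wrapped inside a new message that carries the banner.
    ApplyHtmlDisclaimerFallbackAction = 'Wrap'
}

# Look the rule up by name so that re-running the script does not create duplicates.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }

if ($existing) {
    Set-TransportRule -Identity $RuleName @settings
} else {
    New-TransportRule -Name $RuleName @settings
}

# Confirm the rule is enabled and where it sits in the rule order.
Get-TransportRule | Where-Object { $_.Name -eq $RuleName } |
    Format-List Name, State, Priority, FromScope
```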

What Defender Won't Catch

Even with full configuration:

  • Sophisticated impersonation from lookalike domains
  • Compromised legitimate sender accounts
  • Zero-day threats (temporarily)
  • Business Email Compromise with no malware

You still need:

  • User awareness training
  • Verification processes for financial requests
  • Reporting culture

Common Mistakes

Using defaults: Out-of-box settings are too permissive. Configure properly.

Not adding impersonation targets: If you don't tell it who to protect, it doesn't protect them.

Blocking too aggressively: Over-aggressive settings = false positives = users ignore warnings = worse security.

Ignoring reports: Defender provides data. Use it. Review what's being caught and missed.

What We Configure

For managed clients:

  • Safe Links and Attachments configured optimally
  • Anti-impersonation for executives and finance
  • Policies tuned over time based on false positive/negative feedback
  • Monitoring of threats blocked and emerging patterns
  • User training to complement technical controls

Defender is powerful when configured properly. Default settings aren't proper configuration.