Defender 365: How It Can Protect You and Your Business

By Ted Brown | April 4, 2023
Ted Brown is Ntiva’s Director of Product Management, our go-to guy for all things product related and our certified Microsoft expert!

What's the best spam solution for your business? This used to be a complicated question with a variety of decent answers, but as of late the best response is simply "Defender 365."

While the front end of Defender 365 is fairly simple, let's take a deeper look at the capabilities of Microsoft Defender that separate it from the pack!



What is Microsoft Defender 365?

Microsoft Defender for Office 365 is the cybersecurity software inside of Office 365 licensing, providing anti-spam, anti-phishing, and other security protections throughout your 365 landscape to keep your accounts and devices safe.


Email Security: How Emails Flow Through Office 365


When external mail is sent to you, the email travels across the internet directly to your Exchange Online Protection, the basic anti-spam platform included with all Microsoft 365 mailboxes. While I don't recommend using this without Defender 365, Exchange Online Protection does a fair job at bare-bones protection from malicious emails.

After passing the anti-malware and policy filters in Exchange Online Protection, emails go through the more advanced filtering policies included in Defender for Office 365. These include anti-phishing, user impersonation, and domain impersonation filters.


Microsoft Defender: The Best Threat Protection for Your 365 Environment

Workplace collaboration has never been easier, thanks to software like Office 365. We no longer simply communicate over email; all of our Microsoft Office programs are integrated through simple clicks. The downside to this ease of collaboration, however, is the increased threat landscape that needs to be monitored at all times.

Malicious links can now be sent through documents or messages on collaboration tools such as Teams, OneDrive, or SharePoint, bypassing all of the basic anti-spam offerings of Exchange Online Protection. Microsoft Defender for Office 365 takes care of this in multiple ways.

Customizable Threat Protection Policies

You can decide how strict you want your threat protection policies to be for your organization. These policies can be as simple as blocking certain domains, all the way to stopping suspicious links from ever arriving in your inbox.

Real-Time Reporting

Keep an eye on any potential issues at all times, with easily accessible dashboards providing up to the minute reporting for your entire organization.

Automated Threat Investigation and Response

Save time and effort investigating and mitigating threats with automated responses. Known threats can be pinpointed and stopped completely without anyone on your staff lifting a finger!


Defender for Office 365 Licensing Types


While the free version (Exchange Online Protection) of Microsoft Defender for Office 365 does provide some safety nets for your business, we recommend upgrading to Exchange Online Plan One. For $2 per user/month, you have the full capability of Defender for cloud apps in your Office 365 environment, including SharePoint, OneDrive, and Teams.

Exchange Online Plan Two ($5 per user/month) includes extras such as threat tracking and explorer, attack simulation, and end user training campaigns, but the main security features we recommend for Defender are all available in Exchange Online Plan One.


Security Layers of Defender for Office 365


The Microsoft Defender for Office 365 protection stack has multiple layers of security protection for all incoming messages. This stack is composed of four layers, each checking for different types of threats. Let's take a look at the cybersecurity components of each.

Edge Layer

The edge layer checks every single message for sender validity. Is this really coming from who they say they are? Are they a reputable domain?

Network Throttling: The number of messages that can be accepted at any given time is limited thanks to network throttling. This helps prevent Denial of Service (DoS) attacks.

IP Reputation: The sender's IP address is checked, and if found to be a known bad connecting IP, all messages are automatically blocked.

Domain Reputation: Same idea as IP reputation, but based on the sending domain name. All messages from a known bad domain are automatically blocked.

Directory-Based Edge Filtering: Advanced tool meant to prevent data harvesting of your organization's directory information through SMTP.

Backscatter Detection: Prevents your accounts from being attacked through invalid non-delivery reports (NDRs).

Enhanced Filtering for Connectors (Skip Listing): Checks the true source of emails as they arrive, even when traffic passes through another device before it reaches Office 365.


Sender Intelligence Layer

If the domain and IP address information check out, Defender 365 looks at who is sending the message.

Account Compromise Detection: This will flag messages sent from an account that appears to be compromised.

Spoof Intelligence: Blocks emails that are sent from malicious senders pretending to be a valid domain. This can include someone pretending to use your own business domain!

Bulk Filtering: A configurable bulk confidence level (BCL) indicates whether the message comes from a bulk sender; the higher the BCL, the more likely the message is spam.

Mailbox Intelligence: Learns from standard user email behavior and will flag emails if the email behavior seems out of the ordinary. This can cover user and domain impersonation as well!


Content Filtering Layer

The location and the sender have been validated, so now it's time for Defender to look at the content INSIDE the email, including attachments and links.

Mail Flow Rules: Evaluate all messages based on the conditions, exceptions, and actions of enabled mail flow rules.

Microsoft Defender Antivirus: Two separate third-party antivirus engines are used to detect any known malware in attachments.

Common Attachment Filtering: Customizable attachment blocking based on your settings. This can be used for specific file types, such as all PDFs or XLS files.

Content Heuristics: Machine learning can detect and flag suspicious messages based on message structure and word frequency.

Safe Attachments: Sandboxes every attachment before delivery, using dynamic analysis to detect new threats and prevent delivery if flagged.


Post-Delivery Layer

The message was sent from a legitimate email address, the attachments and URLs are clean... time for the post-delivery layer!

Safe Links: When a URL is clicked, the reputation is checked before the user heads to the website. This is applied to all Office 365 software, including SharePoint, OneDrive, and Teams.

Zero-Hour Auto-Purge (ZAP): Retroactively detects and neutralizes malicious content that was previously delivered. This works for malware, phishing, and spam.


When combined, these layers of Microsoft Defender for Office 365 cloud services add up to a robust, complex cybersecurity system that keeps your organization safe throughout the entire communication process.
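Here is how those four layers map onto Exchange Online PowerShell settings, as an added example that is not part of the article or Ntiva's own tooling. It assumes an existing tenant with the ExchangeOnlineManagement module installed, a placeholder domain contoso.example, a placeholder protected user, and assumed policy and connector names ("ThirdPartyGateway", "Sandbox-All", "SafeLinks-All").

```powershell
# Added example (not from the article or Ntiva): configures each Defender for
# Office 365 layer described above with the ExchangeOnlineManagement module.
# Assumptions: an existing tenant, the placeholder domain contoso.example,
# a placeholder protected user, and assumed policy/connector names.
Connect-ExchangeOnline

# Edge layer: Enhanced Filtering for Connectors on an assumed inbound connector,
# so EOP evaluates the true source IP behind a third-party gateway (skip listing).
Set-InboundConnector -Identity "ThirdPartyGateway" -EFSkipLastIP $true

# Sender intelligence layer: spoof intelligence, mailbox intelligence, and
# user/domain impersonation protection in the default anti-phishing policy.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableSpoofIntelligence $true -AuthenticationFailAction MoveToJmf `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Jane Doe;jane.doe@contoso.example") `
    -TargetedUserProtectionAction Quarantine

# Sender intelligence layer: bulk confidence level threshold (1-9, lower is stricter).
# Post-delivery layer: Zero-Hour Auto-Purge for spam and phishing already delivered.
Set-HostedContentFilterPolicy -Identity Default -BulkThreshold 6 `
    -BulkSpamAction MoveToJmf -SpamZapEnabled $true -PhishZapEnabled $true

# Content filtering layer: common attachment filter (FileTypes replaces the list),
# plus malware ZAP for the post-delivery layer.
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true `
    -FileTypes @("exe", "js", "vbs", "iso", "img", "scr") -ZapEnabled $true

# Content filtering layer: Safe Attachments sandboxing for every recipient in the domain.
New-SafeAttachmentPolicy -Name "Sandbox-All" -Enable $true -Action Block
New-SafeAttachmentRule -Name "Sandbox-All" -SafeAttachmentPolicy "Sandbox-All" `
    -RecipientDomainIs contoso.example

# Post-delivery layer: Safe Links time-of-click checks in mail, Teams, and Office apps.
New-SafeLinksPolicy -Name "SafeLinks-All" -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "SafeLinks-All" -SafeLinksPolicy "SafeLinks-All" `
    -RecipientDomainIs contoso.example

# Check the result: these properties should now reflect the settings above.
Get-HostedContentFilterPolicy -Identity Default |
    Select-Object BulkThreshold, BulkSpamAction, SpamZapEnabled, PhishZapEnabled
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Select-Object EnableSpoofIntelligence, EnableMailboxIntelligence, EnableTargetedUserProtection
```

The New-*Rule cmdlets scope each policy to the domain; a tenant that already has Safe Attachments or Safe Links policies should edit them with the matching Set-* cmdlets instead of creating duplicates.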


Microsoft Defender for Office 365: Serious Cybersecurity for Your Business Communication and Collaboration Channels

Is your organization utilizing Office 365 WITHOUT Microsoft Defender? If this is the case, you're at serious risk of a cyber attack. Never quite got around to upgrading to Office 365? Reach out to us and see how our team of experts can help you stay connected and secure!

