
Microsoft Defender for Office 365 India 2026 — Email Security for Microsoft 365 Users

Microsoft Defender for Office 365 is the email and collaboration security layer built into Microsoft 365 — protecting against phishing, business email compromise (BEC), malicious attachments, dangerous links, and account takeover in Microsoft 365 mailboxes, Teams, SharePoint, and OneDrive.

Like Defender for Endpoint, Defender for Office 365 is dramatically underutilised in India. Many organisations on Business Premium or E3/E5 have Defender for Office 365 included — and have never activated or configured it properly.


What Defender for Office 365 Protects

Microsoft 365 without Defender for Office 365 has basic Exchange Online Protection (EOP) — antispam and signature-based antimalware. EOP alone is not sufficient against modern phishing, BEC, and targeted email attacks.

Defender for Office 365 adds:

Safe Links

URL rewriting and real-time scanning — every link in an email (and in Office documents and Teams messages) is scanned at click time. If a URL has been weaponised after delivery, Defender blocks it at click time (time-of-click detonation). Without Safe Links, a link that is clean at delivery and later becomes malicious goes undetected.

This is the most consistently effective control against phishing in Microsoft 365 environments. Most major Microsoft 365 phishing incidents in India involve links that bypassed EOP because they were clean at delivery.

Safe Attachments

Files attached to emails are detonated in a cloud sandbox before delivery — Microsoft's virtual environment executes the attachment and observes behaviour before it reaches the user's inbox. Delivery is briefly delayed (typically 2–4 minutes) while analysis completes.

Protects against:

  • Weaponised Office documents with malicious macros
  • PDF files with embedded exploits
  • Archive files (.zip, .7z) containing payloads
  • Executable files disguised as documents

Safe Attachments is also available for SharePoint, OneDrive, and Teams — files shared through these platforms can be sandboxed before users access them.

Anti-Phishing with AI Impersonation Detection

Basic anti-phishing is in EOP. Defender for Office 365 adds:

User impersonation protection: Detects emails that attempt to impersonate specific high-value users — your CEO, CFO, vendor contacts. Learns normal email patterns and flags deviations.

Domain impersonation: Blocks emails from domains that visually resemble your domain — "cloudfysys.com" or "cloudfy-systems.com" attempting to impersonate "cloudfysystems.com."

Mailbox intelligence: ML model built on your organisation's email graph — which users communicate with which external domains. Flags unusual sender behaviour that is statistically anomalous for your communication patterns.

For Indian businesses facing BEC attacks — particularly payment redirection fraud targeting finance teams — these controls are the primary defence. BEC is the highest-financial-impact email threat category for Indian enterprises.


Defender for Office 365 Plan 1 vs Plan 2

Plan 1 (P1)

The prevention tier — covers the core email security controls.

Included in P1:

  • Safe Links (email, Teams, Office documents)
  • Safe Attachments (email, SharePoint, OneDrive, Teams)
  • Anti-phishing with AI impersonation and mailbox intelligence
  • Anti-spam and anti-malware (EOP is the base; P1 adds the above)
  • Real-time reports in the Microsoft 365 Defender portal

Best for: Organisations that need to activate proper protection on existing Microsoft 365 mailboxes. P1 provides the controls that prevent most email-borne attacks.

Plan 2 (P2)

Adds investigation, response, and training capabilities on top of P1.

Everything in P1, plus:

Threat Explorer: Full visibility into email flow — search all email processed by Microsoft 365 by sender, URL, file hash, or detection type. Investigate which users received a specific phishing URL, which emails contained a specific malicious attachment, and take bulk remediation actions (delete emails from mailboxes retroactively).

This is the primary investigation tool for email security incidents in Microsoft 365 environments.

Automated Investigation and Response (AIR) for Email: When a high-confidence email threat is detected, AIR automatically:

  • Scans for related emails in all mailboxes
  • Quarantines matching emails
  • Identifies affected users
  • Generates an investigation summary

Reduces the manual effort of post-incident email forensics from hours to minutes.

Attack Simulation Training: Run simulated phishing campaigns against your own users:

  • Choose from 1,000+ real-world phishing templates
  • Measure click rates, credential submission rates, QR code scan rates
  • Auto-enroll users who fail in targeted training modules
  • Track improvement over time by department, role, location

Campaign Views: Groups related phishing emails into campaigns — identifies coordinated attack campaigns targeting multiple users across your organisation, with full campaign timeline and IOC extraction.

Threat Trackers: Noteworthy threat intelligence dashboards — surfaces emerging campaigns relevant to your industry and geography.


Which Microsoft 365 Plan Includes Defender for Office 365?

| Microsoft 365 Plan | Defender for Office 365 |
|---|---|
| Microsoft 365 Business Basic | Exchange Online Protection only (no Defender) |
| Microsoft 365 Business Standard | Exchange Online Protection only |
| Microsoft 365 Business Premium | Defender for Office 365 Plan 1 |
| Microsoft 365 Apps for Enterprise | Exchange Online Protection only |
| Microsoft 365 E3 | Exchange Online Protection only |
| Microsoft 365 E5 | Defender for Office 365 Plan 2 |
| Microsoft 365 E5 Security add-on | Defender for Office 365 Plan 2 |
| Defender for Office 365 P1 standalone | Available — per-user/month |
| Defender for Office 365 P2 standalone | Available — per-user/month |

Important for Indian E3 users: Microsoft 365 E3 does NOT include Defender for Office 365. E3 only includes basic Exchange Online Protection. If your organisation is on E3 and has not added Defender for Office 365, your email security is limited to spam filtering and signature-based antimalware. The phishing, impersonation, and BEC controls described above are absent.

Options for E3 users:

  • Add Defender for Office 365 P1 standalone (per user, per month) — adds the prevention layer
  • Upgrade to Microsoft 365 E5 Security add-on — adds both Defender for Office 365 P2 and Defender for Endpoint P2 on top of E3

Common Activation Gaps in India

Defender for Office 365 included in Business Premium or E5 is not "on" in any meaningful sense without configuration. Default policies are in place but do not represent a properly deployed Defender environment.

1. Safe Links policy not configured for internal mail: Default Safe Links only scans external inbound email. To protect against internal phishing (compromised account sending malicious links internally), Safe Links must be explicitly enabled for internal email. Most deployments miss this.

2. Safe Attachments in "Monitor" mode, not "Block": The default Safe Attachments policy in many tenants is in monitor-only mode — it detects but does not block malicious attachments. Effective deployment requires confirming policies are in blocking mode with appropriate action for detected malware.

3. Anti-impersonation list not populated: User impersonation protection is only as good as the list of high-value users you have configured for protection — your CEO, CFO, board members, finance team, key vendor contacts. An empty list means no impersonation protection is active.

4. Attack Simulation not run: P2 subscribers who have never run a phishing simulation have no baseline measurement of their organisation's email risk posture. Cloudfy recommends running a baseline simulation as the first step of any Defender for Office 365 P2 deployment.

5. Threat Explorer not monitored: Threat Explorer provides full visibility into email threats — but requires someone to review it. Without a defined process for reviewing Threat Explorer findings (daily or weekly), the detection capability exists but produces no operational security benefit.
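Gaps 1 to 3 are policy settings that can be read back and checked. The PowerShell below is an added example, not Cloudfy's or Microsoft's code: a function with the hypothetical name Get-MdoActivationGap flags those three gaps from policy objects. It assumes the property names returned by the Exchange Online cmdlets Get-SafeLinksPolicy, Get-SafeAttachmentPolicy and Get-AntiPhishPolicy, and the sample objects are constructed.

```powershell
# Added example, not Cloudfy or Microsoft code. Get-MdoActivationGap is a hypothetical name.
# Live use (after Connect-ExchangeOnline):
#   Get-MdoActivationGap -SafeLinks (Get-SafeLinksPolicy) `
#       -SafeAttachments (Get-SafeAttachmentPolicy) -AntiPhish (Get-AntiPhishPolicy)
function Get-MdoActivationGap {
    param(
        [object[]]$SafeLinks = @(),
        [object[]]$SafeAttachments = @(),
        [object[]]$AntiPhish = @()
    )
    foreach ($p in $SafeLinks) {
        # Gap 1: Safe Links off for email, or not applied to internal senders
        if ((-not $p.EnableSafeLinksForEmail) -or (-not $p.EnableForInternalSenders)) {
            [pscustomobject]@{ Gap = 1; Policy = $p.Name
                Finding = 'Safe Links does not cover internal mail' }
        }
    }
    foreach ($p in $SafeAttachments) {
        # Gap 2: policy disabled, or Action 'Allow' (shown as Monitor in the portal),
        # which still delivers the attachment
        if ((-not $p.Enable) -or ($p.Action -notin 'Block', 'DynamicDelivery')) {
            [pscustomobject]@{ Gap = 2; Policy = $p.Name
                Finding = "Safe Attachments not blocking (Enable=$($p.Enable), Action=$($p.Action))" }
        }
    }
    foreach ($p in $AntiPhish) {
        # Gap 3: user impersonation protection off, or its protected-user list is empty
        $protected = @($p.TargetedUsersToProtect | Where-Object { $_ })
        if ((-not $p.EnableTargetedUserProtection) -or ($protected.Count -eq 0)) {
            [pscustomobject]@{ Gap = 3; Policy = $p.Name
                Finding = 'No protected users configured for impersonation' }
        }
    }
}

# Constructed sample objects shaped like the cmdlet output (not real tenant data)
$sample = @{
    SafeLinks       = @([pscustomobject]@{ Name = 'SL-Default'; EnableSafeLinksForEmail = $true
                                           EnableForInternalSenders = $false })
    SafeAttachments = @(
        [pscustomobject]@{ Name = 'SA-Monitor'; Enable = $true; Action = 'Allow' }
        [pscustomobject]@{ Name = 'SA-Strict'; Enable = $true; Action = 'Block' }
    )
    AntiPhish       = @([pscustomobject]@{ Name = 'AP-Default'; EnableTargetedUserProtection = $true
                                           TargetedUsersToProtect = @() })
}
Get-MdoActivationGap @sample | Format-Table -AutoSize
```

Gaps 4 and 5 are process gaps rather than policy settings, so they are not covered by this check.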


Defender for Office 365 vs Mimecast vs Barracuda

For organisations evaluating standalone email security vendors against Defender for Office 365:

| Dimension | Defender for Office 365 P2 | Mimecast | Barracuda Email Security |
|---|---|---|---|
| Architecture | API-native (cloud, no MX change) | Gateway (MX-based) | API-native (gateway also available) |
| Installation complexity | Simple API permissions in M365 | MX record change + connector setup | API connection or MX change |
| Detection quality | Strong — Microsoft threat intel | Strong — independent threat intel | Strong — AI + pattern matching |
| Email continuity | Via Exchange Online | Included (Mimecast Continuity) | Via Barracuda Essentials |
| Email archiving | Via Microsoft 365 archiving | Included (Mimecast Archive) | Via separate Barracuda product |
| Encryption | Via Microsoft Purview | Included | Available |
| Cost if on M365 E5 | Included | Additional subscription | Additional subscription |
| DMARC enforcement | Via Microsoft admin config | Via Mimecast DMARC Analyzer | Via Barracuda DMARC configuration |

Key consideration: If you are on Microsoft 365 E5 or Business Premium, Defender for Office 365 is already licensed. Adding Mimecast or Barracuda on top incurs additional cost — typically ₹200–600 per user per year — for incremental capability that may not justify the cost for organisations that properly configure and manage Defender for Office 365.

Mimecast's continuity service (email availability during Exchange Online outages) and archiving capabilities are the most commonly cited reasons for maintaining Mimecast alongside Defender for Office 365 in hybrid deployments.


Frequently Asked Questions

Does Defender for Office 365 protect Google Workspace?

No. Defender for Office 365 only protects Microsoft 365 mailboxes (Exchange Online). For Google Workspace email security, Google's built-in Workspace security controls apply. Third-party products (Mimecast, Barracuda) cover both platforms.

Is Defender for Office 365 effective against QR code phishing?

Microsoft has added QR code detection to Defender for Office 365 — identifying embedded QR codes in emails and scanning the destination URL. This was a significant gap that has been addressed in recent updates. Cloudfy validates QR phishing controls as part of Defender deployment engagements.

Can Defender for Office 365 protect Teams and SharePoint?

Yes. Safe Links applies to URLs shared in Microsoft Teams messages. Safe Attachments applies to files uploaded to SharePoint and OneDrive. Both require policy configuration — they are not active under the default settings.

How long does Safe Attachments delay email delivery?

Typically 2–4 minutes for unknown files being detonated. Clean files with known-safe signatures deliver without delay. Files from trusted senders (configured in policy) can bypass sandboxing. For organisations sensitive to email delivery latency, the delay is minimal and the security benefit significant.


Ready to activate and configure Microsoft Defender for Office 365 in your organisation? Contact Cloudfy Systems — authorised Microsoft partner — for a free email security assessment and formal quotation.
