Multi-Chapter Guide
Microsoft Defender For Office 365 - A Full Guide
Mar 26, 2024
11 min

Main security features of Microsoft Defender For Office 365

Phishing remains one of the oldest yet most persistent cyber threats facing organizations. Despite its long history, it is not going away but evolving, and it has become one of the leading attack vectors for cybercriminals, often serving as the entry point for ransomware.

To combat this ever-evolving threat, the cybersecurity sector is constantly developing better tools. Among the latest innovations is Microsoft Defender for Office (MDO), an integrated suite of email security functions designed to enhance the capabilities of Microsoft Defender XDR. 

MDO has numerous features, security policies, and a user interface that changes very frequently, which can make it challenging for analysts to navigate and use efficiently during their email investigations. Furthermore, for each MDO feature there are several scattered articles from Microsoft, making it hard to find everything you need in a single place.

This article aims to address these challenges by focusing on the key email security features offered by MDO. We'll guide you through effective usage for phishing analysis and highlight any limitations to be aware of. 

Summary of key MDO features 

The table below summarizes six email MDO security features that can assist you in your phishing investigations. 

MDO feature | Description
Explorer | Explorer enables you to go through 30 days of email logs from an easy-to-use interface.
Advanced Hunting Queries (AHQ) | Use the Kusto Query Language (KQL) to query email logs from the console instead of the Explorer's UI.
Investigations | Automate the investigation process of malicious emails to reduce the security team's burden with Automated Investigation and Response (AIR).
Campaigns | Use this feature to analyze phishing campaigns, their frequency, the origin of the campaign, the phishing theme, etc.
Attack simulation training | Organize phishing simulations and security awareness training (SAT) to increase employees' resilience to phishing.
Policies & rules | Configure email security features, such as safe attachments, safe links, etc., to increase overall anti-phishing defense.

Six email security features of MDO

In the following sections, we’ll explore, in detail, six key email security features provided by MDO, designed to empower your journey through every phase of managing phishing incidents, from investigation to incident response (IR).

Microsoft Defender XDR section for MDO

Explorer

Explorer is the UI component of MDO that allows analysts to search in email logs for items of interest. It contains all the email metadata for emails entering or leaving your organization. You can use different email properties—such as the sender, sender domain, URL domain or complete URL, attachment name, or email ID—to find malicious emails or identify phishing campaigns. 

MDO: searching emails of interest with Explorer

While there are more than 60 filtering capabilities, most analysts often use the following email properties during their analysis:

  • Sender or sender domain
  • Recipient or recipient domain
  • Subject
  • Network message ID (unique identifier of an email)
  • Sender IP
  • URL or URL domain 
  • Attachment name

Depending on the phishing investigation, analysts can use each of these properties to find related emails or targeted victims. For example, consider a phishing campaign that uses several compromised email addresses to send phishing emails at scale, each with a slightly different subject (such as the victim's name or email address). This makes it challenging to identify all the emails and initiate the IR process. However, by examining the metadata of a few of these emails, analysts can identify elements they share, such as the sender IP or the URL domain, and use the Explorer UI to find every email belonging to the campaign. Pivoting on the URL domain works because attackers typically keep the same phishing domain but vary the URL for each victim, e.g., by base64-encoding the recipient's email address into the URL to track which recipients fell for the malicious email.

Once malicious emails are identified, analysts can start with the IR process. Given enough permissions, they can start deleting phishing emails and block email senders (or sender domains), as well as malicious URLs or attachment hashes. 

Unfortunately, these actions cannot be performed in one place. IR actions that determine the final destination of the email (e.g., the deleted items, junk, or inbox folder) can be found under Explorer → Message actions. Blocking senders is possible under Policies & rules, which are discussed later in this article. Finally, blocking URLs or file hashes is possible under Settings → Endpoints → Indicators, which is neither trivial nor straightforward to find.

MDO: taking action against suspicious/malicious emails

Note that Explorer has some IR limitations, most of which you will not find in Microsoft’s documentation:

  • Filtering based on properties in MDO is not flexible, mostly providing “equal to” or “not equal to” filtering. Unfortunately, it doesn’t provide other options, such as “starts with,” “ends with,” or “contains,” nor does it allow the use of regular expressions.
  • You cannot allowlist URLs, even if they belong to your organization—you would need to report them to Microsoft and wait for their evaluation. Meanwhile, the false positives and blocked emails due to this presumed “phishing URL” will increase the pressure on the security team.
  • Email logs are only available for the last 30 days. You should consider other ways to save these logs, which might be needed for investigations that require email logs for more than this time period, e.g., investigating a data exfiltration via email that has lasted for months.


Advanced Hunting Queries (AHQ)

For security analysts who are confident in their KQL skills and more comfortable with the console than the UI, Defender XDR provides the AHQ feature with three tables (EmailEvents, EmailUrlInfo, and EmailAttachmentInfo) dedicated to email logs. Compared to the Explorer UI, this has the additional benefit of letting analysts query email properties with more flexible operators, such as "contains", and with regular expressions.

Additionally, AHQ enables analysts to join results from different email tables to gather more information on the email, its URLs, or attachments, such as the file hash, which is not available from the UI. For example, the query below will search for all emails with a subject that contains “Paypal” and a sender email address containing “attacker” for the last five days, joining the results with EmailUrlInfo and printing only the most important columns of both tables.

EmailEvents
// KQL "contains" is a case-insensitive substring match, so "Paypal" also matches "PayPal"
| where Subject contains "Paypal" and SenderFromAddress contains "attacker"
| where Timestamp > ago(5d)
// kind=inner keeps one row per recipient and URL; the default join kind (innerunique)
// would drop the extra recipient rows of a message sent to several people
| join kind=inner EmailUrlInfo on NetworkMessageId
| project Timestamp, SenderMailFromAddress, SenderFromAddress, SenderIPv4, RecipientEmailAddress, Subject, AttachmentCount, UrlCount, Url, DeliveryAction, DeliveryLocation, AuthenticationDetails, ThreatTypes, ThreatNames
| sort by Timestamp desc

As with Explorer UI, the email data you can query is limited to the last 30 days. It has the additional limitation that KQL is a unique querying language and not quite SQL-like, with a steep learning curve for beginners.
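The campaign pivot described in the Explorer section (one known phishing URL domain, many victims with per-recipient URLs) can also be done from AHQ, which additionally gives the counts and sets that the Explorer UI does not summarize for you. The query below is an added example and is not from the article or from Microsoft's documentation; it uses only the standard EmailUrlInfo and EmailEvents columns, and the domain assigned to seed_domain is a placeholder to be replaced with the domain observed in the suspicious email.

```kql
// Added example: pivot from one phishing URL domain to the whole campaign.
// seed_domain is a placeholder; replace it with the domain seen in the reported email.
let seed_domain = "phish-example.invalid";
EmailUrlInfo
| where Timestamp > ago(30d)                       // AHQ only retains 30 days of email data
| where UrlDomain =~ seed_domain                   // case-insensitive equality on the URL domain
// one EmailEvents row per recipient; kind=inner keeps all of them
| join kind=inner EmailEvents on NetworkMessageId
| summarize
    Messages   = dcount(NetworkMessageId),
    Recipients = dcount(RecipientEmailAddress),
    UniqueUrls = dcount(Url),                      // high value vs. Messages => per-victim URLs
    Senders    = make_set(SenderFromAddress, 20),
    SenderIPs  = make_set(SenderIPv4, 20),
    Subjects   = make_set(Subject, 20),
    StillInInbox = countif(DeliveryLocation == "Inbox/folder"),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp)
  by UrlDomain
```

The Senders, SenderIPs, and Subjects sets show how much the campaign varies per message, UniqueUrls confirms whether the URL changes per victim, and StillInInbox tells the responder how many delivered copies need the Explorer → Message actions clean-up before the IR process is complete.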

Automated Investigation and Response (AIR)

To reduce the burden on security teams, MDO includes the AIR feature, which automates some of the investigation steps and IR actions. AIR starts automatically the moment any of at least ten types of email security alerts fires in MDO. Analysts can also trigger AIR manually for suspicious emails that were not detected by MDO, by clicking Explorer → Message actions → Trigger investigation (as shown above in the Explorer section). The actions taken by AIR can be found and reviewed under Email & collaboration → Investigations.

Once triggered, AIR will gather data about the email and its elements (such as URLs or attachments), evaluate the sender’s IP reputation and other elements, and provide all this gathered information to the analyst, together with remediation recommendations that analysts can approve or reject. 

Campaigns

This is another subsection in MDO with a UI similar to Explorer but with a different focus. Its UI and filtering options are tailored to analyze phishing campaigns, provide a plot of identified phishing campaigns against your organization, and list the top phishing campaigns. It also provides the number of recipients and indicates whether any of them fell victim to the malicious email and interacted with it. This data can be quite helpful for the threat intelligence team when evaluating phishing campaign trends, the phishing theme (e.g., M365 credential phishing), the frequency of such campaigns, or the threat actors behind them.

MDO Campaigns feature to track phishing campaigns

The limitation of this feature is that it only covers phishing campaigns previously tagged by MDO, denying analysts the ability to chart and analyze campaigns they’ve independently discovered.


Attack simulation training

Phishing fundamentally preys on human vulnerability, attempting to deceive individuals into actions that benefit the attacker. Despite the best efforts of security tools to intercept as many phishing attempts as possible, no single tool is infallible. Recognizing this reality, Microsoft has woven phishing simulations and security awareness training (SAT) into the fabric of MDO, consolidating them within the Attack simulation training feature.

MDO: Attack simulation training

While this MDO feature contains a vast amount of payloads to choose from for phishing simulations and a complementary library for SAT, it also has its limitations. For example, phishing simulation reports are quite basic (mostly table-based) and provide little flexibility for analysts to modify them to display the data in different formats. Additionally, organizing and manually setting up the phishing campaign can be quite a lengthy process, especially at the beginning. 

To speed up the process and benefit from real-time phishing simulation reporting and analytic dashboards, your organization might consider IRONSCALES autonomous simulations. This product provides fully automated monthly campaigns based on the latest real-world attack methods and uses GenAI to create the simulations, continuously testing employees and their resilience to phishing while saving IT teams significant amounts of time. The IT (security) team can still control or adjust the frequency of simulations and then leave the rest to IRONSCALES. 

MDO’s security awareness training (SAT) content has one significant limitation—it's quite generic. Microsoft has to create SAT content that broadly addresses common phishing tactics, aiming to accommodate its global customer base. However, organizations operate in different sectors of the industry and are often faced with specialized and targeted phishing attacks specific to their sectors, making it crucial to have training content that can be tailored to these specific phishing attacks. 

One platform that can do this is IRONSCALES, which provides a wide range of interactive training and videos with up-to-date phishing examples for different industry sectors or even different departments within your organization. Even better, by combining both SAT and phishing simulation testing from IRONSCALES, the training content can be tailored and personalized for all employees based on how they interact with phishing emails in each phishing simulation. 

IRONSCALES training modules

Policies & rules

One of the most important components of MDO is Policies & rules, where the IT team can configure a variety of defensive email features and alert rules (currently 49 are available) to govern and restrict the email flow based on the risk appetite of your organization. Due to the extensive array of policies and rules offered by MDO, they are discussed in this separate article. Here, we will mention some of the most important policies that affect phishing investigations and IR: 

  • Zero-hour auto purge (ZAP): Part of the anti-malware policy, this feature enables MDO to automate a part of the IR process. In cases where MDO initially misses a malicious email, ZAP is designed to rectify this by recognizing patterns of threat, such as a surge in clicks on a malicious link or a drop in the sender domain's reputation. It can then automatically start removing the delivered emails that carry the now-blocklisted phishing URLs and raise an incident to alert the security team.
  • Customize file types: Also part of the anti-malware policy, this feature lets security teams decide which kinds of files or attachments may or may not be sent via email. Depending on your organization's risk appetite, blocking the most dangerous or commonly abused file extensions, such as EXE, JS, PS1, VBS, and BAT, can significantly reduce the risk of malware being delivered as an email attachment.
  • Safe links: This feature enables Microsoft to monitor all URL clicks in emails (or other M365 apps like Teams). The security team or threat intelligence team can use this information during their investigations, for example, to review the most clicked domains, detect unusual domains, or identify users who tend to click on malicious URLs in emails.

While these policies are potent, care should be taken when changing them, because a change can have unexpected consequences, such as blocking important business emails or processes. It is recommended that the documentation for each policy be read carefully and that changes be tested before they are deployed to the entire M365 tenant.
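One concrete way to test a change before deploying it, as recommended above, is to measure from the email logs how much legitimate traffic a new rule would touch. The query below is an added example, not from the article or from Microsoft's documentation, and applies this to the "Customize file types" policy: it counts the messages of the last 30 days whose attachment file names carry one of the extensions named above, split by mail direction, using the standard EmailAttachmentInfo and EmailEvents columns. The extension list is the article's; extend it to match the policy you intend to enable.

```kql
// Added example: impact check before blocking attachment extensions in the anti-malware policy.
// The extension list mirrors the article's examples; adjust it to the policy being planned.
let risky_types = dynamic(["exe", "js", "ps1", "vbs", "bat"]);
EmailAttachmentInfo
| where Timestamp > ago(30d)
// The policy matches on the file name extension, so derive it from FileName rather than FileType
| extend Ext = tolower(extract(@"\.([^.]+)$", 1, FileName))
| where Ext in (risky_types)
// EmailDirection and DeliveryLocation live in EmailEvents; ThreatTypes stays the attachment-level value
| join kind=inner EmailEvents on NetworkMessageId
| summarize
    Messages        = dcount(NetworkMessageId),
    Recipients      = dcount(RecipientEmailAddress),
    Senders         = make_set(SenderFromAddress, 50),
    DeliveredToInbox = countif(DeliveryLocation == "Inbox/folder"),
    AlreadyDetected = countif(isnotempty(ThreatTypes))     // blocked today even without the new rule
  by Ext, EmailDirection
| order by Messages desc
```

A large DeliveredToInbox count with a short Senders set for an extension usually points to a business process (a vendor sending scripts, an internal automation) that needs an exception or a different transport before the block is switched on; a high AlreadyDetected share shows that the extension is mostly carrying malware already, which makes the block low-risk.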


Conclusion

The phishing problem won’t go away anytime soon, so vendors are investing in email security solutions to mitigate or prevent its risks. One of these solutions is Microsoft’s MDO. In this article, we showed how MDO aids analysts with phishing investigations and incident response, often automating the process. We also presented IRONSCALES and explained how its products integrate well with M365 to bring email security to the next level with tailored SAT, phishing simulations, and an AI-powered phishing report button. 

