Protect against threats – Office 365
Microsoft 365 includes a variety of threat protection features. Here’s a quick-start guide you can use as a checklist to make sure your threat protection features are set up for your organization.
Important: Initial recommended settings are included for each kind of policy; however, many options are available, and you can adjust your settings to meet your specific organization’s needs. Allow approximately 30 minutes for your policies or changes to work their way through your datacenter.
Requirements
(a).Subscriptions
Threat protection features are included in all Microsoft 365 subscriptions; however, some subscriptions include more advanced features. The following table lists the protection features included in this article together with the minimum subscription requirements.
Protection type | Subscription requirement
Anti-malware protection |
Protection from malicious URLs and files in email and Office documents |
Anti-phishing protection |
Advanced anti-phishing protection |
Anti-spam protection |
Zero-hour auto purge (for email) |
Audit logging (this is used for reporting purposes) |
(b).Roles and permissions
You must be assigned an appropriate role to configure policies in the Security & Compliance Center. The following table includes some examples:
Role or role group | Where to learn more
global administrator |
Security Administrator |
Exchange Online Organization Management | Permissions in Exchange Online and
Part 1 – Anti-malware protection
Anti-malware protection is available in subscriptions that include EOP.
- In the Security & Compliance Center, choose Threat management > Policy > Anti-malware.
- Double-click the Default policy, and then choose settings.
- Specify the following settings:
  - In the Malware Detection Response section, keep the default setting of No.
  - In the Common Attachment Types Filter section, choose On.
- Click Save.
To learn more about anti-malware policy options, see Configure anti-malware policies.
Part 2 – Protection from malicious URLs and files
Time-of-click protection from malicious URLs and files is available in subscriptions that include Office 365 Advanced Threat Protection (ATP), and is set up through ATP Safe Attachments and ATP Safe Links policies.
ATP Safe Attachments policies
To set up ATP Safe Attachments, you must define at least one ATP Safe Attachments policy.
- In the Security & Compliance Center, choose Threat management > Policy > ATP safe attachments.
- Select the option Turn on ATP for SharePoint, OneDrive, and Microsoft Teams.
- In the Protect email attachments section, click the plus sign (+).
- Specify the following settings:
  - In the Name box, type Block malware.
  - In the response section, choose Block.
  - In the Redirect attachment section, select the option Enable redirect, and then specify the email address for your organization’s security administrator or operator who will review detected files.
  - In the Applied to section, choose The recipient domain is. Then, select your domain, choose Add, and then click OK.
- Click Save.
- (Recommended additional step) As a global administrator or a SharePoint Online administrator, run the Set-SPOTenant cmdlet with the DisallowInfectedFileDownload parameter set to true for your Microsoft 365 environment. (This prevents people from opening, moving, copying, or sharing files that are detected as malicious.)
To learn more, see Set up Office 365 ATP Safe Attachments policies and Turn on Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams.
ATP Safe Links policies
To set up ATP Safe Links, review and edit your default policy, and add a policy for specific users.
- In the Security & Compliance Center, choose Threat management > Policy > ATP Safe Links.
- Double-click the Default policy.
- In the Use safe links in section, select the option Microsoft 365 Apps for enterprise, Office for iOS and Android, and then click Save.
- In the Policies that apply to specific recipients section, click the plus sign (+).
- Specify the following settings:
  - In the Name box, type a name, such as Safe Links.
  - In the Select the action section, choose On.
  - Select these options:
    - Use safe attachments to scan downloadable content
    - Apply safe links to email messages sent within the organization
    - Do not let users click through safe links to original URL
  - In the Applied to section, choose The recipient domain is. Then, select your domain, choose Add, and then click OK.
- Click Save.
To learn more, see Set up Office 365 ATP Safe Links policies.
Part 3 – Anti-phishing protection
Anti-phishing protection is available in subscriptions that include EOP. Advanced anti-phishing protection is available in ATP.
The following procedure describes how to configure an ATP anti-phishing policy. The steps are similar for configuring an anti-phishing policy (without ATP).
- In the Security & Compliance Center, choose Threat management > Policy > ATP anti-phishing.
- Click Default policy.
- In the Impersonation section, click Edit, and then specify the following settings:
  - On the Add users to protect tab, turn protection on. Then add users, such as your organization’s board members, your CEO, CFO, and other senior leaders. (You can type an individual email address, or click to display a list.)
  - On the Add domains to protect tab, turn on Automatically include the domains I own. If you have custom domains, add those as well.
  - On the Actions tab, select Quarantine the message for both the impersonated user and impersonated domain options. In addition, turn on impersonation safety tips.
  - On the Mailbox intelligence tab, make sure mailbox intelligence is turned on. In addition, turn on mailbox intelligence based impersonation protection. In the If email is sent by an impersonated user list, choose Quarantine the message.
  - On the Add trusted senders and domains tab, specify any trusted senders or domains that you want to add.
  - On the Review your settings tab, after you have reviewed your settings, click Save.
- In the Spoof section, click Edit, and then specify the following settings:
  - On the Spoofing filter settings tab, make sure anti-spoofing protection is turned on.
  - On the Actions tab, choose Quarantine the message.
  - On the Review your settings tab, after you have reviewed your settings, click Save. (If you didn’t make any changes, click Cancel.)
- Close the default policy settings page.
To learn more about your anti-phishing policy options, see Configure ATP anti-phishing policies.
Part 4 – Anti-spam protection
Anti-spam protection is available in subscriptions that include EOP.
- In the Security & Compliance Center, choose Threat management > Policy > Anti-spam.
- On the Custom tab, turn Custom settings on.
- Expand Default spam filter policy, click Edit policy, and then specify the following settings:
  - In the Spam and bulk actions section, set the threshold to a value of 5 or 6.
  - In the Allow lists section, review (and if necessary, edit) your allowed senders and domains.
- Click Save.
To learn more about your anti-spam policy options, see Configure anti-spam policies in EOP.
Part 5 – Additional settings to configure
In addition to configuring protection from malware, malicious URLs and files, phishing, and spam, we recommend that you configure your zero-hour auto purge and audit logging settings.
Zero-hour auto purge for email
Zero-hour auto purge (ZAP) is available in subscriptions that include EOP. This protection is turned on by default; however, the following conditions must be met for protection to be in effect:
- Spam actions are set to Move message to Junk Email folder in anti-spam policies.
- Users have kept their default junk email settings, and have not turned off junk email protection.
To learn more, see Zero-hour auto purge – protection against spam and malware.
Audit logging for reporting and investigation
Audit logging is available in subscriptions that include Exchange Online. In order to view data in threat protection reports, such as the Security Dashboard, email security reports, and Explorer, audit logging must be turned on for your organization. To learn more, see Turn audit log search on or off.
Post-setup tasks
After you have configured your threat protection features, make sure to monitor how those features are working, review and revise your policies as needed, and watch for new features and service updates.
What to do | Resources to learn more
See how threat protection features are working for your organization by viewing reports |
Periodically review and revise your threat protection policies as needed |
Watch for new features and service updates |
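
For the periodic policy review, the values recommended in Parts 1 to 5 can be checked against policy objects with a script. The following PowerShell is an added example, not part of the original guide or Microsoft's own code; the function name Test-ThreatProtectionBaseline, the mapping of each portal setting to a cmdlet property, and the sample objects are assumptions made for illustration.

```powershell
# Added example: compare policy objects with the values this checklist recommends.
# The portal-setting-to-property mapping is an assumption of this example.
$Baseline = @(
    @{ Cmdlet = 'Get-MalwareFilterPolicy';       Property = 'EnableFileFilter';                    Expected = @($true) }
    @{ Cmdlet = 'Get-AtpPolicyForO365';          Property = 'EnableATPForSPOTeamsODB';             Expected = @($true) }
    @{ Cmdlet = 'Get-SafeAttachmentPolicy';      Property = 'Action';                              Expected = @('Block') }
    @{ Cmdlet = 'Get-SafeAttachmentPolicy';      Property = 'Redirect';                            Expected = @($true) }
    @{ Cmdlet = 'Get-SPOTenant';                 Property = 'DisallowInfectedFileDownload';        Expected = @($true) }
    @{ Cmdlet = 'Get-AntiPhishPolicy';           Property = 'TargetedUserProtectionAction';        Expected = @('Quarantine') }
    @{ Cmdlet = 'Get-AntiPhishPolicy';           Property = 'TargetedDomainProtectionAction';      Expected = @('Quarantine') }
    @{ Cmdlet = 'Get-AntiPhishPolicy';           Property = 'EnableMailboxIntelligenceProtection'; Expected = @($true) }
    @{ Cmdlet = 'Get-AntiPhishPolicy';           Property = 'MailboxIntelligenceProtectionAction'; Expected = @('Quarantine') }
    @{ Cmdlet = 'Get-AntiPhishPolicy';           Property = 'EnableSpoofIntelligence';             Expected = @($true) }
    @{ Cmdlet = 'Get-HostedContentFilterPolicy'; Property = 'BulkThreshold';                       Expected = @(5, 6) }
    @{ Cmdlet = 'Get-HostedContentFilterPolicy'; Property = 'SpamAction';                          Expected = @('MoveToJmf') }
    @{ Cmdlet = 'Get-AdminAuditLogConfig';       Property = 'UnifiedAuditLogIngestionEnabled';     Expected = @($true) }
)

function Test-ThreatProtectionBaseline {
    param(
        # Key: cmdlet name. Value: the single policy object that cmdlet returned.
        [Parameter(Mandatory)] [hashtable] $Settings
    )
    foreach ($rule in $Baseline) {
        # A cmdlet that was not collected, or a missing property, yields $null and fails.
        $policy = $Settings[$rule.Cmdlet]
        $actual = if ($null -ne $policy) { $policy.($rule.Property) }
        [pscustomobject]@{
            Cmdlet   = $rule.Cmdlet
            Property = $rule.Property
            Expected = $rule.Expected -join ' or '
            Actual   = if ($null -eq $actual) { '<not collected>' } else { $actual }
            Pass     = ($null -ne $actual) -and ($rule.Expected -contains $actual)
        }
    }
}

# Constructed sample input (not real tenant data). Get-SPOTenant is left out on
# purpose to show how an uncollected source is reported.
$sample = @{
    'Get-MalwareFilterPolicy'       = [pscustomobject]@{ EnableFileFilter = $false }
    'Get-AtpPolicyForO365'          = [pscustomobject]@{ EnableATPForSPOTeamsODB = $true }
    'Get-SafeAttachmentPolicy'      = [pscustomobject]@{ Action = 'Block'; Redirect = $true }
    'Get-AntiPhishPolicy'           = [pscustomobject]@{
        TargetedUserProtectionAction = 'Quarantine'; TargetedDomainProtectionAction = 'NoAction'
        EnableMailboxIntelligenceProtection = $true; MailboxIntelligenceProtectionAction = 'Quarantine'
        EnableSpoofIntelligence = $true }
    'Get-HostedContentFilterPolicy' = [pscustomobject]@{ BulkThreshold = 7; SpamAction = 'MoveToJmf' }
    'Get-AdminAuditLogConfig'       = [pscustomobject]@{ UnifiedAuditLogIngestionEnabled = $false }
}
Test-ThreatProtectionBaseline -Settings $sample | Where-Object { -not $_.Pass } |
    Format-Table Cmdlet, Property, Expected, Actual
```

To audit a tenant, replace the constructed objects with the output of the named cmdlets after connecting to Exchange Online PowerShell and the SharePoint Online Management Shell.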