Protect against threats in Office 365

Office 365 includes a variety of threat protection features. Here's a quick-start guide you can use as a checklist to make sure your threat protection features are set up for your organization. If you're new to threat protection features in Office 365, or you're just not sure where to begin, use the following guidance as a starting point.

Important

Initial recommended settings are included for each kind of policy; however, many options are available, and you can adjust your settings to meet your specific organization's needs. Allow approximately 30 minutes for your policies or changes to work their way through your datacenter.

Requirements

Subscriptions

Threat protection features are included in all Office 365 subscriptions; however, some subscriptions include more advanced features. The following table lists the protection features included in this article together with the minimum subscription requirements.

| Protection type | Subscription requirement |
| --- | --- |
| Anti-malware protection | Exchange Online Protection (EOP) |
| Protection from malicious URLs and files in email and Office documents | Office 365 Advanced Threat Protection (ATP) |
| Anti-phishing protection | EOP |
| Advanced anti-phishing protection | Office 365 ATP |
| Anti-spam protection | EOP |
| Zero-hour auto purge (for email) | EOP |
| Audit logging (this is used for reporting purposes) | Exchange Online |

Roles and permissions

You must be assigned an appropriate role to configure policies in the Security & Compliance Center. The following table includes some examples:

| Role or role group | Where to learn more |
| --- | --- |
| Office 365 Global Administrator | About Office 365 admin roles |
| Security Administrator | Administrator role permissions in Azure Active Directory |
| Exchange Online Organization Management | Permissions in Exchange Online and Exchange Online PowerShell |

To learn more, see Permissions in the Office 365 Security & Compliance Center.

Part 1 - Anti-malware protection

Anti-malware protection is available in subscriptions that include EOP.

  1. In the Security & Compliance Center, choose Threat management > Policy > Anti-malware.

  2. Double-click the Default policy, and then choose settings.

  3. Specify the following settings:

    • In the Malware Detection Response section, keep the default setting of No.

    • In the Common Attachment Types Filter section, choose On.

  4. Click Save.

To learn more about anti-malware policy options, see Configure anti-malware policies.

Part 2 - Protection from malicious URLs and files

Time-of-click protection from malicious URLs and files is available in subscriptions that include Office 365 Advanced Threat Protection (ATP), and is set up through ATP Safe Attachments and ATP Safe Links policies.

ATP Safe Attachments policies

To set up ATP Safe Attachments, you must define at least one ATP Safe Attachments policy.

  1. In the Security & Compliance Center, choose Threat management > Policy > ATP safe attachments.

  2. Select the option Turn on ATP for SharePoint, OneDrive, and Microsoft Teams.

  3. In the Protect email attachments section, click the plus sign (+).

  4. Specify the following settings:

    • In the Name box, type Block malware.

    • In the response section, choose Block.

    • In the Redirect attachment section, select the option Enable redirect, and then specify the email address for your organization's security administrator or operator who will review detected files.

    • In the Applied to section, choose The recipient domain is. Then, select your domain, choose Add, and then click OK.

  5. Click Save.

  6. (Recommended additional step) As a global administrator or a SharePoint Online administrator, run the Set-SPOTenant cmdlet with the DisallowInfectedFileDownload parameter set to true for your Office 365 environment. (This prevents people from opening, moving, copying, or sharing files that are detected as malicious.)

To learn more, see Set up Office 365 ATP Safe Attachments policies and Turn on Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams.
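The Safe Attachments procedure above, including the recommended Set-SPOTenant step, can also be scripted. The following is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement module and the SharePoint Online Management Shell are installed, and contoso.com, secops@contoso.com, and the admin URL are placeholders for your own values.

```powershell
# Added example. Placeholders (assumptions): replace with your own values.
$domain    = 'contoso.com'                           # your accepted domain
$reviewer  = 'secops@contoso.com'                    # mailbox that reviews detected files
$spoAdmin  = 'https://contoso-admin.sharepoint.com'  # SharePoint Online admin URL
$name      = 'Block malware'                         # policy name used in step 4

Connect-ExchangeOnline

# Step 2: turn on ATP for SharePoint, OneDrive, and Microsoft Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Steps 3-5: create the policy only if it does not exist yet, so the script can be re-run.
if (-not (Get-SafeAttachmentPolicy -Identity $name -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name $name -Enable $true -Action Block `
        -Redirect $true -RedirectAddress $reviewer
}
# A policy has no effect until a rule applies it to recipients.
if (-not (Get-SafeAttachmentRule -Identity $name -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentRule -Name $name -SafeAttachmentPolicy $name -RecipientDomainIs $domain
}

# Step 6: block opening, moving, copying, or sharing of files detected as malicious.
Connect-SPOService -Url $spoAdmin
Set-SPOTenant -DisallowInfectedFileDownload $true

# Read the settings back rather than trusting that the commands succeeded.
Get-SafeAttachmentPolicy -Identity $name |
    Format-List Name, Enable, Action, Redirect, RedirectAddress
Get-SafeAttachmentRule -Identity $name |
    Format-List Name, State, RecipientDomainIs
[pscustomobject]@{
    EnableATPForSPOTeamsODB      = (Get-AtpPolicyForO365).EnableATPForSPOTeamsODB
    DisallowInfectedFileDownload = (Get-SPOTenant).DisallowInfectedFileDownload
}
```

As with changes made in the Security & Compliance Center, allow approximately 30 minutes before testing the effect of the new policy.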

ATP Safe Links policies

To set up ATP Safe Links, review and edit your default policy, and add a policy for specific users.

  1. In the Security & Compliance Center, choose Threat management > Policy > ATP Safe Links.

  2. Double-click the Default policy.

  3. In the Use safe links in section, select the option Office 365 ProPlus, Office for iOS and Android, and then click Save.

  4. In the Policies that apply to specific recipients section, click the plus sign (+).

  5. Specify the following settings:

    • In the Name box, type a name, such as Safe Links.

    • In the Select the action section, choose On.

    • Select these options:

      • Use safe attachments to scan downloadable content

      • Apply safe links to email messages sent within the organization

      • Do not let users click through safe links to original URL

    • In the Applied to section, choose The recipient domain is. Then, select your domain, choose Add, and then click OK.

  6. Click Save.

To learn more, see Set up Office 365 ATP Safe Links policies.

Part 3 - Anti-phishing protection

Anti-phishing protection is available in subscriptions that include EOP. Advanced anti-phishing protection is available in ATP. The following procedure describes how to configure an ATP anti-phishing policy. The steps are similar for configuring an anti-phishing policy (without ATP).

  1. In the Security & Compliance Center, choose Threat management > Policy > ATP anti-phishing.

  2. Click Default policy.

  3. In the Impersonation section, click Edit, and then specify the following settings:

    • On the Add users to protect tab, turn protection on. Then add users, such as your organization's board members, your CEO, CFO, and other senior leaders. (You can type an individual email address, or click to display a list.)

    • On the Add domains to protect tab, turn on Automatically include the domains I own. If you have custom domains, add those as well.

    • On the Actions tab, select Move message to the recipients' Junk Email folders for both impersonated user and impersonated domain, and turn on safety tips.

    • On the Mailbox intelligence tab, make sure mailbox intelligence is turned on.

    • On the Review your settings tab, after you have reviewed your settings, click Save.

  4. In the Spoof section, click Edit, and then specify the following settings:

    • On the Spoofing filter settings tab, make sure anti-spoofing protection is turned on.

    • On the Actions tab, choose Move message to the recipients' Junk Email folders.

    • On the Review your settings tab, after you have reviewed your settings, click Save. (If you didn't make any changes, click Cancel.)

  5. Close the default policy settings page.

To learn more about your anti-phishing policy options, see Set up anti-phishing policies.

Part 4 - Anti-spam protection

Anti-spam protection is available in subscriptions that include EOP.

  1. In the Security & Compliance Center, choose Threat management > Policy > Anti-spam.

  2. On the Custom tab, turn Custom settings on.

  3. Expand Default spam filter policy, click Edit policy, and then specify the following settings:

    • In the Spam and bulk actions section, set the threshold to a value of 5 or 6.

    • In the Allow lists section, review (and if necessary, edit) your allowed senders and domains.

  4. Click Save.

To learn more about your anti-spam policy options, see Configure the anti-spam policies.

Part 5 - Additional settings to configure

In addition to configuring protection from malware, malicious URLs and files, phishing, and spam, we recommend that you configure your zero-hour auto purge and audit logging settings.

Zero-hour auto purge for email

Zero-hour auto purge (ZAP) is available in subscriptions that include EOP. This protection is turned on by default; however, the following conditions must be met for protection to be in effect:

To learn more, see Zero-hour auto purge - protection against spam and malware.

Audit logging for reporting and investigation

Audit logging is available in subscriptions that include Exchange Online. In order to view data in threat protection reports, such as the Security Dashboard, email security reports, and Explorer, audit logging must be turned on for your organization. To learn more, see Turn Office 365 audit log search on or off.
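Once the policies are in place, the starting values from Parts 1, 2, 4, and 5 can be checked for drift from Exchange Online PowerShell. The following read-only script is an added example, not part of the original article or Microsoft's own tooling; it assumes an Exchange Online PowerShell session is already connected, and New-Check is a hypothetical helper defined in the script.

```powershell
# Added example: read-only check of this article's starting values.
# Assumes Connect-ExchangeOnline has already been run in this session.
function New-Check {   # hypothetical helper: one result row per setting
    param([string]$Part, [string]$Setting, $Actual, [string]$Recommended, [bool]$Pass)
    [pscustomobject]@{
        Part = $Part; Setting = $Setting; Actual = $Actual
        Recommended = $Recommended; Pass = $Pass
    }
}

$malware = Get-MalwareFilterPolicy -Identity Default
$spam    = Get-HostedContentFilterPolicy -Identity Default
$audit   = Get-AdminAuditLogConfig

$checks = @(
    New-Check 'Part 1' 'Common Attachment Types Filter' $malware.EnableFileFilter 'On' `
        ($malware.EnableFileFilter -eq $true)
    New-Check 'Part 4' 'Spam and bulk threshold' $spam.BulkThreshold '5 or 6' `
        ($spam.BulkThreshold -in 5, 6)
    New-Check 'Part 5' 'Audit logging' $audit.UnifiedAuditLogIngestionEnabled 'On' `
        ($audit.UnifiedAuditLogIngestionEnabled -eq $true)
)

# ATP cmdlets are only present in tenants whose subscription includes Office 365 ATP.
if (Get-Command Get-AtpPolicyForO365 -ErrorAction SilentlyContinue) {
    $atp = Get-AtpPolicyForO365
    $checks += New-Check 'Part 2' 'ATP for SharePoint, OneDrive, and Microsoft Teams' `
        $atp.EnableATPForSPOTeamsODB 'On' ($atp.EnableATPForSPOTeamsODB -eq $true)
    foreach ($p in Get-SafeAttachmentPolicy) {
        $checks += New-Check 'Part 2' "Safe Attachments '$($p.Name)' response" `
            $p.Action 'Block' ("$($p.Action)" -eq 'Block')
    }
}

$checks | Format-Table -AutoSize

# Part 4 asks for a manual review of the allow lists, so print them instead of scoring them.
$spam | Format-List AllowedSenders, AllowedSenderDomains

# Rows that differ from the article's starting values.
$checks | Where-Object { -not $_.Pass }
```

A failed row is not necessarily a misconfiguration, because the article's values are starting points that you can adjust to your organization's needs.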

Post-setup tasks

After you have configured your threat protection features, make sure to monitor how those features are working, review and revise your policies as needed, and watch for new features and service updates.

| What to do | Resources to learn more |
| --- | --- |
| See how threat protection features are working for your organization by viewing reports | Security dashboard; Email security reports; Reports for Office 365 ATP; Threat Explorer |
| Periodically review and revise your threat protection policies as needed | Secure Score; Smart reports and insights; Office 365 threat investigation and response features |
| Watch for new features and service updates | Standard and Targeted release options; Message Center; Microsoft 365 Roadmap; Service Descriptions |