Recommended settings for EOP and Microsoft Defender for Office 365 security


Exchange Online Protection (EOP) is the core of security for Microsoft 365 subscriptions and helps keep malicious emails from reaching your employees' inboxes. But with new, more sophisticated attacks emerging every day, improved protections are often required. Microsoft Defender for Office 365 Plan 1 or Plan 2 contains additional features that give admins more layers of security, control, and investigation.

Although we empower security administrators to customize their security settings, there are two security levels in EOP and Microsoft Defender for Office 365 that we recommend: Standard and Strict. Each customer's environment and needs are different, but we believe that these levels of filtering will help prevent unwanted mail from reaching your employees' inboxes in most situations.

To automatically apply the Standard or Strict settings to users, see Preset security policies in EOP and Microsoft Defender for Office 365.

Note

The junk email rule needs to be enabled on mailboxes in order for filtering to work properly. It's enabled by default, but you should check it if filtering does not seem to be working. For more information, see Configure junk email settings on Exchange Online mailboxes in Office 365.

This article describes the default settings, and also the recommended Standard and Strict settings to help protect your users.

Tip

The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can help you (admins) find the current values of these settings. Specifically, the Get-ORCAReport cmdlet generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at https://www.powershellgallery.com/packages/ORCA/.

Anti-spam, anti-malware, and anti-phishing protection in EOP

Anti-spam, anti-malware, and anti-phishing are EOP features that can be configured by admins. We recommend the following Standard or Strict configurations.

EOP anti-spam policy settings

To create and configure anti-spam policies, see Configure anti-spam policies in Office 365.



| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Spam detection action (SpamAction) | Move message to Junk Email folder (MoveToJmf) | Move message to Junk Email folder (MoveToJmf) | Quarantine message (Quarantine) | |
| High confidence spam detection action (HighConfidenceSpamAction) | Move message to Junk Email folder (MoveToJmf) | Quarantine message (Quarantine) | Quarantine message (Quarantine) | |
| Phishing email detection action (PhishSpamAction) | Move message to Junk Email folder (MoveToJmf) | Quarantine message (Quarantine) | Quarantine message (Quarantine) | |
| High confidence phishing email detection action (HighConfidencePhishAction) | Quarantine message (Quarantine) | Quarantine message (Quarantine) | Quarantine message (Quarantine) | |
| Bulk email detection action (BulkSpamAction) | Move message to Junk Email folder (MoveToJmf) | Move message to Junk Email folder (MoveToJmf) | Quarantine message (Quarantine) | |
| Bulk email threshold (BulkThreshold) | 7 | 6 | 4 | For details, see Bulk complaint level (BCL) in Office 365. |
| Quarantine retention period (QuarantineRetentionPeriod) | 15 days | 30 days | 30 days | |
| Safety Tips (InlineSafetyTipsEnabled) | On ($true) | On ($true) | On ($true) | |
| Allowed Senders (AllowedSenders) | None | None | None | |
| Allowed Sender Domains (AllowedSenderDomains) | None | None | None | Adding domains to the allowed senders list is a very bad idea. Attackers would be able to send you email that would otherwise be filtered out. Use spoof intelligence in the Security & Compliance Center on the Anti-spam settings page to review all senders who are spoofing sender email addresses in your organization's email domains or spoofing sender email addresses in external domains. |
| Blocked Senders (BlockedSenders) | None | None | None | |
| Blocked Sender Domains (BlockedSenderDomains) | None | None | None | |
| Enable end-user spam notifications (EnableEndUserSpamNotifications) | Disabled ($false) | Enabled ($true) | Enabled ($true) | |
| Send end-user spam notifications every (days) (EndUserSpamNotificationFrequency) | 3 days | 3 days | 3 days | |
| Spam ZAP (SpamZapEnabled) | Enabled ($true) | Enabled ($true) | Enabled ($true) | |
| Phish ZAP (PhishZapEnabled) | Enabled ($true) | Enabled ($true) | Enabled ($true) | |
| MarkAsSpamBulkMail | On | On | On | This setting is only available in PowerShell. |

There are several other Advanced Spam Filter (ASF) settings in anti-spam policies that are in the process of being deprecated. More information on the timelines for the deprecation of these features will be communicated outside of this article.

We recommend that you turn these ASF settings Off for both Standard and Strict levels. For more information about ASF settings, see Advanced Spam Filter (ASF) settings in Office 365.



| Security feature name | Comment |
|---|---|
| Image links to remote sites (IncreaseScoreWithImageLinks) | |
| Numeric IP address in URL (IncreaseScoreWithNumericIps) | |
| URL redirect to other port (IncreaseScoreWithRedirectToOtherPort) | |
| URL to .biz or .info websites (IncreaseScoreWithBizOrInfoUrls) | |
| Empty messages (MarkAsSpamEmptyMessages) | |
| JavaScript or VBScript in HTML (MarkAsSpamJavaScriptInHtml) | |
| Frame or IFrame tags in HTML (MarkAsSpamFramesInHtml) | |
| Object tags in HTML (MarkAsSpamObjectTagsInHtml) | |
| Embed tags in HTML (MarkAsSpamEmbedTagsInHtml) | |
| Form tags in HTML (MarkAsSpamFormTagsInHtml) | |
| Web bugs in HTML (MarkAsSpamWebBugsInHtml) | |
| Apply sensitive word list (MarkAsSpamSensitiveWordList) | |
| SPF record: hard fail (MarkAsSpamSpfRecordHardFail) | |
| Conditional Sender ID filtering: hard fail (MarkAsSpamFromAddressAuthFail) | |
| NDR backscatter (MarkAsSpamNdrBackscatter) | |
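
The following added example (not part of the original article and not Microsoft's code) audits an anti-spam policy object against the Standard values, the ASF "Off" recommendation, and the empty allow lists described above, and reports every setting that deviates. The function name Compare-AntiSpamPolicy is hypothetical, and the sample policy is constructed so the script runs without a tenant connection.

```powershell
# Standard values below are copied from the anti-spam table on this page.
$StandardAntiSpam = [ordered]@{
    SpamAction                       = 'MoveToJmf'
    HighConfidenceSpamAction         = 'Quarantine'
    PhishSpamAction                  = 'Quarantine'
    HighConfidencePhishAction        = 'Quarantine'
    BulkSpamAction                   = 'MoveToJmf'
    BulkThreshold                    = 6
    QuarantineRetentionPeriod        = 30
    InlineSafetyTipsEnabled          = $true
    EnableEndUserSpamNotifications   = $true
    EndUserSpamNotificationFrequency = 3
    SpamZapEnabled                   = $true
    PhishZapEnabled                  = $true
    MarkAsSpamBulkMail               = 'On'
}
# ASF settings the page recommends turning Off for Standard and Strict.
$AsfOff = @(
    'IncreaseScoreWithImageLinks', 'IncreaseScoreWithNumericIps',
    'IncreaseScoreWithRedirectToOtherPort', 'IncreaseScoreWithBizOrInfoUrls',
    'MarkAsSpamEmptyMessages', 'MarkAsSpamJavaScriptInHtml', 'MarkAsSpamFramesInHtml',
    'MarkAsSpamObjectTagsInHtml', 'MarkAsSpamEmbedTagsInHtml', 'MarkAsSpamFormTagsInHtml',
    'MarkAsSpamWebBugsInHtml', 'MarkAsSpamSensitiveWordList',
    'MarkAsSpamSpfRecordHardFail', 'MarkAsSpamFromAddressAuthFail', 'MarkAsSpamNdrBackscatter'
)
# Allow lists the page recommends leaving empty (None).
$MustBeEmpty = 'AllowedSenders', 'AllowedSenderDomains'

function Compare-AntiSpamPolicy {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        $expected = [ordered]@{}
        foreach ($k in $StandardAntiSpam.Keys) { $expected[$k] = "$($StandardAntiSpam[$k])" }
        foreach ($k in $AsfOff) { $expected[$k] = 'Off' }
        foreach ($k in $expected.Keys) {
            if ("$($Policy.$k)" -ne $expected[$k]) {
                [pscustomobject]@{ Policy = $Policy.Name; Setting = $k
                                   Expected = $expected[$k]; Actual = "$($Policy.$k)" }
            }
        }
        foreach ($k in $MustBeEmpty) {
            # @($null).Count is 1, so filter out null/empty entries before counting.
            $entries = @($Policy.$k | Where-Object { $_ })
            if ($entries.Count -gt 0) {
                [pscustomobject]@{ Policy = $Policy.Name; Setting = $k
                                   Expected = 'None'; Actual = $entries -join ', ' }
            }
        }
    }
}

# Constructed sample policy: the Standard baseline with three deliberate deviations.
$sample = [ordered]@{ Name = 'Constructed sample'; AllowedSenders = @() }
foreach ($k in $StandardAntiSpam.Keys) { $sample[$k] = $StandardAntiSpam[$k] }
foreach ($k in $AsfOff) { $sample[$k] = 'Off' }
$sample.BulkThreshold = 7
$sample.MarkAsSpamSpfRecordHardFail = 'On'
$sample.AllowedSenderDomains = @('partner.example')
[pscustomobject]$sample | Compare-AntiSpamPolicy | Format-Table -AutoSize
```

In a connected Exchange Online PowerShell session, the same function can take live policies from the pipeline, for example `Get-HostedContentFilterPolicy | Compare-AntiSpamPolicy` (that cmdlet is not named in this article).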

EOP outbound spam policy settings

To create and configure outbound spam policies, see Configure outbound spam filtering in Office 365.

For more information about the default sending limits in the service, see Sending limits.



| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Maximum number of recipients per user: External hourly limit (RecipientLimitExternalPerHour) | 0 | 500 | 400 | The default value 0 means use the service defaults. |
| Maximum number of recipients per user: Internal hourly limit (RecipientLimitInternalPerHour) | 0 | 1000 | 800 | The default value 0 means use the service defaults. |
| Maximum number of recipients per user: Daily limit (RecipientLimitPerDay) | 0 | 1000 | 800 | The default value 0 means use the service defaults. |
| Action when a user exceeds the limits (ActionWhenThresholdReached) | Restrict the user from sending mail till the following day (BlockUserForToday) | Restrict the user from sending mail (BlockUser) | Restrict the user from sending mail (BlockUser) | |

EOP anti-malware policy settings

To create and configure anti-malware policies, see Configure anti-malware policies in Office 365.



| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Do you want to notify recipients if their messages are quarantined? (Action) | No (DeleteMessage) | No (DeleteMessage) | No (DeleteMessage) | If malware is detected in an email attachment, the message is quarantined and can be released only by an admin. |
| Common Attachment Types Filter (EnableFileFilter) | Off ($false) | On ($true) | On ($true) | This setting quarantines messages that contain executable attachments based on file type, regardless of the attachment content. |
| Malware Zero-hour Auto Purge (ZapEnabled) | On ($true) | On ($true) | On ($true) | |
| Notify internal senders of the undelivered message (EnableInternalSenderNotifications) | Disabled ($false) | Disabled ($false) | Disabled ($false) | |
| Notify external senders of the undelivered message (EnableExternalSenderNotifications) | Disabled ($false) | Disabled ($false) | Disabled ($false) | |

EOP default anti-phishing policy settings

For more information about these settings, see Spoof settings. To configure these settings, see Configure anti-phishing policies in EOP.



| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Enable anti-spoofing protection (EnableSpoofIntelligence) | On ($true) | On ($true) | On ($true) | |
| Enable Unauthenticated Sender (EnableUnauthenticatedSender) | On ($true) | On ($true) | On ($true) | Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Spoof settings in anti-phishing policies. |
| If email is sent by someone who's not allowed to spoof your domain (AuthenticationFailAction) | Move message to the recipients' Junk Email folders (MoveToJmf) | Move message to the recipients' Junk Email folders (MoveToJmf) | Quarantine the message (Quarantine) | This setting applies to blocked senders in spoof intelligence. |

Microsoft Defender for Office 365 security

Additional security benefits come with a Microsoft Defender for Office 365 subscription. For the latest news and information, you can see What's new in Defender for Office 365.

Important

  • The default anti-phishing policy in Microsoft Defender for Office 365 provides spoof protection and mailbox intelligence for all recipients. However, the other available impersonation protection features and advanced settings are not configured or enabled in the default policy. To enable all protection features, modify the default anti-phishing policy or create additional anti-phishing policies.

  • There are no default Safe Links policies or Safe Attachments policies that automatically protect all recipients in the organization. To get the protections, you need to create at least one Safe Links Policy and Safe Attachments policy.

  • Safe Attachments for SharePoint, OneDrive, and Microsoft Teams protection and Safe Documents protection have no dependencies on Safe Links policies.

If your subscription includes Microsoft Defender for Office 365 or if you've purchased Defender for Office 365 as an add-on, set the following Standard or Strict configurations.

Anti-phishing policy settings in Microsoft Defender for Office 365

EOP customers get basic anti-phishing as previously described, but Microsoft Defender for Office 365 includes more features and control to help prevent, detect, and remediate against attacks. To create and configure these policies, see Configure anti-phishing policies in Defender for Office 365.

Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about these settings, see Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365. To configure these settings, see Configure anti-phishing policies in Defender for Office 365.



| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Protected users: Add users to protect (EnableTargetedUserProtection, TargetedUsersToProtect) | Off ($false; none) | On ($true; <list of users>) | On ($true; <list of users>) | Depending on your organization, we recommend adding users (message senders) in key roles. Internally, protected senders might be your CEO, CFO, and other senior leaders. Externally, protected senders could include council members or your board of directors. |
| Protected domains: Automatically include the domains I own (EnableOrganizationDomainsProtection) | Off ($false) | On ($true) | On ($true) | |
| Protected domains: Include custom domains (EnableTargetedDomainsProtection, TargetedDomainsToProtect) | Off ($false; none) | On ($true; <list of domains>) | On ($true; <list of domains>) | Depending on your organization, we recommend adding domains (sender domains) that you don't own, but you frequently interact with. |
| Protected users: If email is sent by an impersonated user (TargetedUserProtectionAction) | Don't apply any action (NoAction) | Quarantine the message (Quarantine) | Quarantine the message (Quarantine) | |
| Protected domains: If email is sent by an impersonated domain (TargetedDomainProtectionAction) | Don't apply any action (NoAction) | Quarantine the message (Quarantine) | Quarantine the message (Quarantine) | |
| Show tip for impersonated users (EnableSimilarUsersSafetyTips) | Off ($false) | On ($true) | On ($true) | |
| Show tip for impersonated domains (EnableSimilarDomainsSafetyTips) | Off ($false) | On ($true) | On ($true) | |
| Show tip for unusual characters (EnableUnusualCharactersSafetyTips) | Off ($false) | On ($true) | On ($true) | |
| Enable Mailbox intelligence? (EnableMailboxIntelligence) | On ($true) | On ($true) | On ($true) | |
| Enable Mailbox intelligence based impersonation protection? (EnableMailboxIntelligenceProtection) | Off ($false) | On ($true) | On ($true) | |
| If email is sent by an impersonated user protected by mailbox intelligence (MailboxIntelligenceProtectionAction) | Don't apply any action (NoAction) | Move message to the recipients' Junk Email folders (MoveToJmf) | Quarantine the message (Quarantine) | |
| Trusted senders (ExcludedSenders) | None | None | None | Depending on your organization, we recommend adding users that incorrectly get marked as phishing due to impersonation only and not other filters. |
| Trusted domains (ExcludedDomains) | None | None | None | Depending on your organization, we recommend adding domains that incorrectly get marked as phishing due to impersonation only and not other filters. |

Spoof settings in anti-phishing policies in Microsoft Defender for Office 365

Note that these are the same settings that are available in anti-spam policy settings in EOP.



| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Enable anti-spoofing protection (EnableSpoofIntelligence) | On ($true) | On ($true) | On ($true) | |
| Enable Unauthenticated Sender (EnableUnauthenticatedSender) | On ($true) | On ($true) | On ($true) | Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see Spoof settings in anti-phishing policies. |
| If email is sent by someone who's not allowed to spoof your domain (AuthenticationFailAction) | Move message to the recipients' Junk Email folders (MoveToJmf) | Move message to the recipients' Junk Email folders (MoveToJmf) | Quarantine the message (Quarantine) | This setting applies to blocked senders in spoof intelligence. |

Advanced settings in anti-phishing policies in Microsoft Defender for Office 365

For more information about this setting, see Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365. To configure this setting, see Configure anti-phishing policies in Defender for Office 365.



| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Advanced phishing thresholds (PhishThresholdLevel) | 1 - Standard (1) | 2 - Aggressive (2) | 3 - More aggressive (3) | |

Safe Links settings

Safe Links in Defender for Office 365 includes global settings that apply to all users who are included in active Safe Links policies, and settings that are specific to each Safe Links policy. For more information, see Safe Links in Defender for Office 365.

Global settings for Safe Links

To configure these settings, see Configure global settings for Safe Links in Defender for Office 365.

In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.



| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Use Safe Links in: Office 365 applications (EnableSafeLinksForO365Clients) | On ($true) | On ($true) | On ($true) | Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see Safe Links settings for Office 365 apps. |
| Do not track when users click Safe Links (TrackClicks) | On ($false) | Off ($true) | Off ($true) | Turning off this setting (setting TrackClicks to $true) tracks user clicks in supported Office 365 apps. |
| Do not let users click through Safe Links to original URL (AllowClickThrough) | On ($false) | On ($false) | On ($false) | Turning on this setting (setting AllowClickThrough to $false) prevents click through to the original URL in supported Office 365 apps. |

Safe Links policy settings

To configure these settings, see Set up Safe Links policies in Microsoft Defender for Office 365.

In PowerShell, you use the New-SafeLinksPolicy and Set-SafeLinksPolicy cmdlets for these settings.

Note

As described earlier, there is no default Safe Links policy. The values in the Default column are the default values in new Safe Links policies that you create.



| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Select the action for unknown potentially malicious URLs in messages (IsEnabled) | Off ($false) | On ($true) | On ($true) | |
| Select the action for unknown or potentially malicious URLs within Microsoft Teams (EnableSafeLinksForTeams) | Off ($false) | On ($true) | On ($true) | |
| Apply real-time URL scanning for suspicious links and links that point to files (ScanUrls) | Off ($false) | On ($true) | On ($true) | |
| Wait for URL scanning to complete before delivering the message (DeliverMessageAfterScan) | Off ($false) | On ($true) | On ($true) | |
| Apply Safe Links to email messages sent within the organization (EnableForInternalSenders) | Off ($false) | On ($true) | On ($true) | |
| Do not track user clicks (DoNotTrackUserClicks) | Off ($false) | Off ($false) | Off ($false) | Turning off this setting (setting DoNotTrackUserClicks to $false) tracks user clicks. |
| Do not allow users to click through to original URL (DoNotAllowClickThrough) | Off ($false) | On ($true) | On ($true) | Turning on this setting (setting DoNotAllowClickThrough to $true) prevents click through to the original URL. |

Safe Attachments settings

Safe Attachments in Microsoft Defender for Office 365 includes global settings that have no relationship to Safe Attachments policies, and settings that are specific to each Safe Attachments policy. For more information, see Safe Attachments in Defender for Office 365.

Global settings for Safe Attachments

To configure these settings, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Safe Documents in Microsoft 365 E5.

In PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.



Security feature name Default Standard Strict Comment
Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams

EnableATPForSPOTeamsODB

On

$true

On

$true

Turn on Safe Documents for Office clients

EnableSafeDocs

On

$true

On

$true

This setting is only available with Microsoft 365 E5 or Microsoft 365 E5 Security licenses. For more information, see Safe Documents in Microsoft Defender for Office 365.
Allow people to click through Protected View even if Safe Documents identified the file as malicious

AllowSafeDocsOpen

Off

$false

Off

$false

This setting is related to Safe Documents.

Safe Attachments policy settings

To configure these settings, see Set up Safe Attachments policies in Defender for Office 365.

In PowerShell, you use the New-SafeAttachmentPolicy and Set-SafeAttachmentPolicy cmdlets for these settings.

Note

As described earlier, there is no default Safe Attachments policy. The values in the Default column are the default values in new Safe Attachments policies that you create.



| Security feature name | Default | Standard | Strict | Comment |
|---|---|---|---|---|
| Safe Attachments unknown malware response (Action) | Block (Block) | Block (Block) | Block (Block) | |
| Redirect attachment on detection: Enable redirect (Redirect, RedirectAddress) | Off, and no email address specified. ($true; none) | On, and specify an email address. ($true; an email address) | On, and specify an email address. ($true; an email address) | Redirect messages to a security admin for review. |
| Apply the above selection if malware scanning for attachments times out or error occurs. (ActionOnError) | On ($true) | On ($true) | On ($true) | |