Trial playbook: Microsoft Defender for Office 365
Tip
Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.
Welcome to the Microsoft Defender for Office 365 trial playbook! This playbook will help you make the most of your 90-day free trial by teaching you how to safeguard your organization with Defender for Office 365.
Now you have the option to try Defender for Office 365 in one of two ways:
Blocking mode (recommended): If your mail exchanger (MX) record points to Microsoft 365, you can evaluate Defender for Office 365 capabilities in blocking mode. Defender for Office 365 automatically applies the Standard preset security policy settings.
Throughout the evaluation period, you can choose at any time to opt into a higher protection template (our Strict preset security policy settings), or you can create your own individual protection policies to suit your needs.
Audit mode: If your MX record points somewhere other than to Microsoft 365 (for example, a third-party email gateway), you can evaluate Defender for Office 365 in audit mode. Defender for Office 365 will not take blocking action on messages that we determine to be harmful.
These threats will be logged and available for your review through the Threat protection status report, which gives you detailed information on the types of detected threats, who the threats were targeting, and much more. These additional "catches" indicate the additional protection capabilities of Defender for Office 365 over the standard Exchange Online Protection (EOP) capabilities, or the capabilities of other third-party email gateways. Once you're satisfied and are ready to use Defender for Office 365, you can migrate to Defender for Office 365.
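Which mode applies depends on where the domain's MX record points. The following PowerShell check is an added example, not part of the original playbook. The function name `Get-TrialModeFromMx`, the sample domains, and the Microsoft 365 MX host suffixes are assumptions that the page does not list, and the example treats the lowest-preference MX host as the one that decides the mode.

```powershell
# Added example: classify a domain's mail routing to pick a trial mode.
# Assumption: Microsoft 365 (commercial cloud) MX hosts end in one of these
# suffixes; the playbook itself does not list them.
$M365MxSuffixes = @('.mail.protection.outlook.com', '.mx.microsoft')

function Get-TrialModeFromMx {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        # Optional pre-fetched records (objects with NameExchange/Preference),
        # so the logic can be exercised offline with constructed data.
        [object[]] $MxRecords
    )
    if (-not $MxRecords) {
        # Live lookup; keep only MX answers (a domain without MX returns SOA data).
        $MxRecords = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
            Where-Object { $_.QueryType -eq 'MX' }
    }
    if (-not $MxRecords) {
        return [pscustomobject]@{ Domain = $Domain; PrimaryMx = $null; Mode = 'Unknown (no MX record)' }
    }
    # Mail is delivered to the lowest-preference host first.
    $primary = $MxRecords | Sort-Object Preference | Select-Object -First 1
    $mxHost  = $primary.NameExchange.TrimEnd('.').ToLowerInvariant()
    $isM365  = [bool]($M365MxSuffixes | Where-Object { $mxHost.EndsWith($_) })
    [pscustomobject]@{
        Domain    = $Domain
        PrimaryMx = $mxHost
        Mode      = if ($isM365) { 'Blocking mode' } else { 'Audit mode' }
    }
}

# Constructed sample records (not real lookups).
$direct   = [pscustomobject]@{ NameExchange = 'contoso-com.mail.protection.outlook.com'; Preference = 0 }
$gateway  = [pscustomobject]@{ NameExchange = 'mx1.gateway.example'; Preference = 5 }
$fallback = [pscustomobject]@{ NameExchange = 'fabrikam-com.mail.protection.outlook.com'; Preference = 20 }

# MX points straight at Microsoft 365: blocking mode is available.
Get-TrialModeFromMx -Domain 'contoso.com' -MxRecords $direct
# A third-party gateway is the primary MX, Microsoft 365 only a fallback: audit mode.
Get-TrialModeFromMx -Domain 'fabrikam.com' -MxRecords $gateway, $fallback
```

Omit `-MxRecords` to resolve a real domain with `Resolve-DnsName`.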
Using the recommendations in this guide, you'll learn how Defender for Office 365 can help you define protection policies, analyze threats to your organization, and respond to attacks.
Let's get started!
Blocking mode
Step 1: Getting started in blocking mode
Start your Microsoft Defender for Office 365 trial
After you've initiated the trial and completed the setup process, it may take up to 2 hours for changes to take effect.
We've automatically configured Preset security policies in your environment. These policies represent a baseline protection profile that's suitable for most users. Standard protection includes:
- Safe Links, Safe Attachments and anti-phishing policies that are scoped to the entire tenant or subset of users you may have chosen during the trial setup process.
- Safe Attachments protection for SharePoint, OneDrive, and Microsoft Teams.
- Safe Links protection for supported Office 365 apps.
Watch this video to learn more: Protect against malicious links with Safe Links in Microsoft Defender for Office 365 - YouTube.
Enable users to report suspicious content in blocking mode
Defender for Office 365 enables users to report messages to their security teams and allows admins to submit messages to Microsoft for analysis.
- Deploy the Report Message add-in or the Report Phishing add-in.
- Establish a workflow to Report false positives and false negatives.
- Use the Submissions portal.
Watch this video to learn more: Learn how to use the Submissions portal to submit messages for analysis - YouTube.
Review reports to understand the threat landscape in blocking mode
Use the reporting capabilities in Defender for Office 365 to get more details about your environment.
- Understand threats received in email and collaboration tools with the Threat protection status report.
- See where threats are blocked with the Mailflow status report.
- Review links that were viewed by users or blocked by the system.
Step 2: Intermediate steps in blocking mode
Prioritize focus on your most targeted users
Protect your most targeted and most visible users with Priority Account Protection in Defender for Office 365, which helps you prioritize your workflow to ensure these users are safe.
- Identify your most targeted or most visible users.
- Tag these users as priority accounts.
- Track threats to priority accounts throughout the portal.
Watch this video to learn more: Protecting priority accounts in Microsoft Defender for Office 365 - YouTube.
Avoid costly breaches by preventing user compromise
Get alerted to potential compromise and automatically limit the impact of these threats to prevent attackers from gaining deeper access to your environment.
- Review compromised user alerts.
- Investigate and respond to compromised users.
Watch this video to learn more: Detect and respond to compromise in Microsoft Defender for Office 365 - YouTube.
Use Threat Explorer to investigate malicious email
Defender for Office 365 enables you to investigate activities that put people in your organization at risk and to take action to protect your organization. You can do this using Threat Explorer.
- Find suspicious email that was delivered: Find and delete messages, identify the IP address of a malicious email sender, or start an incident for further investigation.
- Check the delivery action and location: This check lets you know the location of problem email messages.
- View the timeline of your email: Simplify hunting for your security operations team.
See campaigns targeting your organization
See the bigger picture with Campaign Views in Defender for Office 365, which gives you a view of the attack campaigns targeting your organization and the impact they have on your users.
- Identify campaigns targeting your users.
- Visualize the scope of the attack.
- Track user interaction with these messages.
Watch this video to learn more: Campaign Views in Microsoft Defender for Office 365 - YouTube.
Use automation to remediate risks
Respond efficiently using Automated investigation and response (AIR) to review, prioritize, and respond to threats.
- Learn more about investigation playbooks.
- View details and results of an investigation.
- Eliminate threats by approving remediation actions.
Step 3: Advanced content in blocking mode
Dive deep into data with query-based hunting
Use Advanced hunting to write custom detection rules, proactively inspect events in your environment, and locate threat indicators. Explore raw data in your environment.
- Build custom detection rules.
- Access shared queries created by others.
Watch this video to learn more: Threat hunting with Microsoft 365 Defender - YouTube.
Train users to spot threats by simulating attacks
Equip your users with the right knowledge to identify threats and report suspicious messages with Attack simulation training in Defender for Office 365.
- Simulate realistic threats to identify vulnerable users.
- Assign training to users based on simulation results.
- Track progress of your organization in simulations and training completion.
Auditing mode
Step 1: Get started in auditing mode
Start your Defender for Office 365 evaluation
After you've completed the setup process, it may take up to 2 hours for changes to take effect. We've automatically configured Preset Evaluation policies in your environment.
Evaluation policies ensure no action is taken on email that's detected by Defender for Office 365.
Enable users to report suspicious content in auditing mode
Defender for Office 365 enables users to report messages to their security teams and allows admins to submit messages to Microsoft for analysis.
- Deploy the Report Message add-in or the Report Phishing add-in.
- Establish a workflow to Report false positives and false negatives.
- Use the Submissions portal.
Watch this video to learn more: Learn how to use the Submissions portal to submit messages for analysis - YouTube.
Review reports to understand the threat landscape in auditing mode
Use the reporting capabilities in Defender for Office 365 to get more details about your environment.
- The Evaluation dashboard provides an easy view of the threats detected by Defender for Office 365 during evaluation.
- Understand threats received in email and collaboration tools with the Threat protection status report.
Step 2: Intermediate steps in auditing mode
Use Threat Explorer to investigate malicious email in auditing mode
Defender for Office 365 enables you to investigate activities that put people in your organization at risk and to take action to protect your organization. You can do this using Threat Explorer.
- Find suspicious email that was delivered: Find and delete messages, identify the IP address of a malicious email sender, or start an incident for further investigation.
- Check the delivery action and location: This check lets you know the location of problem email messages.
- View the timeline of your email: Simplify hunting for your security operations team.
Convert to Standard Protection at the end of evaluation period
When you're ready to turn on Defender for Office 365 policies in production, you can use "Convert to Standard Protection" within the evaluation management experience to easily move to Standard protection in preset security policies.
1. On the Microsoft Defender for Office 365 evaluation page at https://security.microsoft.com/atpEvaluation, click Manage.
2. In the flyout that opens, click Convert to Standard protection.
3. In the Convert to standard protection dialog that opens, click Continue to initiate the setup.
Migrate from a third-party protection service or device to Defender for Office 365
If you already have an existing third-party protection service or device that sits in front of Microsoft 365, you can migrate your protection to Microsoft Defender for Office 365 to get the benefits of a consolidated management experience, potentially reduced cost (using products that you already pay for), and a mature product with integrated security protection.
For more information, see Migrate from a third-party protection service or device to Microsoft Defender for Office 365.
Step 3: Advanced content in auditing mode
Train users to spot threats by simulating attacks in auditing mode
Equip your users with the right knowledge to identify threats and report suspicious messages with Attack simulation training in Defender for Office 365.
- Simulate realistic threats to identify vulnerable users.
- Assign training to users based on simulation results.
- Track progress of your organization in simulations and training completion.
Additional resources
- Interactive guide: Unfamiliar with Defender for Office 365? Review the interactive guide to understand how to get started.
- Fast Track Get Started Guide: Microsoft Defender for Office 365
- Microsoft docs: Get detailed information on how Defender for Office 365 works and how to best implement it for your organization. Visit Docs.
- What's included: For a full list of Office 365 email security features listed by product tier, view the Feature Matrix.
- Why Defender for Office 365: The Defender for Office 365 Datasheet shows the top 10 reasons customers choose Microsoft.