Protect against threats in Office 365

Office 365 includes a variety of threat protection features. Here's a quick-start guide you can use as a checklist to make sure your threat protection features are set up for your organization. If you're new to threat protection features in Office 365, or you're just not sure where to begin, use the following guidance as a starting point.

Important

Initial recommended settings are included for each kind of policy; however, many options are available, and you can adjust your settings to meet your specific organization's needs. Allow approximately 30 minutes for your policies or changes to work their way through your datacenter.

Prerequisites

You must be assigned an appropriate role to configure policies in the Security & Compliance Center. The following table includes some examples:

Role or role group | Where to learn more
Office 365 Global Administrator | About Office 365 admin roles
Security Administrator | Administrator role permissions in Azure Active Directory
Exchange Online Organization Management | Permissions in Exchange Online and Exchange Online PowerShell

To learn more, see Permissions in the Office 365 Security & Compliance Center.

Part 1 - Anti-malware

Anti-malware protection is available in subscriptions that include Exchange Online Protection (EOP).

  1. In the Security & Compliance Center, choose Threat management > Policy > Anti-malware.
  2. Double-click the Default policy, and then choose settings.
  3. Specify the following settings:
    • In the Malware Detection Response section, keep the default setting of No.
    • In the Common Attachment Types Filter section, choose On.
  4. Click Save.

To learn more about anti-malware policy options, see Configure anti-malware policies.

Part 2 - Zero-day protection

Zero-day protection is available in subscriptions that include Office 365 Advanced Threat Protection (ATP), and is set up through ATP Safe Links and ATP Safe Attachments policies.

ATP Safe Attachments policies

  1. In the Security & Compliance Center, choose Threat management > Policy > ATP safe attachments.
  2. Select the option Turn on ATP for SharePoint, OneDrive, and Microsoft Teams.
  3. In the Protect email attachments section, click the plus sign (+).
  4. Specify the following settings:
    • In the Name box, type Block malware.
    • In the response section, choose Block.
    • In the Redirect attachment section, select the option Enable redirect, and then specify the email address for your organization's security administrator or operator who will review detected files.
    • In the Applied to section, choose The recipient domain is. Then, select your domain, choose Add, and then click OK.
  5. Click Save.
  6. (Recommended additional step) As a global administrator or a SharePoint Online administrator, run the Set-SPOTenant cmdlet with the DisallowInfectedFileDownload parameter set to true for your Office 365 environment. (This prevents people from opening, moving, copying, or sharing files that are detected as malicious.)
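
The Safe Attachments steps above, including the Set-SPOTenant step, can also be applied and read back from PowerShell. This is an added example, not part of the original guide; it assumes an Exchange Online PowerShell session and a SharePoint Online Management Shell session are already connected, and contoso.com and secops@contoso.com are placeholder values.

```powershell
# Added example; assumes connected Exchange Online PowerShell and
# SharePoint Online Management Shell sessions.
# Placeholder values (constructed): replace with your own domain and reviewer mailbox.
$Domain        = 'contoso.com'
$ReviewMailbox = 'secops@contoso.com'
$PolicyName    = 'Block malware'

# Step 2: turn on ATP for SharePoint, OneDrive, and Microsoft Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Steps 3-5: create the "Block malware" policy with redirect enabled,
# unless a policy with that name already exists.
if (-not (Get-SafeAttachmentPolicy | Where-Object Name -eq $PolicyName)) {
    New-SafeAttachmentPolicy -Name $PolicyName -Enable $true -Action Block `
        -Redirect $true -RedirectAddress $ReviewMailbox | Out-Null
}

# "Applied to: The recipient domain is" is expressed as a rule bound to the policy.
if (-not (Get-SafeAttachmentRule | Where-Object Name -eq $PolicyName)) {
    New-SafeAttachmentRule -Name $PolicyName -SafeAttachmentPolicy $PolicyName `
        -RecipientDomainIs $Domain | Out-Null
}

# Step 6: block download of files detected as malicious
# (run in the SharePoint Online session).
Set-SPOTenant -DisallowInfectedFileDownload $true

# Read the settings back so the change is verified rather than assumed.
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB
Get-SafeAttachmentPolicy -Identity $PolicyName |
    Format-List Name, Enable, Action, Redirect, RedirectAddress
Get-SafeAttachmentRule -Identity $PolicyName |
    Format-List Name, State, Priority, RecipientDomainIs
Get-SPOTenant | Format-List DisallowInfectedFileDownload
```

Allow for the propagation delay noted at the top of this guide before testing the policy with real mail.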

To learn more, see Set up Office 365 ATP Safe Attachments policies and Turn on Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams.

To set up ATP Safe Links, review your default policy and add a policy.

  1. In the Security & Compliance Center, choose Threat management > Policy > ATP Safe Links.
  2. Double-click the Default policy.
  3. In the Use safe links in section, select the option Office 365 ProPlus, Office for iOS and Android, and then click Save.
  4. In the Policies that apply to specific recipients section, click the plus sign (+).
  5. Specify the following settings:
    • In the Name box, type a name, such as Safe Links.
    • In the Select the action section, choose On.
    • Select these options:
      • Use safe attachments to scan downloadable content
      • Apply safe links to email messages sent within the organization
      • Do not let users click through safe links to original URL
    • In the Applied to section, choose The recipient domain is. Then, select your domain, choose Add, and then click OK.
  6. Click Save.

To learn more, see Set up Office 365 ATP Safe Links policies.

Part 3 - Anti-phishing

Anti-phishing protection is available in subscriptions that include EOP. Advanced anti-phishing protection is available in ATP. The following procedure describes how to configure an ATP anti-phishing policy. The steps are similar for configuring an anti-phishing policy (without ATP).

  1. In the Security & Compliance Center, choose Threat management > Policy > ATP anti-phishing.
  2. Click Default policy.
  3. In the Impersonation section, click Edit, and then specify the following settings:
    • On the Add users to protect tab, turn protection on. Then add users, such as your organization's board members, your CEO, CFO, and other senior leaders. (You can type an individual email address, or click to display a list.)
    • On the Add domains to protect tab, turn on Automatically include the domains I own. If you have custom domains, add those as well.
    • On the Actions tab, select Move message to the recipients' Junk Email folders for both impersonated user and impersonated domain, and turn on safety tips.
    • On the Mailbox intelligence tab, make sure mailbox intelligence is turned on.
    • On the Review your settings tab, after you have reviewed your settings, click Save.
  4. In the Spoof section, click Edit, and then specify the following settings:
    • On the Spoofing filter settings tab, make sure anti-spoofing protection is turned on.
    • On the Actions tab, choose Move message to the recipients' Junk Email folders.
    • On the Review your settings tab, after you have reviewed your settings, click Save. (If you didn't make any changes, click Cancel.)
  5. Close the default policy settings page.

To learn more about your anti-phishing policy options, see Set up Office 365 ATP anti-phishing and anti-phishing policies.

Part 4 - Anti-spam

Anti-spam protection is available in subscriptions that include EOP.

  1. In the Security & Compliance Center, choose Threat management > Policy > Anti-spam.
  2. On the Custom tab, turn Custom settings on.
  3. Expand Default spam filter policy, click Edit policy, and then specify the following settings:
    • In the Spam and bulk actions section, set the threshold to a value of 5 or 6.
    • In the Allow lists section, review (and if necessary, edit) your allowed senders and domains.
  4. Click Save.

To learn more about your anti-spam policy options, see Configure the anti-spam policies.

Part 5 - Service-wide settings

Zero-hour auto purge

Zero-hour auto purge (ZAP) is available in subscriptions that include EOP. This protection is turned on by default; however, the following conditions must be met for protection to be in effect:

  • Spam actions are set to Move message to Junk Email folder in anti-spam policies.
  • Users have kept their default junk email settings, and have not turned off junk email protection.

To learn more, see Zero-hour auto purge - protection against spam and malware.

Audit logging

Audit logging is available in subscriptions that include Exchange Online. In order to view data in threat protection reports, such as the Security Dashboard, email security reports, and Explorer, audit logging must be turned on for your organization. To learn more, see Turn Office 365 audit log search on or off.
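
The ZAP conditions and the audit logging requirement above, together with the Part 4 bulk threshold, can be checked in one pass. This is an added example, not part of the original guide; Get-ThreatProtectionGaps is a hypothetical helper name, the mailbox limit is a constructed default, and treating the mailbox junk email rule's Enabled flag as the "junk email protection" condition is an assumption.

```powershell
# Added example (not from the original guide). Run in Exchange Online PowerShell:
# in Security & Compliance Center PowerShell, UnifiedAuditLogIngestionEnabled
# always reads False.
function Get-ThreatProtectionGaps {          # hypothetical helper name
    param([int]$MailboxLimit = 500)          # constructed default; raise for full coverage
    $gaps = @()

    foreach ($p in Get-HostedContentFilterPolicy) {
        # ZAP condition 1: spam action is "Move message to Junk Email folder".
        if ("$($p.SpamAction)" -ne 'MoveToJmf') {
            $gaps += [pscustomobject]@{
                Check = 'ZAP: spam action'; Target = $p.Name; Value = "$($p.SpamAction)" }
        }
        # Part 4: bulk threshold set to 5 or 6.
        if ($p.BulkThreshold -notin 5, 6) {
            $gaps += [pscustomobject]@{
                Check = 'Anti-spam: bulk threshold'; Target = $p.Name; Value = $p.BulkThreshold }
        }
    }

    # ZAP condition 2 (assumed mapping): the junk email rule is still enabled
    # on each mailbox. Mailboxes that return no configuration are skipped.
    foreach ($m in Get-Mailbox -ResultSize $MailboxLimit) {
        $junk = Get-MailboxJunkEmailConfiguration -Identity $m.PrimarySmtpAddress `
            -ErrorAction SilentlyContinue
        if ($junk -and -not $junk.Enabled) {
            $gaps += [pscustomobject]@{
                Check = 'ZAP: junk email rule off'; Target = $m.PrimarySmtpAddress; Value = $false }
        }
    }

    # Audit logging must be on for the Security Dashboard, reports, and Explorer.
    if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
        $gaps += [pscustomobject]@{
            Check = 'Audit logging off'; Target = 'Organization'; Value = $false }
    }

    $gaps   # empty output means every check passed
}

Get-ThreatProtectionGaps | Format-Table -AutoSize
```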

Post-setup tasks

Watch for new features and service updates

See how ATP is working for your organization

Periodically review and revise your ATP policies