Microsoft Defender for Office 365 Features service description

What's new in Microsoft Defender for Office 365

We are continuing to add new features to Defender for Office 365. To learn more about new features coming to Defender for Office 365 (or Microsoft 365 in general), see the following resources:

Defender for Office 365 capabilities

Safe Attachments

Safe Attachments protects against unknown malware and viruses, and provides zero-day protection to safeguard your messaging system. All messages and attachments that don't have a known virus/malware signature are routed to a special environment where Defender for Office 365 uses a variety of machine learning and analysis techniques to detect malicious intent. If no suspicious activity is detected, the message is released for delivery to the mailbox.

Note

Safe Attachments scanning takes place in the same region where your Office 365 data resides. For more information about data center geography, see Where is your data located?

The Safe Links feature proactively protects your users from malicious URLs in a message or in an Office document. The protection remains every time they select the link, as malicious links are dynamically blocked while good links can be accessed.

Safe Links is available for URLs in the following apps:

  • Microsoft 365 Apps for enterprise on Windows or Mac

  • Office for the web (Word for the web, Excel for the web, PowerPoint for the web, and OneNote for the web)

  • Word, Excel, and PowerPoint on Windows

  • Microsoft Teams channels and chats

Note

Users must be licensed for Defender for Office 365*, must be included in Safe Links policies, and must be signed in on their devices for protection to be in place.

* For organization-wide Defender for Office 365 licenses (for example, ATP_ENTERPRISE_FACULTY), you don't need to assign Defender for Office 365 licenses to individual users.

For more information about Safe Links protection, see Safe Links in Microsoft Defender for Office 365.

Safe Documents

The Safe Documents feature uses Microsoft Defender for Endpoint to scan documents and files that are opened in Protected View.

What do you need to know before you begin?

  • Safe Documents is now generally available to users with Office Version 2004 (12730.x) or greater! This feature is off by default and will need to be enabled by the Security Administrator.

  • This feature is only available to users with the Microsoft 365 E5 or Microsoft 365 E5 Security license (not included in Defender for Office 365 plans).

  • Word, Excel, and PowerPoint on Windows

  • Microsoft Teams channels and chats

Note

Users must be licensed for Microsoft 365 E5 or Microsoft 365 E5 Security*, must be included in Safe Documents policies, and must be signed in on their devices for protection to be in place.

For more information about Safe Documents protection, see Safe Documents in Microsoft 365 E5.

Protection for SharePoint, OneDrive, and Microsoft Teams

Protection for SharePoint, OneDrive, and Microsoft Teams helps detect and block files that are identified as malicious in team sites and document libraries. In addition, Safe Links protection is now available in Microsoft Teams channels and chats.

Anti-phishing policies

Anti-phishing checks incoming messages for indicators that a message might be a phishing attempt. When users are covered by Defender for Office 365 policies (Safe Attachments, Safe Links, or anti-phishing), incoming messages are evaluated by multiple machine learning models that analyze messages and the appropriate action is taken, based on the configured policies.

Real-time reports

Monitoring capabilities available in the Security & Compliance Center include real-time reports and insights that let your security and compliance administrators focus on high-priority issues, such as security attacks or increased suspicious activity. In addition to highlighting problem areas, smart reports and insights include recommendations and links to view and explore data and also take quick actions.

Threat Explorer

Threat Explorer (also referred to as Explorer) is a real-time report that lets authorized users identify and analyze recent threats. By default, this report shows data for the past seven days; however, views can be modified to show data for the past 30 days.

Explorer contains views, such as Malware (for email and content), Submissions, Phish, and All Email. To see how Explorer compares with real-time detections, download this PDF.

For more information about Explorer (in Microsoft Defender for Office 365 Plan 2) and real-time detections (in Microsoft Defender for Office 365 Plan 1), see Threat Explorer and real-time detections.

Real-time detections

Real-time detections is a real-time report that lets authorized users identify and analyze recent threats. Similar to Explorer, by default, this report shows data for the past seven days.

Real-time detections contain views, such as Malware (for email and content), Submissions, and Phish. To see how real-time detections compare with Explorer, download this PDF.

For more information about Explorer (in Microsoft Defender for Office 365 Plan 2) and real-time detections (in Microsoft Defender for Office 365 Plan 1), see Threat Explorer and real-time detections.

Threat Trackers

Threat Trackers are informative widgets and views that provide authorized users with intelligence on cybersecurity issues that might impact your organization.

Automated investigation & response

Automated investigation & response (AIR) capabilities available in Defender for Office 365 Plan 2 let you run automated investigation processes in response to well-known threats that exist today. By automating certain investigation tasks, your security operations team can operate more efficiently and effectively. Remediation actions, such as deleting malicious email messages, are taken upon approval by your security operations team. To learn more, see How AIR works in Office 365.

Attack simulation training

Attack simulation training is an intelligent social risk management tool that automates the creation and management of phishing simulations. Simulations help customers detect, prioritize, and remediate phishing risks by using real world phish lures and hyper-targeted training to change employee behaviors.

  • Attack simulation training is now available in WW and GCC (will be in GCC from June 21).
  • For more information on how to get started, see Get started using Attack simulation training.
  • Various attack techniques that apply de-weaponized, real-world phish payloads are available that replicate real world attacker behavior to make phishing simulations relevant.
  • This service is available to organizations that have either Microsoft 365 E5, Office 365 E5, or Microsoft Defender for Office 365 Plan 2 licenses. A subset of capabilities is offered to E3 customers as a trial.
  • To learn more and try out a simulation, see Simulate a phishing attack.