
Defender for Office 365 Plan 1 & 2

Exchange Online Protection (EOP) - prevents broad, volume-based, known attacks.

Plan 1

- Safe Attachments
- Safe Links
- Safe Attachments for SharePoint, OneDrive and Teams
- Anti-Phishing Protection in Defender for Office 365
- Real-Time Detections

Plan 2 - O365 E5, O365 A5 & M365 E5

- Threat Trackers
- Threat Explorer
- Automated investigation and response
- Attack simulation training
- Proactively hunt for threats with advanced hunting in Microsoft 365 Defender
- Investigate incidents in Microsoft 365 Defender
- Investigate alerts in Microsoft 365 Defender

Safe Documents - M365 A5 Faculty, M365 A5 for Students & M365 E5 Security.

Flow Diagram:

Microsoft Defender for Office 365 safeguards our organization against malicious threats posed by
email messages, links (URLs) and collaboration tools. It provides:

- Threat protection policies.
- Reports.
- Threat investigation and response capabilities.
- Automated investigation and response.

Primary ways that Defender for Office 365 can be used:

- Defender for Office 365 - cloud-based email protection for an on-premises Exchange Server
  environment or any other on-premises SMTP e-mail solution.
- Defender for Office 365 - protect Exchange Online cloud-hosted mailboxes.
- Hybrid deployment - protect our messaging environment and control mail routing when
  we have a mix of on-premises and cloud mailboxes, with EOP for inbound email filtering.

SMTP - Simple Mail Transfer Protocol


The Simple Mail Transfer Protocol (SMTP) is an internet standard communication
protocol for electronic mail transmission. Mail servers and other message transfer
agents use SMTP to send and receive mail messages. User-level email clients typically
use SMTP only for sending messages to a mail server for relaying, and typically
submit outgoing email to the mail server on port 587 or 465 per RFC 8314. For
retrieving messages, IMAP (which replaced the older POP3) is standard, but
proprietary servers also often implement proprietary protocols, e.g., Exchange
ActiveSync.

Safe Attachments - Provides zero-day protection to safeguard our messaging system by
checking email attachments for malicious content. It routes all messages and attachments that do
not have a virus/malware signature to a special environment, and then uses machine learning
and analysis techniques to detect malicious intent. If no suspicious activity is found, the message
is forwarded to the mailbox.

Safe Links - Provides time-of-click verification of URLs. Protection is ongoing and applies across
our messaging and Office environment. Links are scanned on each click: safe links remain
accessible and malicious links are dynamically blocked.
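The point of time-of-click verification is that the verdict is computed when the user clicks, not when the message was delivered, so a link whose destination is only recognised as malicious after delivery is still blocked. The following added example (not Microsoft's code, and not how Safe Links is implemented internally) illustrates the mechanism with a minimal URL-wrapping and click-time lookup in Python. The wrapper endpoint safelinks.example.invalid, the sample message body and the blocklist are all constructed for the example.

```python
import re
import urllib.parse
from typing import List, Set, Tuple

# Hypothetical redirect endpoint that a protected organisation would own;
# every URL in an inbound message is rewritten to point at it.
WRAP_PREFIX = "https://safelinks.example.invalid/?url="

# Constructed sample body with an internal link and a look-alike login link.
SAMPLE_BODY = (
    "Quarterly report: https://intranet.example.com/report.pdf "
    "Please confirm your account at http://login-example.example.net/verify"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_links(body: str) -> Tuple[str, List[str]]:
    """At delivery time: replace each URL with a wrapped redirect URL.

    Returns the rewritten body and the list of original URLs found.
    """
    found: List[str] = []

    def wrap(match: "re.Match[str]") -> str:
        original = match.group(0)
        found.append(original)
        # Percent-encode the whole original URL so it survives as one query value.
        return WRAP_PREFIX + urllib.parse.quote(original, safe="")

    return URL_RE.sub(wrap, body), found


def unwrap(wrapped: str) -> str:
    """Recover the original destination from a wrapped URL."""
    query = urllib.parse.urlparse(wrapped).query
    return urllib.parse.parse_qs(query)["url"][0]


def verdict_at_click(wrapped: str, blocked_hosts: Set[str]) -> Tuple[str, str]:
    """At click time: evaluate the destination against the *current* blocklist.

    Returns ("blocked" | "allowed", original_url). Because this runs when the
    user clicks, a host added to the blocklist after delivery is still caught.
    """
    original = unwrap(wrapped)
    host = urllib.parse.urlparse(original).hostname or ""
    if host in blocked_hosts:
        return "blocked", original
    return "allowed", original


def demo() -> List[str]:
    """Walk through delivery, then a click before and after a blocklist update."""
    rewritten, originals = rewrite_links(SAMPLE_BODY)
    wrapped_links = URL_RE.findall(rewritten)
    suspicious = wrapped_links[1]  # the look-alike login link

    blocklist: Set[str] = set()  # nothing known at delivery time
    first_click = verdict_at_click(suspicious, blocklist)[0]

    # Threat intelligence arrives later and flags the host.
    blocklist.add("login-example.example.net")
    second_click = verdict_at_click(suspicious, blocklist)[0]
    internal_click = verdict_at_click(wrapped_links[0], blocklist)[0]
    return [first_click, second_click, internal_click]


if __name__ == "__main__":
    print(demo())
```

A delivery-time scanner would have let the second link through for good; with the wrapper in place the same link is allowed on the first click and blocked on the second, while the internal link stays accessible.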

Safe Attachments for SharePoint, OneDrive & Microsoft Teams - Identifies and blocks malicious
files in team sites and document libraries.

Safe Documents - Safe Documents is a premium feature that uses the cloud back end of
Microsoft Defender for Endpoint to scan Office documents opened in Protected View or
Application Guard for Office.

Anti-phishing protection in Defender for Office 365 - Applies machine learning models and
advanced impersonation-detection algorithms to avert phishing attacks.

Real-Time Detections (P1) or Explorer (P2) - View malware detected by Microsoft 365 security
features, view phishing URL and click verdict data, investigate malicious email and files detected
in SharePoint Online, OneDrive & Microsoft Teams, and start an automated investigation and
response process from Explorer (only for Plan 2).

- Data retention & search limit - 30 days.
- Export of records from Threat Explorer - limit updated from 9990 to 200000 records.

New features in Threat Explorer & Real-Time Detections:

- View phishing emails sent to impersonated users and domains.
- Preview email header & download email body.
- Email timeline.
- Export URL click data.

Threat Trackers - Provide the latest intelligence on prevailing cybersecurity issues: Noteworthy
trackers, Trending trackers, Tracked queries & Saved queries.

Attack Simulation Training - Allows us to run realistic attack scenarios in our organization to
identify vulnerabilities. Simulations of current types of attacks are available, including spear
phishing credential harvest and attachment attacks, and password spray and brute force
password attacks.

Automated Investigation and Response (AIR) - AIR capabilities include a set of security playbooks
that can be launched automatically, such as when an alert is triggered, or manually.