  • Safe Links: Provides time-of-click verification of URLs in email, Teams messages, and Office apps.
    • URL Rewriting: URLs in the message body are rewritten to point at Microsoft’s Safe Links redirector (safelinks.protection.outlook.com) with the original URL carried as a parameter. Every click is checked against current reputation data, so if a site is identified as malicious after delivery the user is blocked even if they click hours or days after receipt. Keep “Let users click through to the original URL” disabled, otherwise the block page is only a warning.
    • Advanced Settings: Ensure “Wait for URL scanning to complete before delivering the message” (DeliverMessageAfterScan in PowerShell) is enabled for high-security environments. Without it, a message whose URLs are still being detonated is delivered immediately and only the time-of-click check stands between the user and the payload.
  • Safe Attachments: Uses a virtual sandbox environment (detonation chamber) to open attachments and check for malicious behavior before delivery.
    • Dynamic Delivery: The recommended setting for user experience. It delivers the body of the email immediately with a placeholder attachment while scanning occurs and reattaches the file once it is cleared. It is only available for Exchange Online mailboxes.
    • Block vs. Replace: Avoid “Monitor” (the Allow action in PowerShell) in production; it delivers the attachment and only records the detection. Use “Block” to quarantine the whole message, or “Replace” to deliver the message with the malicious file removed. Malware verdicts should land in an admin-only quarantine policy so users cannot release the file themselves.
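
The two policies above as PowerShell, added here as an example (it is not code from the original notes). It assumes the ExchangeOnlineManagement module is installed and that you have Exchange admin rights; the policy and rule names, contoso.com and the quarantine policy name are placeholders.

```powershell
# Added example (not part of the original notes): create the Safe Links and Safe Attachments
# policies described above and scope them to one domain. Requires the ExchangeOnlineManagement
# module; the policy/rule names, contoso.com and the quarantine policy name are placeholders.

Connect-ExchangeOnline   # these cmdlets live in Exchange Online PowerShell, not Connect-IPPSSession

# Safe Links: every setting here is one the portal lets you leave weak
$safeLinks = @{
    Name                     = 'Contoso-SafeLinks-Strict'
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    EnableForInternalSenders = $true    # internal senders are a common lateral-phish vector
    ScanUrls                 = $true    # real-time detonation of URLs at delivery
    DeliverMessageAfterScan  = $true    # "Wait for URL scanning to complete before delivering the message"
    DisableUrlRewrite        = $false   # keep the safelinks.protection.outlook.com wrapper
    TrackClicks              = $true    # click data feeds Threat Explorer and AIR
    AllowClickThrough        = $false   # users cannot click past the block page
}
New-SafeLinksPolicy @safeLinks
New-SafeLinksRule -Name $safeLinks.Name -SafeLinksPolicy $safeLinks.Name `
    -RecipientDomainIs 'contoso.com' -Priority 0

# Safe Attachments: Dynamic Delivery, with admin-only quarantine for anything that detonates
$safeAttachments = @{
    Name          = 'Contoso-SafeAttachments'
    Enable        = $true
    Action        = 'DynamicDelivery'        # 'Allow' is the portal's Monitor; never use it in production
    QuarantineTag = 'AdminOnlyAccessPolicy'  # built-in quarantine policy: users cannot release the file
}
New-SafeAttachmentPolicy @safeAttachments
New-SafeAttachmentRule -Name $safeAttachments.Name -SafeAttachmentPolicy $safeAttachments.Name `
    -RecipientDomainIs 'contoso.com' -Priority 0

# Read back the three Safe Links settings that are most often left weak
Get-SafeLinksPolicy -Identity $safeLinks.Name |
    Format-List DeliverMessageAfterScan, AllowClickThrough, DisableUrlRewrite
```

Splatting is used so each setting can carry its own comment; a backtick continuation line cannot be followed by a comment. The rule, not the policy, decides who is protected: a policy with no enabled rule applies to nobody.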

2. Anti-Phishing & Impersonation Protection

  • Impersonation Detection: Protects a curated list of high-value users (C-Suite, finance, IT) and your own and partner domains. It is not automatic; the protected users and domains must be maintained in the anti-phishing policy.
    • User Impersonation: Protects against look-alike display names (e.g., a message showing “John Doe” but sent from an unrelated address such as a personal Gmail account).
    • Domain Impersonation: Protects against look-alike domains (e.g., cont0so.com vs contoso.com).
  • Mailbox Intelligence: Learns each user’s normal correspondents from their mail flow and flags a message whose sender resembles a frequent contact but is not that contact. Enabling mailbox intelligence alone only informs the detection; “Mailbox intelligence based impersonation protection” must also be enabled with an action (quarantine, move to Junk) for it to do anything to the message.
  • Safety Tips: Enable visual cues in Outlook (e.g., the “first contact” tip for senders the user has never received mail from, and the similar-user, similar-domain and unusual-characters impersonation tips) to provide real-time user education.
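
An anti-phishing policy that turns on everything in this section, added here as an example (not code from the original notes). The protected names and addresses, the policy name and contoso.com are placeholders; the cmdlet and parameter names are the Exchange Online ones.

```powershell
# Added example (not part of the original notes): anti-phishing policy with user and domain
# impersonation protection, mailbox intelligence set to act, spoof intelligence and all safety
# tips. Protected names/addresses, the policy name and contoso.com are placeholders.

Connect-ExchangeOnline

$antiPhish = @{
    Name                                = 'Contoso-AntiPhish-Strict'
    # Impersonation: each protected user is written as "DisplayName;EmailAddress"
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Jane Doe;jane.doe@contoso.com', 'John Doe;john.doe@contoso.com')
    TargetedUserProtectionAction        = 'Quarantine'
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('contoso.com')     # add partner domains here too
    EnableOrganizationDomainsProtection = $true                # cover every accepted domain in the tenant
    TargetedDomainProtectionAction      = 'Quarantine'
    # Mailbox intelligence: the second switch is what makes it act instead of only inform
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    # Spoof intelligence and composite authentication failures
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'
    EnableUnauthenticatedSender         = $true    # "?" marker on unauthenticated senders in Outlook
    EnableViaTag                        = $true    # "via" tag when the From domain and sending domain differ
    # Safety tips shown to the user
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableFirstContactSafetyTips        = $true
    PhishThresholdLevel                 = 3        # 1 Standard, 2 Aggressive, 3 More aggressive, 4 Most aggressive
}
New-AntiPhishPolicy @antiPhish
New-AntiPhishRule -Name $antiPhish.Name -AntiPhishPolicy $antiPhish.Name `
    -RecipientDomainIs 'contoso.com' -Priority 0

# Confirm the protected list took and that none of the actions is still 'NoAction'
Get-AntiPhishPolicy -Identity $antiPhish.Name |
    Format-List TargetedUsersToProtect, TargetedUserProtectionAction,
                TargetedDomainProtectionAction, MailboxIntelligenceProtectionAction
```

The default policy (“Office365 AntiPhish Default”) ships with targeted user protection off, so a custom policy with a higher priority rule, as above, is what actually protects the executives.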

3. Automated Investigation and Response (AIR)

  • The Playbook: When a high-confidence phish or malware verdict, a zero-hour auto purge (ZAP) event, or a user-reported message raises an alert, Defender can trigger an automated investigation.
  • Investigation Steps: The system automatically analyzes the message, clusters other messages from the same “campaign” (same sender, subject, URL or file hash), checks whether they were delivered or already removed, and checks whether any user clicked the link or opened the file.
  • Remediation Actions:
    • Pending Approval: In Defender for Office 365, AIR does not act on its own. It proposes actions (e.g., “Soft delete 15 messages,” “Block URL,” “Turn off external mail forwarding”) in the Action center, where an analyst approves or rejects them. Account-level responses such as a password reset or sign-in revocation are handled outside AIR.

4. Threat Explorer & Campaign Discovery

  • Threat Explorer: The primary hunting tool. Use it to search for all emails from a specific sender IP, sender domain, or containing a specific URL/File Hash. It holds the last 30 days of mail data, so export anything you will need for a longer investigation.
  • Campaign Views: Aggregates individual phishing attempts into “Campaigns.” This allows you to see the scope of an attack and determine if it was targeted (spear-phishing) or a broad broadcast.
  • Message Header Analysis: Accessible directly within the portal from the email entity page. Check X-MS-Exchange-Organization-SCL (Spam Confidence Level: -1 bypassed, 0–1 not spam, 5–6 spam, 9 high confidence spam), X-MS-Exchange-Organization-PCL (Phishing Confidence Level), and the X-Forefront-Antispam-Report header, whose SFV (spam filtering verdict) and CAT (category) fields say why a message was or wasn’t blocked. An SFV of SKN, SKA or SFE means a mail flow rule, an allow entry or the user’s Safe Senders list bypassed filtering, which is the usual answer to “why was this delivered?”.
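
A small header parser that pulls those verdict fields out of a raw header block and explains them, added here as an example (not code from the original notes). The header text in $sampleHeaders is constructed for illustration and reuses the cont0so.com look-alike from section 2; the header names and SFV/CAT codes are the documented Exchange Online Protection ones. Paste the headers of a real message into $sampleHeaders to use it on your own mail.

```powershell
# Added example (not from the original notes): parse the EOP verdict headers out of a raw
# header block and explain why the message was or was not filtered. $sampleHeaders is a
# constructed sample; header names and field codes are the documented EOP ones.

$sampleHeaders = @'
Received: from mail.cont0so.com (203.0.113.10) by
 EXAMPLE-HOST.prod.outlook.com with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=cont0so.com; dkim=none (message not signed) header.d=none;
 dmarc=none action=none header.from=cont0so.com;compauth=fail reason=001
X-MS-Exchange-Organization-SCL: 9
X-MS-Exchange-Organization-PCL: 8
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:XX;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;H:mail.cont0so.com;PTR:;CAT:HPHSH;SFTY:9.19;DIR:INB;
From: "John Doe" <john.doe@cont0so.com>
Subject: Urgent: approve wire transfer
'@

function ConvertFrom-MessageHeader {
    # Unfold RFC 5322 headers into an ordered dictionary (last value wins for repeated names)
    param([Parameter(Mandatory)][string]$Raw)
    $headers = [ordered]@{}
    $name = $null
    foreach ($line in ($Raw -split "`r?`n")) {
        if ($name -and $line -match '^\s+\S') {
            $headers[$name] += ' ' + $line.Trim()          # folded continuation line
        }
        elseif ($line -match '^([A-Za-z0-9-]+):\s*(.*)$') {
            $name = $Matches[1]
            $headers[$name] = $Matches[2]
        }
    }
    return $headers
}

function Get-EopVerdict {
    param([Parameter(Mandatory)][string]$Raw)
    $h = ConvertFrom-MessageHeader -Raw $Raw

    # X-Forefront-Antispam-Report is a ';'-separated list of CODE:value pairs
    $report = @{}
    foreach ($pair in ([string]$h['X-Forefront-Antispam-Report'] -split ';')) {
        if ($pair -match '^([A-Z]+):(.*)$') { $report[$Matches[1]] = $Matches[2] }
    }
    $sfvText = @{
        BLK = 'blocked: sender on the user''s Blocked Senders list'
        SFE = 'filtering skipped: sender on the user''s Safe Senders list'
        SKA = 'filtering skipped: allow entry in the anti-spam policy'
        SKB = 'marked spam: block entry in the anti-spam policy'
        SKI = 'filtering skipped: intra-organization mail'
        SKN = 'filtering skipped: marked not spam by a mail flow rule'
        SKS = 'marked spam by a mail flow rule'
        SKQ = 'released from quarantine'
        NSPM = 'not spam'; SPM = 'classified as spam'
    }
    $catText = @{
        NONE = 'no threat'; SPM = 'spam'; HSPM = 'high confidence spam'; BULK = 'bulk'
        PHSH = 'phish'; HPHSH = 'high confidence phish'; MALW = 'malware'
        SPOOF = 'intra-org spoof'; DIMP = 'domain impersonation'
        UIMP = 'user impersonation'; GIMP = 'mailbox intelligence impersonation'
    }

    $scl = $h['X-MS-Exchange-Organization-SCL']
    $sclText = if ($null -eq $scl) { 'SCL header absent: message did not pass through EOP spam filtering' }
    else {
        switch ([int]$scl) {
            { $_ -lt 0 } { "SCL $_: filtering bypassed (safe sender, allow entry or mail flow rule)"; break }
            { $_ -le 1 } { "SCL $_: not spam"; break }
            { $_ -le 6 } { "SCL $_: spam, handled by the anti-spam policy action"; break }
            default      { "SCL $_: high confidence spam" }
        }
    }
    $pcl = $h['X-MS-Exchange-Organization-PCL']
    $pclText = if ($null -eq $pcl) { 'n/a' } elseif ([int]$pcl -ge 4) { "PCL $pcl: suspicious" } else { "PCL $pcl: neutral" }

    # compauth is the composite authentication result EOP derives from SPF/DKIM/DMARC + heuristics
    $compAuth = if ([string]$h['Authentication-Results'] -match 'compauth=(\w+)(?: reason=(\d+))?') {
        "$($Matches[1]) (reason $($Matches[2]))"
    } else { 'n/a' }

    $sfv = [string]$report['SFV']; $cat = [string]$report['CAT']
    [pscustomobject]@{
        SenderIP  = $report['CIP']
        Direction = $report['DIR']
        Spam      = $sclText
        Phish     = $pclText
        SFV       = "$sfv : $($sfvText[$sfv])"
        Category  = "$cat : $($catText[$cat])"
        CompAuth  = $compAuth
    }
}

Get-EopVerdict -Raw $sampleHeaders | Format-List
```

For the constructed sample this reports SCL 9 (high confidence spam), PCL 8 (suspicious), SFV SPM, category HPHSH and a failed composite authentication, i.e. the message was blocked because filtering ran and classified it, not because of an allow or block entry. A delivered phish typically shows the opposite pattern: SCL -1 with SFV SKN, SKA or SFE.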

5. Attack Simulation Training

  • Purpose: Proactively test user vulnerability to phishing.
  • Templates: Use Microsoft-curated payloads modelled on real lures (e.g., “Password Reset,” “HR Policy Update”) or build your own, and pick the technique being tested: credential harvest, malware attachment, link in attachment, link to malware, drive-by URL, or OAuth consent grant.
  • Outcome-Based Learning: Automatically assign mandatory training modules (e.g., “How to spot a phish”) to users who fail the simulation by clicking or providing credentials.

6. Essential PowerShell Cmdlets (Exchange Online PowerShell)

  • Connection: Connect-ExchangeOnline (ExchangeOnlineManagement module). The Safe Links, Safe Attachments, anti-phish and anti-malware cmdlets below are Exchange Online cmdlets, not Security & Compliance ones; Connect-IPPSSession is only needed for Security & Compliance PowerShell (e.g., content search and eDiscovery cmdlets).
  • Safe Links Management:
    • Get-SafeLinksPolicy (Lists policies and their settings)
    • Get-SafeLinksRule (Lists the scoping, priority and enabled state of the rules)
  • Safe Attachment Management:
    • Get-SafeAttachmentPolicy
    • Get-SafeAttachmentRule
  • Investigative Cmdlets:
    • Get-MalwareFilterPolicy (Review the anti-malware settings)
    • Get-AntiPhishPolicy / Get-AntiPhishRule (Review impersonation, mailbox intelligence and spoof settings; Get-PhishFilterPolicy is a deprecated spoof-intelligence cmdlet, replaced by Get-SpoofIntelligenceInsight)
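
An audit script built on the Get- cmdlets above, added here as an example (not code from the original notes). It walks every Safe Links, Safe Attachments, anti-phish and anti-malware policy and rule and reports the weak settings these notes warn about. It assumes the ExchangeOnlineManagement module and an account with at least read access to the policies; the thresholds (for instance PhishThresholdLevel of at least 2) are this example’s choices.

```powershell
# Added example (not from the original notes): audit Defender for Office 365 policies for the
# weak settings called out in these notes. Requires ExchangeOnlineManagement and read rights on
# the policies (assumption); the thresholds below are this example's choices.

Connect-ExchangeOnline

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param($Policy, $Setting, $Actual, $Expected)
    $findings.Add([pscustomobject]@{ Policy = $Policy; Setting = $Setting; Actual = $Actual; Expected = $Expected })
}

# Safe Links: delivery before the scan finishes, click-through and disabled rewriting all weaken
# time-of-click protection
foreach ($p in Get-SafeLinksPolicy) {
    if (-not $p.DeliverMessageAfterScan)  { Add-Finding $p.Name 'DeliverMessageAfterScan' $false $true }
    if ($p.AllowClickThrough)             { Add-Finding $p.Name 'AllowClickThrough' $true $false }
    if ($p.DisableUrlRewrite)             { Add-Finding $p.Name 'DisableUrlRewrite' $true $false }
    if (-not $p.EnableSafeLinksForTeams)  { Add-Finding $p.Name 'EnableSafeLinksForTeams' $false $true }
}

# Safe Attachments: 'Allow' is the PowerShell name of the portal's Monitor action
foreach ($p in Get-SafeAttachmentPolicy) {
    if (-not $p.Enable)        { Add-Finding $p.Name 'Enable' $false $true }
    if ($p.Action -eq 'Allow') { Add-Finding $p.Name 'Action' 'Allow (Monitor)' 'Block or DynamicDelivery' }
}

# Anti-phish: impersonation and mailbox intelligence must be on AND configured to act
foreach ($p in Get-AntiPhishPolicy) {
    if (-not $p.EnableTargetedUserProtection) { Add-Finding $p.Name 'EnableTargetedUserProtection' $false $true }
    if (-not ($p.EnableTargetedDomainsProtection -or $p.EnableOrganizationDomainsProtection)) {
        Add-Finding $p.Name 'Domain impersonation' 'off' 'targeted or organization domains'
    }
    if (-not $p.EnableMailboxIntelligenceProtection) { Add-Finding $p.Name 'EnableMailboxIntelligenceProtection' $false $true }
    if (-not $p.EnableSpoofIntelligence)             { Add-Finding $p.Name 'EnableSpoofIntelligence' $false $true }
    if ($p.PhishThresholdLevel -lt 2)                { Add-Finding $p.Name 'PhishThresholdLevel' $p.PhishThresholdLevel '>= 2' }
}

# Anti-malware: common attachment filter and zero-hour auto purge
foreach ($p in Get-MalwareFilterPolicy) {
    if (-not $p.EnableFileFilter) { Add-Finding $p.Name 'EnableFileFilter' $false $true }
    if (-not $p.ZapEnabled)       { Add-Finding $p.Name 'ZapEnabled' $false $true }
}

# A perfect policy does nothing if its rule is disabled or scoped to nobody
foreach ($r in @(Get-SafeLinksRule) + @(Get-SafeAttachmentRule) + @(Get-AntiPhishRule)) {
    if ($r.State -ne 'Enabled') { Add-Finding $r.Name 'Rule State' $r.State 'Enabled' }
    if (-not ($r.SentTo -or $r.SentToMemberOf -or $r.RecipientDomainIs)) {
        Add-Finding $r.Name 'Rule scope' 'no recipients' 'users, groups or domains'
    }
}

if ($findings.Count -eq 0) { 'No weak settings found.' }
else { $findings | Sort-Object Policy, Setting | Format-Table -AutoSize }
```

The Standard and Strict preset policies are scoped through Get-ATPProtectionPolicyRule rather than the per-feature rule cmdlets, so the rule-scope loop above does not cover them; the default policies (for example “Office365 AntiPhish Default”) will show up with impersonation protection off, which is expected and is why a custom policy is needed.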