Microsoft Defender for Office 365: Workflow, Features, and Plans

What is Microsoft Defender for Office 365?

This cloud-based solution offers email filtering and investigation features that can help mitigate threats facing email communication. Microsoft Defender for Office 365 can prevent phishing schemes, email-based malware attacks, and account takeover of business emails. This Microsoft security service includes filtering, hunting, remediation, and investigation capabilities.

Here are the three main use cases for Defender for Office 365:

  • On-premises email environments—you can use this solution primarily for filtering to protect on-premises SMTP email solutions like Microsoft Exchange Server.

  • Cloud-hosted mailboxes—you can enable this solution to protect mailboxes hosted in Microsoft Exchange Online.

  • Hybrid deployments—you can configure the solution to protect messaging environments and control email routing across cloud and on-premises mailboxes.


The solution adds more security capabilities to Exchange Online Protection (EOP), an inbound email filtering engine which is included with Exchange Online by default.

Microsoft Defender for Office Protection Workflow

The image below shows the basic components of Microsoft Defender for Office 365 and how it protects incoming email messages from threats.


Image Source: Microsoft

The workflow is as follows (numbers refer to the image above):

  1. The sender’s host server connects to your organization’s email server via Exchange Online (EXO) or an SMTP gateway that relays traffic to EXO.

  2. Exchange Online Protection verifies the inbound connection, checks message headers and content, and applies relevant policies and tags.

  3. EXO uses Microsoft Defender for Office 365, providing data about the incoming message and receiving recommendations for advanced threat protection and mitigation.

  4. If the message is not detected as malicious, not blocked, and not quarantined, it is delivered to an EXO recipient. At this point the user’s preferences with regard to mailbox filters, rules, and junk email are processed.

  5. EXO can integrate with Azure AD Connect, and use it to access on-premises Active Directory domains, to provision and synchronize mail-related objects and settings.

  6. In an on-premises environment, Microsoft recommends deploying Exchange Server to manage and administer email-related attributes of Active Directory.

  7. At the end of the process, Microsoft Defender for Office 365 shares email-related threat signals with the Microsoft 365 Defender suite to enable broader processing of events and incidents as part of Microsoft’s eXtended Detection and Response (XDR).


Related content: Read our guide to Microsoft 365 Defender

Microsoft Defender for Office 365 Features and Plans

Microsoft offers Defender plans designed to protect the Office 365 workspace. You can choose the plan that suits your needs and use them together as a flexible security stack.

Exchange Online Protection (EOP)

EOP provides cloud-based filtering to Exchange Online mailboxes within Microsoft 365 subscriptions. It helps protect against malicious software (malware) attacks, spam, and various email threats. EOP aims to prevent malicious emails from arriving at employees' inboxes.

EOP offers basic protection, which is not enough to protect against the daily emergence of new and sophisticated attacks. Microsoft offers additional security features through Defender for Office 365 plans 1 and 2 to provide more layers of control, investigation, and security.

Defender for Office: Plan 1

Microsoft Defender for Office P1 expands on EOP’s basic threat prevention features by offering threat detection capabilities. Here are the core features of Microsoft Defender for Office 365 P1:

  • Safe attachments—Microsoft Defender P1 quickly scans attachments in communication between users to validate their safety and prevent threats. EOP offers a limited version of the safe attachments feature. P1 extends safe attachment protection to include OneDrive, Microsoft Teams, and SharePoint.

  • Safe links—Defender P1 uses Microsoft's database and tests links within controlled environments to detect suspicious activities.

  • Anti-phishing protection—Defender P1 protects against phishing threats by pointing out or quarantining suspicious communication that asks your users to provide information.

  • Real-time detection—Defender P1 lets you see threats in real-time and can integrate with a SIEM.


The following security features are offered in the basic Office 365 license, and also available as part of Plan 1:

  • Anti spam—inbound email messages are automatically protected against spam, using centrally-defined anti-spam policies.

  • Anti malware—inbound email messages are automatically protected against viruses, spyware, and ransomware.

Defender for Office: Plan 2

Plan 2 includes all P1 features and more. It extends security to include threat investigation and response, automation capabilities for security protocols, and security education. Here are the core features of Defender for Office P2:

  • Threat trackers—lets you see the path of a certain threat across the organization. Threat tracking offers insights into potential security breaches.

  • Threat explorer—this feature provides a real-time report of threats to help you identify recent threats.

  • Automated investigation and response (AIR)—provides security playbooks that you can launch automatically through triggers or manually when responding to threats. It can help security teams save time when responding to security incidents.

  • Attack simulation training—enables you to run realistic attack scenarios for penetration testing - for example, brute force attacks, spear-phishing attacks, and malicious email attachments.

Related content: Read our guide to the Microsoft 365 E5 enterprise plan, which includes Defender for Office and other security features.

What is Microsoft Defender for Office Evaluation Mode?

Microsoft provides an evaluation mode feature that enables you to make informed decisions on purchases and upgrades. It aims to eliminate device and environment configuration complexities and provide a smooth evaluation experience. You can use it to assess security capabilities and determine whether it can help perform daily security operations.

When enabled, the feature sends all messages to Exchange Online mailboxes that you can evaluate without pointing any MX records to Microsoft. However, it applies only to email protection. You cannot use it for Office Clients such as Word, Teams, or SharePoint.

Here are the core benefits of the evaluation mode feature:

  • Protection—the evaluation feature sets up policies for you, including safe attachments, mailbox intelligence in anti-phishing, and safe links. Note that Defender for Office 365 creates policies in non-enforcement mode. It means these policies exist in the background and are invisible to users.

  • Filtering—evaluation mode sets up the enhanced filtering for connector configuration, improving accuracy by saving sender address and IP.

  • Reports—aggregated report of threats detected by EOP and Defender for Office 365 and EOP detections, which can be filtered by time.

Managed Detection & Response

Microsoft Security with BlueVoyant

Deploy the Microsoft security tools you already have and eliminate the headaches and cost of disparate security products.

Platform Core MDR Microsoft Lower total cost of ownership