Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Knowledge Center

Microsoft Defender for Office 365

What Defender for Office 365 actually protects against — phishing, malware, and business email compromise — and how its plan tiers differ.

4 min read
Microsoft 365

Exchange Online Protection (EOP), included in every Microsoft 365 plan, filters spam and known malware. Microsoft Defender for Office 365 is a separate, licensed add-on layered on top of it, built specifically to catch the attacks EOP's baseline filtering misses — targeted phishing, zero-day malware, and business email compromise. Understanding where EOP ends and Defender begins is the first step to evaluating whether your current protection actually matches your risk.

EOP vs. Defender for Office 365

Exchange Online Protection vs. Defender for Office 365
CapabilityEOP (baseline, all plans)Defender for Office 365
Known spam/malware filteringYesYes
Anti-phishing (known bad senders/domains)YesYes, plus advanced impersonation detection
Safe Links (time-of-click URL rewriting)NoYes
Safe Attachments (sandbox detonation)NoYes
Business email compromise / impersonation protectionLimitedYes — brand and user impersonation detection
Automated investigation and responseNoYes (Plan 2)
Attack simulation trainingNoYes (Plan 2)
EOPKnown spam & malwareAnti-PhishingImpersonation detectionSafe AttachmentsSandbox detonationSafe LinksTime-of-click rewriteDelivered to inboxA message failing any layer is quarantined or blocked at that stage — it never needs to pass every remaining check to be stopped.
Each layer catches a different threat class — no single layer is sufficient alone, which is why EOP's baseline filtering plus Defender's added layers work together.

Plan 1 vs. Plan 2

Defender for Office 365 Plan 1 covers Safe Links, Safe Attachments, and anti-phishing/impersonation protection — the core protective layer beyond EOP. Plan 2 adds automated investigation and response (AIR), threat hunting tools, attack simulation training, and richer reporting — oriented toward organizations with a dedicated security function that will actually use the deeper investigative tooling, not just the protective controls.

Plan 2's value depends on who's actually using it

Plan 2's automated investigation and threat-hunting features deliver real value when someone is actively reviewing the findings and simulation results. An organization licensing Plan 2 but not staffing time to use its investigative tooling is often better served by Plan 1 plus a managed security service that actively monitors and responds — see Security Assessment Services.

Safe Links rewrites URLs in email at delivery and re-checks them at the moment of click, not just at delivery time — this catches "time-bomb" phishing links that are benign when the email arrives but weaponized after evading initial delivery-time scanning. Safe Attachments detonates attachments in an isolated sandbox environment before delivery, catching malware that static scanning alone wouldn't identify, at the cost of a small delivery delay for scanned attachments.

Business email compromise protection

Business email compromise (BEC) — an attacker impersonating an executive, vendor, or known contact to request a fraudulent payment or data transfer — doesn't always involve malware or a malicious link, which is exactly why baseline malware/phishing filtering alone often misses it. Defender for Office 365's impersonation protection specifically models known-good senders (executives, frequently contacted domains) and flags messages that impersonate them, even when the message itself contains no obviously malicious payload.

How this fits with Conditional Access and identity protection

Email security and identity security are complementary, not substitutes for each other: Defender for Office 365 reduces the chance a phishing email reaches or successfully deceives a user, while Multi-Factor Authentication: Methods and Best Practices and Microsoft Entra ID Protection reduce the damage if a credential is compromised anyway — no email filter catches every phishing attempt, which is exactly why layered defense (see Microsoft 365 Security Architecture) matters.

Common mistakes

  • Assuming EOP alone is sufficient protection because "we have Microsoft 365 security built in" — EOP's baseline filtering does not include Safe Links, Safe Attachments, or advanced impersonation protection.
  • Licensing Plan 2 without staffing time to use its investigative and simulation tooling, paying for capability that goes unused.
  • Treating email security as a substitute for MFA, rather than a complementary layer — see Authentication Attacks for how phishing that gets through email filtering is stopped (or not) at the authentication layer.
  • Not running attack simulation training (Plan 2) despite having it licensed, missing a low-cost way to measure and improve actual user phishing susceptibility.

FAQ

Do we need Defender for Office 365 if we already have a strong spam filter? A third-party spam filter and EOP both address known spam/malware; Defender for Office 365's specific value — time-of-click URL protection, attachment sandboxing, and impersonation detection — targets a different, more targeted class of attack that generic spam filtering isn't designed to catch.

Does Defender for Office 365 protect against phishing links clicked outside of email, e.g., in Teams or a shared document? Coverage varies by configuration and licensing — Safe Links can extend to Office apps and Teams in supported configurations, but confirm current scope directly against your licensed plan, since this has expanded over time.

How does this relate to Microsoft Defender for Endpoint or Defender for Cloud Apps? Those are separate, related products in the broader Microsoft Defender family covering endpoints and cloud app usage respectively — Defender for Office 365 is specifically the email/collaboration workload protection. See Microsoft 365 Security Architecture for how the full Defender family fits together.

Operational Support

Need help implementing these findings?

IT KORR can coordinate DNS configuration, email authentication setup, and Microsoft 365 governance alignment. We work with your current providers — no migration required.

No commitment required — we respond within one business day.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT