Recommended email and collaboration threat policy settings for cloud organizations
Tip
Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.
Although all organizations with cloud mailboxes include built-in security features, Microsoft Defender for Office 365 is the primary email and collaboration security solution for Microsoft 365.
We recommend two security levels: Standard and Strict. Although customer environments and needs are different, these levels of filtering help keep unwanted email out of user mailboxes in most situations.
To automatically apply the Standard or Strict settings to users, use Preset security policies.
This article describes the default threat policy settings, and also the recommended Standard and Strict settings to help protect users. The tables contain the settings in the Microsoft Defender portal and Exchange Online PowerShell.
Note
Threat policies work best when the source email domains for your organization are correctly authenticated. Before tuning anti-phishing or other threat policies, verify the email authentication settings for outbound mail from each sending domain:
- Sender Policy Framework (SPF): Authorizes the services permitted to send mail on behalf of your domain.
- DomainKeys Identified Mail (DKIM): Signs messages so recipients can verify the message wasn't altered and is authorized by the signing domain.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC): Tells recipient systems how to handle messages that fail authentication and whether authentication aligns with the visible From: domain.
If SPF, DKIM, or DMARC are missing or misconfigured, legitimate messages might be delivered to the Junk Email folder or quarantine, even with the recommended threat policy settings. Fix authentication first, then review and tune policy settings.
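The following PowerShell function is an added example, not part of this article, that performs the pre-check described above for one sending domain: it resolves the SPF record at the domain, the DKIM selector records under `_domainkey`, and the DMARC record at `_dmarc`, and reports whether each is present and what policy they declare. It assumes `Resolve-DnsName` (DnsClient module on Windows) is available, and the selector names `selector1`/`selector2` and the domain `contoso.com` are assumed placeholders, not values from the article.

```powershell
# Added example (not from the article): pre-check SPF, DKIM and DMARC for a
# sending domain before tuning anti-phishing or other threat policies.
# Assumptions: Resolve-DnsName is available; the DKIM selector names are
# parameters because they vary per tenant (the defaults here are assumed).
function Test-SendingDomainAuth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string[]] $DkimSelectors = @('selector1', 'selector2')   # assumed defaults
    )

    # Return every TXT string published at a name (multi-string records joined),
    # or an empty array when the lookup fails or the name does not exist.
    function Get-TxtStrings([string] $Name) {
        try {
            Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
                Where-Object { $_.Type -eq 'TXT' } |
                ForEach-Object { ($_.Strings -join '') }
        } catch { @() }
    }

    $result = [ordered]@{ Domain = $Domain }

    # SPF: exactly one v=spf1 record is valid; record which 'all' mechanism ends it.
    $spf = @(Get-TxtStrings $Domain | Where-Object { $_ -match '^v=spf1\b' })
    $result.SpfRecordCount  = $spf.Count
    $result.SpfRecord       = if ($spf.Count -ge 1) { $spf[0] } else { $null }
    $result.SpfAllMechanism = if ($spf.Count -ge 1 -and $spf[0] -match '([~\-\?\+]?all)\s*$') { $Matches[1] } else { $null }
    $result.SpfOk           = ($spf.Count -eq 1)

    # DKIM: each selector must resolve, either as a CNAME to the signing service
    # or as a TXT record carrying the public key.
    $dkim = foreach ($sel in $DkimSelectors) {
        $name  = "$sel._domainkey.$Domain"
        $found = $false
        try {
            $rr    = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop
            $found = [bool]($rr | Where-Object { $_.Type -in 'CNAME', 'TXT' })
        } catch { }
        if (-not $found) {
            $found = [bool](Get-TxtStrings $name | Where-Object { $_ -match 'v=DKIM1|\bp=' })
        }
        [pscustomobject]@{ Selector = $sel; Published = $found }
    }
    $result.DkimSelectors = $dkim
    $result.DkimOk        = -not ($dkim | Where-Object { -not $_.Published })

    # DMARC: one v=DMARC1 record at _dmarc.<domain>; p= is the policy that
    # recipient systems apply to messages that fail aligned authentication.
    $dmarc = @(Get-TxtStrings "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1\b' })
    $result.DmarcRecord = if ($dmarc.Count -ge 1) { $dmarc[0] } else { $null }
    $result.DmarcPolicy = if ($dmarc.Count -ge 1 -and $dmarc[0] -match '\bp=(none|quarantine|reject)') { $Matches[1] } else { $null }
    $result.DmarcOk     = ($dmarc.Count -eq 1 -and $null -ne $result.DmarcPolicy)

    # Only tune threat policies once all three checks pass.
    $result.ReadyToTunePolicies = $result.SpfOk -and $result.DkimOk -and $result.DmarcOk
    [pscustomobject]$result
}

# Usage (placeholder domain): Test-SendingDomainAuth -Domain 'contoso.com' | Format-List
```

A domain whose DMARC policy is `p=none` passes the presence check but gives recipient systems no instruction, so the `DmarcPolicy` value is worth reviewing alongside the `HonorDmarcPolicy` anti-phishing settings later in this article.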
You can use the configuration analyzer to compare the settings in custom threat policies to the recommended Standard or Strict values. For more information, see Configuration analyzer for threat policies.
The Office 365 Advanced Threat Protection Recommended Configuration Analyzer (ORCA) module for PowerShell can help admins find the current values of these settings. Specifically, the Get-ORCAReport cmdlet generates an assessment of anti-spam, anti-phishing, and other message hygiene settings. You can download the ORCA module at https://www.powershellgallery.com/packages/ORCA/.
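As an added example that is not part of this article or of the ORCA module, the script below reads the current value of every setting this article tabulates, policy by policy, so the output can be compared side by side with the Standard and Strict columns. It assumes an existing Exchange Online PowerShell session (`Connect-ExchangeOnline` from the ExchangeOnlineManagement module) with a role that can read threat policies; the property names are the PowerShell names the article lists in parentheses.

```powershell
# Added example (not from the article): snapshot the settings this article
# tabulates, per policy, for comparison with the Standard and Strict values.
# Assumes Connect-ExchangeOnline has already been run in this session.
$settingMap = [ordered]@{
    'Get-MalwareFilterPolicy' = @(
        'EnableFileFilter', 'FileTypeAction', 'ZapEnabled', 'QuarantineTag',
        'EnableInternalSenderAdminNotifications', 'EnableExternalSenderAdminNotifications'
    )
    'Get-HostedContentFilterPolicy' = @(
        'BulkThreshold', 'MarkAsSpamBulkMail', 'SpamAction', 'SpamQuarantineTag',
        'HighConfidenceSpamAction', 'HighConfidenceSpamQuarantineTag',
        'PhishSpamAction', 'PhishQuarantineTag', 'HighConfidencePhishAction',
        'HighConfidencePhishQuarantineTag', 'BulkSpamAction', 'BulkQuarantineTag',
        'IntraOrgFilterState', 'QuarantineRetentionPeriod', 'InlineSafetyTipsEnabled',
        'PhishZapEnabled', 'SpamZapEnabled', 'MarkAsSpamSpfRecordHardFail',
        'MarkAsSpamFromAddressAuthFail', 'MarkAsSpamNdrBackscatter'
    )
    'Get-HostedOutboundSpamFilterPolicy' = @(
        'RecipientLimitExternalPerHour', 'RecipientLimitInternalPerHour', 'RecipientLimitPerDay',
        'ActionWhenThresholdReached', 'AutoForwardingMode', 'BccSuspiciousOutboundMail', 'NotifyOutboundSpam'
    )
    'Get-AntiPhishPolicy' = @(
        'EnableSpoofIntelligence', 'HonorDmarcPolicy', 'DmarcQuarantineAction', 'DmarcRejectAction',
        'AuthenticationFailAction', 'SpoofQuarantineTag', 'EnableFirstContactSafetyTips',
        'EnableUnauthenticatedSender', 'EnableViaTag', 'PhishThresholdLevel',
        'EnableTargetedUserProtection', 'EnableOrganizationDomainsProtection',
        'EnableTargetedDomainsProtection', 'EnableMailboxIntelligence',
        'EnableMailboxIntelligenceProtection', 'TargetedUserProtectionAction',
        'TargetedDomainProtectionAction', 'MailboxIntelligenceProtectionAction'
    )
    'Get-SafeAttachmentPolicy' = @('Enable', 'Action', 'QuarantineTag', 'Redirect', 'RedirectAddress')
    'Get-SafeLinksPolicy' = @(
        'EnableSafeLinksForEmail', 'EnableForInternalSenders', 'ScanUrls', 'DeliverMessageAfterScan',
        'DisableUrlRewrite', 'EnableSafeLinksForTeams', 'EnableSafeLinksForOffice',
        'TrackClicks', 'AllowClickThrough', 'EnableOrganizationBranding'
    )
    'Get-AtpPolicyForO365'      = @('EnableATPForSPOTeamsODB', 'EnableSafeDocs', 'AllowSafeDocsOpen')
    'Get-TeamsProtectionPolicy' = @('ZapEnabled', 'MalwareQuarantineTag', 'HighConfidencePhishQuarantineTag')
}

function Get-ThreatPolicySnapshot {
    foreach ($cmdlet in $settingMap.Keys) {
        # Cmdlets for Defender for Office 365 features are absent in tenants without that licence.
        if (-not (Get-Command $cmdlet -ErrorAction SilentlyContinue)) {
            Write-Warning "$cmdlet is not available in this session; skipping."
            continue
        }
        foreach ($policy in (& $cmdlet)) {
            foreach ($setting in $settingMap[$cmdlet]) {
                [pscustomobject]@{
                    Cmdlet  = $cmdlet
                    Policy  = $policy.Name
                    Setting = $setting
                    Value   = ($policy.$setting -join ', ')   # flatten multi-valued properties
                }
            }
        }
    }
}

# Usage: review on screen, or export for a side-by-side comparison with the tables below.
Get-ThreatPolicySnapshot | Format-Table -AutoSize
# Get-ThreatPolicySnapshot | Export-Csv -NoTypeInformation -Path .\threat-policy-snapshot.csv
```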
We recommend that you leave the Junk Email Filter in Outlook set to No automatic filtering to prevent unnecessary conflicts (both positive and negative) with the spam filtering verdicts from Microsoft 365. For more information, see the following articles:
Built-in security features for all cloud mailboxes
The built-in security features in this section are available in all organizations with cloud mailboxes. We recommend the Standard or Strict configurations as described in the tables in the following subsections.
Anti-malware policy settings
To create and configure anti-malware policies, see Configure anti-malware policies.
Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.
The policy named AdminOnlyAccessPolicy enforces the historical capabilities of messages quarantined as malware as described in the table in this article.
Users can't release their own messages quarantined as malware, regardless of how the quarantine policy is configured. If the policy is configured for users to release these quarantined messages, users are instead allowed to request the release of these quarantined messages.
| Security feature name | Details |
|---|---|
| Protection settings | |
| Enable the common attachments filter (EnableFileFilter) | |
| Common attachment filter notifications: When these file types are found (FileTypeAction) | |
| Enable zero-hour auto purge for malware (ZapEnabled) | |
| Quarantine policy (QuarantineTag) | |
| Admin notifications | |
| Notify an admin about undelivered messages from internal senders (EnableInternalSenderAdminNotifications and InternalSenderAdminAddress) | |
| Notify an admin about undelivered messages from external senders (EnableExternalSenderAdminNotifications and ExternalSenderAdminAddress) | |
| Customize notifications | Comment: We have no specific recommendations for these settings. |
| Use customized notification text (CustomNotifications) | |
| From name (CustomFromName) | |
| From address (CustomFromAddress) | |
| Customize notifications for messages from internal senders | |
| Subject (CustomInternalSubject) | |
| Message (CustomInternalBody) | |
| Customize notifications for messages from external senders | Comment: These settings are used only if Notify an admin about undelivered messages from external senders is selected. |
| Subject (CustomExternalSubject) | |
| Message (CustomExternalBody) | |
Anti-spam policy settings
To create and configure anti-spam policies, see Configure anti-spam policies.
Wherever you select Quarantine message as the action for a spam filter verdict, a Select quarantine policy box is available. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.
If you change the action of a spam filtering verdict to Quarantine message as you create anti-spam policies in the Defender portal, the Select quarantine policy box is blank by default. A blank value means the default quarantine policy for that spam filtering verdict is used. These default quarantine policies enforce the historical capabilities of the spam filter verdict that quarantined the message as described in the table in this article. When you later view or edit the anti-spam policy settings, the quarantine policy name is shown.
Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see Create quarantine policies in the Microsoft Defender portal.
| Security feature name | Details |
|---|---|
| Bulk email threshold & spam properties | |
| Bulk email threshold (BulkThreshold) | |
| Bulk email spam (MarkAsSpamBulkMail) | |
| Increase spam score settings | |
| Mark as spam settings | |
| Contains specific languages (EnableLanguageBlockList and LanguageBlockList) | |
| From these regions (EnableRegionBlockList and RegionBlockList) | |
| Test mode (TestModeAction) | |
| Actions | |
| Spam detection action (SpamAction) | |
| Quarantine policy for Spam (SpamQuarantineTag) | |
| High confidence spam detection action (HighConfidenceSpamAction) | |
| Quarantine policy for High confidence spam (HighConfidenceSpamQuarantineTag) | |
| Phishing detection action (PhishSpamAction) | |
| Quarantine policy for Phishing (PhishQuarantineTag) | |
| High confidence phishing detection action (HighConfidencePhishAction) | |
| Quarantine policy for High confidence phishing (HighConfidencePhishQuarantineTag) | |
| Bulk compliant level (BCL) met or exceeded (BulkSpamAction) | |
| Quarantine policy for Bulk compliant level (BCL) met or exceeded (BulkQuarantineTag) | |
| Bulk moves enabled (currently in Preview) (BulkMovesEnabled) | |
| Intra-Organizational messages to take action on (IntraOrgFilterState) | |
| Retain spam in quarantine for this many days (QuarantineRetentionPeriod) | |
| Enable spam safety tips (InlineSafetyTipsEnabled) | |
| Enable zero-hour auto purge (ZAP) for phishing messages (PhishZapEnabled) | |
| Enable ZAP for spam messages (SpamZapEnabled) | |
| Allow & block list | |
| Allowed senders (AllowedSenders) | |
| Allowed sender domains (AllowedSenderDomains) | |
| Blocked senders (BlockedSenders) | |
| Blocked sender domains (BlockedSenderDomains) | |
¹ As described in Full access permissions and quarantine notifications, your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy. Quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.
ASF settings in anti-spam policies
For more information about Advanced Spam Filter (ASF) settings in anti-spam policies, see Advanced Spam Filter (ASF) settings in anti-spam policies.
| Security feature name | Details |
|---|---|
| Image links to remote sites (IncreaseScoreWithImageLinks) | |
| Numeric IP address in URL (IncreaseScoreWithNumericIps) | |
| URL redirect to other port (IncreaseScoreWithRedirectToOtherPort) | |
| Links to .biz or .info websites (IncreaseScoreWithBizOrInfoUrls) | |
| Empty messages (MarkAsSpamEmptyMessages) | |
| Embed tags in HTML (MarkAsSpamEmbedTagsInHtml) | |
| JavaScript or VBScript in HTML (MarkAsSpamJavaScriptInHtml) | |
| Form tags in HTML (MarkAsSpamFormTagsInHtml) | |
| Frame or iframe tags in HTML (MarkAsSpamFramesInHtml) | |
| Web bugs in HTML (MarkAsSpamWebBugsInHtml) | |
| Object tags in HTML (MarkAsSpamObjectTagsInHtml) | |
| Sensitive words (MarkAsSpamSensitiveWordList) | |
| SPF record: hard fail (MarkAsSpamSpfRecordHardFail) | |
| Sender ID filtering hard fail (MarkAsSpamFromAddressAuthFail) | |
| Backscatter (MarkAsSpamNdrBackscatter) | |
| Test mode (TestModeAction) | |
Note
ASF adds X-CustomSpam: X-header fields to messages after Exchange mail flow rules (also known as transport rules) process messages, so you can't use mail flow rules to identify and act on messages filtered by ASF.
Outbound spam policy settings
To create and configure outbound spam policies, see Configure outbound spam filtering.
For more information about the default sending limits in the service, see Sending limits.
Note
Outbound spam policies aren't part of Standard or Strict preset security policies. The Standard and Strict values indicate our recommended values in the default outbound spam policy or custom outbound spam policies that you create.
| Security feature name | Details |
|---|---|
| Set an external message limit (RecipientLimitExternalPerHour) | |
| Set an internal message limit (RecipientLimitInternalPerHour) | |
| Set a daily message limit (RecipientLimitPerDay) | |
| Restriction placed on users who reach the message limit (ActionWhenThresholdReached) | |
| Automatic forwarding rules (AutoForwardingMode) | |
| Send a copy of outbound messages that exceed these limits to these users and groups (BccSuspiciousOutboundMail and BccSuspiciousOutboundAdditionalRecipients) | |
| Notify these users and groups if a sender is blocked due to sending outbound spam (NotifyOutboundSpam and NotifyOutboundSpamRecipients) | |
Anti-phishing policy settings for all cloud mailboxes
The anti-phishing policy settings described in this section are part of the built-in security features included in all organizations with cloud mailboxes. For more information about these settings, see Spoof settings. To configure these settings, see Configure anti-phishing policies for all cloud mailboxes.
The spoof settings are inter-related, but the Show first contact safety tip setting has no dependency on spoof settings.
Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.
Although the Apply quarantine policy value appears unselected when you create an anti-phishing policy in the Defender portal, the quarantine policy named DefaultFullAccessPolicy¹ is used if you don't select a quarantine policy. This policy enforces the historical capabilities of messages quarantined as spoof as described in the table in this article. When you later view or edit the anti-phishing policy settings, the quarantine policy name is shown.
Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see Create quarantine policies in the Microsoft Defender portal.
| Security feature name | Details |
|---|---|
| Spoof | |
| Enable spoof intelligence (EnableSpoofIntelligence) | |
| Actions | |
| Honor DMARC record policy when the message is detected as spoof (HonorDmarcPolicy) | |
| If the message is detected as spoof and DMARC Policy is set as p=quarantine (DmarcQuarantineAction) | |
| If the message is detected as spoof and DMARC Policy is set as p=reject (DmarcRejectAction) | |
| If the message is detected as spoof by spoof intelligence (AuthenticationFailAction) | |
| Quarantine policy for Spoof (SpoofQuarantineTag) | |
| Show first contact safety tip (EnableFirstContactSafetyTips) | |
| Show (?) for unauthenticated senders for spoof (EnableUnauthenticatedSender) | |
| Show "via" tag (EnableViaTag) | |
¹ As described in Full access permissions and quarantine notifications, your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy. Quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.
Microsoft Defender for Office 365 security
If your Microsoft 365 subscription includes Defender for Office 365 or you purchased Defender for Office 365 as an add-on, you get the extra security features as described in the following subsections. For the latest news and information about Defender for Office 365 features, see What's new in Defender for Office 365.
Important
The default anti-phishing policy in Defender for Office 365 provides spoof protection and mailbox intelligence for all recipients. However, the other available impersonation protection and phishing email thresholds settings aren't configured in the default policy. To enable all anti-phishing protection features, do one or more of the following steps:
- Turn on and use the Standard and/or Strict preset security policies and configure impersonation protection there.
- Modify the default anti-phishing policy.
- Create custom anti-phishing policies.
Although there's no default Safe Attachments policy or Safe Links policy, the Built-in protection preset security policy provides Safe Attachments protection and Safe Links protection to all recipients who aren't defined in the Standard preset security policy, the Strict preset security policy, or in custom Safe Attachments or Safe Links policies. For more information, see Preset security policies.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams protection and Safe Documents protection have no dependencies on Safe Links policies.
Microsoft Teams protection settings in Microsoft Defender for Office 365 have no dependency on preset security policies, any custom threat policies, or the default threat policies.
We recommend the Standard or Strict configurations for Defender for Office 365 as described in the tables in the following subsections.
Anti-phishing policy settings in Microsoft Defender for Office 365
All Microsoft 365 organizations with cloud mailboxes get anti-phishing protection as previously described. But Defender for Office 365 includes more features and control to help prevent, detect, and remediate phishing attacks. To create and configure these anti-phishing policies, see Configure anti-phishing policies in Defender for Office 365.
Phishing email thresholds in anti-phishing policies in Microsoft Defender for Office 365
For more information about this setting, see Phishing email thresholds in anti-phishing policies in Microsoft Defender for Office 365. To configure this setting, see Configure anti-phishing policies in Defender for Office 365.
| Security feature name | Details |
|---|---|
| Phishing email threshold (PhishThresholdLevel) | Default: 1 - Standard (1); Standard: 3 - More aggressive (3); Strict: 4 - Most aggressive (4) |
Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365
For more information about these settings, see Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365. To configure these settings, see Configure anti-phishing policies in Defender for Office 365.
Wherever you select Quarantine the message as the action for an impersonation verdict, an Apply quarantine policy box is available. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.
Although the Apply quarantine policy value appears unselected when you create an anti-phishing policy in the Defender portal, the quarantine policy named DefaultFullAccessPolicy is used if you don't select a quarantine policy. This policy enforces the historical capabilities of messages quarantined as impersonation as described in the table in this article. When you later view or edit the anti-phishing policy settings, the quarantine policy name is shown.
Admins can create or use quarantine policies with more restrictive or less restrictive capabilities. For instructions, see Create quarantine policies in the Microsoft Defender portal.
| Security feature name | Details |
|---|---|
| Impersonation | |
| Users: Enable users to protect (EnableTargetedUserProtection and TargetedUsersToProtect) | |
| Domains: Enable domains to protect | |
| Include domains I own (EnableOrganizationDomainsProtection) | |
| Include custom domains (EnableTargetedDomainsProtection and TargetedDomainsToProtect) | |
| Add trusted senders and domains (ExcludedSenders and ExcludedDomains) | |
| Enable mailbox intelligence (EnableMailboxIntelligence) | |
| Enable intelligence for impersonation protection (EnableMailboxIntelligenceProtection) | |
| Actions | |
| If a message is detected as user impersonation (TargetedUserProtectionAction) | |
| Quarantine policy for user impersonation (TargetedUserQuarantineTag) | |
| If a message is detected as domain impersonation (TargetedDomainProtectionAction) | |
| Quarantine policy for domain impersonation (TargetedDomainQuarantineTag) | |
| If mailbox intelligence detects an impersonated user (MailboxIntelligenceProtectionAction) | |
| Quarantine policy for mailbox intelligence impersonation (MailboxIntelligenceQuarantineTag) | |
| Show user impersonation safety tip (EnableSimilarUsersSafetyTips) | |
| Show domain impersonation safety tip (EnableSimilarDomainsSafetyTips) | |
| Show user impersonation unusual characters safety tip (EnableUnusualCharactersSafetyTips) | |
¹ As described in Full access permissions and quarantine notifications, your organization might use NotificationEnabledPolicy instead of DefaultFullAccessPolicy. Quarantine notifications are turned on in NotificationEnabledPolicy and turned off in DefaultFullAccessPolicy.
Anti-phishing policy settings for all cloud mailboxes in Defender for Office 365
The previously described anti-phishing policy settings for all cloud mailboxes are also available in Defender for Office 365.
Safe Attachments settings
Safe Attachments in Defender for Office 365 includes global settings that have no relationship to Safe Attachments policies, and settings that are specific to each Safe Attachments policy. For more information, see Safe Attachments in Microsoft Defender for Office 365.
Although there's no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments protection to all recipients who aren't defined in the Standard or Strict preset security policies or in custom Safe Attachments policies. For more information, see Preset security policies.
Global settings for Safe Attachments
Note
The global settings for Safe Attachments are set by the Built-in protection preset security policy, but not by the Standard or Strict preset security policies. Either way, admins can modify these global Safe Attachments settings at any time.
The Default column in the following table shows the values before the existence of the Built-in protection preset security policy. The Built-in protection column shows the values that are set by the Built-in protection preset security policy, which are also our recommended values.
To configure these settings, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and Safe Documents in Microsoft 365 E5.
In Exchange Online PowerShell, you use the Set-AtpPolicyForO365 cmdlet for these settings.
| Security feature name | Details |
|---|---|
| Turn on Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams (EnableATPForSPOTeamsODB) | |
| Turn on Safe Documents for Office clients (EnableSafeDocs) | |
| Allow people to click through Protected View even if Safe Documents identified the file as malicious (AllowSafeDocsOpen) | |
Safe Attachments policy settings
To configure these settings, see Set up Safe Attachments policies in Defender for Office 365.
In Exchange Online PowerShell, you use the New-SafeAttachmentPolicy and Set-SafeAttachmentPolicy cmdlets for these settings.
Note
As described earlier, although there's no default Safe Attachments policy, the Built-in protection preset security policy provides Safe Attachments protection to all recipients who aren't defined in the Standard preset security policy, the Strict preset security policy, or in custom Safe Attachments policies.
The Default in custom column in the following table refers to the default values in new Safe Attachments policies that you create. The remaining columns indicate (unless otherwise noted) the values that are configured in the corresponding preset security policies.
Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see Anatomy of a quarantine policy.
The policy named AdminOnlyAccessPolicy enforces the historical capabilities of messages quarantined as malware as described in the table in this article.
Users can't release their own messages quarantined as malware or phishing by Safe Attachments, regardless of how the quarantine policy is configured. If the policy is configured for users to release these quarantined messages, users are instead allowed to request the release of these quarantined messages.
| Security feature name | Details |
|---|---|
| Safe Attachments unknown malware response (Enable and Action) | |
| Quarantine policy (QuarantineTag) | |
| Redirect attachment with detected attachments: Enable redirect (Redirect and RedirectAddress) | |
Safe Links policy settings
For more information about Safe Links protection, see Safe Links in Defender for Office 365.
Although there's no default Safe Links policy, the Built-in protection preset security policy provides Safe Links protection to all recipients who aren't defined in the Standard preset security policy, the Strict preset security policy or in custom Safe Links policies. For more information, see Preset security policies.
To configure Safe Links policy settings, see Set up Safe Links policies in Microsoft Defender for Office 365.
In Exchange Online PowerShell, you use the New-SafeLinksPolicy and Set-SafeLinksPolicy cmdlets for Safe Links policy settings.
Note
The Default in custom column refers to the default values in new Safe Links policies you create. The remaining columns indicate the values configured in the corresponding preset security policies.
| Security feature name | Details |
|---|---|
| URL & click protection settings | |
| Comment: The settings in this section affect URL rewriting and time of click protection in email messages. | |
| On: Safe Links checks a list of known, malicious links when users click links in email. URLs are rewritten by default. (EnableSafeLinksForEmail) | |
| Apply Safe Links to email messages sent within the organization (EnableForInternalSenders) | |
| Apply real-time URL scanning for suspicious links and links that point to files (ScanUrls) | |
| Wait for URL scanning to complete before delivering the message (DeliverMessageAfterScan) | |
| Do not rewrite URLs, do checks via Safe Links API only (DisableURLRewrite) | |
| Do not rewrite the following URLs in email (DoNotRewriteUrls) | |
| Teams | Comment: The setting in this section affects time of click protection in Microsoft Teams. |
| On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams. URLs are not rewritten. (EnableSafeLinksForTeams) | |
| Office 365 apps | Comment: The setting in this section affects time of click protection in Office apps. |
| On: Safe Links checks a list of known, malicious links when users click links in Microsoft Office apps. URLs are not rewritten. (EnableSafeLinksForOffice) | |
| Click protection settings | |
| Track user clicks (TrackClicks) | |
| Let users click through to the original URL (AllowClickThrough) | |
| Display the organization branding on notification and warning pages (EnableOrganizationBranding) | |
| Notification | |
| How would you like to notify your users? (CustomNotificationText and UseTranslatedNotificationText) | |
Microsoft Teams protection settings in Microsoft Defender for Office 365
For more information about Microsoft Teams protection, see Microsoft Defender for Office 365 support for Microsoft Teams.
In Exchange Online PowerShell, you use the New-TeamsProtectionPolicy and Set-TeamsProtectionPolicy cmdlets for Microsoft Teams protection settings.
Note
Microsoft Teams protection isn't part of the Standard or Strict preset security policies, any custom threat policies, or the default threat policies. The Standard and Strict values indicate our recommended values.
| Security feature name | Details |
|---|---|
| Zero-hour auto purge (ZAP) (ZapEnabled) | |
| Quarantine policies | |
| Malware (MalwareQuarantineTag) | |
| High confidence phishing (HighConfidencePhishQuarantineTag) | |
Related articles
Are you looking for best practices for Exchange mail flow rules (also known as transport rules)? See Best practices for configuring mail flow rules in Exchange Online.
Admins and users can submit false positives (good email marked as bad) and false negatives (bad email allowed) to Microsoft for analysis. For more information, see Report messages and files to Microsoft.
You can find Security baselines for Windows in the following articles:
- Group policy: Where can I get the security baselines?
- Microsoft Intune: Use security baselines to configure Windows devices in Intune for Intune-based security.
- Comparison of Microsoft Defender for Endpoint and Microsoft Intune security baselines: Compare the Microsoft Defender for Endpoint and the Windows Intune security baselines.