---

Implementing Email Security in Microsoft 365: A Deep-Dive for Admins

Email is still the biggest attack surface in most organizations. Phishing, malware, spoofing, and business email compromise often start from one simple message that lands in someone’s inbox at the wrong time.

Microsoft 365 gives you several layers of email protection through Exchange Online Protection (EOP) and Microsoft Defender for Office 365. But to get real value, you need to understand what each layer does and how to configure it properly.

This post goes in depth on:

• How email protection works in Microsoft 365
• IP and sender reputation
• Anti-malware and sandboxing
• Anti-spam and Spam Confidence Levels (SCL)
• Anti-phishing policies and impersonation protection
• Safe Links and Safe Attachments
• How to design and tune policies in the Microsoft Defender portal

---

1. The email threat problem in real life

Common attacks you’ll see:

• Malicious attachments
  • Macro-enabled Office docs
  • Script files (JS, VBS, PS1)
  • Embedded executables or archives
• Phishing and credential harvesting
  • Fake password reset messages
  • Fake “invoice,” “shipment,” or “unusual login” emails
  • Links to lookalike sign-in pages
• Business email compromise (BEC)
  • Impersonation of executives or finance staff
  • “Urgent” wire transfer or payment change requests

Most of these rely on users clicking something they shouldn’t. Your goal as an admin is to reduce what reaches the inbox and make sure anything that does arrive is clearly flagged, contained, or blocked.

---

2. The main components of email security in Microsoft 365

At a high level, Microsoft uses multiple engines and signals to protect mail:

• Exchange Online Protection (EOP)
  • Core anti-spam and anti-malware for all Exchange Online tenants
• Microsoft Defender for Office 365 (plan dependent)
  • Safe Links
  • Safe Attachments
  • Advanced phishing protections
  • Threat intelligence and advanced reporting
• Policy layers
  • Anti-phishing policies
  • Anti-spam (inbound/outbound + connection filtering)
  • Anti-malware policies
  • Safe Links policies
  • Safe Attachments policies

All of these are configured in the Microsoft Defender portal under Email & collaboration → Policy & rules → Threat policies.

---

3. IP and sender reputation: the first gate

Before anything else, Microsoft evaluates who is sending the email and from where.

IP reputation

Each sending IP address has a reputation score based on:

• Past spam history
• Volume and sending patterns
• Complaints and abuse reports
• Presence on known blocklists

Bad IP reputation increases the likelihood of:

• Rejection at the edge
• Throttling or temporary failures
• Aggressive filtering and classification as spam

Sender (domain) reputation

Beyond the IP, Microsoft tracks:

• Domain history (spam, bulk mail, reputation)
• Non-delivery report (NDR) rates
• Recipient engagement
  • Do users open and read the mail?
  • Do they report it as junk?

A domain with bad behavior is more likely to have its mail flagged as spam or junk, even if IPs change.

Why this matters

You can tune downstream policies as much as you want, but if the sender is on a bad IP with a bad domain reputation, you’re already in risky territory. EOP uses these signals automatically; you don’t configure this directly, but you should understand it when troubleshooting why messages are blocked or junked.

---

4. Anti-malware in Microsoft 365: more than just signatures

Microsoft doesn’t just rely on simple signature-based virus checks.

Heuristic clustering

Email attachments that look similar (similar content or behavior) are grouped into a cluster. When Microsoft sees something suspicious:

• It selects one or more samples from that cluster.
• It sends them to a sandbox for deeper analysis.

Sandboxing and behavior analysis

In the sandboxed environment, Microsoft:

• Opens the attachment safely.
• Watches for:
  • Memory changes
  • Registry modifications
  • Attempts to encrypt files or storage
  • Changes to system settings
  • Unusual network connections (for example, to command-and-control servers)
  • Obfuscation or anti-analysis tricks

If malware behavior is detected, protections are updated quickly so future messages with the same or similar payload are blocked or quarantined.

Admin control via anti-malware policies

You manage anti-malware behavior in Threat policies → Anti-malware:

• Which file types to treat as risky (common attachments filter)
• What to do when malware is detected:
  • Reject the message with an NDR
  • Quarantine it for admin/user review
• Who is notified and how

The default policy is usually a good baseline, but you can create higher-priority policies for high-risk users or specific domains.

---

5. Anti-spam and Spam Confidence Level (SCL)

After basic checks, messages run through spam filtering.

Spam Confidence Level (SCL)

Each message is assigned a spam score that maps to an SCL value inserted into the header:

• SCL = -1
  • Message skipped spam filtering (trusted source, safe list, etc.).
  • Deliver to Inbox.
• SCL = 0 or 1
  • Filtering decided “not spam.”
  • Deliver to Inbox.
• SCL = 5 or 6
  • Determined to be spam.
  • With default policies, send to Junk Email.
• SCL = 7, 8, or 9
  • High confidence spam.
  • Also goes to Junk Email by default, possibly with more restrictive handling (depending on your configuration).

Signals used for spam classification

Spam filtering uses:

• Known spam patterns and signatures
• Domain and IP reputation
• Header analysis and sender authentication results
• Machine learning trained on large mail volumes
• User feedback from both enterprise and Outlook.com consumer base

Custom anti-spam policies

In Threat policies → Anti-spam, you can:

• Define inbound anti-spam policies with custom actions for spam/high confidence spam.
• Set bulk mail thresholds (how tolerant you are of marketing and newsletter-type mail).
• Configure detection options:
  • Empty messages
  • Messages with suspicious HTML tags
  • Foreign language patterns
  • Specific words or phrases

You can also manage:

• Allowed senders / domains
• Blocked senders / domains

These policies can be scoped to:

• Specific users
• Groups
• Domains

And their priority defines which policy wins when multiple match.

---

6. Advanced phishing protection and impersonation defenses

Phishing is more than spam. Some messages are specifically engineered to bypass basic filters and trick people using social engineering.

In Threat policies → Anti-phishing, you can configure:

Phishing email threshold levels

Microsoft lets you choose a phishing threshold:

• Lower levels are less aggressive.
• Higher levels treat more messages as suspicious.

Example behaviors at higher levels:

• Messages classified as medium or high confidence phishing are treated as very high confidence.
• More messages are sent to Junk/Quarantine before they ever reach inboxes.

This setting is a key part of hardening Exchange.

Impersonation protection

You can define up to 350 protected users/domains:

• Executives (CEO, CFO, etc.)
• Finance/HR leaders
• High-value external partners

The system will then:

• Look for display name spoofing (e.g., “CEO Name” from a random external address).
• Flag or block messages that appear to impersonate those users or domains.

Spoof intelligence

Spoof intelligence helps detect when a sender is:

• Using your domain in unauthorized ways.
• Sending from unusual infrastructure or patterns.

You can review and allow/block specific spoofed senders and subdomains if needed.

Actions for phishing messages

For messages judged as phishing, you can choose to:

• Move to Junk Email
• Quarantine for admin or user action
• Reject outright

Many organizations choose quarantine for high confidence phishing so admins and security can review patterns and campaigns.

---

7. Safe Links and Safe Attachments

Safe Links and Safe Attachments are core features of Microsoft Defender for Office 365. They add “time-of-click” and “time-of-open” protection on top of standard filtering.

Safe Links

Safe Links:

• Rewrites URLs in email messages and Office docs.
• When a user clicks a link, Microsoft checks it at that moment.
• If the destination is known to be malicious or suspicious:
  • The user is blocked or warned.
  • The attack is stopped even if the original message looked benign when first scanned.

This is important because attackers often send a “clean” link, then weaponize the destination after the mail is delivered.

Safe Links policies let you define:

• Which users and groups the policy applies to
• Whether links are scanned:
  • In email
  • In Teams messages
  • In Office documents
• What happens for click detections:
  • Block
  • Warn and allow override (optional)

Safe Attachments

Safe Attachments:

• Detonates attachments in a protected sandbox.
• Relies on real-time analysis to decide if the attachment is safe.

Policy options include:

• Block the message
• Replace the attachment with a warning file
• Quarantine the message for review
• Monitor (detect only, no blocking)

There’s a default Safe Attachments policy, but you can create additional policies for high-risk user groups, such as:

• Finance teams
• Executives
• Helpdesk or IT staff

---

8. Designing your email security policy strategy

You can configure many policies. Without a clear strategy, it gets messy fast. A sensible approach:

Step 1: Start from Secure Score

In the Microsoft Defender portal:

1. On the Home page, review your Secure Score.
2. Click Improve your score.
3. Filter for recommendations related to email and collaboration.

These often include:

• Increasing phishing thresholds
• Enabling specific Defender features
• Tightening spam and malware handling

Each recommendation shows:

• Description
• Impact (how many points you gain)
• Steps to configure

Use this as a roadmap.

Step 2: Use layered, scoped policies

Avoid one giant “catch-all” policy. Instead:

• Keep the default policies as a safety net.
• Create higher-priority policies for:
  • VIP users
  • High-risk departments (finance, HR, legal)
  • External-facing teams

Policy priority (order) matters: lower numbers = higher priority.

Step 3: Start with audit/monitoring where possible

For big changes (like more aggressive phishing thresholds or new Safe Links behavior), start in a less disruptive mode when available:

• Report or monitor only (for features that support it).
• Gather data first, then tighten enforcement.

This helps avoid breaking legitimate mail flows.

Step 4: Align actions with user training

Technical controls are only one side. Make sure your actions match your user awareness program:

• If users see more mail in Junk/Quarantine, explain why.
• Teach users how to:
  • Check quarantine notifications
  • Report false positives
  • Report suspicious messages

Well-tuned tech + trained users is much stronger than either alone.

---

9. Step-by-step: building core email security in Defender

Here’s a condensed workflow you can follow.

9.1 Anti-phishing policy

• Go to Threat policies → Anti-phishing.
• Create a new policy:
  • Scope it to your primary domain or key users.
  • Set an appropriate phishing threshold (often Level 2 or higher for stronger protection).
  • Turn on impersonation protection for executives and key roles.
  • Enable spoof intelligence.
  • Set actions (Junk / Quarantine) for phishing and high-confidence phishing.

9.2 Anti-spam inbound policy

• Go to Threat policies → Anti-spam.
• Create a new inbound policy for your main domain:
  • Adjust bulk mail threshold to control marketing mail.
  • Turn on settings for empty messages, web bugs, suspicious HTML, etc.
  • Decide how to handle spam and high-confidence spam (often Junk / Quarantine).
  • Configure allowed and blocked senders and domains thoughtfully.

9.3 Anti-malware policy

• Go to Threat policies → Anti-malware.
• Review the default policy and:
  • Turn on common attachments filter (block script/executable types).
  • Decide whether to quarantine or reject malicious messages.
  • Configure notifications for admins and possibly recipients.

9.4 Safe Attachments and Safe Links

• Safe Attachments:
  • Enable for at least high-risk groups.
  • Consider blocking or quarantining malicious attachments.
• Safe Links:
  • Turn on URL rewriting and click-time protection.
  • Extend to Office docs and Teams if supported by your licensing and risk model.

---

10. Ongoing tuning and monitoring

Email security is not “set and forget.” You should:

• Regularly review:
  • Quarantine queues
  • Threat Explorer / reports
  • User-reported phishing
• Adjust:
  • Allowed/blocked lists
  • Phishing thresholds
  • Bulk mail settings
• Look for:
  • Patterns in false positives
  • New campaigns targeting your users
  • Abuse of your own domain or brand

Every adjustment should have a reason: reduce risk, cut noise, or improve user experience.

---

Final thoughts

Email remains a prime target for attackers, but Microsoft 365 gives you strong tools to push that risk down:

• Reputation filtering and smart spam detection
• Behavior-based anti-malware
• Advanced anti-phishing and impersonation protection
• Safe Attachments and Safe Links
• Rich policy controls and Secure Score guidance

If you approach email security as a layered system rather than a single switch, you can build a resilient configuration that balances protection and usability—and keeps the most dangerous messages away from your users’ inboxes.