If you’re on Defender for Office 365 Plan 1 (MDO P1), you already have a strong toolkit—as long as it’s configured well. This guide turns the knobs for you: what to enable, what to avoid, and how to keep users safe without drowning your helpdesk.
1) Begin with Microsoft’s baselines
Turn on Preset Security Policies and target them by risk:
- Strict → executives, finance, IT, and anyone historically targeted
- Standard → everyone else
Presets apply Microsoft’s recommended settings across EOP + MDO and keep them updated automatically.
Optional: Run Configuration analyzer to compare any custom policies against Standard/Strict and close gaps quickly.
References:
https://learn.microsoft.com/en-us/defender-office-365/preset-security-policies
https://learn.microsoft.com/en-us/defender-office-365/recommended-settings-for-eop-and-office365
2) Tighten EOP anti-spam & anti-malware (inbound)
Bulk mail threshold (BCL):
- 6 for Standard, 5 for Strict (cuts promotional/bulk junk)
Recommended actions
- High confidence phishing → Quarantine (AdminOnly)
- Phishing → Quarantine
- High confidence spam → Quarantine
- Spam → Move to Junk (Standard) or Quarantine (Strict)
- Retention → 30 days for quarantined spam/phish
Zero-hour auto purge (ZAP): Ensure it’s on for phishing, spam, and malware so delivered bad mail is automatically removed.
Anti-malware policy:
- Enable Common Attachment Types filter
- Keep ZAP for malware enabled
Quarantine policies & notifications: Create user-friendly quarantine policies and enable end-user spam notifications (daily/weekly). Let users self-triage spam—but don’t allow release of high-confidence phish.
References:
https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge https://learn.microsoft.com/en-us/defender-office-365/quarantine-policies
3) Max out Plan 1 protections (Safe Attachments, Safe Links, Anti-phishing)
Safe Attachments (Email):
- Action: Block for unknown malware (no redirect)
- Scope: Apply to all recipients (via presets or custom)
Safe Attachments for SharePoint/OneDrive/Teams:
- Turn it on so malicious files are detonated and locked post-delivery.
Safe Links:
- Enable for Email, Office apps, and Teams
- Time-of-click scanning on
- Wait for URL scan before delivery on
- Disable user click-through (no bypass)
- Apply to internal mail as well
Anti-phishing (MDO policy):
- Phishing threshold: 3 (Standard) or 4 (Strict)
- User impersonation protection for VIPs
- Domain impersonation for your domains + key partners
- Keep Mailbox intelligence enabled
4) Stop risky bypasses & manage allow/block the right way
- Avoid tenant allowlists (last resort only). They can bypass critical filters and spoof protection.
- Prefer Tenant Allow/Block List with scoped, expiring entries created through Submissions.
- Do not use global mail-flow rules that set SCL = -1 or otherwise bypass EOP/MDO.
- For security tools and phishing simulations, use Advanced delivery (SecOps mailbox + Phishing simulation) instead of whitelisting.
References:
https://learn.microsoft.com/en-us/defender-office-365/create-safe-sender-lists-in-office-365
https://learn.microsoft.com/en-us/defender-office-365/advanced-delivery-policy-configure
5) Authenticate your mail: SPF, DKIM, DMARC
- Make sure SPF includes every sending source.
- Enable DKIM for each custom domain.
- Publish DMARC: start with p=none (reporting), analyze results, then move to quarantine/reject.
This boosts your reputation and slashes spoof success.
Reference:
https://learn.microsoft.com/en-us/defender-office-365/email-authentication-spf-configure
6) Reduce account-compromise fallout (outbound)
- Block automatic external forwarding in the Outbound spam policy (the default “Automatic” now effectively means Off).
- If forwarding is truly needed, allow it only for specific senders/domains via Remote domains or targeted rules.
- Keep Outbound spam notifications/review enabled to flag compromised senders fast.
References:
https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-policies-configure
7) Connection & spoof hygiene
- Use the Connection filter sparingly—only to block known-bad IPs. Avoid broad IP allows.
- When you must trust a tool/sender, prefer Advanced delivery over blanket allow rules.
- Monitor Spoof intelligence. Allow only legitimate, verified spoofing (e.g., specific SaaS senders) and use Tenant Allow/Block spoof overrides—not domain-wide allowlists.
Reference:
https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about
8) Empower users to report (no add-in required)
Enable the built-in Report button (User reported settings) and set the Reported message destination to Microsoft + your SecOps mailbox. You’ll improve Microsoft’s models and alert your team immediately—without extra plugins.
Rollout tips that save time (and tickets)
- Pilot Strict with high-risk users first, then expand.
- Review Submissions weekly to tune allow/block entries and catch gaps.
- Audit mail flow rules monthly for any legacy “bypass” logic.
- Quarterly: check Configuration analyzer and preset drift after product updates.
One-page checklist
- Presets: Strict (high-risk users) / Standard (everyone else)
- EOP: BCL 6/5, ZAP on (phish/spam/malware), quarantine actions & 30-day retention
- Anti-malware: Common Attachment Types + malware ZAP on
- Safe Attachments (Email + SPO/OD/Teams): Block, apply to all
- Safe Links: email/apps/Teams on, time-of-click on, wait-to-deliver on, no user bypass, internal mail covered
- Anti-phish: threshold 3/4, user & domain impersonation, mailbox intelligence on
- Bypass hygiene: No SCL=-1, no tenant allowlists (use expiring Tenant Allow/Block via Submissions), Advanced delivery for tools/sims
- Auth: SPF, DKIM, DMARC (p=none → quarantine/reject)
- Outbound: Block external auto-forward, enable outbound spam notifications
- Connection/Spoof: minimal IP allows, monitor Spoof intelligence
- Reporting: Built-in Report → Microsoft + SecOps mailbox
Hardened correctly, MDO Plan 1 punches well above its weight—and your users feel the difference where it matters most: in their inbox.
