All insights
ProtectMicrosoft SecurityHow-To Guide

Configuring Defender for Office 365: Safe Links, Safe Attachments, and anti-phishing

A click-by-click walkthrough to turn on the right email protection in Microsoft Defender for Office 365, from preset policies to custom impersonation rules and the quarantine queue.

Wired CIOJune 5, 2026
The short version
  • Apply the Standard preset to everyone and the Strict preset to executives and finance.
  • Build a custom anti-phishing policy that names your key people and owned domains.
  • Turn on mailbox intelligence and set quarantine as the action for impersonation hits.
  • Work the quarantine and submissions queues weekly to train the system.
Bottom line: Most of Defender for Office 365 does nothing until you turn it on and point it at your users, so apply the presets and add one custom anti-phishing policy.

Email is still the front door for most attacks on small and mid-sized businesses, and if you have Microsoft Defender for Office 365 (the email and collaboration protection that ships with many Microsoft 365 plans, sometimes called MDO), you already own strong protection. The catch is that a lot of it does nothing until someone turns it on and points it at your users. This guide is for the IT generalist, office manager, or owner-operator who has the licenses but has never opened the security settings. By the end you'll have the Standard and Strict preset policies applied, Safe Links and Safe Attachments doing their job, a custom anti-phishing policy guarding your domain and key executives, a sensible quarantine policy, and a routine for working the quarantine and submissions queues.

Defender for Office 365 setup flow STEP 1 Apply preset policies STEP 2 Safe Links and Attachments STEP 3 Custom anti-phishing for execs STEP 4 Work the quarantine
From preset policies to a weekly quarantine routine.

Before you start

  • A Microsoft 365 plan that includes Defender for Office 365 Plan 1 or Plan 2 (common in Business Premium and the E5 plans). If you only have Exchange Online Protection, Safe Links and Safe Attachments won't be available.
  • An account with the Security Administrator or Global Administrator role.
  • A short list of your most-impersonated people (owner, finance lead, anyone who signs checks) and your primary sending domains.
  • 30 to 45 minutes, ideally outside peak email hours.

Step 1: Open the Defender portal and find threat policies

  1. Go to https://security.microsoft.com and sign in with your admin account.
  2. In the left navigation, expand Email & collaboration.
  3. Select Policies & rules, then Threat policies.

This is the home base for everything below. If the left navigation looks collapsed, click the hamburger menu at the top left to expand the labels.

Step 2: Apply the preset security policies

The fastest way to get strong, Microsoft-maintained protection is the preset policies. There are two you'll configure: Standard (a good baseline for everyone) and Strict (a tighter profile for high-value targets).

  1. On the Threat policies page, under Templated policies, click Preset security policies.
  2. Find the Standard protection section and click Manage protection settings (or the toggle to turn it on if it's off).
  3. Step through the wizard. For Apply Exchange Online Protection and Apply Defender for Office 365 protection, choose All recipients so everyone in your tenant is covered.
  4. Leave the Safe Links and Safe Attachments sub-settings at their preset values. The whole point of presets is that Microsoft tunes them for you.
  5. Finish the wizard and turn Standard protection on.
  6. Now repeat for Strict protection, but scope it to your priority people. In the recipient step, choose Specific recipients and add the users, groups, or domains for your executives and finance team.

Strict applies more aggressive actions than Standard. Where both presets would match a user, Strict wins, so your executives get the tighter profile and everyone else gets Standard.

You Already Have a Floor

Built-in protection is already on by default and gives everyone basic Safe Links and Safe Attachments coverage. Applying the Standard and Strict presets layers stronger, configurable protection on top of that floor.

Step 3: Understand and tune Safe Links

Safe Links rewrites and re-checks URLs at the moment a user clicks them, so a link that was clean when the email arrived but went malicious later still gets blocked. The presets enable this for you, but it helps to know what it's doing.

  1. Back on Threat policies, click Safe Links under Policies.
  2. You'll see the preset-managed policies (named after the presets) plus any custom ones. Open the Standard preset policy to view (not edit) its settings.
  3. Confirm these behaviors are on: URL scanning for email, links rewritten so clicks are checked in real time, and scanning applied to links inside Office apps and Teams.

If you need an exception, for example an internal marketing tool that wraps its own links, create a custom Safe Links policy scoped to just that group rather than weakening the preset.

Step 4: Understand and tune Safe Attachments

Safe Attachments opens incoming attachments in an isolated environment (a sandbox) and watches what they do before delivering them. The default action for unknown malware in both Standard and Strict presets is Block.

  1. On Threat policies, click Safe Attachments.
  2. Open the preset policy to confirm the unknown-malware response is Block.
  3. Consider turning on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams so files shared internally get the same scan. You'll find this as a global setting on the Safe Attachments page (look for Global settings).

The trade-off with Safe Attachments is a short delivery delay while files are scanned. For most businesses that delay is worth it.

Step 5: Build a custom anti-phishing policy

The presets include anti-phishing, but impersonation protection works best when you name the specific people and domains worth protecting. That requires a custom policy.

  1. On Threat policies, click Anti-phishing.
  2. Click Create, give the policy a name like "Exec and domain impersonation," and set the recipient scope (usually your whole domain).
  3. On the impersonation step, turn on Enable users to protect and add your key people by name and email address (the owner, finance lead, and anyone who approves payments).
  4. Turn on Enable domains to protect, then add Include domains I own and any partner domains attackers might spoof.
  5. Turn on Enable mailbox intelligence and Enable mailbox intelligence for impersonation protection. Mailbox intelligence learns each person's normal contacts and flags messages that pretend to come from them.
  6. For the action when impersonation is detected, choose Quarantine the message for the strongest protection, and pick a quarantine policy (covered next).
  7. Set the spoof intelligence and Honor DMARC options to their recommended defaults, then save.
Protect Roles, Not Just People

Protect roles and addresses, not just individuals. Add the generic finance alias (like ap@yourcompany.com) as well as the person, because attackers spoof both.

Step 6: Set the quarantine policy

A quarantine policy controls what end users can do with messages that get quarantined and whether they get notified.

  1. On Threat policies, click Quarantine policies.
  2. Review the built-in DefaultFullAccessPolicy (users can preview, release, and request release) and the more restrictive defaults.
  3. For most SMBs, create a policy that lets users request release (so an admin approves) rather than release on their own, and turn on quarantine notifications so people see what was held.
  4. Make sure your anti-phishing and anti-spam policies reference this quarantine policy in their action settings.

Notifications matter: if people don't know a real message was held, they'll assume it was never sent and you'll get the support call anyway.

Step 7: Work the quarantine and submissions queues

Protection is not set-and-forget. Build a short weekly habit.

  1. Go to Email & collaboration > Review > Quarantine to see held messages. Filter by date, sort by recipient, and release anything that's clearly legitimate.
  2. When you release a false positive, also go to Email & collaboration > Submissions and submit it to Microsoft as Should not have been blocked. This trains the system.
  3. If a phishing message slipped through, submit it under Submissions as Should have been blocked, which also lets you pull copies from other inboxes.

Verify your setup

  • In Preset security policies, confirm Standard shows On for all recipients and Strict shows On for your priority scope.

  • Send yourself the EICAR test file (a harmless industry-standard test) from an external address to confirm Safe Attachments blocks it.

  • Use the Configuration analyzer on the Threat policies page to compare your settings against Microsoft's Standard and Strict recommendations and fix any drift it flags.

What to do next

Once this is solid, look at multifactor authentication and conditional access so a stolen password alone can't get someone in. If working the quarantine and submissions queues every week isn't realistic for your team, that's exactly the kind of routine an MSP takes off your plate. We're happy to review your current Defender configuration and tune it for the way your business actually runs email.

Filed under
How-To Guide
Read more insights
Free strategy session

See where you stand. Then move forward.

Book a free intro call. We'll talk through where you are today and map a strategic plan for growth, protection, automation, and alignment.

A 30-minute discovery call, no obligationA full team of specialists at a fraction of in-house costA clear next step before you spend a dollar
Loading scheduler…