Why do I need Microsoft Defender for Office 365? - Microsoft Defender for Office 365

Although all organizations with cloud mailboxes include built-in security features, Microsoft Defender for Office 365 is the primary email and collaboration security solution for Microsoft 365.

This article explains the protection ladder for email and collaboration. The ladder starts with the built-in security features for all cloud mailboxes, and continues to Defender for Office 365 Plan 1 and Defender for Office 365 Plan 2.

This article is intended for Security Operations (SecOps) personnel, Microsoft 365 admins, or decision makers who want to learn more about Defender for Office 365.

The protection ladder in Defender for Office 365 contains the following elements:

  1. The built-in security features for all cloud mailboxes: Included in all Microsoft 365 subscriptions with cloud mailboxes.
  2. Defender for Office 365 Plan 1: Included in some Microsoft 365 subscriptions that cater to small to medium-sized businesses (for example, Microsoft 365 E3/A3/G3 and Microsoft 365 Business Premium).
  3. Defender for Office 365 Plan 2: Included in some Microsoft 365 subscriptions that cater to enterprise organizations (for example, Microsoft 365 A5/E5/G5).

Defender for Office 365 is also available as an add-on subscription to many Microsoft 365 subscriptions with cloud mailboxes.

Defender for Office 365 Plan 1 contains a subset of the features that are available in Plan 2. Defender for Office 365 Plan 2 contains many features that aren't available in Plan 1.

The following descriptions summarize the protection ladder in Defender for Office 365:

However, you can also think about the architecture of protection in Defender for Office 365 as cumulative layers of security, where each layer has a different security emphasis. This architecture is shown in the following diagram:

Diagram about protections in Defender for Office 365 and their relationships to one another with service emphasis, including a note for email authentication.

All levels of the protection ladder are capable of protecting, detecting, investigating, and responding to threats. But as you move up the protection ladder, the available features and automation increase.

Whether you're using the onmicrosoft.com domain only or custom domains for email in Microsoft 365, it's important to configure email authentication for your used and unused domains. SPF, DKIM, and DMARC records in DNS allow Microsoft 365 to more accurately protect against spoofing attacks. For more information, see Email authentication.
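As an added example that is not part of the Microsoft article, the following Python checks SPF and DMARC TXT records against the posture the paragraph above asks for: a domain that sends mail should fail unauthorised senders and enforce DMARC, and a domain that never sends mail should publish a null SPF record and a DMARC reject policy (common practice, not stated by the article). All domain names and records are constructed sample data; `spf.protection.outlook.com` is the standard Microsoft 365 SPF include.

```python
# Added example, not from the Microsoft article: checks SPF and DMARC TXT records against
# the posture the article asks for on used and unused domains. All domains and records
# are constructed sample data; nothing is looked up in live DNS.
import re
from typing import Optional

def parse_spf(txt: str) -> Optional[str]:
    """Return the qualifier on the SPF 'all' mechanism, or None if the record has none."""
    if not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # a bare "all" means "+all"
    return None  # no "all" term: unlisted senders get a neutral result

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess(spf: str, dmarc: str, sends_mail: bool) -> list:
    """List the gaps that would let a spoofed message pass as this domain ("" = no record)."""
    spf_all, tags = parse_spf(spf), parse_dmarc(dmarc)
    policy, findings = tags.get("p"), []
    if spf_all in (None, "+", "?"):
        findings.append(f"SPF missing or does not fail unauthorised senders (all: {spf_all})")
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("no DMARC record")
    elif policy == "none":
        findings.append("DMARC p=none only reports; spoofed mail is still delivered")
    if not sends_mail:
        # Common practice for a domain that never sends mail: null SPF plus DMARC reject.
        if spf.replace(" ", "").lower() != "v=spf1-all":
            findings.append("unused domain should publish 'v=spf1 -all'")
        if policy != "reject":
            findings.append("unused domain should publish DMARC p=reject")
    return findings

# Constructed sample records: domain -> (SPF TXT, DMARC TXT, domain sends mail?)
SAMPLE_RECORDS = {
    "contoso.example": ("v=spf1 include:spf.protection.outlook.com -all", "v=DMARC1; p=reject; rua=mailto:dmarc@contoso.example", True),
    "legacy.example": ("v=spf1 +all", "v=DMARC1; p=none", False),
    "parked.example": ("v=spf1 -all", "v=DMARC1; p=reject", False),
    "forgotten.example": ("", "", False),
}

def assess_all() -> dict:
    return {d: assess(*rec) for d, rec in SAMPLE_RECORDS.items()}
```

Only `contoso.example` (a sending domain with `-all` and `p=reject`) and `parked.example` (an unused domain with a null SPF record and `p=reject`) come back clean; the other two show the gaps that spoof intelligence has to compensate for.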

The Defender for Office 365 security ladder

It can be difficult to identify the advantages of Defender for Office 365. The following subsections describe the capabilities at each level of the ladder, grouped by security emphasis: prevent/detect, investigate, and respond.

Capabilities of the built-in security features for all cloud mailboxes

The built-in security features included in all organizations with cloud mailboxes are summarized in the following table:

Prevent/Detect:
  - Anti-malware protection*
  - Anti-spam protection*, including bulk email protection
  - Anti-phishing (spoofing) protection*, including the Spoof intelligence insight
  - Outbound spam protection
  - Connection filtering
  - Quarantine and quarantine policies
  - False positive and false negative reporting by admin submissions to Microsoft and user reported messages
  - Allow and block entries in the Tenant Allow/Block List for:
      - Domains and email addresses
      - Spoof
      - URLs
      - Files

Investigate:
  - Audit log search
  - Message Trace
  - Email security reports

Respond:
  - Zero-hour auto purge (ZAP) for email
  - Refine and test entries in the Tenant Allow/Block List

* The associated features are available in default threat policies, custom threat policies, and the Standard and Strict preset security policies. For help with deciding which method to use, see Determine your threat policy strategy.

For more information, see Built-in security features for all cloud mailboxes.

Defender for Office 365 Plan 1 capabilities

Defender for Office 365 Plan 1 adds more prevention and detection capabilities.

The extra features you get in Defender for Office 365 Plan 1 on top of the built-in security features for all cloud mailboxes are described in the following table:

Prevent/Detect:
  - The following extra features in anti-phishing policies, including the impersonation insight:
      - User and domain impersonation protection
      - Mailbox intelligence impersonation protection (contact graph)
      - Phishing email thresholds
  - Safe Attachments in email
  - Safe Attachments for files in SharePoint, OneDrive, and Microsoft Teams
  - Safe Links in email, Office clients, and Teams
  - Email & collaboration alerts at https://security.microsoft.com/viewalertsv2
  - Security information and event management (SIEM) integration from Office 365 Management APIs for alerts. For more information, see Security and Compliance Alerts schema.
  - Tenant Allow/Block List for Teams domains and addresses
  - User-reported Teams items
  - Teams messages in quarantine

Investigate:
  - Real-time detections*
  - User tags, including Priority account
  - The Email entity page
  - SIEM integration from Office 365 Management APIs for detections. For more information, see Microsoft Defender for Office 365 and Threat Investigation and Response schema.
  - URL trace
  - Defender for Office 365 reports
  - Teams message entity panel

Respond:
  - Zero-hour auto purge (ZAP) for Teams

* The presence of Email & collaboration > Real-time detections in the Microsoft Defender portal is a quick way to differentiate between Defender for Office 365 Plan 1 and Plan 2.

Screenshot of the Real-time detections selection in the Email & collaboration section in the Microsoft Defender portal.

Defender for Office 365 Plan 2 capabilities

Defender for Office 365 Plan 2 expands on the investigation and response capabilities of Plan 1 with the addition of automation.

The extra features that you get in Defender for Office 365 Plan 2 on top of Defender for Office 365 Plan 1 are described in the following table:

Prevent/Detect:
  - Attack simulation training
  - Priority account protection

Investigate:
  - Threat Explorer (Explorer) instead of Real-time detections*
  - Threat Trackers
  - Campaigns
  - Advanced hunting on Teams messages

Respond:
  - Automated Investigation and Response (AIR):
      - AIR from Threat Explorer
      - AIR for compromised users
  - SIEM integration from Office 365 Management APIs for automated investigations. For more information, see Automated investigation and response events in Microsoft Defender for Office 365 Plan 2.
  - SIEM integration from Office 365 Management APIs for Attack simulation training. For more information, see Attack sim schema in Microsoft Defender for Office 365 Plan 2.
  - SIEM integration from Defender XDR APIs for Advanced hunting, Incidents, and Streaming. For more information, see Overview of Microsoft Defender XDR APIs.
  - Remove users from Teams chats

* The presence of Email & collaboration > Explorer in the Microsoft Defender portal is a quick way to differentiate between Defender for Office 365 Plan 2 and Plan 1.

Screenshot of the Explorer selection in the Email & collaboration section in the Microsoft Defender portal.

Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet

This quick-reference section summarizes the different capabilities between Defender for Office 365 Plan 1 and Plan 2 that aren't included in the built-in security features for all cloud mailboxes.

To compare the different capabilities between Defender for Office 365 Plan 1 and Plan 2 for Microsoft Teams, see Microsoft Defender for Office 365 support for Microsoft Teams.

Defender for Office 365 Plan 1:
  Prevent and detect capabilities:
    - Anti-phishing policies with impersonation protection and phishing email thresholds
    - Safe Attachments, including Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
    - Safe Links
    - Tenant Allow/Block List for Teams
    - User-reported Teams items
  Investigate and respond capabilities:
    - Real-time detections
    - User tags, including Priority account
    - The Email entity page
    - Teams message entity panel
    - ZAP for Teams

Defender for Office 365 Plan 2:
  Everything in Defender for Office 365 Plan 1, plus:
  Prevent and detect capabilities:
    - Attack simulation training
    - Priority account protection
  Investigate and respond capabilities:
    - Threat Explorer (Explorer)
    - Threat Trackers
    - AIR
    - Proactively hunt for threats with advanced hunting in Microsoft Defender XDR
    - Investigate incidents in Microsoft Defender XDR
    - Investigate alerts in Microsoft Defender XDR
    - Advanced hunting on Teams messages
    - Remove users from Teams chats