8.2 Defender for Office 365
Key Takeaways
- Defender for Office 365 protects email and collaboration workloads — Exchange Online, Teams, SharePoint, and OneDrive.
- Safe Attachments detonates files in a sandbox (virtual environment) before delivery to catch zero-day malware.
- Safe Links rewrites and checks URLs at time-of-click to block malicious links even after delivery.
- Plan 1 adds Safe Attachments, Safe Links, and anti-phishing; Plan 2 adds Threat Explorer, automated investigation and response (AIR), and Attack Simulation Training.
- It is a security service, not a compliance feature — do not confuse it with Microsoft Purview.
Protecting Email and Collaboration
Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection / ATP) protects email and collaboration workloads against phishing, business email compromise, malware, and malicious links. Its scope is the Microsoft 365 productivity stack: Exchange Online email, plus Microsoft Teams, SharePoint, and OneDrive collaboration content. When an SC-900 scenario describes protecting mailboxes, inbound messages, links in email, or files shared in Teams/SharePoint, the answer is Defender for Office 365.
The two signature, exam-tested features are Safe Attachments and Safe Links.
Safe Attachments — Sandbox Detonation
Safe Attachments protects against malicious files. Before a message reaches the recipient, the attachment is opened in an isolated virtual environment and its behavior is observed — a process called detonation. If the file behaves maliciously (for example, ransomware or unknown malware), it is blocked. This catches zero-day threats that signature-based antivirus would miss because detection is based on behavior, not a known signature. Safe Attachments also extends to SharePoint, OneDrive, and Microsoft Teams, scanning stored/shared files and blocking detected malware.
Safe Links — Time-of-Click URL Protection
Safe Links protects against malicious URLs. It rewrites links in email (and supports Teams and Office apps) and re-checks the destination at the moment the user clicks — "time-of-click" verification. This matters because a URL can be benign when the email is delivered and weaponized hours later; Safe Links re-evaluates at click time and blocks the user if the destination has turned malicious. It also provides URL detonation and warning pages.
| Feature | Threat addressed | How it works |
|---|---|---|
| Safe Attachments | Malicious files / zero-day malware | Sandbox detonation before delivery |
| Safe Links | Malicious URLs | Time-of-click URL re-checking and rewriting |
| Anti-phishing | Impersonation, spoofing, BEC | Mailbox intelligence, impersonation protection |
| ZAP (zero-hour auto purge) | Threats found after delivery | Retroactively removes delivered malicious mail |
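The features in the table above are configured as policies plus rules that scope them to recipients. The following is an added example, not from the study guide or from Microsoft's documentation, showing how an administrator would create a Safe Attachments policy, a Safe Links policy, and an anti-phishing policy with the Exchange Online PowerShell module (ExchangeOnlineManagement). The cmdlet and parameter names are those of that module; the tenant domain "contoso.com", the policy and rule names, and the protected user are constructed placeholders, and the example assumes a Defender for Office 365 Plan 1 or Plan 2 license and an account holding a role that can manage threat policies.

```powershell
# Added example (not from the study guide): creating Safe Attachments, Safe Links and
# anti-phishing policies with Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed, Defender for Office 365 licensed,
# and "contoso.com" plus all policy/rule names are constructed placeholders.

Connect-ExchangeOnline   # interactive sign-in

$domain = "contoso.com"  # placeholder tenant domain

# --- Safe Attachments: detonate attachments in a sandbox before delivery ---
# -Action Block    : a message whose attachment behaves maliciously is blocked (quarantined)
# -Redirect $false : do not forward blocked messages to a security mailbox
New-SafeAttachmentPolicy -Name "SafeAttachments-AllUsers" `
    -Enable $true `
    -Action Block `
    -Redirect $false

# The rule scopes the policy to every recipient in the tenant domain
New-SafeAttachmentRule -Name "SafeAttachments-AllUsers" `
    -SafeAttachmentPolicy "SafeAttachments-AllUsers" `
    -RecipientDomainIs $domain

# Extend Safe Attachments scanning to SharePoint, OneDrive and Teams files.
# This is an organization-wide toggle, not a per-recipient policy.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# --- Safe Links: rewrite URLs and re-check them at time of click ---
# -TrackClicks $true        : record clicks so analysts can see who clicked a later-weaponized link
# -AllowClickThrough $false : users cannot bypass the warning page to reach the original URL
# -ScanUrls / -DeliverMessageAfterScan : detonate URLs and hold the message until the scan finishes
New-SafeLinksPolicy -Name "SafeLinks-AllUsers" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -TrackClicks $true `
    -AllowClickThrough $false `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true

New-SafeLinksRule -Name "SafeLinks-AllUsers" `
    -SafeLinksPolicy "SafeLinks-AllUsers" `
    -RecipientDomainIs $domain

# --- Anti-phishing: mailbox intelligence and impersonation protection ---
# Mailbox intelligence learns each user's normal correspondents; targeted user and
# domain protection quarantines mail that impersonates the listed people or the tenant's domains.
New-AntiPhishPolicy -Name "AntiPhish-AllUsers" `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "Finance Director;finance.director@$domain" `
    -TargetedUserProtectionAction Quarantine `
    -PhishThresholdLevel 2

New-AntiPhishRule -Name "AntiPhish-AllUsers" `
    -AntiPhishPolicy "AntiPhish-AllUsers" `
    -RecipientDomainIs $domain

# Confirm the policies were created with the intended settings
Get-SafeAttachmentPolicy -Identity "SafeAttachments-AllUsers" |
    Format-List Name, Enable, Action
Get-SafeLinksPolicy -Identity "SafeLinks-AllUsers" |
    Format-List Name, EnableSafeLinksForEmail, TrackClicks, AllowClickThrough
```

The two settings most worth checking on an existing tenant are `AllowClickThrough` (a value of `$true` lets a user proceed past the Safe Links warning page, which undoes the time-of-click block) and `DeliverMessageAfterScan` (when `$false`, a message can reach the inbox before URL detonation has finished).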
Plan 1 vs. Plan 2
Defender for Office 365 ships in two plans; SC-900 may test the broad split between preventive controls and post-breach investigation:
| Plan 1 (preventive) | Plan 2 (adds investigation/response) |
|---|---|
| Safe Attachments | Everything in Plan 1, plus: |
| Safe Links | Threat Explorer / real-time detections |
| Anti-phishing (impersonation) | Automated Investigation and Response (AIR) |
| Real-time detections (basic) | Attack Simulation Training |
| — | Advanced hunting and threat trackers |
A useful memory hook: Plan 1 keeps the threat out (protect), Plan 2 helps you investigate and respond (detect/respond). Attack Simulation Training — running benign phishing simulations to train users — is a distinctive Plan 2 cue.
Common Traps
- Do not pick Microsoft Purview just because the scenario mentions Office content. Purview is compliance and data governance (labels, DLP, retention, eDiscovery). Defender for Office 365 is security — stopping email/collaboration threats.
- Do not pick Defender for Endpoint — that protects devices, not mailboxes.
- Do not pick Microsoft Sentinel — Sentinel is SIEM/SOAR; Defender for Office 365 is the workload protection service whose alerts feed the wider XDR/SIEM picture.
Quick cues
- Email, phishing, malicious attachment, malicious link, Teams/SharePoint file scanning → Defender for Office 365.
- "Detonate the file in a sandbox before delivery" → Safe Attachments.
- "Re-check the URL when the user clicks" → Safe Links.
- "Run a simulated phishing campaign to train users" → Attack Simulation Training (Plan 2).
The Bigger Picture: Layered Email Defense
Defender for Office 365 does not work alone — it layers on top of Exchange Online Protection (EOP), the baseline anti-spam and anti-malware engine included with every Exchange Online mailbox. EOP filters known bad mail (signature-based malware, spam, bulk mail); Defender for Office 365 adds the advanced layer for the threats EOP cannot catch on its own: zero-day malware (Safe Attachments), weaponized-after-delivery links (Safe Links), and sophisticated impersonation/business-email-compromise attacks (anti-phishing with mailbox intelligence).
For SC-900 you do not need EOP's internals, but it helps to know Defender for Office 365 is the premium tier that sits above the built-in protection.
A few more capabilities round out the picture and commonly appear in scenarios:
- Zero-hour auto purge (ZAP) retroactively removes messages from mailboxes when a link or attachment is found malicious after delivery — protection does not stop at the inbox door.
- Threat Explorer / real-time detections (Plan 2) let analysts hunt across email events to see who received a campaign and what happened to it.
- Automated investigation and response (AIR) (Plan 2) auto-triages alerts and recommends or takes remediation, such as soft-deleting malicious mail across affected mailboxes.
- Attack Simulation Training (Plan 2) launches benign, realistic phishing simulations and assigns targeted training to users who fall for them — addressing the human layer, not just the technical one.
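Because protection is layered (EOP underneath, Defender for Office 365 on top, ZAP reaching back into mailboxes after delivery), a useful habit is to report on whether each layer is actually switched on. The script below is an added example, not from the study guide, and is read-only: it queries the default EOP policies and the Defender for Office 365 policies with Exchange Online PowerShell and returns one object summarising the layers. It assumes an existing `Connect-ExchangeOnline` session with a role that can read threat policies, and that the default EOP policies carry their standard name of "Default".

```powershell
# Added example (not from the study guide): read-only posture check of the layered
# email defence. Assumes an active Connect-ExchangeOnline session; changes nothing.

function Get-EmailDefenseLayers {
    $report = [ordered]@{}

    # EOP baseline layer: anti-malware policy with zero-hour auto purge (ZAP) for malware
    $malware = Get-MalwareFilterPolicy -Identity "Default"
    $report["EOP malware ZAP enabled"] = $malware.ZapEnabled

    # EOP spam/phish filtering: ZAP for spam and for phishing found after delivery
    $spam = Get-HostedContentFilterPolicy -Identity "Default"
    $report["EOP spam ZAP enabled"]  = $spam.SpamZapEnabled
    $report["EOP phish ZAP enabled"] = $spam.PhishZapEnabled

    # Defender for Office 365 layer: count the enabled rules that apply each policy type.
    # A policy with no enabled rule protects nobody, so rules are what matter here.
    $saRules = Get-SafeAttachmentRule | Where-Object { $_.State -eq "Enabled" }
    $report["Safe Attachments enabled rules"] = ($saRules | Measure-Object).Count

    $slRules = Get-SafeLinksRule | Where-Object { $_.State -eq "Enabled" }
    $report["Safe Links enabled rules"] = ($slRules | Measure-Object).Count

    $apRules = Get-AntiPhishRule | Where-Object { $_.State -eq "Enabled" }
    $report["Anti-phishing enabled rules"] = ($apRules | Measure-Object).Count

    # Safe Attachments for SharePoint, OneDrive and Teams is a single org-wide toggle
    $atp = Get-AtpPolicyForO365
    $report["Safe Attachments for SPO/ODB/Teams"] = $atp.EnableATPForSPOTeamsODB

    # Safe Links policies that let users click through weaken the time-of-click block;
    # list their names so an admin can review them
    $clickThrough = Get-SafeLinksPolicy | Where-Object { $_.AllowClickThrough }
    $report["Safe Links policies allowing click-through"] =
        (($clickThrough | ForEach-Object { $_.Name }) -join ", ")

    [PSCustomObject]$report
}

Get-EmailDefenseLayers | Format-List
```

Reading the output top to bottom mirrors the layering described above: the three ZAP flags belong to the built-in EOP tier, the rule counts and the SPO/ODB/Teams toggle belong to Defender for Office 365, and an empty click-through list means no Safe Links policy lets users step around a block.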
Worked Selection Scenario
"Finance staff keep receiving emails with PDF invoices that turn out to carry never-before-seen malware, and links that pass initial scanning but redirect to credential-harvesting pages minutes later." The malware-laden attachments call for Safe Attachments sandbox detonation; the delayed-weaponization links call for Safe Links time-of-click checking; the phishing test plus targeted training is Attack Simulation Training. All three are Defender for Office 365 (the simulation feature specifically requires Plan 2).
Critically, none of this is Microsoft Purview — Purview would be the answer only if the scenario were about governing or protecting the data itself (labels, DLP, retention), not stopping the email threat.
Which Defender for Office 365 feature opens email attachments in a virtual sandbox to detect zero-day malware before delivery?
A user receives an email with a link that was clean at delivery but becomes malicious an hour later. Which feature re-checks the URL when the user clicks it?
Which capability is part of Defender for Office 365 Plan 2 rather than Plan 1?
An organization wants to stop malicious links and attachments in Exchange Online email and files shared in Teams. Which product should they choose?