Protecting Against Phishing, Malware, and Spam

This course shows how to set up Microsoft Defender for Microsoft 365 through a series of practical demonstrations from the Microsoft 365 platform. You will learn about some general cybersecurity practices before being shown how Microsoft Defender can help you implement them.

Learning Objectives

  • Understand how to protect against phishing, malware, and spam using Microsoft Defender
  • Learn about safe links and safe attachments and configure them
  • Learn how to enable zero-day malware protection

Intended Audience

This course is intended for those who wish to learn how to configure protection in Microsoft Defender for Office 365.


To get the most out of this course, you should have a basic understanding of Microsoft 365.


Welcome to protecting against phishing, malware, and spam. Exchange Online Protection, or EOP, uses anti-spam policies to protect Exchange Online mailboxes, and on-prem mailboxes that are covered by a standalone EOP subscription, from spam. The default anti-spam policy provides basic protections. Admins can view it, edit it, and configure settings within it, but they cannot delete it. That said, admins can create custom anti-spam policies if needed. These can be applied to certain users, groups, or domains within the organization.

Custom anti-spam policies will always take precedence over the default policy. In cases where there are multiple defined custom policies, you can change the priority of those policies to control the order in which they are processed. You can use the Security and Compliance Center or PowerShell to configure anti-spam policies. Each policy includes two parts: a spam filter policy, which determines what actions to take and what notifications to send if the policy fires, and a spam filter rule, which determines the priority of the policy and who the policy applies to.

Settings for an anti-spam policy that are related to the name, priority, recipient filters, and whether or not the policy is enabled are all part of the spam filter rule. Everything else is part of the spam filter policy.

Defender for Office 365 offers several advanced anti-phishing features, including anti-phishing policies, Campaign Views, and the Attack Simulator. The anti-phishing policies available in Microsoft Defender for Office 365 allow you to create custom policies to fit your needs, and they allow you to configure anti-impersonation settings that can be used to protect against impersonation threats. You can also configure mailbox intelligence settings and set adjustable advanced phishing thresholds.

Campaign Views use machine learning and other intelligence to identify messages that are involved in coordinated phishing attacks against you. The Attack Simulator can be used to create and send fake phishing messages to your internal users. You use the Attack Simulator as a way to teach your users about phishing attacks and what to look out for.

Anti-malware policies are used to protect against dangerous malware. Each anti-malware policy consists of a malware filter policy and a malware filter rule. The malware filter policy is used to specify recipient notification settings, sender and admin notification, ZAP, and the Common Attachment Types Filter settings. The malware filter rule is used to specify the priority for the policy and who the policy applies to.

When you create an anti-malware policy, what you are actually doing is creating both the policy and the rule at the same time. Things like the name, priority, recipient filters, and the status of the policy are all part of the malware filter rule, while other settings like recipient notification, sender and admin notification, ZAP, and the Common Attachment Types Filter are part of the malware filter policy.

A default anti-malware policy is built into every organization; it's actually called Default. This default anti-malware policy provides basic protections and it's automatically applied to all recipients within the organization. The priority assigned to this default policy is set to lowest and it cannot be changed. This means that this default policy is always applied last. If you create custom anti-malware policies, those policies will always have a higher priority than the default policy. I should also mention that you cannot delete the default policy either.
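The policy/rule split described above for anti-spam and anti-malware policies, shown as an added Exchange Online PowerShell example that is not part of the course material. The policy and rule names, the `contoso.com` domain, the `secops` address, and the chosen actions and file types are placeholders and assumptions.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an admin session.
Connect-ExchangeOnline

$domain = 'contoso.com'            # placeholder accepted domain
$spam   = 'Finance Anti-Spam'      # hypothetical policy/rule name
$mal    = 'Finance Anti-Malware'   # hypothetical policy/rule name

# Anti-spam, part 1: the spam filter POLICY holds the actions to take.
New-HostedContentFilterPolicy -Name $spam `
    -SpamAction MoveToJmf `
    -HighConfidenceSpamAction Quarantine `
    -BulkThreshold 6

# Anti-spam, part 2: the spam filter RULE holds name, priority,
# recipient filters and enabled state, and points at the policy.
New-HostedContentFilterRule -Name $spam `
    -HostedContentFilterPolicy $spam `
    -RecipientDomainIs $domain `
    -Priority 0 -Enabled $true

# Anti-malware, part 1: the malware filter POLICY holds notifications,
# ZAP and the Common Attachment Types Filter.
New-MalwareFilterPolicy -Name $mal `
    -EnableFileFilter $true `
    -FileTypes 'exe','iso','vbs','js' `
    -ZapEnabled $true `
    -EnableInternalSenderAdminNotifications $true `
    -InternalSenderAdminAddress "secops@$domain"

# Anti-malware, part 2: the malware filter RULE holds priority and scope.
New-MalwareFilterRule -Name $mal `
    -MalwareFilterPolicy $mal `
    -RecipientDomainIs $domain `
    -Priority 0

# Review processing order of the custom rules (0 is processed first).
Get-HostedContentFilterRule | Sort-Object Priority |
    Format-Table Name, Priority, State, HostedContentFilterPolicy
Get-MalwareFilterRule | Sort-Object Priority |
    Format-Table Name, Priority, State, MalwareFilterPolicy

# The built-in default policies are flagged IsDefault and cannot be deleted.
Get-HostedContentFilterPolicy | Where-Object IsDefault | Format-List Name, SpamAction
Get-MalwareFilterPolicy       | Where-Object IsDefault | Format-List Name, ZapEnabled

# Reorder a custom rule later by changing its priority.
Set-HostedContentFilterRule -Identity $spam -Priority 0
```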

Over the next few lessons, I'll show you how to perform some basic policy creations. We'll configure a basic anti-phishing policy, a basic anti-malware policy, and a basic anti-spam policy.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.