blog.johlem.net

Microsoft Defender for Office 365 and Phishing: What the Layers Actually Do

Microsoft Defender for Office 365 is the central control plane for phishing protection in Microsoft 365 mailboxes, and to most people it is a black box — phishing goes in, hopefully gets caught, occasionally does not. But its anti-phishing protection is actually a stack of distinct layers, each designed to catch a different category of attack, and understanding what each layer does is the difference between configuring it competently and trusting it blindly. The layers are not interchangeable, and the attacks they miss are as instructive as the ones they catch.

This is a practitioner’s map of what Defender’s anti-phishing layers actually do, grounded in how the product is built.

The foundation: email authentication

Before any of Defender’s layers do their best work, the foundation is email authentication, and this is where most misconfiguration hides. Threat policies work best when the source email domains are correctly authenticated, and the three standards do distinct jobs: SPF authorizes which services may send mail for your domain, DKIM signs messages so recipients can verify they weren’t altered, and DMARC tells recipient systems how to handle messages that fail authentication and whether the authenticated domain aligns with the visible From domain.

The practical point: Defender’s anti-phishing intelligence is more effective when authentication is correct, because authentication gives it reliable signal about whether a sender is who they claim. Skipping the authentication foundation and expecting the ML layers to compensate is the most common way organizations under-perform their own licensing. Get SPF, DKIM, and DMARC right first; everything above works better for it.
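One way to check that foundation for a single domain, as an added example that is not part of the original post: it reads the SPF, DKIM and DMARC records Defender relies on and warns where they are missing or weak. It assumes PowerShell on Windows with the DnsClient module (Resolve-DnsName) and uses example.com as a placeholder domain.

```powershell
# Added example (not from the original post): inspect the SPF, DKIM and DMARC
# records for one domain. Assumes the DnsClient module; example.com is a placeholder.
param([string]$Domain = 'example.com')

function Get-TxtRecord([string]$Name, [string]$Prefix) {
    # Return the TXT string starting with $Prefix (e.g. 'v=spf1'), or $null if absent.
    $records = Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue
    foreach ($r in $records) {
        $txt = -join $r.Strings   # long TXT records arrive split into 255-byte chunks
        if ($txt -like "$Prefix*") { return $txt }
    }
    return $null
}

# SPF lives at the domain apex; Microsoft 365 senders need include:spf.protection.outlook.com
$spf = Get-TxtRecord -Name $Domain -Prefix 'v=spf1'
if (-not $spf) { Write-Warning "$Domain publishes no SPF record" }
elseif ($spf -notmatch 'spf\.protection\.outlook\.com') { Write-Warning "SPF does not include the Microsoft 365 sending service: $spf" }
elseif ($spf -notmatch '-all$') { Write-Warning "SPF ends in a soft or neutral qualifier instead of -all: $spf" }
else { Write-Host "SPF ok: $spf" }

# DKIM for Microsoft 365 is two CNAMEs (selector1/selector2) into the tenant's onmicrosoft.com zone
foreach ($sel in 'selector1', 'selector2') {
    $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    if ($cname) { Write-Host "DKIM $sel -> $($cname.NameHost)" }
    else { Write-Warning "DKIM selector $sel is not published for $Domain" }
}

# DMARC: p= is the policy; adkim/aspf default to relaxed alignment ('r') when absent
$dmarc = Get-TxtRecord -Name "_dmarc.$Domain" -Prefix 'v=DMARC1'
if (-not $dmarc) { Write-Warning "$Domain publishes no DMARC record" }
else {
    $tags = @{}
    foreach ($kv in ($dmarc -split ';')) {
        $parts = $kv.Trim() -split '=', 2
        if ($parts.Count -eq 2) { $tags[$parts[0].Trim()] = $parts[1].Trim() }
    }
    if ($tags['p'] -eq 'none') { Write-Warning "DMARC is monitor-only (p=none): failing mail is neither quarantined nor rejected" }
    else { Write-Host "DMARC policy: p=$($tags['p'])" }
    $adkim = if ($tags['adkim']) { $tags['adkim'] } else { 'r (default)' }
    $aspf  = if ($tags['aspf'])  { $tags['aspf'] }  else { 'r (default)' }
    Write-Host "DMARC alignment: DKIM=$adkim SPF=$aspf"
    if (-not $tags['rua']) { Write-Warning "No rua= address: aggregate reports, and so visibility into failures, are not being collected" }
}
```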

The layers, and what each catches

Defender’s anti-phishing protection stacks several distinct mechanisms:

Spoof intelligence — the “is this sender forged” layer. Basic anti-phishing features are provided to all Microsoft 365 cloud mailboxes, including spoof intelligence, which detects when a sender is being forged. The spoof intelligence insight lets you review detected spoofed senders and manually allow or block them. This catches the forged-sender category — mail pretending to come from a domain it does not.

Impersonation protection — the “is this pretending to be someone specific” layer. This is a Defender for Office 365 (not basic) capability and a distinct category from spoofing. Defender for Office 365 provides protection against user, domain, and sender impersonation — catching mail that impersonates specific protected people or domains (an executive, a partner domain) rather than outright forging headers. You identify specific senders to protect individually or by domain. This is the layer aimed at targeted attacks like CEO-fraud and BEC.

Mailbox intelligence — the “does this fit normal communication patterns” layer. This applies behavioral knowledge of a mailbox’s normal correspondents to spot anomalous sender behavior — a contextual layer that improves impersonation detection by knowing who you actually communicate with.

Safe Links — the “is this URL malicious at click time” layer. Safe Links dynamically scans URLs in emails and documents, blocking access to malicious websites, with the crucial property that it checks at time-of-click. This matters because a link benign at delivery can be weaponized later; time-of-click checking catches the URL that turned malicious after the email arrived.

Safe Attachments — the “is this attachment malicious” layer. Safe Attachments scans email attachments in a virtual environment to detect malicious content before it reaches the inbox — detonating attachments in isolation rather than relying on signatures alone.

Adjustable thresholds and presets. Customizable phishing thresholds let you fine-tune detection, and rather than managing custom policies, Microsoft typically recommends the Standard and/or Strict preset security policies. The presets encode Microsoft’s recommended configuration, which is usually a better starting point than hand-rolling policy.
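The layer list above maps directly onto Exchange Online PowerShell, which is the quickest way to see which layers a tenant has actually switched on. This is an added example, not the post's own code; it assumes the ExchangeOnlineManagement module and an account with a role allowed to read threat policies, and it warns about layers that exist but are off or protect nothing.

```powershell
# Added example (not from the original post): inventory the anti-phishing layers
# per policy and flag the ones that are enabled in name only.
# Assumes the ExchangeOnlineManagement module and a role that can read threat policies.
Connect-ExchangeOnline -ShowBanner:$false

# Presets: Standard/Strict appear as rules; a preset whose State is not Enabled applies to nobody.
@(Get-EOPProtectionPolicyRule) + @(Get-ATPProtectionPolicyRule) |
    Select-Object Name, State, Priority | Format-Table -AutoSize

# Anti-phish policies carry spoof intelligence, impersonation, mailbox intelligence and the threshold.
foreach ($p in Get-AntiPhishPolicy) {
    $name = $p.Name
    if (-not $p.EnableSpoofIntelligence) { Write-Warning "${name}: spoof intelligence is off" }
    if (-not $p.EnableTargetedUserProtection) { Write-Warning "${name}: user impersonation protection is off" }
    elseif ($p.TargetedUsersToProtect.Count -eq 0) { Write-Warning "${name}: user impersonation is on but protects no one" }
    if (-not $p.EnableTargetedDomainsProtection -and -not $p.EnableOrganizationDomainsProtection) {
        Write-Warning "${name}: no domain impersonation protection (neither custom nor own domains)"
    }
    if (-not $p.EnableMailboxIntelligence) { Write-Warning "${name}: mailbox intelligence is off" }
    elseif (-not $p.EnableMailboxIntelligenceProtection) {
        Write-Warning "${name}: mailbox intelligence only informs; no protection action is applied"
    }
    Write-Host "${name}: phishing threshold level $($p.PhishThresholdLevel) (1 = standard, 4 = most aggressive)"
}

# Safe Links / Safe Attachments: a policy does nothing unless an enabled rule scopes it to recipients.
Get-SafeLinksPolicy | Select-Object Name, EnableSafeLinksForEmail, ScanUrls, DeliverMessageAfterScan,
    TrackClicks, AllowClickThrough | Format-Table -AutoSize
Get-SafeLinksRule | Select-Object Name, State, SafeLinksPolicy, SentTo, RecipientDomainIs | Format-Table -AutoSize
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action | Format-Table -AutoSize
Get-SafeAttachmentRule | Select-Object Name, State, SafeAttachmentPolicy, SentTo, RecipientDomainIs | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Read the rule output alongside the policy output: a Safe Links policy with every setting on but a disabled or narrowly scoped rule is exactly the "owned but not enabled" gap the article describes.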

Why the layers matter as distinct things

The key insight for using Defender well: each layer catches a different attack category, and they are not substitutes for each other. Spoofing (forged sender) and impersonation (pretending to be a specific protected identity) are genuinely different attacks needing different detection — spoof intelligence does nothing for a well-crafted impersonation that does not forge headers, and impersonation protection does nothing for raw spoofing. Safe Links addresses the URL vector; Safe Attachments the file vector; mailbox intelligence the behavioral-anomaly vector.

This means configuration is not “turn on Defender” but “ensure each layer is properly enabled and tuned for the attack category it covers.” The common failure — found repeatedly in real environments — is organizations that own these capabilities through their licensing but have only enabled a fraction, leaving whole attack categories uncovered while believing they are protected. Knowing the layers is knowing which categories you have actually covered.

What Defender’s layers cannot do

A practitioner take has to name the gaps:

Sophisticated targeted phishing still gets through. Microsoft itself acknowledges the difficulty: with the growing complexity of attacks, it’s even difficult for trained users to identify sophisticated phishing messages. The layers catch categories of attack; a sufficiently tailored spear-phish or BEC, especially one not relying on forged headers or known-bad URLs, can evade them. Defender reduces the volume and catches the categorical attacks; it does not make phishing a solved problem.

The human layer remains essential. Because sophisticated targeted attacks evade automated detection, user reporting and awareness remain part of the system — which is why Defender for Office 365 Plan 2 includes attack simulation training. The technology layer and the human layer are complementary, not alternatives.

Configuration is your responsibility. The capabilities only protect what they are configured to protect. Impersonation protection covers the specific identities you tell it to protect; thresholds are only right if you tune them. Defender provides the mechanisms; the protection depends on configuring them correctly for your organization.

The takeaway

Defender for Office 365’s anti-phishing protection is a stack of distinct layers — authentication foundation, spoof intelligence, impersonation protection, mailbox intelligence, Safe Links, Safe Attachments, tunable thresholds — each catching a different category of attack, none substituting for the others. Using it well means getting email authentication right first, ensuring each layer is actually enabled and tuned for its category (rather than running a fraction of what you own), and recognizing that sophisticated targeted phishing still requires the human layer the technology cannot replace.

The reframe to carry: Defender’s anti-phishing is layers, not a switch — each covers a specific attack category, the most common failure is leaving categories uncovered while feeling protected, and the sophisticated targeted attack is exactly the one that still needs people. Map the layers to the attacks, configure each deliberately, and pair the technology with the human reporting that catches what slips through.


An independent piece by johlem.net — IT security consulting, Luxembourg. Email security and Microsoft 365 protection for regulated financial entities.