Microsoft Defender for Office 365 Blog

Microsoft Defender for Office 365: Fine-Tuning

RenWoods (Microsoft)
Nov 13, 2025
Real-world Defender for Office 365 tuning that closes real attack paths | by Microsoft MVP Joe Stocker

In incident response, most business email compromise doesn’t start with “sophisticated zero-day malware.” It starts with configuration gaps: forwarding mail outside the tenant, users clicking through Safe Links warnings, impersonation policies left at day-one defaults, or post-delivery cleanup still relying on a human analyst at 2:00 AM. Those gaps are what attackers actually exploit.  

This blog covers our top recommendations for fine-tuning Microsoft Defender for Office 365 configuration from hundreds of deployments and recovery engagements: 

  1. Core fine-tuning actions every email or security admin should land right now

  2. Data-driven bulk mail tuning (BCL and Bulk Mail Insights)

  3. Impersonation and anti-phishing policy hygiene for executive protection

  4. Automate post-delivery cleanup by enabling Automated Remediation 

Each section includes a short video and practical guidance you can apply immediately in Microsoft Defender for Office 365. 

These recommendations align with Microsoft’s “secure by default” direction: applying the Standard and Strict preset security policies to users, using Configuration analyzer to catch configuration drift, and enforcing least-privilege release of high-risk mail.  

When possible, enable the Preset security policies to give you Microsoft’s recommended settings for Safe Links, Safe Attachments, Anti-Phishing, and Anti-Spam.  

If you use custom policies (or if you exclude users from the Presets) then use Configuration analyzer regularly to compare custom policies to the Standard/Strict baselines, since those get updated as Microsoft updates the Preset policies.   

Core Fine-Tuning Checklist for Defender for Office 365 

This section highlights six controls we recommend implementing broadly. These are “day one hardening” items we repeatedly validate with customers.

  1. Block automatic external forwarding by default
    Attackers often create hidden inbox rules that quietly forward mail (invoices, purchase orders, wire details) to an external account they control. Use outbound spam policies to block automatic external forwarding for the entire org, then create tightly scoped exceptions only for the handful of mailboxes that legitimately need it.

    This prevents data leakage and payment fraud scenarios where mail auto-forwards out of your tenant without anyone noticing. Blocking is the default (the "Automatic - System-controlled" value in the default outbound spam policy currently means external forwarding is blocked), yet we find many tenants where an admin switched the default policy to allow forwarding because they did not know how to carve out an exception for authorized forwarders. The right pattern is to leave the default outbound policy set to Off (block) and create a custom outbound spam policy that allows forwarding, scoped by its rule to only the approved senders; custom policies are evaluated before the default policy, so the exception wins for those mailboxes and everyone else stays blocked. Review the Auto forwarded messages report (in the Exchange admin center) regularly to catch forwarding you did not expect.
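    As an added example (not from the original post), here is how the default-block-plus-scoped-exception pattern looks in Exchange Online PowerShell, followed by an audit that lists every mailbox-level forward and inbox rule pointing outside your accepted domains. The policy name and the approved mailboxes are hypothetical; it assumes a Connect-ExchangeOnline session with an Exchange admin role.

```powershell
# Added example (not from the original post). Assumes an Exchange Online PowerShell
# session (Connect-ExchangeOnline). The policy name and the approved forwarding
# mailboxes are hypothetical.

# 1. Default outbound spam policy: block automatic external forwarding outright.
#    "Off" is explicit; "Automatic" is the portal's "System-controlled" value, which
#    currently also blocks but follows whatever Microsoft's default is at the time.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Tightly scoped exception: a custom policy that allows forwarding, applied by a
#    rule to only the approved senders. Custom rules are evaluated before the default
#    policy, so these mailboxes are allowed and everyone else stays blocked.
$approved = 'ap-scanner@contoso.com', 'helpdesk-ticketing@contoso.com'   # hypothetical
New-HostedOutboundSpamFilterPolicy -Name 'Allow AutoForward - Approved' -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name 'Allow AutoForward - Approved' `
    -HostedOutboundSpamFilterPolicy 'Allow AutoForward - Approved' `
    -From $approved -Priority 0

# 3. Audit: list every mailbox-level forward and inbox rule that targets an address
#    outside the tenant's accepted domains (the hidden-rule pattern attackers use).
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-ExternalAddress {
    param([string]$Address)
    $addr   = $Address -replace '^smtp:', ''        # ForwardingSmtpAddress is "smtp:user@domain"
    $domain = ($addr -split '@')[-1].ToLower()
    return ($internal -notcontains $domain)
}

function Get-ForwardTargets {
    # Inbox rule recipients render as 'Name [SMTP:user@domain]' for external addresses
    # and as 'Name [EX:/o=...]' for internal ones; only SMTP targets can be external.
    param($Rule)
    $all = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
    foreach ($r in $all) {
        if ("$r" -match '\[SMTP:([^\]]+)\]') { $Matches[1] }
    }
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox) {
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'Mailbox property'
                           Target  = $mbx.ForwardingSmtpAddress;  Rule   = '' }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        foreach ($t in (Get-ForwardTargets $rule)) {
            if (Test-ExternalAddress $t) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'Inbox rule'
                                   Target  = $t;                     Rule   = $rule.Name }
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

    The audit complements the policy rather than replacing it: the policy stops the forward at send time, while the audit tells you which mailboxes already carry a rule worth investigating as a possible compromise.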

  2. Use Enhanced Filtering for Connectors (“skip listing”) when necessary
    If you’re routing inbound mail through a third-party Secure Email Gateway or an on-prem hop before Microsoft 365, Defender sees that intermediary as the connecting IP instead of the original sending IP. That breaks SPF (the gateway’s IP is not in the sender’s SPF record) and degrades spoof intelligence and anti-spam verdicts. Enhanced Filtering for Connectors, also called skip listing, tells Microsoft 365 to look past that last hop (or past a list of known gateway IPs) and evaluate the true source IP and headers, so SPF / DKIM / DMARC and anti-spam logic work as they should.

    This setting does not support centralized mail routing (unless the routing is linear; see the Enhanced Filtering for Connectors learn article), so make sure you are not using that before enabling Enhanced Filtering. Centralized routing is sometimes used by organizations running a hybrid Exchange deployment, connecting Exchange Online with an on-premises Exchange Server organization. 

    Important: Do this instead of blanket SCL -1 transport rules that “bypass spam filtering for anything coming from our gateway.” Over-bypassing means phishing that slipped through the third-party filter can sail straight to user inboxes, which Microsoft specifically warns against.  
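    An added example, not from the original post, of enabling Enhanced Filtering on the gateway’s inbound connector (piloted on a few users first) and then finding the SCL -1 mail flow rules to retire. The connector name, gateway IPs and pilot users are hypothetical; it assumes a Connect-ExchangeOnline session.

```powershell
# Added example (not from the original post). The connector name 'Inbound from SEG',
# the gateway IPs 203.0.113.10/11 and the pilot users are hypothetical.

# Inventory connectors and their current Enhanced Filtering settings
Get-InboundConnector |
    Format-Table Name, ConnectorType, Enabled, SenderIPAddresses, EFSkipLastIP, EFSkipIPs, EFUsers

# Pilot: apply skip listing to a few recipients only (EFUsers) and compare verdicts.
# EFSkipLastIP is right when the gateway is always the last hop; EFSkipIPs is for a
# fixed set of gateway IPs when more than one hop or address must be skipped.
Set-InboundConnector -Identity 'Inbound from SEG' `
    -EFSkipLastIP $true `
    -EFUsers 'pilot1@contoso.com', 'pilot2@contoso.com'
# Check on a test message: with skip listing active the message headers carry
# X-MS-Exchange-SkipListedInternetSender and the SPF result reflects the real sender.

# Production: clear the pilot scope so the connector applies to everyone
Set-InboundConnector -Identity 'Inbound from SEG' -EFSkipLastIP $true -EFUsers $null

# Then retire blanket SCL -1 bypass rules. List every mail flow rule that sets SCL -1:
Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } |
    Format-Table Name, State, Priority, SenderIpRanges, SenderDomainIs, HeaderContainsMessageHeader

# Disable (do not delete yet) once Enhanced Filtering is verified, so rollback is one cmdlet:
# Disable-TransportRule -Identity 'Bypass spam filtering from gateway'
```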

  3. Turn on Safe Attachments protection beyond email (SharePoint, OneDrive, Teams) 
    In the Safe Attachments “Global settings,” make sure Defender for Office 365 is set to protect files in SharePoint, OneDrive, and Microsoft Teams. When enabled, if a file is identified as malicious, Defender automatically locks the file in-place so users can’t open it in Teams or OneDrive. This gives you malware detonation and containment in collaboration channels, not just email.  

    This step closes a gap we still see a lot: customers protect mail attachments well, but shared files and Teams chats are wide open. In the first part of this blog series, Microsoft MVP Purav Desai describes (here) how to prevent users from downloading files that Defender has marked malicious by running a SharePoint Online PowerShell cmdlet:
    Set-SPOTenant -DisallowInfectedFileDownload $true
     
  4. Don’t let users click through Safe Links warnings 
    Safe Links rewrites and time-of-click scans URLs in mail, Office apps, and Teams. In the Safe Links policy, clear “Let users click through to the original URL.” That prevents the classic “I know it says it’s malicious, but I really need to see it…” moment. Users get blocked instead of “warned but allowed.”  

    This setting is also enforced in Microsoft’s Standard AND Strict preset security policies where click-through is explicitly disabled.  

  5. Go beyond the default Common Attachment filter
    The anti-malware policy’s Common Attachment filter blocks known dangerous file extensions (executable content, scriptable content, etc.). Microsoft ships a default list (historically 50+ high-risk extensions), and you can add file types common in current malware delivery, such as HTML droppers. Note that the filter matches on extension only, so there is no way to single out password-protected archives; blocking them means blocking the archive extension (.zip, .rar, .7z) outright, which is a trade-off to make deliberately. Messages with listed file types are treated as malware and quarantined.
    Do this centrally rather than relying on users to “spot a suspicious attachment.” Automation beats user judgment here. 

  6. Use custom quarantine policies that require admin approval (instead of self-release)
    If you are not using the Preset Policies, you can create a quarantine policy to customize the user experience with quarantined messages. For anything phishing-related, I recommend creating a custom policy that allows the user to “request release from admin.” That means users can raise a hand if they think something should not have been quarantined, and an Incident is created for administrators to review before it is released. To me, this strikes the best balance between security and productivity. 
     

 
This keeps containment intact and gives the SOC final say. It also creates an auditable workflow: who asked for release, who approved it, and why. 

 
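    The following is an added example, not code from the original post, that applies items 3 through 6 from Exchange Online PowerShell (plus the SharePoint Online Management Shell for the download block) and finishes with the Configuration analyzer check from the introduction. The custom policy names and the extra extension list are hypothetical; review that list against your own file-sharing patterns before applying it.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline and, for the
# SharePoint step, Connect-SPOService. Policy names and the $extra list are hypothetical.

# 3. Safe Attachments beyond email: SharePoint, OneDrive and Teams files
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
# ...and stop users downloading files Defender has marked malicious (SPO shell)
Set-SPOTenant -DisallowInfectedFileDownload $true

# 4. Safe Links: no click-through to the original URL, in every policy that still allows it
foreach ($sl in Get-SafeLinksPolicy) {
    if ($sl.AllowClickThrough) {
        Set-SafeLinksPolicy -Identity $sl.Identity -AllowClickThrough $false
    }
}

# 5. Common Attachment filter: keep Microsoft's default list and add high-risk types.
#    The filter matches on extension only; archives here are blocked as a whole type.
$extra = 'html','htm','shtml','xhtml','svg','iso','img','vhd','vhdx','one',
         'lnk','js','jse','vbs','vbe','ps1','bat','cmd','hta','rar','7z'   # hypothetical list
foreach ($mp in Get-MalwareFilterPolicy) {
    $types = @($mp.FileTypes) + $extra | Where-Object { $_ } | Select-Object -Unique
    Set-MalwareFilterPolicy -Identity $mp.Identity -EnableFileFilter $true `
        -FileTypes $types -FileTypeAction Quarantine
}

# 6. Quarantine policy: the user can preview, delete, block the sender and *request*
#    release, but cannot release. 27 is the "Limited access" permission bitmask
#    (BlockSender 16 + RequestRelease 8 + Preview 2 + Delete 1); ESN sends the digest.
New-QuarantinePolicy -Name 'Phish - Request Release' -EndUserQuarantinePermissionsValue 27 -ESNEnabled $true

# Wire it to phishing verdicts in the custom anti-spam policy; keep high-confidence
# phish admin-only using the built-in AdminOnlyAccessPolicy.
Set-HostedContentFilterPolicy -Identity 'Custom Inbound' `
    -PhishSpamAction Quarantine -PhishQuarantineTag 'Phish - Request Release' `
    -HighConfidencePhishAction Quarantine -HighConfidencePhishQuarantineTag 'AdminOnlyAccessPolicy'

# Configuration analyzer from the shell: every custom setting that is weaker than
# the Standard baseline (use -RecommendedPolicyType Strict for the stricter one)
Get-ConfigAnalyzerPolicyRecommendation -RecommendedPolicyType Standard | Format-Table -AutoSize
```

    Run the last cmdlet on the same monthly cadence as the impersonation review; an empty result means no custom policy has drifted below the baseline.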

Bulk Mail Insights: Tune BCL using your tenant’s mail 

Bulk email (“graymail”) is noisy. Payroll alerts and benefits notifications are legitimate, but they look a lot like phishing, and true marketing email is also bulk. The traditional response (“just allow-list the sender so users stop complaining”) often opens the door for attacker mail that mimics those senders to land straight in executives’ inboxes.  

Defender for Office 365 gives you something better: Bulk Mail Insights (a.k.a. Bulk senders insight). This report shows, over the last 60 days, how much mail at each Bulk Complaint Level (BCL 1–9) was delivered vs. blocked, which senders are generating volume, and where users are likely to experience false positives or false negatives. You can interactively simulate raising or lowering the bulk threshold and immediately see, “If we tighten BCL, how many more messages get quarantined? How many of those were probably junk? How many were probably wanted?”  

Why this matters: 

  • You stop tuning bulk mail based on anecdotes and start tuning based on real telemetry from your own tenant. 
  • You can justify decisions to leadership and audit (“We set BCL at X because here is the simulation showing false positive/false negative impact”). 
  • You avoid blanket allow rules. Instead, you adjust bulk thresholds for legitimate high-volume senders while keeping stricter actions for everyone else.  

Note: You can modify the BCL threshold in your default or custom anti-spam policy, but you can’t change it inside the Standard (BCL:6) or Strict (BCL:5) preset security policies themselves. Standard and Strict are already aligned to Microsoft’s recommended baselines.  
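To make the simulation concrete, here is an added example (not from the original post) that takes per-BCL counts like those shown in Bulk senders insight, reports what each candidate threshold would catch, and then applies the chosen threshold to a custom anti-spam policy. The counts and the policy name are constructed for illustration.

```powershell
# Added example (not from the original post). The per-BCL counts below are constructed
# to look like a Bulk senders insight export; they are not real data. The policy name
# 'Custom Inbound' is hypothetical.

# Bulk mail seen per BCL over the review window (constructed sample)
$byBcl = [ordered]@{ 1 = 14200; 2 = 9800; 3 = 6100; 4 = 3900; 5 = 2300; 6 = 1100; 7 = 520; 8 = 140; 9 = 45 }

function Get-BulkThresholdImpact {
    # Messages whose BCL is greater than or equal to the threshold receive the bulk
    # action, so lowering the threshold catches more mail (including more wanted mail).
    param([System.Collections.IDictionary]$ByBcl, [int]$Threshold)
    $caught = 0; $total = 0
    foreach ($entry in $ByBcl.GetEnumerator()) {
        $total += $entry.Value
        if ([int]$entry.Key -ge $Threshold) { $caught += $entry.Value }
    }
    [pscustomobject]@{
        Threshold       = $Threshold
        WouldBeActioned = $caught
        StillDelivered  = $total - $caught
    }
}

# Compare the candidate thresholds side by side: Strict = 5, Standard = 6, looser = 7
5..7 | ForEach-Object { Get-BulkThresholdImpact -ByBcl $byBcl -Threshold $_ } | Format-Table

# Apply the chosen value to the custom anti-spam policy. Quarantine with the built-in
# full-access policy keeps wanted graymail recoverable by the user without an admin.
Set-HostedContentFilterPolicy -Identity 'Custom Inbound' -BulkThreshold 6 `
    -BulkSpamAction Quarantine -BulkQuarantineTag 'DefaultFullAccessPolicy'
```

Keep the simulation output with the change request; it is the evidence that answers “why BCL 6 and not 5” when a user or auditor asks.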


Anti-Phishing / Impersonation Tuning: Protect the people attackers actually spoof 

Business email compromise very often looks like this: “Hi, can you handle this payment today?” sent from an address that looks like your CFO or CEO. Microsoft Defender for Office 365 includes targeted impersonation protection, but it only works if you tell it who your most-targeted people are. 

Here are five pitfalls we see over and over: 

  1. Empty or stale VIP list 
    Populate “users to protect / high value targets” with executives, finance approvers, legal, anyone authorized to move money or data. Review it monthly. Roles change, and you only get a finite number of protected users (for example, ~350 entries). An out-of-date list silently weakens protection for the people attackers actually impersonate. 

  2. Phishing email threshold stuck at 1 forever
    We find organizations that are not using the preset policies have left their phishing threshold values at the default “1” because of initial false positives. We recommend raising it to match the Standard Preset (“3”) or Strict (“4”). 

  3. Weak action
    If suspicious “CFO” mail just goes to Junk, users can still act on it. High-confidence impersonation of executives should be quarantined with AdminOnly or request-release workflows, not left in end-user control. Tie this back to the custom quarantine policies discussed in the checklist above. 

  4. Common-name overload
    If your CEO’s name is extremely common, you will get noise from legitimate external senders who share it. Expect it. Do not remove that user from the protected list; instead, add the specific legitimate external sender (or the partner’s domain) to Trusted senders / Trusted domains in the anti-phishing policy, because otherwise their mail will keep being flagged as an impersonation attempt. Add only verified senders and domains there rather than lowering enforcement for everyone. 

  5. No scheduled review
    This control can’t be “set and forget.” Put impersonation tuning and spoof intelligence review on a monthly checklist. That lets you catch new vendors pretending to be finance, new “urgent wire” lure patterns, and any drift from Standard / Strict baseline that Configuration analyzer will also call out.

    When done right, impersonation protection is not just “spam reduction.” It’s payment fraud prevention. 
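    As an added example that is not part of the original post, this script keeps the VIP list as data, applies it to a custom anti-phishing policy with the thresholds and actions recommended above, and reports drift between the list and what the policy actually contains, which is the monthly review in item 5. The policy name, people and trusted senders are hypothetical; it assumes a Connect-ExchangeOnline session and Defender for Office 365 licensing (PhishThresholdLevel and impersonation settings are not available in EOP alone).

```powershell
# Added example (not from the original post). The policy 'Executive Protection', the
# people, addresses and trusted senders below are hypothetical.

# VIP list kept as data (source control or a ticketed change process), reviewed monthly
$vips = @(
    @{ Name = 'Alice Example'; Mail = 'alice.example@contoso.com' }   # CEO
    @{ Name = 'Bob Example';   Mail = 'bob.example@contoso.com' }     # CFO
    @{ Name = 'Carol Example'; Mail = 'carol.example@contoso.com' }   # AP approver
)
# The cmdlet expects "DisplayName;EmailAddress" entries; a policy holds at most 350 users
$protected = @($vips | ForEach-Object { '{0};{1}' -f $_.Name, $_.Mail })
if ($protected.Count -gt 350) { throw 'Protected-user list exceeds the 350-entry limit' }

# Legitimate senders that share a protected name or mail on their behalf
$trustedSenders = 'alice.example@partnerbank.example'   # external namesake, not an attacker
$trustedDomains = 'payrollvendor.example'

Set-AntiPhishPolicy -Identity 'Executive Protection' `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $protected `
    -EnableOrganizationDomainsProtection $true `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -PhishThresholdLevel 3 `
    -TargetedUserProtectionAction Quarantine -TargetedUserQuarantineTag 'AdminOnlyAccessPolicy' `
    -TargetedDomainProtectionAction Quarantine -TargetedDomainQuarantineTag 'AdminOnlyAccessPolicy' `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -ExcludedSenders $trustedSenders -ExcludedDomains $trustedDomains
# PhishThresholdLevel 3 matches the Standard preset; use 4 to match Strict.
# MoveToJmf for mailbox-intelligence verdicts mirrors Standard; Strict quarantines them.

# Monthly drift check: compare the list above with what the policy really contains
$policy     = Get-AntiPhishPolicy -Identity 'Executive Protection'
$configured = @($policy.TargetedUsersToProtect) | ForEach-Object { ($_ -split ';')[-1].ToLower() }
$wanted     = $vips.Mail | ForEach-Object { $_.ToLower() }
'Missing from policy : ' + (($wanted     | Where-Object { $configured -notcontains $_ }) -join ', ')
'Stale in policy     : ' + (($configured | Where-Object { $wanted     -notcontains $_ }) -join ', ')
```

    Treating the VIP list as a reviewed artifact, rather than something typed into the portal once, is what keeps the “stale list” pitfall from silently returning as people change roles.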

Automated Investigation & Response (AIR): Let Defender remove malicious email before your SOC has to! 

One of the biggest wins you can land quickly is letting Microsoft Defender for Office 365 automatically remove clusters of malicious messages — without waiting for analyst approval on every single item. 

Here’s how it works. Defender’s Automated Investigation and Response (AIR) groups messages into “clusters” based on shared indicators like the same malicious URL or malicious file hash. If you opt in to automatic remediation for those cluster types, AIR will go find every matching copy of that threat across the tenant and soft-delete those messages, not just the one that triggered the alert.  

Why this matters: 

  • It turns post-delivery cleanup into something that happens immediately instead of “after Tier 1 has time to review.” 
  • It removes known-bad messages from user mailboxes (and related collaboration surfaces like Teams) before a target can click.  
  • It dramatically cuts the classic “Did anyone else get this?” manual hunt-and-purge work that burns out SOC analysts. 

When you configure AIR automation settings in the Microsoft Defender portal (Settings > Email & collaboration > MDO automation settings), you’ll see checkboxes for “Similar files” and “Similar URLs.” Selecting those opts you into automatic soft delete for those clusters. Today, soft delete is the default supported action for these automatic remediations, enabling administrators to undo a deletion, if necessary. 

This is Defender for Office 365 Plan 2 / Microsoft 365 E5 functionality, and it’s exactly the kind of “secure operations by default” Microsoft has been pushing: detect, contain, and clean up automatically, then let humans investigate with context instead of manually chasing every copy of a phish.  

This automation triggers when malicious clusters are detected. For automating the classification and triage of user-submitted phishing incidents, check out the Security Copilot Phishing Triage Agent (Preview). 


Final Thoughts 

Defender for Office 365 is more than “email filtering.” It’s part of your security operations surface. The decisions you make about automated remediation (AIR), bulk mail thresholds, Safe Links/Attachment behavior, outbound forwarding, connector hygiene, quarantine policy, and impersonation tuning directly determine how easy — or how hard — it is for an attacker to penetrate your organization.  

Microsoft’s current guidance is clear: 

  • Apply Standard or Strict preset security policies so users get the recommended protections by default (for example, Safe Links with no click-through). 
  • If you must use a custom policy, review the recommendations from the Configuration analyzer monthly for new recommendations, or to catch and correct drift whenever someone weakens a control. 
  • Lock down quarantine so only admins can release high-risk messages, with an auditable “request release” path for users. 
  • Turn on automated remediation so Defender can remove malicious clusters of messages before anyone clicks.  

Organizations that land these basics are in a dramatically better position during an incident. Instead of “Who clicked the link?” you can say, “AIR already pulled it, users were blocked from clicking through, outbound forwarding is disabled, and impersonation of the CFO is quarantined for admin review.” That’s what “secure by default” actually looks like in production.  

________
This blog was authored by Joe Stocker, Microsoft Security MVP and Founder of Patriot Consulting Technology Group, in partnership with the Microsoft Defender for Office 365 product team, including Paul Newell, Senior Product Manager, Microsoft Defender for Office 365. 

Joe Stocker
Microsoft Security MVP 

Learn More and Meet the Author

1) December 16th Ask the Experts Webinar: 

Microsoft Defender for Office 365 | Ask the Experts: Tips and Tricks (REGISTER HERE)
DECEMBER 16, 8 AM US Pacific

You’ve watched the latest Microsoft Defender for Office 365 best practices videos and read the blog posts by the esteemed Microsoft Most Valuable Professionals (MVPs). Now bring your toughest questions or unique situations straight to the experts. In this interactive panel discussion, Microsoft MVPs will answer your real-world scenarios, clarify best practices, and highlight practical tips surfaced in the recent series. We’ll kick off with a who’s who and recent blog/video series recap, then dedicate most of the time to your questions across migration, SOC optimization, fine-tuning configuration, Teams protection, and even Microsoft community engagement. Come ready with your questions (or pre-submit here) for the expert Security MVPs on camera, or the Microsoft Defender for Office 365 product team in the chat! REGISTER NOW for 12/16. 

2) Additional MVP Tips and Tricks Blogs and Videos in this Four-Part Series: 

  1. Microsoft Defender for Office 365: Migration & Onboarding by Purav Desai 
  2. Safeguarding Microsoft Teams with Microsoft Defender for Office 365 by Pierre Thoor
  3. You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365 by Mona Ghadiri
  4. (This post) "Microsoft Defender for Office 365: Fine-Tuning" by Joe Stocker

Learn and Engage with the Microsoft Security Community 

Updated Nov 13, 2025
Version 3.0