Microsoft Defender for Office 365 – Safe Attachments and Safe Links for Small Businesses in Berlin
Email is the primary attack vector for ransomware, business email compromise, and credential phishing against small businesses. Standard Exchange Online Protection (EOP) — included in all Microsoft 365 subscriptions — filters known malware and spam using signature-based detection. Microsoft Defender for Office 365 (MDO, formerly ATP) adds behavioral analysis: detonating attachments in a sandbox before delivery, scanning URLs at click-time rather than delivery time, and applying machine learning to detect impersonation attacks that bypass signature detection. For Berlin SMBs on Business Premium (which includes MDO Plan 1), these capabilities are already licensed — they need to be configured.
Microsoft Defender for Office 365 Plan Comparison
| Feature | EOP (Base) | MDO Plan 1 | MDO Plan 2 |
|---|---|---|---|
| Anti-spam / Anti-malware | ✓ | ✓ | ✓ |
| Safe Attachments | ✗ | ✓ | ✓ |
| Safe Links | ✗ | ✓ | ✓ |
| Anti-phishing (impersonation) | Basic | Advanced | Advanced |
| Threat Explorer / Real-time detections | ✗ | Real-time detections | Threat Explorer (full) |
| Attack Simulation Training | ✗ | ✗ | ✓ |
| Automated Investigation and Response | ✗ | ✗ | ✓ |
Business Premium includes MDO Plan 1. Most Berlin SMBs will operate at Plan 1 and access the Microsoft 365 Defender portal (security.microsoft.com) to configure policies.
Safe Attachments
Safe Attachments detonates email attachments in a cloud-hosted sandbox before delivering them to the recipient’s mailbox. A malicious Office document that looks clean to signature scanning executes its payload when opened in the sandbox; behavioral analysis catches that execution, and the email is either blocked outright or delivered with the attachment replaced by a warning.
Key policy settings:
| Setting | Recommended Value | Notes |
|---|---|---|
| Safe Attachments unknown malware response | Block | Block quarantines the whole message when the sandbox flags the attachment; Replace would deliver the body with the attachment swapped for a notification |
| Enable redirect for detected attachments | On — redirect to admin mailbox | Allows reviewing blocked attachments without exposing recipients |
| Safe Attachments for SharePoint, OneDrive, Teams | Enabled | Extends detonation to files shared via Teams/SharePoint, not just email |
| Recipient scope | Apply to all recipients (no scoping) | Don’t leave service accounts or shared mailboxes unprotected |
The Dynamic Delivery option (deliver the email body immediately, hold the attachment during detonation, then deliver the scanned attachment separately) reduces end-user complaints about email delays at the cost of slightly more complex delivery behavior. For SMBs where email is business-critical and users complain about delays, Dynamic Delivery is a reasonable compromise over Block mode.
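The settings in the table above, applied from PowerShell. This is an added example, not configuration from the original article; it assumes the ExchangeOnlineManagement module, an account with the Security Administrator role, and constructed placeholder values for the tenant domain (`example-berlin.de`) and the admin mailbox (`secops@example-berlin.de`). The `-Redirect`/`-RedirectAddress` parameters are accepted by the cmdlet, but Microsoft has narrowed which actions honour redirection over time, so confirm the effective value with the final `Get-SafeAttachmentPolicy` call.

```powershell
# Added example: tenant-wide Safe Attachments policy (Block + redirect + SPO/Teams coverage).
# Domain and mailbox names below are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example-berlin.de

$domain     = "example-berlin.de"          # assumption: the tenant's accepted domain
$adminInbox = "secops@example-berlin.de"   # assumption: mailbox that receives redirected copies

# Policy: Block on unknown malware, redirect detected items to the admin mailbox, and use the
# built-in admin-only quarantine tag so recipients cannot self-release a blocked message.
$policy = @{
    Name            = "SMB Safe Attachments"
    Enable          = $true
    Action          = "Block"                  # "DynamicDelivery" is the alternative discussed below
    Redirect        = $true
    RedirectAddress = $adminInbox
    QuarantineTag   = "AdminOnlyAccessPolicy"
}
New-SafeAttachmentPolicy @policy

# Rule: scope by accepted domain so shared mailboxes and service accounts are covered too.
New-SafeAttachmentRule -Name "SMB Safe Attachments - all recipients" `
    -SafeAttachmentPolicy "SMB Safe Attachments" `
    -RecipientDomainIs $domain `
    -Priority 0

# Extend detonation to files in SharePoint Online, OneDrive for Business and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify the effective settings before leaving the session.
Get-SafeAttachmentPolicy -Identity "SMB Safe Attachments" |
    Format-List Enable, Action, Redirect, RedirectAddress, QuarantineTag
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB
```

To switch the same policy to Dynamic Delivery later, run `Set-SafeAttachmentPolicy -Identity "SMB Safe Attachments" -Action DynamicDelivery`; note that Dynamic Delivery only works for mailboxes hosted in Exchange Online, so hybrid tenants with on-premises mailboxes fall back to Block behaviour for those users.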
Safe Links
Safe Links rewrites URLs in email at delivery time and then re-checks them against a real-time threat feed at click time. This catches two categories that delivery-time URL scanning misses:
- Time-of-click phishing: A URL is benign at delivery time (the attacker stages a clean site), then switches to a phishing page once the email has passed delivery-time scanning
- Legitimate site compromise: A URL pointing to a legitimate website is delivered safely, but the site is later compromised and starts serving malware
Key policy settings:
| Setting | Recommended Value |
|---|---|
| On: Safe Links checks a list of known, malicious links when users click links in email | Enabled |
| Apply real-time URL scanning for suspicious links and links that point to files | Enabled |
| Do not allow users to click through to original URL | Enabled (block click-through) |
| Track user clicks | Enabled (for incident investigation) |
| Safe Links in Microsoft Teams | Enabled |
Do not add internal domains to the “do not rewrite” exclusion list unless you have a specific operational reason. Every exclusion is a potential gap. The Microsoft 365 Admin Center and commonly used Microsoft domains are automatically excluded by Microsoft — you don’t need to add them manually.
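The Safe Links table above as a policy, plus a check that no “do not rewrite” exclusions have crept in. Added example, not part of the original article; it assumes an existing Exchange Online session and the same constructed domain `example-berlin.de`.

```powershell
# Added example: Safe Links policy for email, Teams and Office apps with click-through disabled.
$domain = "example-berlin.de"   # assumption: the tenant's accepted domain

$safeLinks = @{
    Name                     = "SMB Safe Links"
    EnableSafeLinksForEmail  = $true    # rewrite URLs in email and check them at click time
    EnableSafeLinksForTeams  = $true    # same for links posted in Teams
    EnableSafeLinksForOffice = $true    # and for links opened from Office apps
    EnableForInternalSenders = $true    # internal mail too: a compromised colleague sends phish
    ScanUrls                 = $true    # real-time scanning of suspicious links and links to files
    DeliverMessageAfterScan  = $true    # hold delivery until the URL scan completes
    AllowClickThrough        = $false   # no "continue anyway" button on the warning page
    TrackClicks              = $true    # keep click telemetry for incident investigation
    DisableUrlRewrite        = $false   # keep rewriting so every click routes through the check
}
New-SafeLinksPolicy @safeLinks

New-SafeLinksRule -Name "SMB Safe Links - all recipients" `
    -SafeLinksPolicy "SMB Safe Links" `
    -RecipientDomainIs $domain `
    -Priority 0

# Guard against exclusion creep: the per-policy "do not rewrite" list should stay empty.
$exclusions = (Get-SafeLinksPolicy -Identity "SMB Safe Links").DoNotRewriteUrls
if ($exclusions) {
    Write-Warning "Safe Links exclusions present, each one is an unscanned path: $($exclusions -join ', ')"
} else {
    Write-Output "No Safe Links exclusions configured."
}
```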
Anti-Phishing Policy (Impersonation Protection)
MDO’s anti-phishing extends beyond signature-matching to detect impersonation attacks:
- User impersonation: An email appearing to be from your CEO (typosquatting the domain or spoofing the display name) is caught even if the sender domain is different
- Domain impersonation: Domains that look similar to yours (itexperts-berlin.de vs itexperts-ber1in.de) are flagged
- Mailbox intelligence: ML models learn each user’s typical communication graph; an email that mimics a known contact but comes from an unusual source is flagged
Configuration: Add your executives and high-value targets (CEO, CFO, HR lead) to the user impersonation protection list, and add your primary domains and any similar-looking domains you own to the domain impersonation list. Set the action to “Move to Junk” for suspected impersonation (rather than quarantine) to reduce false-positive impact on legitimate email.
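The configuration described above as an anti-phishing policy. Added example, not from the original article; the executive names, the domain `example-berlin.de` and the owned look-alike `example-ber1in.de` are constructed placeholders. Protected users are given in the `DisplayName;address` form the cmdlet expects, and every impersonation verdict uses `MoveToJmf` (Move to Junk) rather than quarantine, as the text recommends.

```powershell
# Added example: impersonation protection for executives and owned domains, Move-to-Junk actions.
$domain = "example-berlin.de"   # assumption: tenant's accepted domain (covered by org-domain protection)

# Constructed high-value targets: "Display Name;smtp address" per entry.
$execs = @(
    "Anna Beispiel;anna.beispiel@example-berlin.de",   # CEO
    "Jonas Muster;jonas.muster@example-berlin.de",     # CFO
    "Lea Probe;lea.probe@example-berlin.de"            # HR lead
)

$antiPhish = @{
    Name                                = "SMB Anti-Phishing"
    Enabled                             = $true
    # User impersonation: display-name and look-alike address matches for the listed people
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $execs
    TargetedUserProtectionAction        = "MoveToJmf"
    # Domain impersonation: all accepted domains plus owned look-alikes
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @("example-ber1in.de")   # constructed owned look-alike
    TargetedDomainProtectionAction      = "MoveToJmf"
    # Mailbox intelligence: per-user contact graph, with enforcement (not just safety tips)
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = "MoveToJmf"
    # Safety tips shown to users on suspicious matches
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableFirstContactSafetyTips        = $true
    # Spoof intelligence and failed-authentication handling
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = "MoveToJmf"
    PhishThresholdLevel                 = 2   # 1 = Standard, 2 = Aggressive
}
New-AntiPhishPolicy @antiPhish

New-AntiPhishRule -Name "SMB Anti-Phishing - all recipients" `
    -AntiPhishPolicy "SMB Anti-Phishing" `
    -RecipientDomainIs $domain `
    -Priority 0

# Review what is protected and which action applies.
Get-AntiPhishPolicy -Identity "SMB Anti-Phishing" |
    Format-List TargetedUsersToProtect, TargetedDomainsToProtect, TargetedUserProtectionAction,
                TargetedDomainProtectionAction, MailboxIntelligenceProtectionAction
```

Watch the junk folder for a couple of weeks after enabling: legitimate external senders who share a display name with an executive (a common German first-name/surname combination, for instance) will land there, and those senders belong on the policy’s trusted-senders exception rather than on a Safe Links exclusion.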
Threat Explorer (Real-Time Detections)
Under the Microsoft 365 Defender portal → Email & collaboration → Explorer (or Real-time detections for Plan 1), you can investigate:
- Which emails were delivered vs. quarantined vs. blocked in the last 30 days
- Specific URL clicks by user and time
- Attachment detonation results
- The full message trace for a specific email including all applied detections
When a user reports a suspicious email, Threat Explorer is the starting point: look up the sender domain, check if similar emails were sent to others in the organization, and determine whether the URL or attachment was flagged by Safe Attachments/Links or only caught after click.
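The first-pass triage described above, scripted against the same data Threat Explorer / Real-time detections shows. Added example, not from the original article; the reported sender address is a constructed placeholder and an Exchange Online session is assumed. Note that `Get-MessageTrace` only covers the last 10 days, so the 30-day view belongs in the portal.

```powershell
# Added example: scope a user-reported email across the organisation from PowerShell.
$reportedSender = "invoice@example-ber1in.de"   # assumption: sender taken from the user's report
$end   = Get-Date
$start = $end.AddDays(-10)                      # Get-MessageTrace window is limited to 10 days

# 1. Who else received mail from this sender, and what happened to each message?
$trace = Get-MessageTrace -SenderAddress $reportedSender -StartDate $start -EndDate $end
$trace | Group-Object Status | Select-Object Name, Count                       # Delivered vs Quarantined vs Failed
$trace | Select-Object Received, RecipientAddress, Subject, Status | Sort-Object Received

# 2. Which of those messages were quarantined, and under which verdict (Phish, Malware, ...)?
Get-QuarantineMessage -SenderAddress $reportedSender -StartReceivedDate $start -EndReceivedDate $end |
    Select-Object ReceivedTime, RecipientAddress, Subject, Type, Released, Expires

# 3. For a delivered copy, pull the per-hop detail: which filters fired and which rules applied.
$delivered = $trace | Where-Object Status -eq "Delivered" | Select-Object -First 1
if ($delivered) {
    Get-MessageTraceDetail -MessageTraceId $delivered.MessageTraceId `
                           -RecipientAddress $delivered.RecipientAddress |
        Select-Object Date, Event, Action, Detail
} else {
    Write-Output "No delivered copies in the window: the filters held the whole campaign."
}
```

If step 1 shows delivered copies to several recipients, the next question is whether anyone clicked: the Safe Links click data the policy’s `TrackClicks` setting retains is surfaced under URL clicks in Explorer, which is why that setting is worth enabling before an incident rather than during one.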
Preset Security Policies
For SMBs that want to skip manual policy tuning, Microsoft provides two preset security policies that apply Microsoft-recommended settings automatically: Standard Protection and Strict Protection. These are accessible under Threat Policies → Preset security policies and apply consistent settings across EOP + MDO.
Standard Protection is the appropriate starting point for most Berlin SMBs. Apply it to all users as a baseline, then layer custom policies on top for specific groups (e.g., Strict Protection for executives).
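The layering just described, done with the preset policies’ rule objects. Added example, not from the original article; it assumes an Exchange Online session, the constructed domain `example-berlin.de` and a constructed mail-enabled security group `sg-executives@example-berlin.de`. Each preset consists of an EOP rule and a Defender for Office 365 rule, and both halves must be scoped and enabled.

```powershell
# Added example: Standard preset for everyone, Strict preset for the executives group.
$domain  = "example-berlin.de"                  # assumption: tenant's accepted domain
$execGrp = "sg-executives@example-berlin.de"    # assumption: mail-enabled security group

# The preset rules exist once the presets have been touched in the portal; if Get-*ProtectionPolicyRule
# returns nothing, turn the preset on in the portal once, then come back to scope it here.
foreach ($preset in @("Standard Preset Security Policy", "Strict Preset Security Policy")) {
    if (-not (Get-EOPProtectionPolicyRule -Identity $preset -ErrorAction SilentlyContinue)) {
        throw "Rule '$preset' not found; enable the preset once in the Defender portal first."
    }
}

# Baseline: Standard Protection for all recipients in the accepted domain.
Set-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" -RecipientDomainIs $domain
Set-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" -RecipientDomainIs $domain
Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"

# Layer: Strict Protection for members of the executives group.
Set-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" -SentToMemberOf $execGrp
Set-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" -SentToMemberOf $execGrp
Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"
Enable-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"

# Strict has priority 0 and Standard priority 1, so group members get Strict and everyone else Standard.
Get-EOPProtectionPolicyRule | Format-Table Name, State, Priority, RecipientDomainIs, SentToMemberOf
Get-ATPProtectionPolicyRule | Format-Table Name, State, Priority, RecipientDomainIs, SentToMemberOf
```

Preset policies always win over custom policies of the same type for the recipients they cover, so the custom Safe Attachments, Safe Links and anti-phishing policies from the earlier sections only apply to recipients the presets leave out. Pick one approach per recipient group rather than expecting a custom policy to tighten a preset.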
Defender for Office 365 does not eliminate the need for security awareness training — it reduces the blast radius when a user does click something malicious. The combination of MDO filtering, Entra ID Protection for risk-based access, and Conditional Access gives Berlin SMBs a layered email security posture that matches what much larger organizations deploy.
