You can secure your Microsoft 365 tenant with the following Microsoft Defender security policies: i) Built-in Protection, ii) Standard Preset Security, and iii) Strict Preset Security, as discussed in the Microsoft Preset Security Policy article. Now, let's understand the differences between these policies so that you can choose the one that fits your organization best.
Built-in protection covers almost the same ground as the Standard and Strict presets for the Safe Attachments and Safe Links policies, with the exceptions listed below.
| Setting | Built-in protection | Standard and Strict protection |
| --- | --- | --- |
| Safe Attachments policy | No difference | No difference |
| Safe Links policy | | |
| Let users click through to the original URL | Selected | Not selected |
| Do not rewrite URLs | Selected | Not selected |
| Apply Safe Links to internal email | Not Selected | Selected |
The built-in protection policy leaves your Microsoft 365 tenant more exposed to security threats because of the Safe Links controls it leaves turned on or off, as shown in the table above.
The built-in protection:
These are some of the reasons why built-in protection preset policy alone isn’t sufficient for your tenant’s security.
The Strict security policy is more aggressive than the Standard security policy in dealing with security threats (which may also mean more false positives in some cases). The major difference between the two lies in how their anti-spam and anti-phishing policies handle detections, as shown in the table below.
| Setting | Standard Policy | Strict Policy |
| --- | --- | --- |
| Safe Attachments policy | No difference | No difference |
| Safe Links policy | No difference | No difference |
| Anti-spam policy | | |
| Spam mail | Move to junk email folder | Quarantine email for admin review |
| Bulk spam email threshold | 6 | 5 |
| Bulk spam action | Move to junk email folder | Quarantine email for admin review |
| Anti-phishing policy | | |
| Phishing email threshold | 3 | 4 |
| Show first contact safety tip | Selected | Not selected |
| If mailbox intelligence detects an impersonated user | Move mail to junk email folder | Quarantine email for admin review |
| If spoof intelligence detects a spoof message | Move mail to junk email folder | Quarantine email for admin review |
The Strict security policy has less tolerant anti-spam and anti-phishing policies, which quarantine suspicious mail. Once a mail is quarantined, the security administrators review it and decide whether or not it can be released to the intended recipient. [More on where you can access quarantined mail below.]
A brief explanation of the security terminology used in the table above:
To know more about the differences between the built-in, standard, and strict security policies, read this Microsoft 365 security doc: Preset security policies | Microsoft Learn
You can perform a simple spam email test to understand how the Standard and Strict security policies work. Once a mail is deemed spam, the Standard security policy sends it to the user's junk folder, while the Strict security policy quarantines it for admin review.
The mail should contain the following string (with no whitespace in it) in the message body: XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X, as shown in Figure 1. Send the spam mail from an external mail account (such as Gmail) to two users in your Microsoft 365 tenant; ensure one is governed by the Standard security policy and the other by the Strict security policy.
Note: If copying/pasting the above string doesn't work, get it directly from here: SpamAssassin: The GTUBE (apache.org). SpamAssassin's GTUBE is a simple way to simulate spam mail so that you can test your email security. As the SpamAssassin site suggests, the spam filter in the Standard and Strict preset security policies recognizes the string pattern as spam and acts on the mail according to their security controls.
The Microsoft 365 user governed by the Standard security policy receives the mail in the junk folder, as shown in Figure 2. Once the Standard security policy recognizes the mail as spam, it junks the mail so that the user is not disturbed by it.
The Microsoft 365 user governed by the Strict security policy does not receive the mail. Once the Strict security policy recognizes the mail as spam, it quarantines the mail for admin review, as shown in Figure 3.
After reviewing the mail, the administrator can choose to release it to the recipient or block the sender, as indicated in Figure 4.
Note: You should visit Email & collaboration >> Review page >> Select Quarantine section in the Microsoft Defender portal to access and review the quarantined messages as shown in Figure 5.
The Spam Confidence Level (SCL) score is what lets both the Standard and the Strict security policy decide whether an incoming mail is spam and trigger their respective actions. You can check the spam confidence level your test mail was assigned by having its header analyzed by Microsoft's Message Header Analyzer (mha.azurewebsites.net), as shown in Figure 6.
A spam confidence level between 5-6 is what is needed to trigger:
To know more about the spam confidence level, refer to this Microsoft 365 security doc: Spam confidence level | Microsoft Learn
Select the quarantined mail and choose the View message headers option from the mail details flyout that opens, as shown in Figure 7. Then click the Copy message header button to copy the message header from the Message header section, as shown in Figure 8.
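The header you copy above carries the filtering verdict in the X-Forefront-Antispam-Report header (SCL, BCL, SFV and CAT fields are what the Message Header Analyzer surfaces). The following added example, which is not part of this article, parses that header from a constructed sample and maps the SCL and bulk (BCL) values onto the actions in the Standard vs. Strict comparison table above; the sample header values and the dict names are assumptions made for the example.

```python
from email import message_from_string, policy

# Actions per preset, taken from this article's Standard vs. Strict table.
PRESETS = {
    "Standard": {"bulk_threshold": 6, "spam_action": "Move to junk email folder",
                 "bulk_action": "Move to junk email folder"},
    "Strict":   {"bulk_threshold": 5, "spam_action": "Quarantine email for admin review",
                 "bulk_action": "Quarantine email for admin review"},
}

# Constructed sample headers (not real captures), modelled on what a GTUBE test
# mail and a bulk-sender mail look like after Exchange Online Protection scans them.
SAMPLE_SPAM = """\
From: tester@example.test
To: user@contoso.example
Subject: GTUBE test
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:XX;LANG:en;SCL:6;SRV:;IPV:NLI;SFV:SPM;H:mail.example.test;PTR:;CAT:SPM;DIR:INB;
"""
SAMPLE_BULK = """\
From: newsletter@example.test
To: user@contoso.example
Subject: Weekly offers
X-Forefront-Antispam-Report: CIP:203.0.113.20;CTRY:XX;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;BCL:5;H:news.example.test;PTR:;CAT:NONE;DIR:INB;
"""


def parse_antispam_report(raw_headers: str) -> dict:
    """Return the key:value fields of X-Forefront-Antispam-Report as a dict."""
    msg = message_from_string(raw_headers, policy=policy.default)
    report = msg.get("X-Forefront-Antispam-Report", "")
    fields = {}
    for part in report.split(";"):
        key, sep, value = part.partition(":")  # values like CIP:203.0.113.10 contain no ';'
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def preset_verdict(fields: dict, preset: str) -> str:
    """Map the SCL/BCL in the report onto the action the named preset would take."""
    cfg = PRESETS[preset]
    scl = int(fields.get("SCL", "-1"))   # -1 means filtering was bypassed
    bcl = int(fields.get("BCL", "0"))    # bulk complaint level, 0 when absent
    if 5 <= scl <= 6:                    # SCL 5-6 is the spam verdict discussed above
        return cfg["spam_action"]
    if scl >= 7:                         # high-confidence spam: not covered by the table
        return "High confidence spam (action not in this comparison table)"
    if bcl >= cfg["bulk_threshold"]:     # at or above the preset's bulk threshold
        return cfg["bulk_action"]
    return "Deliver to inbox"


def compare_presets(raw_headers: str) -> dict:
    """Verdict of each preset for one message header block."""
    fields = parse_antispam_report(raw_headers)
    return {name: preset_verdict(fields, name) for name in PRESETS}
```

Running compare_presets on SAMPLE_BULK shows the one-point difference in the bulk threshold: Standard delivers a BCL 5 mail while Strict quarantines it.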
Now that you know the differences between the Standard and Strict preset security policies and have carried out a simple spam email test to see how they work, the next article focuses on how Microsoft Defender's built-in attack simulations help you spread security awareness among your users.
It is best to read the articles in the order they are written. And since Microsoft 365 security is a vast topic, remember to watch out for this corner for new articles every week.