Differences Between Built-in, Standard, and Strict Preset Security Policy

You can secure your Microsoft 365 tenant using the following Microsoft Defender security policies: i) Built-in Protection, ii) Standard Preset Security, and iii) Strict Preset Security as discussed in the Microsoft Preset Security Policy article. Now, let’s understand the differences between these policies so that you can choose the one that fits your organization the best.

Built-in Protection vs. Standard/Strict Preset Security Policy

Built-in protection matches the Standard and Strict presets for Safe Attachments and for most of the Safe Links policy; the exceptions are listed below.

Setting                                        | Built-in protection | Standard and Strict protection
Safe Attachments policy                        | No difference       | No difference
Safe Links policy:
  Let users click through to the original URL | Selected            | Not selected
  Do not rewrite URLs                          | Selected            | Not selected
  Apply Safe Links to internal email           | Not selected        | Selected

The built-in protection policy leaves your Microsoft 365 tenant more exposed to security threats because of the three Safe Links controls that are turned on or off as shown in the table above.

The built-in protection:

  • Lets users click through to the original URL: With the Safe Links policy you can prevent users from clicking through to the original URL once a potentially malicious link is detected, by turning off the ‘Let users click through to the original URL’ security control. The built-in protection has this turned on, exposing your users to cyber threats.
  • Does not rewrite potentially malicious URLs: Rewritten (wrapped) URLs direct your users through an intermediary endpoint before they reach the original destination, so the link can be checked and users kept away from malicious websites. To rewrite URLs, the ‘Do not rewrite URLs’ security control should be turned off. The built-in protection has this turned on, exposing your users to cyber threats.
  • Does not apply Safe Links to messages sent within the organization: The Safe Links policy can also be applied to internal mail, which protects employees from malicious links that arrive from inside the organization, for example from a compromised or impersonated account. To apply Safe Links to internal mail, the ‘Apply Safe Links to email messages sent within the organization’ security control should be left turned on. The built-in protection has this turned off.

These are some of the reasons why built-in protection preset policy alone isn’t sufficient for your tenant’s security.

Standard vs. Strict Preset Security Policy

The strict security policy is more aggressive than the standard security policy when it comes to dealing with security threats (but this may also mean unnecessary false positives in some cases). The major difference between the two is in the way they handle anti-spam and anti-phishing policies as shown in the table below.

Setting                                                | Standard policy                | Strict policy
Safe Attachments policy                                | No difference                  | No difference
Safe Links policy                                      | No difference                  | No difference
Anti-spam policy:
  Spam mail                                            | Move to junk email folder      | Quarantine email for admin review
  Bulk spam email threshold                            | 6                              | 5
  Bulk spam action                                     | Move to junk email folder      | Quarantine email for admin review
Anti-phishing policy:
  Phishing email threshold                             | 3                              | 4
  Show first contact safety tip                        | Selected                       | Not selected
  If mailbox intelligence detects an impersonated user | Move mail to junk email folder | Quarantine email for admin review
  If spoof intelligence detects a spoof message        | Move mail to junk email folder | Quarantine email for admin review

The Strict security policy has less tolerant anti-spam and anti-phishing policies, which quarantine suspicious mail instead of delivering it to the junk folder. Once a mail is quarantined, a security administrator reviews it and decides whether it is released to the intended recipient. [More on where you can access the quarantined mails below.]

A brief explanation of the security terminology used in the table above:

  • Bulk spam email threshold: the bulk complaint level (BCL) at or above which a message is treated as bulk spam (6 for the Standard policy and 5 for the Strict policy); the lower the threshold, the less tolerant the policy.
  • Phishing email threshold: the level (3 for the Standard policy and 4 for the Strict policy) at which machine-learning models label a message as phishing; the Strict policy uses the higher, more aggressive level.
  • Mailbox intelligence: a feature of the anti-phishing policy that you can enable to learn users’ email patterns and identify potential impersonation attempts.

To know more about the differences between the built-in, standard, and strict security policies, read this Microsoft 365 security doc: Preset security policies | Microsoft Learn

Basic Spam Email Test for Checking How Standard and Strict Security Policies Work

You can perform a simple spam email test to understand how the Standard and Strict Security Policies work. Once a mail is deemed as spam, the standard security policy sends it to the user’s junk folder; while the strict security policy quarantines it for admin review.

Creating the spam mail

The mail should contain the following string (without any whitespaces in-between) in the message body: XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X as shown in Figure 1. Send the spam mail from an external mail account (like Gmail) to two users in your Microsoft 365 tenant; ensure one is governed by standard security policy and the other by strict security policy.

Note: If copying/pasting the above string doesn’t work, get it directly from here: SpamAssassin: The GTUBE (apache.org). GTUBE (Generic Test for Unsolicited Bulk Email) is a test string published by the Apache SpamAssassin project so that you can test your email security without sending real spam. As the project explains on its website, spam filters, including the one behind the Standard and Strict preset security policies, recognize the string as spam and act on the mail according to their security controls.

Figure 1: Sending spam string in mail

Testing the result for user governed by the standard security policy

The Microsoft 365 user governed by the standard security policy receives the mail in the junk folder as shown in Figure 2. Once the standard security policy recognizes the mail as spam, it junks the mail so that the user is not disturbed by it.

Figure 2: Standard Security Policy Junks the Spam Mail

Testing the result for user governed by the strict security policy

The Microsoft 365 user governed by the strict security policy does not receive the mail. Once the strict security policy recognizes the mail as spam, it quarantines the mail for admin review as shown in Figure 3.

Figure 3: Strict Security Policy Quarantines the Spam Mail for Admin Review

The administrator, after reviewing the mail, can choose to release the mail to the recipient or block the sender as indicated in Figure 4.

Figure 4: Quarantined mail can be released to the recipient or blocked

Note: Go to Email & collaboration > Review > Quarantine in the Microsoft Defender portal to access and review the quarantined messages as shown in Figure 5.

Figure 5: Quarantined emails can be accessed from the Quarantine section of the Review page

Further analysis of the mail header

The Spam Confidence Level (SCL) score is what both the standard and the strict security policy use to decide whether an incoming mail is spam and to trigger their respective actions. You can see the SCL assigned to your test mail by analyzing its header with Microsoft’s Message Header Analyzer (mha.azurewebsites.net) as shown in Figure 6.

Figure 6: Analysing email message header using Microsoft Message Header Analyzer

A spam confidence level of 5 or 6 is what triggers:

  • the Standard Preset Security policy to junk spam mail and
  • the Strict Preset Security policy to quarantine the spam mail

To know more about spam confidence level, refer to this Microsoft 365 security docs link: Spam confidence level | Microsoft Learn

How to get the message header so that it can be analyzed?

Select the quarantined mail and select the View message headers option from the mail details flyout that opens up as shown in Figure 7. Then click the Copy message header button to copy the message header from the Message header section as shown in Figure 8.

Figure 7: Viewing the message header of the quarantined mail
Figure 8: Copying the message header of the quarantined mail
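As an added example (not from the article), the Python helper below takes a header copied as described above, pulls the SCL out of the X-Forefront-Antispam-Report field, and maps it to the action each preset takes according to the table in this article. The sample header is constructed, and the high-confidence spam band (SCL 7-9), which the article does not cover, is reported as a separate anti-spam policy setting.

```python
import re
from email import message_from_string
from email.policy import default
from typing import Optional

# Constructed sample (not a captured header): the fields EOP stamps on inbound
# mail, as copied from the quarantine flyout. The antispam report is folded
# over two lines on purpose, since copied headers usually are.
SAMPLE_HEADER = """\
From: tester@example.com
To: user@contoso.example
Subject: GTUBE test
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:6;SRV:;IPV:NLI;
 SFV:SPM;H:mail.example.com;PTR:mail.example.com;CAT:SPM;DIR:INB;
X-MS-Exchange-Organization-SCL: 6
"""

# Spam action per preset, from the anti-spam row of the table above.
SPAM_ACTION = {
    "standard": "Move to junk email folder",
    "strict": "Quarantine email for admin review",
}

def extract_scl(raw_header: str) -> Optional[int]:
    """SCL from X-Forefront-Antispam-Report, else from
    X-MS-Exchange-Organization-SCL; None if neither is present."""
    msg = message_from_string(raw_header, policy=default)  # unfolds headers
    match = re.search(r"(?:^|;)\s*SCL:(-?\d+)",
                      msg.get("X-Forefront-Antispam-Report", ""))
    if match:
        return int(match.group(1))
    org = msg.get("X-MS-Exchange-Organization-SCL", "").strip()
    return int(org) if re.fullmatch(r"-?\d+", org) else None

def preset_action(scl: int, preset: str) -> str:
    """Action the named preset takes for an SCL: -1 bypassed, 0-4 delivered,
    5-6 the spam band the article describes, 7-9 high-confidence spam."""
    if preset not in SPAM_ACTION:
        raise ValueError(f"unknown preset: {preset}")
    if scl <= 4:
        return "Deliver to inbox" + (" (filtering bypassed)" if scl == -1 else "")
    if scl <= 6:
        return SPAM_ACTION[preset]
    return "High confidence spam (separate anti-spam policy action)"

def expected_outcome(raw_header: str, preset: str) -> str:
    """One-line verdict for a copied header under the given preset."""
    scl = extract_scl(raw_header)
    if scl is None:
        return "No EOP antispam report found in header"
    return f"SCL {scl}: {preset_action(scl, preset)}"
```

Paste the header copied from the quarantine flyout into SAMPLE_HEADER (or pass it as the raw_header argument) and call expected_outcome for "standard" and "strict" to compare the two verdicts.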

What's Next?

Now that you know the differences between the Standard and Strict preset security policies and have carried out a simple spam email test to check how they work, the next article focuses on how Microsoft Defender’s built-in attack simulation training helps you spread security awareness among your users.

How to use this guide?

It is best to read the articles in the order they are written. And since Microsoft 365 security is a vast topic, remember to watch out for this corner for new articles every week.
