Microsoft Defender for Office 365: Baseline Configuration for SMB Security

Email is still the front door for most small and mid-sized organizations, and it is also where credential theft, business email compromise (BEC), and ransomware delivery attempts tend to show up first. Microsoft Defender for Office 365 can blunt a lot of that risk quickly, but only if the baseline is set correctly and applied consistently across mailboxes, Teams, and files.

For Sacramento area SMBs, that baseline matters even more when operations include regulated data, vendor billing portals, or healthcare workflows tied to an EMR. A single successful phish can turn into lateral movement, fraudulent ACH changes, or unauthorized access to patient information.

Start with the right “baseline” mindset

A good baseline configuration has three traits:

  • It applies to everyone by default, including shared mailboxes and new hires.
  • It quarantines risky content instead of hoping users recognize danger in Junk Email.
  • It produces usable alerts and audit trails, so someone can verify what happened and when.

In practice, the fastest path is usually to start with Microsoft’s built-in protection presets (Standard or Strict) and then tighten the few settings that SMBs commonly leave too permissive.

Licensing and prerequisites that change what you can enforce

Before tuning policies, confirm what you actually own. Many organizations assume they have Defender for Office 365 features because they see Exchange Online Protection (EOP) settings in the portal. EOP is the baseline mail hygiene layer. Defender for Office 365 Plan 1 (often included with Microsoft 365 Business Premium) adds key protections like Safe Links and Safe Attachments.

At a minimum, plan for:

  • Defender for Office 365 Plan 1 features (Safe Links, Safe Attachments, impersonation protections)
  • A sign-in control baseline with Security Defaults or Conditional Access that requires MFA for every user
  • Dedicated admin accounts that are not used for daily email and web browsing

That MFA piece is not “email security,” yet it is one of the most effective controls against phish-based account takeover. If a user gives up a password, MFA and risk-based sign-in controls can still stop the login.

Use Microsoft’s presets, then verify scope and exceptions

Microsoft’s Standard and Strict presets exist for a reason. They apply a broad set of recommended controls across anti-spam, anti-phishing, and anti-malware, with far less guesswork.

After enabling a preset, the most important work is verification:

  • Are all accepted domains covered?
  • Are all users included, including shared mailboxes and service accounts that receive mail?
  • Are there legacy bypass rules, third-party filters, or “allow lists” that silently defeat the preset?

A small number of exceptions is normal. A long list of exceptions is usually a sign of underlying mail flow problems (bad SPF/DKIM, broken relay configuration, or vendors sending on your behalf without proper alignment).
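The verification steps above, as an added Exchange Online PowerShell example that is not part of the original post: it lists how the Standard/Strict preset rules are scoped, flags accepted domains the presets do not cover, and enumerates the allow lists and SCL -1 mail flow rules that silently bypass them. It assumes the ExchangeOnlineManagement module and an account with the Security Administrator role; admin@contoso.com is a placeholder.

```powershell
# Added example, not from the original post. Placeholder account below.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$accepted = (Get-AcceptedDomain).DomainName

# Preset policies are applied through these rules: EOP* covers anti-spam/anti-phish/
# anti-malware, ATP* covers Safe Links/Safe Attachments.
$rules   = @(Get-EOPProtectionPolicyRule) + @(Get-ATPProtectionPolicyRule)
$enabled = $rules | Where-Object { $_.State -eq 'Enabled' }
if (-not $enabled) { Write-Warning 'No enabled Standard/Strict preset rule found.' }

foreach ($rule in $enabled) {
    $scoped = $rule.RecipientDomainIs -or $rule.SentTo -or $rule.SentToMemberOf
    $scope  = if ($scoped) { "domains=$($rule.RecipientDomainIs -join ','); users=$($rule.SentTo -join ','); groups=$($rule.SentToMemberOf -join ',')" } else { 'all recipients' }
    "$($rule.Name): $scope"
    if ($rule.ExceptIfRecipientDomainIs -or $rule.ExceptIfSentTo -or $rule.ExceptIfSentToMemberOf) {
        Write-Warning "$($rule.Name) has exceptions; confirm none of them are shared mailboxes or service accounts that receive mail."
    }
}

# A domain is covered if some enabled rule applies to all recipients or names it.
# Rules scoped by user or group rather than domain need a manual membership check.
$appliesToAll = [bool]($enabled | Where-Object { -not ($_.RecipientDomainIs -or $_.SentTo -or $_.SentToMemberOf) })
if (-not $appliesToAll) {
    $covered = $enabled | ForEach-Object { $_.RecipientDomainIs }
    $accepted | Where-Object { $_ -notin $covered } |
        ForEach-Object { Write-Warning "Accepted domain not named by any enabled preset rule: $_" }
}

# Bypass 1: allowed senders/domains inside anti-spam policies skip spam filtering.
Get-HostedContentFilterPolicy | Where-Object { $_.AllowedSenderDomains -or $_.AllowedSenders } |
    ForEach-Object { Write-Warning "Anti-spam policy '$($_.Name)' allow list: domains=$($_.AllowedSenderDomains -join ','); senders=$($_.AllowedSenders -join ',')" }

# Bypass 2: mail flow rules that set SCL to -1 (the classic "fix" for a vendor's delivery problem).
Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } |
    ForEach-Object { Write-Warning "Mail flow rule bypasses spam filtering: '$($_.Name)' (State=$($_.State))" }

# Bypass 3: tenant allow list entries override verdicts for specific senders and URLs.
foreach ($type in 'Sender', 'Url') {
    Get-TenantAllowBlockListItems -ListType $type -Allow |
        ForEach-Object { "Tenant allow ($type): $($_.Value) expires $($_.ExpirationDate)" }
}
```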

Baseline policy targets that work well for SMBs

The table below summarizes a practical baseline that fits most SMB environments, including healthcare clinics, professional services, and multi-site organizations around Sacramento and Elk Grove.

| Area | Baseline setting to target | Why it matters for SMBs |
| --- | --- | --- |
| MFA and identity | Security Defaults or Conditional Access with MFA for all users and admins | Stops most password-only takeovers tied to phishing |
| Anti-spam | Quarantine high and medium confidence spam, lower Bulk Complaint Level threshold (often 5 to 6) | Keeps risky mail out of inboxes and reduces “junk-folder phish” |
| Anti-phishing | Higher phish threshold (Standard 3, Strict 4), enable mailbox intelligence | Cuts down credential phish and lookalike sender attacks |
| Impersonation | Turn on targeted user and targeted domain protection, quarantine on detection | BEC attacks often target executives, billing, and HR |
| Safe Links | Enable for email, Teams, and Office apps; real-time scanning; no click-through | Protects users even when they click |
| Safe Attachments | Enable for Exchange plus SharePoint, OneDrive, and Teams; block unknown malware | Sandboxes attachments before delivery and blocks ransomware droppers |
| Quarantine access | Admin-only release for malware and high confidence threats | Prevents users from releasing dangerous items under pressure |
| Visibility | Alert subscriptions, incident queue review, audit logging | Makes response repeatable and defensible |

Anti-spam and quarantine: get aggressive, but keep it manageable

SMBs often leave spam actions set to “Move to Junk,” which trains users to rummage through the Junk folder. That is a predictable failure point.

A cleaner baseline is to quarantine higher risk classes and let low confidence spam behave normally until you see real-world volume. Also review bulk mail handling. Bulk messages are not always malicious, but they are a common wrapper for credential harvest pages and drive-by downloads.

After you set quarantine actions, make quarantine access policy decisions early. If users can self-release everything, a good chunk of the protection disappears. Many organizations do best with admin-only release for malware and high confidence phish, and limited self-service for low risk spam, paired with clear internal guidance.

A practical “first pass” tuning set many SMBs use looks like this:

  • High confidence spam: Quarantine
  • Medium confidence spam: Quarantine
  • Bulk mail threshold: Lower than default if bulk mail is a consistent problem
  • User education: Stop telling staff to “check your junk folder” for missed invoices
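The "first pass" tuning set and the quarantine-access decisions above, as an added Exchange Online PowerShell example (not from the original post): dangerous classes go to the built-in admin-only quarantine policy, low-risk spam goes to a custom policy that lets users preview and request release but not release. It assumes the ExchangeOnlineManagement module; the policy name "Limited Self-Release" and admin@contoso.com are chosen here.

```powershell
# Added example, not from the original post. Placeholder account below.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Quarantine policy for low-risk spam: users can preview, delete, block the sender
# and ask for a release, but cannot release the message or allow the sender.
$perm = New-QuarantinePermissions -PermissionToPreview $true -PermissionToDelete $true `
    -PermissionToRequestRelease $true -PermissionToRelease $false `
    -PermissionToAllowSender $false -PermissionToBlockSender $true `
    -PermissionToDownload $false -PermissionToViewHeader $true
if (-not (Get-QuarantinePolicy -Identity 'Limited Self-Release' -ErrorAction SilentlyContinue)) {
    # EsnEnabled sends end-user spam notifications so staff stop hunting in Junk Email.
    New-QuarantinePolicy -Name 'Limited Self-Release' -EndUserQuarantinePermissions $perm -EsnEnabled $true
}

# Default anti-spam policy: quarantine high and medium confidence spam and phish,
# lower the bulk threshold from the default 7 to BCL 6, and assign quarantine policies.
# "AdminOnlyAccessPolicy" is the built-in policy with no end-user permissions.
Set-HostedContentFilterPolicy -Identity Default `
    -HighConfidenceSpamAction Quarantine -HighConfidenceSpamQuarantineTag AdminOnlyAccessPolicy `
    -SpamAction Quarantine -SpamQuarantineTag 'Limited Self-Release' `
    -BulkSpamAction Quarantine -BulkThreshold 6 -BulkQuarantineTag 'Limited Self-Release' `
    -PhishSpamAction Quarantine -PhishQuarantineTag 'Limited Self-Release' `
    -HighConfidencePhishAction Quarantine -HighConfidencePhishQuarantineTag AdminOnlyAccessPolicy

# Malware is never user-releasable.
Set-MalwareFilterPolicy -Identity Default -QuarantineTag AdminOnlyAccessPolicy

# Read back every anti-spam policy (custom policies included) and flag any class that
# still lands in the Junk Email folder ("MoveToJmf").
Get-HostedContentFilterPolicy |
    Select-Object Name, SpamAction, HighConfidenceSpamAction, BulkSpamAction, BulkThreshold, PhishSpamAction |
    Where-Object { ($_.SpamAction, $_.HighConfidenceSpamAction, $_.BulkSpamAction, $_.PhishSpamAction) -contains 'MoveToJmf' } |
    ForEach-Object { Write-Warning "Policy '$($_.Name)' still moves a spam class to Junk Email." }
```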

Anti-phishing: prioritize BEC resistance, not just generic phish

Generic phishing is noisy. BEC is quieter and financially dangerous. Defender’s anti-phishing stack becomes much more valuable when you use impersonation features and quarantine the results.

After enabling the preset, focus on these controls:

  • Raise the phish threshold level to a more aggressive setting (commonly 3 for Standard, 4 for Strict).
  • Enable mailbox intelligence, so Defender can recognize unusual sender patterns.
  • Enable targeted user protection and targeted domain protection and actually populate the lists.

Those lists should include executives, finance, HR, and anyone who can approve payments, change vendor banking details, or release sensitive records. For healthcare, add billing contacts and people who interact with payers and labs.

Here are two policy areas that deserve special attention because they are often left too weak:

  • User impersonation action: Quarantine message, not “deliver” or “move to junk”
  • Domain impersonation action: Quarantine message with appropriate quarantine policy
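The anti-phishing controls and impersonation actions above, applied to the default policy as an added Exchange Online PowerShell example (not from the original post). It assumes the ExchangeOnlineManagement module and a Defender for Office 365 Plan 1 license; contoso.com, the protected-user list and the vendor domain are constructed placeholders.

```powershell
# Added example, not from the original post. Placeholder account below.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Who gets user impersonation protection. The cmdlet expects "Display Name;email".
# Finance, HR and billing belong here, not only executives (constructed sample list).
$protectedUsers = @(
    'Jane Doe (CEO);jane.doe@contoso.com',
    'Accounts Payable;ap@contoso.com',
    'HR Director;hr@contoso.com',
    'Patient Billing;billing@contoso.com'
)
# Domains whose lookalikes would be believable: your own plus key vendors (placeholders).
$protectedDomains = @('contoso.com', 'vendor-billing.example')

# PhishThresholdLevel 3 = "More aggressive" (Standard preset), 4 = "Most aggressive" (Strict).
# Every impersonation and spoof verdict is quarantined, admin-only release.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -PhishThresholdLevel 3 `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine `
    -MailboxIntelligenceQuarantineTag AdminOnlyAccessPolicy `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine -TargetedUserQuarantineTag AdminOnlyAccessPolicy `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect $protectedDomains `
    -TargetedDomainProtectionAction Quarantine -TargetedDomainQuarantineTag AdminOnlyAccessPolicy `
    -EnableOrganizationDomainsProtection $true `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true

# Audit every anti-phish policy (custom and preset): anything that still delivers or
# junks an impersonation hit, or has an empty target list, is the weak spot described above.
Get-AntiPhishPolicy | ForEach-Object {
    $issues = @()
    if ($_.TargetedUserProtectionAction   -ne 'Quarantine') { $issues += "user impersonation action=$($_.TargetedUserProtectionAction)" }
    if ($_.TargetedDomainProtectionAction -ne 'Quarantine') { $issues += "domain impersonation action=$($_.TargetedDomainProtectionAction)" }
    if ($_.EnableTargetedUserProtection -and -not $_.TargetedUsersToProtect) { $issues += 'targeted user list is empty' }
    if ($issues) { Write-Warning "Anti-phish policy '$($_.Name)': $($issues -join '; ')" }
}
```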

Safe Links: protect clicks across email, Teams, and Office

Safe Links should be treated as a baseline, not a premium extra. Threat actors rotate URLs constantly, and “time of click” checks help catch malicious links that were clean during initial delivery.

A solid Safe Links baseline usually includes:

  • URL rewriting enabled
  • URL scanning enabled
  • Enable for internal senders (internal account compromise is common)
  • Enable for Teams
  • Enable for Office apps
  • Click tracking enabled
  • No user click-through when Microsoft flags the URL as malicious

Those last two choices matter operationally. Tracking provides visibility during incident response. Blocking click-through reduces the chance that a rushed employee overrides the warning during a busy clinic day or end-of-month billing run.
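The Safe Links baseline above as an added Exchange Online PowerShell example (not from the original post): one policy with every listed setting, a rule scoping it to all accepted domains, and an audit of other Safe Links policies. It assumes the ExchangeOnlineManagement module; the policy name and admin@contoso.com are chosen here. Note that a Standard or Strict preset, where enabled, takes precedence over a custom policy for the recipients it covers.

```powershell
# Added example, not from the original post. Placeholder account below.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$name = 'SMB Baseline Safe Links'   # name chosen for this example
if (-not (Get-SafeLinksPolicy -Identity $name -ErrorAction SilentlyContinue)) {
    # Rewriting on (DisableUrlRewrite $false), real-time scanning on, hold the message
    # until the scan finishes, cover internal senders, Teams and Office apps, track
    # clicks, and do not let users click through a malicious verdict.
    New-SafeLinksPolicy -Name $name `
        -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
        -DisableUrlRewrite $false -ScanUrls $true -DeliverMessageAfterScan $true `
        -EnableForInternalSenders $true -TrackClicks $true -AllowClickThrough $false

    # The rule binds the policy to recipients; here, every accepted domain in the tenant.
    New-SafeLinksRule -Name $name -SafeLinksPolicy $name -Priority 0 `
        -RecipientDomainIs (Get-AcceptedDomain).DomainName
}

# Audit: any Safe Links policy that allows click-through, skips Teams/Office/internal
# mail, or does not track clicks weakens the baseline for whoever it applies to.
Get-SafeLinksPolicy | Where-Object {
    $_.AllowClickThrough -or -not $_.EnableSafeLinksForTeams -or -not $_.EnableSafeLinksForOffice -or
    -not $_.EnableForInternalSenders -or -not $_.TrackClicks -or -not $_.ScanUrls
} | ForEach-Object {
    Write-Warning ("Safe Links policy '{0}': clickThrough={1} teams={2} office={3} internal={4} track={5} scan={6}" -f
        $_.Name, $_.AllowClickThrough, $_.EnableSafeLinksForTeams, $_.EnableSafeLinksForOffice,
        $_.EnableForInternalSenders, $_.TrackClicks, $_.ScanUrls)
}
```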

Safe Attachments and ZAP: assume something will get through

Safe Attachments sandboxing is one of the most effective controls against malicious documents and weaponized PDFs. For SMBs, “monitor mode” tends to create risk without real benefit. Blocking is the safer baseline.

Also confirm that Safe Attachments is not limited to Exchange mail only. File-based collaboration is where malware likes to hide in plain sight. Enabling protection for SharePoint, OneDrive, and Teams closes that gap.

Zero-hour auto purge (ZAP) is the cleanup crew. It removes messages after delivery if Microsoft later classifies them as malicious. Keep it enabled, and make sure someone reviews what ZAP is removing so you can tune policies without losing visibility.
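The Safe Attachments, file-protection and ZAP settings above as an added PowerShell example (not from the original post). It assumes the ExchangeOnlineManagement module for the mail settings and the Microsoft.Online.SharePoint.PowerShell module for the last step; the policy name, admin@contoso.com and the contoso-admin SharePoint URL are placeholders.

```powershell
# Added example, not from the original post. Placeholder account below.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$name = 'SMB Baseline Safe Attachments'   # name chosen for this example
if (-not (Get-SafeAttachmentPolicy -Identity $name -ErrorAction SilentlyContinue)) {
    # Action Block: a message whose attachment detonates as malicious is quarantined.
    # "Allow" is monitor mode (deliver and log), which is the setting to avoid here.
    New-SafeAttachmentPolicy -Name $name -Enable $true -Action Block -Redirect $false `
        -QuarantineTag AdminOnlyAccessPolicy
    New-SafeAttachmentRule -Name $name -SafeAttachmentPolicy $name -Priority 0 `
        -RecipientDomainIs (Get-AcceptedDomain).DomainName
}

# Extend detonation beyond Exchange to files in SharePoint Online, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# ZAP: spam/phish ZAP lives on the anti-spam policy, malware ZAP on the anti-malware policy.
Set-HostedContentFilterPolicy -Identity Default -SpamZapEnabled $true -PhishZapEnabled $true
Set-MalwareFilterPolicy -Identity Default -ZapEnabled $true

# Audit: report Safe Attachments policies still disabled or in monitor mode, and any
# policy with ZAP switched off.
Get-SafeAttachmentPolicy | Where-Object { -not $_.Enable -or $_.Action -eq 'Allow' } |
    ForEach-Object { Write-Warning "Safe Attachments policy '$($_.Name)': Enable=$($_.Enable) Action=$($_.Action)" }
Get-HostedContentFilterPolicy | Where-Object { -not $_.SpamZapEnabled -or -not $_.PhishZapEnabled } |
    ForEach-Object { Write-Warning "Anti-spam policy '$($_.Name)' has ZAP disabled." }
Get-MalwareFilterPolicy | Where-Object { -not $_.ZapEnabled } |
    ForEach-Object { Write-Warning "Anti-malware policy '$($_.Name)' has ZAP disabled." }

# Files flagged in SharePoint/OneDrive should not be downloadable or syncable either.
Connect-SPOService -Url https://contoso-admin.sharepoint.com
Set-SPOTenant -DisallowInfectedFileDownload $true
```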

Domain authentication: SPF, DKIM, and DMARC should be part of the baseline

Defender policies work better when your domain is properly authenticated. Missing or misaligned SPF, DKIM, and DMARC is also one of the most common causes of false positives and broken deliverability.

A baseline approach that fits most SMBs:

  • Set SPF correctly for every service that sends mail as your domain.
  • Enable DKIM signing for each sending domain in Microsoft 365.
  • Publish a DMARC record and move toward enforcement as your sending sources are verified.

DMARC enforcement is not always day one. Many organizations start with monitoring and reporting, then progress to quarantine or reject once they have validated all legitimate senders. The key is to treat it as an IT security control, not a marketing-only DNS change.
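The three steps above as an added PowerShell example (not from the original post): enable DKIM signing in Microsoft 365 once its CNAMEs are published, then check the SPF and DMARC records as they exist in public DNS. It assumes the ExchangeOnlineManagement module and Resolve-DnsName (DnsClient module on Windows); contoso.com, admin@contoso.com and the dmarc@ reporting mailbox are placeholders.

```powershell
# Added example, not from the original post. Placeholder account and domain below.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
$domain = 'contoso.com'

# DKIM: create the signing config if needed; Microsoft 365 then tells you the two
# CNAMEs (selector1/selector2._domainkey) that must exist in DNS before enabling.
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false }
"Publish CNAME selector1._domainkey.$domain -> $($dkim.Selector1CNAME)"
"Publish CNAME selector2._domainkey.$domain -> $($dkim.Selector2CNAME)"
$sel1 = Resolve-DnsName "selector1._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue
$sel2 = Resolve-DnsName "selector2._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue
if ($sel1 -and $sel2) {
    if (-not $dkim.Enabled) { Set-DkimSigningConfig -Identity $domain -Enabled $true }
} else {
    Write-Warning "DKIM CNAMEs for $domain not resolvable yet; signing left as is (Enabled=$($dkim.Enabled))."
}

# SPF: exactly one v=spf1 record, ending in -all (or ~all while senders are still being
# validated). Two SPF records, or a missing "all" term, break authentication outright.
$spf = (Resolve-DnsName $domain -Type TXT -ErrorAction SilentlyContinue).Strings |
    Where-Object { $_ -like 'v=spf1*' }
if (@($spf).Count -ne 1) { Write-Warning "Expected one SPF record for $domain, found $(@($spf).Count)." }
elseif ($spf -notmatch '[-~]all$') { Write-Warning "SPF does not end in -all/~all: $spf" }

# DMARC: start at p=none with aggregate reports (rua), then move to quarantine and
# reject once every legitimate sender in the reports passes SPF or DKIM alignment.
$dmarc = (Resolve-DnsName "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ''
if (-not $dmarc) {
    "Publish TXT _dmarc.$domain -> v=DMARC1; p=none; rua=mailto:dmarc@$domain"
} else {
    $policy = [regex]::Match($dmarc, 'p=(\w+)').Groups[1].Value
    "Current DMARC policy for ${domain}: $policy (target: quarantine, then reject)"
}
```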

Admin roles, least privilege, and device hygiene

Email security settings are only as strong as the accounts that control them. A common SMB risk pattern is one highly privileged admin account used for everything. If it gets phished, the attacker can create allow rules, disable protections, or set up forwarding.

A safer baseline uses dedicated admin accounts, minimal global admins, and role-based access.

This is one area where a short checklist helps:

  • Global Admins: Keep to a small number, reserve for tenant-wide changes
  • Security Admin and Exchange Admin: Use for day-to-day policy and investigation work
  • Break-glass accounts: Separate, protected, monitored, not used for routine tasks
  • Admin workstation standards: Patched OS, strong endpoint protection, limited browser extensions

Alerting and operational habits that keep the baseline effective

A baseline configuration is not “set once and forget.” It needs a light operating rhythm so real threats are handled fast and false positives do not pile up.

Most SMBs do well with a simple cadence:

  • Daily review of high severity incidents and quarantine items that match active campaigns
  • Weekly review of mailflow and threat reports for trend changes
  • Monthly review of allow lists, mail flow rules, and forwarding settings
  • Quarterly review of impersonation target lists and key vendor domains
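The monthly review of forwarding settings from the cadence above, as an added Exchange Online PowerShell example (not from the original post). Mailbox-level forwarding and inbox rules that forward, redirect or delete mail are the persistence most often left behind after a successful phish, and they survive a password reset. It assumes the ExchangeOnlineManagement module; admin@contoso.com is a placeholder.

```powershell
# Added example, not from the original post. Placeholder account below.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$accepted = (Get-AcceptedDomain).DomainName
function Test-External([string]$address) {
    # True when the address is outside every accepted domain. Values that carry no
    # SMTP address (e.g. a recipient object's display name) are treated as external
    # so that they are reviewed rather than silently trusted.
    if ($address -notmatch '@([^>\]\s]+)') { return $true }
    return $Matches[1] -notin $accepted
}

# 1. Mailbox-level forwarding (set by an admin, or by whoever has taken over an admin).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        $target = if ($_.ForwardingSmtpAddress) { "$($_.ForwardingSmtpAddress)" } else { "$($_.ForwardingAddress)" }
        $flag = if (Test-External $target) { 'EXTERNAL' } else { 'internal' }
        "[$flag] mailbox forwarding: $($_.UserPrincipalName) -> $target (keep copy=$($_.DeliverToMailboxAndForward))"
    }

# 2. Inbox rules that forward, redirect or delete. Attackers use them to hide
#    replies from the real user while a payment or banking change is negotiated.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            $external = @($targets | Where-Object { Test-External "$_" }).Count -gt 0
            $flag = if ($external) { 'EXTERNAL' } else { 'review' }
            "[$flag] $($mbx.UserPrincipalName) rule '$($_.Name)': targets=$($targets -join ','); delete=$($_.DeleteMessage); enabled=$($_.Enabled)"
        }
}

# 3. Tenant-wide control: automatic external forwarding should be Off unless a
#    documented exception requires it.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
```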

After that cadence exists, you can tighten controls with less disruption because you have feedback loops and someone accountable for outcomes.

Common baseline mistakes that create avoidable risk

These issues show up often in small and mid-sized environments, including well-run organizations that just have limited time.

  • Overusing allow lists: Allowing whole domains or IP ranges to “fix” delivery problems
  • Leaving phishing in Junk: Treating high confidence phish as user training material
  • Not covering Teams and files: Protecting Exchange while leaving SharePoint and Teams open
  • User self-release for malware: Letting users override sandbox decisions
  • Weak impersonation lists: Not listing finance and operations contacts, only executives

In many Sacramento-area SMBs, a good baseline is less about buying new tools and more about removing bypasses, tightening quarantine actions, and making sure identity controls backstop email controls.

Where this fits for Sacramento SMBs and healthcare organizations

Local organizations often have practical constraints: small IT teams, a mix of managed and unmanaged devices, and vendors that still rely on emailed PDFs and portal links. Healthcare adds HIPAA-driven expectations around access controls, auditability, and timely incident response.

A Defender for Office 365 baseline can support those expectations when it is paired with strong identity security, endpoint protection, and a clear process for handling suspicious messages. Many businesses also benefit from integrating signals into a SOC-driven monitoring workflow, so email threats, sign-in risk, and endpoint alerts are reviewed together instead of in separate silos.

For organizations selecting or operating an EMR, it is worth treating email as part of the EMR security boundary. Reset links, statements, lab notifications, and vendor remittance details often arrive through email. Hardening Defender policies reduces the chance that an attacker can use email to pivot into clinical or billing systems.
