Secure by default in Office 365

Tip

Did you know you can try the features in Microsoft Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

"Secure by default" is a term used to define the default settings that are most secure as possible.

However, security needs to be balanced with productivity. This can include balancing across:

  • Usability: Settings shouldn't get in the way of user productivity.
  • Risk: Security might block important activities.
  • Legacy settings: Some configurations for older products and features might need to be maintained for business reasons, even if new, modern settings are improved.

Microsoft 365 organizations with mailboxes in Exchange Online are protected by Exchange Online Protection (EOP). This protection includes:

  • Email with suspected malware is automatically quarantined. Whether recipients are notified about quarantined malware messages is controlled by the quarantine policy and the settings in the anti-malware policy. For more information, see Configure anti-malware policies in EOP.
  • Email identified as high confidence phishing is handled according to the anti-spam policy action. See Configure anti-spam policies in EOP.

For more information about EOP, see Exchange Online Protection overview.

Because Microsoft wants to keep our customers secure by default, some tenants overrides aren't applied for malware or high confidence phishing. These overrides include:

  • Allowed sender lists or allowed domain lists (anti-spam policies)
  • Outlook Safe Senders
  • IP Allow List (connection filtering)
  • Exchange mail flow rules (also known as transport rules)

If you want to temporarily allow certain messages that are still being blocked by Microsoft, do so using admin submissions.

More information on these overrides can be found in Create safe sender lists.

Note

The Move message to Junk Email folder action for a High confidence phishing email verdict in EOP anti-spam policies has been deprecated. Anti-spam policies that use this action for high confidence phishing messages are converted to Quarantine message. The Redirect message to email address action for high confidence phishing messages is unaffected.

Secure by default isn't a setting that can be turned on or off, but is the way our filtering works out of the box to keep potentially dangerous or unwanted messages out of your mailboxes. Malware and high confidence phishing messages should be quarantined. By default, only admins can manage messages that are quarantined as malware or high confidence phishing, and they can also report false positives to Microsoft from there. For more information, see Manage quarantined messages and files as an admin in EOP.

More on why we're doing this

The spirit of being secure by default is: we're taking the same action on the message that you would take if you knew the message malicious, even when a configured exception would otherwise allow the message to be delivered. This is the same approach that we've always used on malware, and now we're extending this same behavior to high confidence phishing messages.

Our data indicates that a user is 30 times more likely to click a malicious link in messages in the Junk Email folder versus Quarantine. Our data also indicates that the false positive rate (good messages marked as bad) for high confidence phishing messages is very low, and admins can resolve any false positives with admin submissions.

We also determined that the allowed sender and allowed domain lists in anti-spam policies and Safe Senders in Outlook were too broad and were causing more harm than good.

To put it another way: as a security service, we're acting on your behalf to prevent your users from being compromised.

Exceptions

You should only consider using overrides in the following scenarios: