Skip to main content
Microsoft Security

How Office 365 protects your organization from modern phishing campaigns

This post is authored by Debraj Ghosh, Senior Product Marketing Manager, Microsoft 365 Security. 

We often allude to the benefits of having an integrated threat protection stack in Office 365. Today we wanted to take the opportunity to walk you through how the combined features and services in the Office 365 threat management stack help your organization protect, detect, and respond to a potential phishing attack. Phishing is the term for socially engineered attacks designed to harvest credentials or personally identifiable information (PII). Attackers use a variety of strategies to make the recipient believe the email is coming from a legitimate source. Phish emails often convey a sense of urgency to the recipient to take an action described in the email. We see phishing emails come in a variety of forms including:

In this post, we’ll review how Office 365 threat protection services provide holistic end-to-end protection against today’s most sophisticated phishing campaigns.

End to end security focus

The Office 365 threat protection stack combines a rich set of features designed to prevent phishing attacks, as well as capabilities offered to security teams that more effectively and efficiently enable detection and response to phishing attacks. Our services help:

  1. Protect – set up and configure Office 365’s security services to keep end users secure.
  2. Detect – determine if a threat has entered the tenant and who or what was impacted.
  3. Respond – remediate a threat or attack to return your tenant to a ‘safe, no threat’ state


Our protection investments begin with a view to eliminating attacks before they impact your organization. Office 365 offers a rich, robust, comprehensive, and multi-layered solution to address phish attacks. Figure 1 shows the Anti-Phish stack leveraged by Office 365. During the mail-flow protection stage, all emails must pass our authentication which includes explicit anti-spoof frameworks including SPF, DMARC, and DKIM. Emails must also pass implicit authentication built on additional machine learning models which determine email authenticity. Additionally, our newly launched anti-impersonation features are designed to flag highly targeted and advanced spear-phishing emails. Content in the form of attachments, links, and images are examined. Further, attachments and links are detonated and examined for malicious content. Soon we will launch internal safe links enabling protection from compromised user accounts.

Figure 1. Office 365 threat protection anti-phish stack

Office 365 threat protection also offers organizations the ability to train users to be more vigilant against the variety of threat scenarios that impact organizations. Attack Simulator is a new feature in public preview offered to Office 365 Threat Intelligence customers. One of the initial threat simulations available in Attack Simulator is a Display Name Spear Phishing Attack. Spear phishing is a subset of phishing attacks which is targeted, often aimed at a specific group, individual, or organization. These attacks are customized and tend to leverage a sender name or common domain that creates trust with the recipient. Attack Simulator harnesses signal from Office 365 Threat Intelligence which provides visibility into an organization’s most targeted and potentially most vulnerable users and enables admins to launch simulated threats targeting those very same users. This provides the most targeted users with training on how to recognize phish emails and provides admins visibility on how those users behave during an attack – enabling optimal policy updates and security protocols. Figure 2 shows an example of a simulated phish email created with Attack Simulator.

Figure 2. Example spear phishing email created with Attack Simulator

We believe customers will benefit from Attack Simulator and the ability to help train end users to spot malicious emails. One key aspect of that training is to inspect the URL behind the hyperlink. With the ‘Native Link Rendering’ feature launching later this year, end users can hover over hyperlinks in their email and view where the link is pointing to. This is useful since the actual destination of a link can provide important indicators of whether the link is trustworthy or linking to a malicious site. Figure 3 demonstrates how native link rendering allows the user to inspect a link in the body of an email.

Figure 3. Native Link Rendering


If an Office 365 Advanced Threat Protection (ATP) user does click on a malicious link, they will be protected by ATP Safe Links at the time of click. This is part of the post-delivery protection layer shown in Figure 1. Time-of-click protection offered by ATP Safe Links is important because many of today’s advanced threats leverage some form of link morphing. The email initially includes a benign link and passes through basic security filters undetected. Once past these filters, the link morphs and points to a malicious site. Therefore, time-of-click protection is essential for protecting users from these threats.

In the event an end user believes a link might be malicious, they can submit the email directly to Microsoft for analysis. Admins should enable the “Report Message” (Figure 4) add-in which end users can use to submit suspicious emails directly to Microsoft. Our 3500+ security engineering team will review the email and determine if it is actually malicious. If Microsoft classifies the email as malicious, new instances of the email are flagged and blocked across all Office 365 tenants.

Figure 4. Report Message Button

Giving end users the ability to report messages directly enables Microsoft to quickly expand its telemetry and depth of the threat landscape and broaden protection for all our customers. In fact, customers using the Exchange Online Protection (EOP) secure email gateway service, which is available with every Office 365 license, also benefit from our powerful integration and signal sharing across the Microsoft ecosystem.

Another key post-delivery anti-phishing feature is Zero-hour Auto Purge (ZAP), which moves all instances of malicious emails that Microsoft discovers to the junk mail folder – even after it has landed in a user inbox. This process happens quickly and emails that are not initially classified malicious but flagged by Office 365 ATP (or even services from our Windows platform such as Windows Defender Advanced Threat Protection) will be ‘ZAPed’ to the junk mail folder. This new threat telemetry integrates with the Microsoft Intelligent Security Graph so that future instances of the newly classified malicious email will be blocked across the entire Microsoft ecosystem. We can evolve and stay ahead of the changing threat landscape by leveraging the direct threat telemetry from end users, continuously, and rapidly enhancing our protection for all our customers.

Figure 5. EOP ZAP Protection


With the newly released real-time ATP reports, customers have visibility into all malicious emails that targeted the tenant and blocked by Office 365. Administrators that use ATP can also see all emails that have been flagged and submitted by their end users as potential threats. With the User-reported threats view (Figure 6), admins can identify the sender of the email, the number of instances of the email, and the number of users who received the email. The ability to view emails submitted by end users is an extremely valuable tool because it empowers organizations’ security teams to identify malicious emails and trigger investigations on potential threats and impacts. The combination of these reports provides administrators and security teams a comprehensive view into the breadth and depth of different phishing campaigns targeting their organization. The User-reported submissions are also sent to Microsoft for further analysis.

Figure 6. User submissions report


We have demonstrated how Office 365 protects organizations from phishing campaigns using a multi-layered approach. Office 365 Threat Intelligence completes the threat protection stack by allowing organizations to more effectively and efficiently investigate, respond to, and remediate attacks to the organization. In fact, since Microsoft IT began leveraging Office 365 Threat Intelligence average time to resolution for social engineering incidents has reduced by 80 percent, and case throughput has increased 37 percent per month. Many enterprises have security operations teams whose goal is to assess the impact of threats to an organization. Using the Threat Explorer feature in the Security and Compliance Center, security analysts and administrators can search for all instances of potentially malicious emails. Thanks to a back-end designed specifically for efficient threat investigation and remediation, malicious emails can be quickly and easily identified with Threat Explorer. As shown in Figure 7, Threat Explorer provides many filtering and search options such as ‘sender’, ‘recipient’, ‘subject’, and several more to find the malicious emails. From the User-reported threats view, admins gain visibility into the sender of the email. This is critical since emails that are part of a phishing campaign often come from a unique sender address. Threat Explorer allows admins to filter by ‘sender’ to find all emails sent from a specific email address. Once this filter has been applied, all emails sent from the unique address will be displayed in Threat Explorer. The admin can then select all the emails that need to be investigated from a specific sender from the message list at the bottom of the Threat Explorer.

Figure 7. Threat Explorer

After selecting the emails to investigate, admins can choose a variety of actions that can be taken on the messages including: ‘move to junk’, ‘move to deleted items’, ‘soft delete’, ‘hard delete’, and ‘move to inbox’ as shown in Figure 8. Analysts can easily trigger the action to purge the malicious email campaign from all mailboxes in the organization or queue the incident for a manager to approve the action.

Figure 8. Triggering an action

There are common security issues admins may need to check over time for phish or other problems. Whether just reviewing events, getting alerts, or determining threat trends and reporting, Office 365’s Threat Intelligence Threat Tracker enables ongoing supervision of your security tasks. The Tracker Saved Query feature shown in Figure 9 allows you to save frequent searches, so admins can navigate quickly to a consistent set of events in Explorer. In case you need ongoing monitoring, you can setup tracking on the queries to get trending information on phish, malware, or other security events.

Figure 9. Saving an Explorer query in Office 365 Threat Intelligence

Office 365 Threat Protection

Microsoft has heavily invested in helping secure our customers for several years. In the last few years, as the level of cybercrime has increased, we have also increased our efforts and focus on developing and continuously enhancing advanced security solutions to protect customers from a wide variety of threats and types of attack. In this phishing scenario, you see a part of this continued focus on engineering security services giving end users ultimate protection from modern threats, while giving administrators a powerful set of tools with maximum control and flexibility for their security requirements. To begin experiencing best of breed protection for all your Office 365 users, we invite you to sign up for an Office 365 E5 trial today. Make sure to provide us your feedback so we can continue delivering the features and enhancements needed to keep your organization secure.