Open in app

Sign in

Write

Sign in

Understanding Defender for Office 365 Plans — Which is Right for Your Organization?

Bart de Leeuw
6 min readApr 22, 2024

Defender for Office 365 is designed to enhance the security of email traffic and collaboration tools including Microsoft Teams and OneDrive. It offers two distinct plans: Plan 1 and Plan 2. This article explores the differences between these plans, focusing particularly on the comprehensive capabilities of Defender for Office 365 Plan 2.

Microsoft Defender for Office 365 Plan 1:

  • Anti-Phishing: Policies that raise protection against phishing e-mails.
  • Anti-Spam: Policies that raise protection against spam e-mails.
  • Anti-Malware: Policies that raise protection against malware such as the possibility of blocking specific filetypes.
  • Safe Links: Defender for Office 365 scans URLs and rewrites malicious URLs to redirect to a safe page.
  • Safe Attachments: Malicious attachments are sandboxed and analyzed by Microsoft. Attachments can only be viewed once deemed harmless.
  • Real-Time Reports: Offers reports of which malicious links or files were sent or received. Whether these links were quarantined and which users or machines were involved.
The policy settings in the security.microsoft.com > Email & collaboration > Policies & rules

Microsoft Defender for Office 365 Plan 2:

  • All features of Defender for Office 365 Plan 1.
  • Attack Simulation Training: A versatile phishing simulation tool with the possibilities of selecting different social engineering techniques, targeting specific users and assigning trainings.
  • Threat Explorer: An enhancement over Plan 1’s ‘Real-Time Reports,’ Threat Explorer offers additional critical features. Unlike the Real-Time Reports, which only track emails flagged by Microsoft as malicious, Threat Explorer extends its monitoring to all email traffic within your organization. It includes advanced analytics such as identifying if a malicious email is part of a coordinated campaign, or whether a URL within an email, Teams message, SharePoint file, or OneDrive document was accessed by a user. Additionally, Threat Explorer offers enhanced filtering and query-saving options, simplifying the investigation process. It also provides a broader range of actions that can be taken on emails, as illustrated in the screenshot below.
Defender for Office 365 Plan 1: Real-Time Reports “Message actions”
Defender for Office 365 Plan 2: Threat Explorer “Message actions”
  • Threat Tracker: This tab provides all queries that were saved in the Threat Explorer. Additionally, you can create “Tracked Queries” that can run periodically in the Explorer and results will display in the Threat Tracker. Furthermore, Trending Campaigns in the Threat Tracker will highlight new email threats received by your organization according to Microsoft.
  • Microsoft Defender XDR Integration: The specific reasons why Microsoft Defender XDR is only integrated with Plan 2 are not entirely clear, but the integration undoubtedly adds significant value. In Plan 1, alerts from Defender for Office 365 are confined to the “Email & Collaboration Alerts” tab, which offers limited investigative capabilities. In contrast, with Plan 2, these alerts are elevated to the more comprehensive “Alerts” and “Incidents” tabs, while the “Email & Collaboration Alerts” tab is eliminated. This arrangement enhances the overall functionality and allows for more detailed investigations and quicker response actions.
The “Email & collaboration alerts” tab of Plan 1
  • Advanced Hunting in Defender XDR: The integration of Defender XDR introduces the Advanced Hunting tool. This query-based feature enables users to delve into up to 30 days of raw data using the Kusto Query Language (KQL), providing a powerful means for detailed data analysis and investigation.
  • Automated Investigation & Response (AIR): AIR can be activated either directly through an alert or manually by an analyst via the Threat Explorer. This feature conducts automated investigations by compiling data associated with the alert and suggesting appropriate actions. By automating these processes, AIR significantly reduces the time and effort required from your analysts.

Business Case

Company Profile:

“SecureFinance” is a medium-sized financial services firm that deals with a lot of sensitive client information, including personal data and financial transactions. The firm is under constant threat from phishing and targeted cyber-attacks, making cybersecurity a top priority.

Scenario with Defender for Office 365 Plan 1:

SecureFinance initially subscribes to Defender for Office 365 Plan 1 to bolster their email security. This plan provides them with essential protections including anti-phishing, anti-spam, anti-malware policies, and features like Safe Links and Safe Attachments, which are crucial for safeguarding against common threats.

  • Pros: The firm benefits from the basic security layers that prevent many standard email threats. Real-Time Reports offer insights into the nature of the threats that are being automatically handled.
  • Cons: SecureFinance faces sophisticated threats that sometimes bypass these initial defenses. The limited investigative and response capabilities in Plan 1 mean they cannot delve deeply into more complex threats or analyze patterns over time.

Experience and Limitations:

While Plan 1 reduces the volume of direct threats, SecureFinance’s IT team finds it challenging to address sophisticated attacks effectively. The basic reports do not provide enough information to analyze or anticipate advanced threats, leading to a few instances where threats were detected too late.

Transition to Defender for Office 365 Plan 2:

Recognizing the need for enhanced capabilities, SecureFinance upgrades to Defender for Office 365 Plan 2. This plan includes all the features of Plan 1 and adds powerful tools such as Attack Simulation Training, Threat Explorer, Advanced Hunting with the integration of Defender XDR, and Automated Investigation & Response (AIR).

  • Pros: With Threat Explorer, the security team can now view all email traffic, not just threats flagged by Microsoft, allowing them to spot and respond to unusual patterns and potential threats proactively. Attack Simulation Training helps prepare employees for real-world phishing attempts, significantly reducing the risk of successful attacks. The integration with Microsoft Defender XDR allows the security team to manage alerts more efficiently, perform detailed investigations, and automate responses to common scenarios, which is crucial for a financial firm dealing with frequent targeted attacks.
  • Cons: Plan 2 comes at a higher subscription cost which may be a significant factor organizations with a limited budget. Additionally, a higher level of expertise and time commitment is required to analyze and manage the added features.

Business Impact:

With Plan 2, SecureFinance not only enhances its defensive capabilities but also significantly improves its ability to respond to incidents. The proactive measures reduce the number of successful breaches and help maintain client trust, a critical component of their business.

Business Conclusion:

For SecureFinance, upgrading to Defender for Office 365 Plan 2 proves essential given the complex nature of the threats they face in the financial sector. While Plan 1 offered foundational security measures suitable for general needs, Plan 2’s advanced features and proactive capabilities align better with the needs of a business handling sensitive information and facing sophisticated cyber threats.

This case highlights the importance of assessing the specific security needs and threat landscape of a business when deciding between these two plans.

Conclusion

Defender for Office 365 Plan 1 is primarily designed for Prevent & Detect capabilities, yet it lacks robust Investigate & Respond tools. In contrast, Plan 2 not only retains all the preventative features of Plan 1 but also introduces additional components such as Attack Simulation Training. However, the real value of Plan 2 lies in its comprehensive Investigate & Respond capabilities.

Both plans provide strong protections crucial for safeguarding email and collaboration tools. Defender for Office 365 Plan 1 is well-suited for organizations requiring basic security measures against common threats but may not have the resources or need for in-depth investigative tools. This makes Plan 1 a fitting choice for inclusion in Business Premium/Defender for Business licenses, targeting smaller organizations with up to 300 employees that typically possess limited investigative capabilities.

On the other hand, Defender for Office 365 Plan 2 is distinguished by its extensive approach that goes beyond mere Prevention and Detection, incorporating substantial investigation and response features. The inclusion of Attack Simulation Training, Threat Explorer, Microsoft Defender XDR Integration, Advanced Hunting, and Automated Investigation & Response (AIR) renders Plan 2 ideal for larger organizations or those seeking to enhance their security measures proactively. These advanced features not only improve the organization’s ability to respond swiftly to incidents but also equip them with the tools needed to proactively identify and neutralize potential threats before they can impact the business.

Tip: For an updated mapping of different Microsoft licenses and features you could navigate to M365 Maps, a great tool by Aaron Dinnage.

Microsoft
Security
Cybersecurity
Office 365
Microsoft Defender

--

--

Bart de Leeuw

Written by Bart de Leeuw

2 Followers

https://www.linkedin.com/in/de-leeuw/

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams