Fix Microsoft Defender for Office 365 Problems
Why This Is Happening
I've seen this play out on dozens of tenant setups: an IT admin enables Microsoft Defender for Office 365, assumes the default policies cover everything, and then three weeks later discovers that phishing emails are still landing in inboxes, safe attachment scanning isn't triggering, or legitimate emails from a trusted partner are vanishing into quarantine with no explanation. If this sounds familiar, you're not alone, and the problem usually isn't a bug. It's configuration.
Microsoft Defender for Office 365 is layered, and that layering is exactly what trips people up. There are three tiers at play: built-in security features that come with every cloud mailbox by default, Plan 1 (which adds Safe Attachments, Safe Links, and advanced anti-phishing), and Plan 2 (which adds threat simulation, post-breach investigation, and automated response). The error messages you get, or more often, the complete absence of any error message, rarely tell you which layer is missing or misconfigured.
The most common reasons people land on this page include:
- Email authentication is broken. SPF, DKIM, or DMARC records are wrong, missing, or pointing to an old mail relay. This causes Microsoft 365 to flag your own outbound mail as spoofed, or to let spoofed inbound mail through because there's no authentication baseline to check against.
- Safe Attachments and Safe Links aren't actually applied. The policies exist in the portal, but they're not assigned to the right users, groups, or domains. Policy scope is one of the most commonly skipped configuration steps.
- Plan confusion. Someone bought Microsoft 365 Business Premium thinking it included full Defender for Office 365 Plan 2; it includes only Plan 1. Features like Attack Simulator and advanced hunting just aren't there.
- Preset security policies conflict with custom policies. Running both Standard/Strict preset policies and custom anti-phishing or anti-spam policies at the same time creates priority conflicts that nobody warned you about.
- Quarantine is swallowing legitimate mail. The default quarantine policies are more aggressive than many organizations expect, and nobody set up end-user quarantine notifications.
I know this is frustrating, especially when it's blocking business communication or letting threats slip through despite paying for a security product. The good news is that almost every one of these problems has a clear fix once you know what you're looking at. Let's work through it.
The Quick Fix: Try This First
Before you dig into anything complex, run the Configuration Analyzer. This is Microsoft's built-in tool inside the Defender portal that compares your current settings against Standard and Strict preset security policy recommendations. It takes about two minutes and instantly highlights gaps that would take hours to find manually.
Here's how to get there:
- Open a browser and go to security.microsoft.com
- In the left nav, expand Email & Collaboration, then click Policies & Rules
- Click Threat policies, then scroll down to the Others section
- Click Configuration analyzer
- Select either the Standard recommendations or Strict recommendations tab depending on your organization's risk tolerance
- Review every row flagged as Not recommended, click the individual item to see exactly what setting is wrong and what it should be
Pay particular attention to anything flagged under Anti-phishing and Anti-spam. In my experience, impersonation protection settings, specifically user and domain impersonation thresholds, are almost always under-configured on fresh tenants. The analyzer tells you the exact gap without requiring you to manually compare policy tables.
If the analyzer shows your policies are fine but you're still seeing problems, the next likely culprit is email authentication. Check whether SPF, DKIM, and DMARC are correctly configured for every domain your organization sends mail from, including secondary or alias domains. A single domain without proper authentication records can undermine your entire anti-spoofing posture.
This is the foundation everything else builds on. If your DNS authentication records are wrong, Microsoft Defender for Office 365 can't accurately tell legitimate mail from spoofed mail, and your anti-phishing policies lose half their effectiveness before they even run.
SPF (Sender Policy Framework): Your SPF TXT record in DNS tells receiving mail servers which IP addresses are allowed to send mail on behalf of your domain. For a standard Microsoft 365 setup with no on-premises relay, the record should look like this:
v=spf1 include:spf.protection.outlook.com -all
The -all at the end is a hard fail: it tells other servers to reject anything not on the list. If you're using a third-party sender (like a marketing platform or ticketing system), you need to add their include statement before the -all. To verify your current record, use a DNS lookup tool and query TXT records for your domain. If you have more than one SPF record, delete the duplicates; multiple SPF records cause immediate authentication failures.
DKIM (DomainKeys Identified Mail): DKIM adds a cryptographic signature to outbound mail. In the Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies, then find Email authentication settings under the Rules section. Click your domain and toggle DKIM signing to Enabled. Microsoft will generate two CNAME records that you need to publish in your DNS. Wait for propagation (up to 48 hours), then click Rotate DKIM keys to confirm the signing is active.
DMARC (Domain-based Message Authentication): DMARC tells receiving servers what to do when SPF or DKIM fails. A basic starting policy looks like this:
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com
Start with p=quarantine rather than p=reject until you've monitored reports for two to four weeks. If you jump straight to reject and something in your mail flow isn't authenticated properly, you'll lose legitimate mail with no warning. Once reports show clean results, move to p=reject.
When all three records are correctly configured, you'll see the Spoof intelligence insight in the Defender portal start producing meaningful data within a few days.
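As an added example (not part of the original guide), here is an offline Python checker that applies the SPF and DMARC rules above to TXT strings you paste in, with no DNS lookups. It goes slightly beyond the text by also counting the lookup-causing SPF terms that RFC 7208 caps at 10. All records and domains in it are constructed.

```python
import re

OUTLOOK_INCLUDE = "include:spf.protection.outlook.com"
# SPF terms that cost a DNS lookup; RFC 7208 caps evaluation at 10 of them.
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a(?=$|[:/])|mx(?=$|[:/])|ptr|exists:|redirect=)", re.I
)


def check_spf(txt_records):
    """Return a list of problems in the TXT strings published at a domain apex.

    txt_records is the full set of TXT strings for the domain, supplied by the
    caller; nothing is fetched from DNS here.
    """
    problems = []
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        problems.append(f"{len(spf)} SPF records found; receivers treat this as a permanent error")
    terms = spf[0].split()[1:]  # drop the v=spf1 version tag
    if OUTLOOK_INCLUDE not in terms:
        problems.append(f"missing {OUTLOOK_INCLUDE}, so Microsoft 365 outbound mail fails SPF")
    if not terms or terms[-1].lower() != "-all":
        problems.append("record does not end with -all (hard fail)")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        problems.append(f"{lookups} lookup terms; RFC 7208 allows at most 10")
    return problems


def check_dmarc(txt_records):
    """Return (policy, problems) for the TXT strings published at _dmarc.<domain>."""
    problems = []
    recs = [r.strip() for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return None, ["no DMARC record published"]
    if len(recs) > 1:
        problems.append("multiple DMARC records; receivers ignore all of them")
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p= tag missing or invalid")
        policy = None
    if "rua" not in tags:
        problems.append("no rua= address; you get no aggregate reports to review before moving to p=reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) > 100:
        problems.append("pct= must be an integer from 0 to 100")
    return policy, problems


# Constructed sample records (placeholder domains, not real tenants)
GOOD_SPF = ["v=spf1 include:spf.protection.outlook.com -all"]
DUPLICATE_SPF = [
    "v=spf1 include:spf.protection.outlook.com -all",
    "v=spf1 ip4:203.0.113.10 ~all",  # old relay record nobody removed
]
GOOD_DMARC = ["v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@yourdomain.com"]

if __name__ == "__main__":
    for label, recs in (("good", GOOD_SPF), ("duplicate", DUPLICATE_SPF)):
        print(label, check_spf(recs) or "OK")
    print("dmarc", check_dmarc(GOOD_DMARC))
```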
Here's a situation I've run into repeatedly: the admin portal shows Safe Attachments and Safe Links policies as enabled, but emails with malicious attachments are still getting through. Nine times out of ten, the policy exists but isn't assigned to anyone.
Safe Attachments and Safe Links are Defender for Office 365 Plan 1 features, meaning you need the right license first. To check, go to the Microsoft 365 admin center at admin.microsoft.com, then navigate to Billing > Licenses and confirm you have either Microsoft 365 Business Premium, a Microsoft 365 A5/E5/G5 plan, or a standalone Defender for Office 365 Plan 1 (or Plan 2) add-on license assigned to your users.
Once you've confirmed licensing, check policy assignment:
- Go to security.microsoft.com
- Navigate to Email & Collaboration > Policies & Rules > Threat policies
- Click Safe Attachments
- Click your policy and scroll to the Applied to section
If this section shows no recipients, domains, or groups, the policy is doing nothing. Add the appropriate scope; for most organizations, adding your primary domain here is the fastest way to cover everyone. For Safe Attachments specifically, also check the Settings section. The action should be set to Block or Dynamic Delivery, not Off or Monitor. Monitor mode detects but does not block: a common misconfiguration that gives false confidence.
For Safe Links, repeat the same check under the Safe Links policy. Additionally, make sure that Safe Links for Microsoft Teams and Safe Links for Office 365 Apps are toggled on if your users work in Teams and desktop Office apps; the email-only policy doesn't cover those surfaces automatically.
After scoping the policies correctly, send a test email with a benign test file attachment (the EICAR test file works well) to a mailbox in scope. You should see a detonation delay of a few seconds before the message arrives; that's Dynamic Delivery working.
The built-in anti-phishing policies that come with every Microsoft 365 mailbox handle spoofing fairly well. But user impersonation protection and domain impersonation protection, the features that catch emails pretending to be your CEO or a trusted partner domain, those only exist in Defender for Office 365 Plan 1 and Plan 2.
To configure impersonation protection:
- Go to security.microsoft.com > Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing
- Click on the default policy (or your custom policy if you've created one)
- Click Edit on the Phishing threshold & protection section
Under User impersonation, add the specific email addresses you want protected, typically your C-suite: CEO, CFO, CTO, and anyone else whose identity a business email compromise (BEC) attack would target. Add up to 350 addresses. Under Domain impersonation, add your primary domain and any partner domains that regularly send you mail.
The Mailbox intelligence toggle uses your users' contact history and communication patterns to detect anomalous senders. Turn this on; it's included in Plan 1 and adds meaningful signal without any manual configuration overhead.
Set the Phishing email threshold to at least 2 (Aggressive) for most organizations. The default of 1 (Standard) misses more sophisticated multi-signal phishing attempts. At setting 4 (Most Aggressive), expect more false positives on unusual but legitimate mail; calibrate based on your user base's tolerance for quarantine notifications.
Under Actions, set the response for impersonated users and impersonated domains to Quarantine the message rather than just moving it to junk mail. Junk mail is still accessible; quarantine means the user has to explicitly request the message, giving your security team time to review it first.
You should see the impersonation insight in the Defender portal populate within 24 to 48 hours of enabling these settings. That insight shows you detected impersonation attempts over the past seven days and is genuinely useful for weekly security reviews.
I hear this complaint constantly: "Legitimate emails are disappearing and nobody can find them." Quarantine is doing its job, but when users don't know quarantine exists or how to access it, it feels like mail is just vanishing. And when security teams are the only ones who can release quarantined mail, the help desk gets flooded.
First, make sure quarantine notifications are configured:
- Go to security.microsoft.com > Email & Collaboration > Policies & Rules > Threat policies > Quarantine policies
- Either edit the DefaultFullAccessPolicy or create a custom policy
- Enable End-user spam notifications and set the frequency to daily or every 3 days; weekly is too infrequent
Once notifications are on, users get an email digest showing what's been quarantined on their behalf. They can release non-spam items themselves without IT involvement, which dramatically reduces false-positive complaints.
For systematic false positives, specific senders or domains that keep getting flagged incorrectly, use the Tenant Allow/Block List:
- Go to security.microsoft.com > Email & Collaboration > Policies & Rules > Tenant Allow/Block Lists
- Under Domains & email addresses, add the sender to the Allow list
Be specific: add individual email addresses rather than entire domains unless you have a strong trust relationship with that domain. Adding an entire domain bypasses anti-spam and anti-phishing checks for every address at that domain, including any attacker who happens to compromise one of those accounts.
For false negatives, malicious mail that got through, use admin submissions. Go to Email & Collaboration > Submissions, submit the message as phishing or malware, and Microsoft's team will analyze it and update detection models accordingly. This is the correct channel, not just adding a block entry to the Tenant Allow/Block List.
Check the Message Trace tool (under Email & Collaboration > Exchange message trace) when a specific message is missing. It shows you the exact delivery status, which policy acted on the message, and what action was taken, timestamps included. This is far faster than trying to reproduce the issue or searching through quarantine manually.
If you've been building custom threat policies from scratch and keeping them updated, you're doing it the hard way. Microsoft's Standard and Strict preset security policies handle the heavy lifting automatically; they're maintained by Microsoft's security team and updated as the threat landscape changes. For most organizations, especially those without a dedicated security engineer, presets are the right answer.
To apply a preset security policy:
- Go to security.microsoft.com > Email & Collaboration > Policies & Rules > Threat policies > Preset security policies
- Click Manage under either Standard protection or Strict protection
- Toggle the preset to On
- Use the All recipients option or scope it to specific users, groups, or domains
- Click Save
Standard protection is appropriate for most users in most organizations. Strict protection is designed for high-value targets: executives, finance team members, and people with access to sensitive systems. You can apply both simultaneously by scoping them to different recipient groups.
One important thing to understand about preset policies: they take priority over your custom policies for the same users. The priority order, from highest to lowest, is: Strict preset > Standard preset > custom policies > default policies. If you have a custom anti-phishing policy that's less restrictive than the Strict preset for users in both scopes, the Strict preset wins. This is usually what you want, but it can cause confusion if you expect your custom settings to apply to executive users covered by Strict.
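To make that precedence rule concrete, here is an added Python model (not Microsoft's code and not part of the original guide) that resolves which policy wins for a recipient from each policy's Applied to scope, and lists custom policies that can never win while a preset scoped to all recipients sits above them. The numeric order used to break ties among custom policies and the excluded set are assumptions that stand in for the portal's priority number and exception lists; the tenant data is constructed.

```python
from dataclasses import dataclass

# Precedence from the guide: Strict preset > Standard preset > custom > default.
# Lower rank wins.
TIER_RANK = {"strict": 0, "standard": 1, "custom": 2, "default": 3}


@dataclass
class Recipient:
    email: str
    groups: frozenset = frozenset()


@dataclass
class Policy:
    name: str
    tier: str                          # "strict" | "standard" | "custom" | "default"
    users: frozenset = frozenset()     # Applied to: individual addresses
    groups: frozenset = frozenset()    # Applied to: group membership
    domains: frozenset = frozenset()   # Applied to: recipient domains
    all_recipients: bool = False
    excluded: frozenset = frozenset()  # assumed: explicit exception addresses
    order: int = 0                     # assumed: tie-breaker among custom policies

    def covers(self, r: Recipient) -> bool:
        email = r.email.lower()
        if email in self.excluded:
            return False
        if self.tier == "default" or self.all_recipients:
            return True
        domain = email.split("@", 1)[1]
        return email in self.users or domain in self.domains or bool(self.groups & r.groups)


def matching_policies(policies, r):
    """All policies whose scope includes r, highest precedence first."""
    return sorted((p for p in policies if p.covers(r)),
                  key=lambda p: (TIER_RANK[p.tier], p.order))


def effective_policy(policies, r):
    """The single policy that actually acts on mail to r."""
    return matching_policies(policies, r)[0]


def shadowed_custom_policies(policies, recipients):
    """Custom policies that never win for any of the given recipients."""
    winners = {effective_policy(policies, r).name for r in recipients}
    return [p.name for p in policies if p.tier == "custom" and p.name not in winners]


# Constructed sample tenant: Standard applied to everyone, Strict to the exec group,
# plus a lenient custom policy meant for the marketing subdomain.
POLICIES = [
    Policy("Default", "default"),
    Policy("Strict preset", "strict", groups=frozenset({"Executives"})),
    Policy("Standard preset", "standard", all_recipients=True),
    Policy("Lenient-Marketing", "custom", domains=frozenset({"marketing.example.com"})),
]
CEO = Recipient("ceo@example.com", frozenset({"Executives"}))
MARKETER = Recipient("ads@marketing.example.com")

if __name__ == "__main__":
    for r in (CEO, MARKETER):
        print(r.email, "->", [p.name for p in matching_policies(POLICIES, r)])
    print("never effective:", shadowed_custom_policies(POLICIES, [CEO, MARKETER]))
```

The custom policy only starts winning once the marketing addresses are excluded from the Standard preset, which is the fix the precedence rule implies.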
After enabling presets, run the Configuration Analyzer again. You should see a significant reduction in flagged recommendations; the presets satisfy most of the recommended settings automatically. Any remaining gaps are typically in areas outside the preset scope, like outbound spam policies or connection filtering settings.
Advanced Troubleshooting
Zero-Hour Auto Purge (ZAP) Not Working
ZAP is one of the most powerful capabilities in Microsoft Defender for Office 365 and it's included in the built-in security tier, meaning every cloud mailbox gets it. ZAP retroactively identifies and removes malicious mail that was delivered before detection signatures caught up. But there are scenarios where ZAP won't fire, and they're worth knowing.
ZAP doesn't work on mail older than 48 hours. It also doesn't work if the user has already moved the message out of their inbox (for example, into a folder) or marked it as read in a way that changes its processing state. And ZAP can't act on messages if the mailbox has a hold applied (litigation hold, in-place hold, or eDiscovery hold), because those holds prevent message deletion.
To verify ZAP is configured, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-spam, open the inbound policy, and confirm that Zero-hour auto purge (ZAP) is toggled on for both spam and phishing. It's on by default, but it's worth confirming nobody turned it off during a previous troubleshooting session.
Real-Time Detections and Threat Explorer
If you have Plan 1, you have access to Real-time detections under Email & Collaboration > Explorer. This is your primary tool for investigating why a specific message was or wasn't flagged. Filter by sender, subject, recipient, detection technology, or delivery action to trace exactly what happened to any message in the past 30 days.
Plan 2 users have Threat Explorer, which extends this with the ability to hunt across broader time ranges, trigger manual investigation workflows, and take bulk remediation actions directly from the search results. If you're on Plan 2 and not using Threat Explorer for weekly threat hunts, you're leaving significant security value on the table.
SIEM Integration Issues
Plan 1 includes the Office 365 Management APIs for detection events. If your SIEM (Splunk, Sentinel, QRadar) isn't receiving Defender for Office 365 alerts, the most common culprits are:
- The audit log isn't enabled. Go to compliance.microsoft.com > Audit and confirm auditing is turned on; it has to be explicitly activated and can take up to 24 hours to start producing data.
- The API connector doesn't have the right permissions. The service principal used for SIEM ingestion needs the ActivityFeed.Read permission on the Office 365 Management APIs.
- You're querying the wrong content type. Defender for Office 365 events are in the Audit.AzureActiveDirectory and Audit.Exchange content types, not a dedicated Defender-specific feed.
Enterprise and Domain-Joined Scenarios
In hybrid environments with on-premises Exchange, the mail flow path affects which Defender for Office 365 policies apply. Mail routed through an on-premises connector before reaching Exchange Online may bypass some cloud-side filtering. Check your connectors under Exchange admin center > Mail flow > Connectors and verify that the Enhanced Filtering for Connectors (also called skip listing) is enabled on any inbound connector. Without this, Defender sees your on-premises server's IP as the mail source, not the original external sender, and IP reputation checks fail entirely.
Escalate to Microsoft Support when: mail flow has stopped entirely and Message Trace shows no activity; you're seeing license errors in the Defender portal that admin center shows as resolved; ZAP is triggering on mail it shouldn't and the pattern is reproducible; or your DKIM signing keys have rotated but outbound mail is still failing DKIM validation at recipients after 72 hours. These are platform-level issues that require backend access to investigate properly.
Prevention & Best Practices
The biggest preventable problem I see with Microsoft Defender for Office 365 is treating the initial configuration as a one-time task. It isn't. The threat landscape changes. Your organization changes. Staff leave and are replaced. Domains get added and forgotten. A security posture that was solid twelve months ago can quietly degrade into something much more porous without any dramatic event to signal the change.
Build a quarterly security review into your operations calendar. During that review, re-run the Configuration Analyzer, check the Tenant Allow/Block List for stale entries that were added to unblock something urgent and never revisited, and review quarantine release patterns. If specific senders are repeatedly released from quarantine by the same users, that's a signal to either add them to the Allow list formally or to investigate whether those users are bypassing filtering they shouldn't.
User tags, specifically the Priority Account tag, are underused by most organizations. In the Defender portal, mark your executive team, finance personnel, and anyone with privileged system access as Priority Accounts. This tag unlocks additional telemetry, dedicated monitoring reports, and stricter filtering thresholds for those accounts specifically, without applying Strict preset settings org-wide. The impersonation insight also filters by Priority Account, making weekly reviews much faster.
Make sure every domain your organization owns, including domains used for marketing, subdomains, and domains you've acquired but don't actively use, has SPF, DKIM, and DMARC records. Unused domains with no authentication records are prime targets for spoofing because they have no enforcement baseline. A DMARC policy of p=reject on an unused domain is a five-minute fix that permanently closes that attack surface.
Finally, if you're on Plan 2, run phishing simulations using Attack Simulator at least twice a year. Simulations in Attack Simulator are excluded from filtering automatically, you don't need to create allow rules that could weaken real-world protection. The simulation data tells you which users need additional security awareness training before an attacker finds them first.
- Enable Priority Account tags for executives and finance staff; this unlocks dedicated monitoring with no policy changes required
- Set DMARC to p=reject on all unused domains you own to eliminate spoofing surface area
- Turn on end-user quarantine notifications (daily frequency) to cut false-positive help desk tickets by up to 70%
- Enable Enhanced Filtering for Connectors on any on-premises mail relay connector so Defender sees original sender IPs
Frequently Asked Questions
Does Microsoft 365 Business Premium include Defender for Office 365 Plan 1 or Plan 2?
Business Premium includes Plan 1. You get Safe Attachments, Safe Links, advanced anti-phishing with impersonation protection, real-time detections, and the impersonation insight. What you don't get is Plan 2's Attack Simulator, Threat Explorer (full version), Automated Investigation and Response (AIR), and advanced hunting. If your organization needs those capabilities, you'll need to upgrade to a Microsoft 365 E3 or E5 plan, or add a standalone Defender for Office 365 Plan 2 license on top of your existing subscription.
Why are emails from my own domain going to spam or getting blocked?
This almost always points to a broken or missing SPF record. When Microsoft 365 can't verify that the sending server is authorized to send on behalf of your domain, it flags the message as potentially spoofed. Check that your SPF record includes include:spf.protection.outlook.com and ends with -all. Also confirm you don't have duplicate SPF TXT records for the same domain; having two SPF records causes an immediate authentication failure regardless of what the records say. If you use a third-party email sender, add their include statement to the same SPF record.
Safe Attachments is enabled but I'm still receiving files without scanning delays, is it working?
Most likely the Safe Attachments policy isn't scoped to your mailbox. Open the policy in the Defender portal and check the Applied to section; if it shows no recipients, domains, or groups, it's not doing anything. Add your domain or specific recipient addresses. Also check that the action is set to Block or Dynamic Delivery, not Monitor; Monitor mode logs detections but doesn't delay or block delivery, so you won't see any observable change in mail behavior. Dynamic Delivery is the best option for most organizations because it delivers the message immediately with a placeholder attachment while the real file is scanned.
A phishing email got through, how do I report it and make sure it doesn't happen again?
Use the Submissions page in the Defender portal: go to Email & Collaboration > Submissions, click Submit to Microsoft for analysis, and select Email. Choose the message from quarantine or paste the network message ID, categorize it as phishing, and submit. Microsoft's team reviews submissions and uses them to update detection models across all tenants. You can also add the sender domain to the Tenant Allow/Block List under Domains & email addresses as a Block entry to prevent future mail from that address or domain. If this is part of a broader targeted campaign, open a support case so Microsoft's threat intelligence team can investigate.
What's the difference between the Standard and Strict preset security policies, which one should I use?
Standard is the right baseline for most employees in most organizations. It applies recommended settings for anti-spam, anti-phishing, anti-malware, Safe Attachments, and Safe Links without being so aggressive that it causes significant false positive rates. Strict is designed for high-value targets: executives, finance teams, and people with admin access to critical systems. Strict applies more aggressive phishing thresholds, stricter quarantine actions, and tighter Safe Links behavior. The practical approach is to apply Standard to all users and then layer Strict on top for your priority accounts. Since Strict takes higher precedence, those users automatically get tighter protection without requiring you to maintain two separate sets of custom policies.
Zero-Hour Auto Purge removed an email that wasn't malicious, how do I recover it?
ZAP-removed messages go to quarantine, not to permanent deletion, so recovery is straightforward. Go to Email & Collaboration > Review > Quarantine in the Defender portal, search by recipient, sender, or subject, find the message, and select Release. You can release it to the original recipient's inbox immediately. If you're seeing a pattern of ZAP incorrectly flagging a legitimate sender, add that sender to the Tenant Allow/Block List under Domains & email addresses as an Allow entry. This prevents future ZAP actions on mail from that address. You should also submit the incorrectly flagged message to Microsoft as a false positive via the Submissions page so the detection model is improved.