This app is not a free app and is for business/enterprise users only who have a valid Microsoft 365 E5 license assigned to them. Microsoft Defender for Endpoint helps enterprise users stay protected from cyber security threats such as malicious apps, dangerous web sites that may try to steal information from them. It is also a platform that allows Security Operations teams to prevent, detect. Collaborate for free with online versions of Microsoft Word, PowerPoint, Excel, and OneNote. Save documents, spreadsheets, and presentations online, in OneDrive. Use Azure Defender, integrated with Azure Security Center, for Azure and hybrid cloud workload protection and security. With extended detection and response (XDR) capabilities, stand up against threats like remote desktop protocol (RDP) brute-force attacks, and SQL injections. Streamline security with AI and automation.
-->Applies to:
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
For more info about Windows 10 Enterprise Edition features and functionality, see Windows 10 Enterprise edition.
Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
Defender for Endpoint uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender for Endpoint.
Cloud security analytics: Leveraging big-data, device-learning, andunique Microsoft optics across the Windows ecosystem,enterprise cloud products (such as Office 365), and online assets, behavioral signalsare translated into insights, detections, and recommended responsesto advanced threats.
Threat intelligence: Generated by Microsoft hunters, security teams,and augmented by threat intelligence provided by partners, threatintelligence enables Defender for Endpoint to identify attackertools, techniques, and procedures, and generate alerts when theyare observed in collected sensor data.
Microsoft Defender for Endpoint
Threat & Vulnerability Management | Attack surface reduction | Next-generation protection | Endpoint detection and response | Automated investigation and remediation | Microsoft Threat Experts | |
Tip
- Learn about the latest enhancements in Defender for Endpoint: What's new in Microsoft Defender for Endpoint.
- Microsoft Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: Insights from the MITRE ATT&CK-based evaluation.
Threat & Vulnerability Management
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
Attack surface reduction
The attack surface reduction set of capabilities provides the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, the capabilities resist attacks and exploitation. This set of capabilities also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs.
Next-generation protection
To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats.
Endpoint detection and response
Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. Advanced hunting provides a query-based threat-hunting tool that lets you proactively find breaches and create custom detections.
Automated investigation and remediation
In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender for Endpoint offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
Microsoft Secure Score for Devices
Defender for Endpoint includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
Microsoft Threat Experts
Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
Important
Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
If you are not enrolled yet and would like to experience its benefits, go to Settings >General >Advanced features >Microsoft Threat Experts to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
Centralized configuration and administration, APIs
Integrate Microsoft Defender for Endpoint into your existing workflows.
Integration with Microsoft solutions
Defender for Endpoint directly integrates with various Microsoft solutions, including:
- Azure Defender
- Azure Sentinel
- Intune
- Microsoft Cloud App Security
- Microsoft Defender for Identity
- Microsoft Defender for Office
- Skype for Business
Microsoft 365 Defender
With Microsoft 365 Defender, Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
Related topic
-->Microsoft Defender for Office 365 is a cloud-based email filtering service that helps protect your organization against unknown malware and viruses by providing robust zero-day protection, and includes features to safeguard your organization from harmful links in real time. Defender for Office 365 has rich reporting and URL trace capabilities that give administrators insight into the kind of attacks happening in your organization.
The following are the primary ways you can use Defender for Office 365 for message protection:
In a Defender for Office 365 filtering-only scenario, Defender for Office 365 provides cloud-based email protection for your on-premises Exchange Server environment or any other on-premises SMTP email solution.
Defender for Office 365 can be enabled to protect Exchange Online cloud-hosted mailboxes. To learn more about Exchange Online, see the Exchange Online service description.
In a hybrid deployment, Defender for Office 365 can be configured to protect your messaging environment and control mail routing when you have a mix of on-premises and cloud mailboxes with Exchange Online Protection for inbound email filtering.
Microsoft Defender for Office 365 availability
Microsoft Defender for Office 365 Plan 2 is included in Office 365 E5, Office 365 A5, Microsoft 365 E5 Security, and Microsoft 365 E5 as specified here: https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp. Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium.
You can add Defender for Office 365 to the following Exchange and Microsoft 365 subscription plans:
Exchange Online Plan 1
Exchange Online Plan 2
Exchange Online Kiosk
Exchange Online Protection
Microsoft 365 Business Basic
Microsoft 365 Business Standard
Office 365 Enterprise E1
Office 365 Enterprise E3
Office 365 Enterprise F3
Office 365 A1
Office 365 A3
To buy Microsoft Defender for Office 365, see Microsoft Defender for Office 365.
For detailed plan information on subscriptions that enable users for Microsoft Defender for Office 365, see the full subscription comparison table.
What's new in Microsoft Defender for Office 365
We are continuing to add new features to Defender for Office 365. To learn more about new features coming to Defender for Office 365 (or Microsoft 365 in general), see the following resources:
Requirements for Microsoft Defender for Office 365
Defender for Office 365 can be used with any SMTP mail transfer agent, such as Microsoft Exchange Server. For information about the operating systems, web browsers, and languages that are supported by Defender for Office 365, see the 'Supported browsers' and 'Supported languages' sections in Exchange admin center in Exchange Online Protection.
Feature availability across Defender for Office 365 plans
Each feature is listed below. When Exchange Online is mentioned, it typically refers to the Office 365 Enterprise service family.
| Feature | Defender for Office 365 Plan 1 | Defender for Office 365 Plan 2 | Microsoft 365 E5 / A5 Security |
|---|---|---|---|
| Configuration, protection, and detection | |||
| Safe Attachments | Yes | Yes | Yes |
| Safe Attachments in Teams | Yes | Yes | Yes |
| Safe Links | Yes | Yes | Yes |
| Safe Documents | No | No | Yes |
| Safe Links in Teams | Yes | Yes | Yes |
| ATP for SharePoint, OneDrive, and Microsoft Teams | Yes | Yes | Yes |
| Anti-phishing policies | Yes | Yes | Yes |
| Real-time reports | Yes | Yes | Yes |
| Automation, investigation, remediation, and education | |||
| Threat Trackers | No | Yes | Yes |
| Threat investigation (advanced threat investigation) | Real-time detections | Explorer | Explorer |
| Automated incident response | No | Yes | Yes |
| Attack Simulator | No | Yes | Yes |
| Integration with Microsoft 365 Defender | No | Yes | Yes |
Note
If your tenant only has Microsoft Defender for Office Plan P2 trial license or Office 365 E5 trial license, with no other eligible license for Microsoft 365 Defender, you will not be able to access Microsoft 365 Defender. To learn more about MTP license, see Microsoft 365 Defender requirements.
Defender for Office 365 capabilities
Safe Attachments
Safe Attachments protects against unknown malware and viruses, and provides zero-day protection to safeguard your messaging system. All messages and attachments that don't have a known virus/malware signature are routed to a special environment where Defender for Office 365 uses a variety of machine learning and analysis techniques to detect malicious intent. If no suspicious activity is detected, the message is released for delivery to the mailbox.
Note
Safe Attachments scanning takes place in the same region where your Office 365 data resides. For more information about data center geography, see Where is your data located?
Safe Links
The Safe Links feature proactively protects your users from malicious URLs in a message or in an Office document. The protection remains every time they select the link, as malicious links are dynamically blocked while good links can be accessed.
Safe Links is available for URLs in the following apps:
Microsoft Defender For Office Plan 2
Microsoft 365 Apps for enterprise on Windows or Mac
Office for the web (Word for the web, Excel for the web, PowerPoint for the web, and OneNote for the web)
Word, Excel, and PowerPoint on Windows
Microsoft Teams channels and chats
Note
Users must be licensed for Defender for Office 365*, must be included in Safe Links policies, and must be signed in on their devices for protection to be in place.
* For organization-wide Defender for Office 365 licenses (for example, ATP_ENTERPRISE_FACULTY), you don't need to assign Defender for Office 365 licenses to individual users.
For more information about Safe Links protection, see Safe Links in Microsoft Defender for Office 365.
Safe Documents
The Safe Documents feature uses Microsoft Defender for Endpoint to scan documents and files that are opened in Protected View.
What do you need to know before you begin?
Safe Documents is now generally available to users with Office Version 2004 (12730.x) or greater! This feature is off by default and will need to be enabled by the Security Administrator.
This feature is only available to users with the Microsoft 365 E5 or Microsoft 365 E5 Security license (not included in Defender for Office 365 plans).
Word, Excel, and PowerPoint on Windows
Microsoft Teams channels and chats
Note
Users must be licensed for Microsoft 365 E5 or Microsoft 365 E5 Security*, must be included in Safe Documents policies, and must be signed in on their devices for protection to be in place.
For more information about Safe Documents protection, see Safe Documents in Microsoft 365 E5.
ATP for SharePoint, OneDrive, and Microsoft Teams
ATP for SharePoint, OneDrive, and Microsoft Teams helps detect and block files that are identified as malicious in team sites and document libraries. In addition, Safe Links protection is now available in Microsoft Teams channels and chats.
Anti-phishing policies
Anti-phishing checks incoming messages for indicators that a message might be a phishing attempt. When users are covered by Defender for Office 365 policies (Safe Attachments, Safe Links, or anti-phishing), incoming messages are evaluated by multiple machine learning models that analyze messages and the appropriate action is taken, based on the configured policies.
Real-time reports
Monitoring capabilities available in the Security & Compliance Center (https://protection.office.com) include real-time reports and insights that let your security and compliance administrators focus on high-priority issues, such as security attacks or increased suspicious activity. In addition to highlighting problem areas, smart reports and insights include recommendations and links to view and explore data and also take quick actions.
Explorer
Explorer (also referred to as Threat Explorer) is a real-time report that lets authorized users identify and analyze recent threats. By default, this report shows data for the past seven days; however, views can be modified to show data for the past 30 days.
Explorer contains views, such as Malware (for email and content), Submissions, Phish, and All Email. To see how Explorer compares with real-time detections, download this PDF.
Microsoft 365 Defender Atp
For more information about Explorer (in Microsoft Defender for Office 365 Plan 2) and real-time detections (in Microsoft Defender for Office 365 Plan 1), see Threat Explorer and real-time detections.
Real-time detections
Real-time detections is a real-time report that lets authorized users identify and analyze recent threats. Similar to Explorer, by default, this report shows data for the past seven days.
Real-time detections contain views, such as Malware (for email and content), Submissions, and Phish. To see how real-time detections compare with Explorer, download this PDF.
For more information about Explorer (in Microsoft Defender for Office 365 Plan 2) and real-time detections (in Microsoft Defender for Office 365 Plan 1), see Threat Explorer (and real-time detections).
Threat Trackers
Threat Trackers are informative widgets and views that provide authorized users with intelligence on cybersecurity issues that might impact your organization.
Automated incident response
Microsoft 365 Defender 2020
Automated incident response (AIR) capabilities available in Defender for Office 365 Plan 2 let you run automated investigation processes in response to well-known threats that exist today. By automated certain investigation tasks, your security operations team can operate more efficiently and effectively. Remediation actions, such as deleting malicious email messages, are taken upon approval by your security operations team. To learn more, see How AIR works in Office 365.
Attack Simulator
Microsoft 365 Login Portal
Attack Simulator lets authorized users run realistic attack scenarios in your organization. Several different kinds of attacks are available, including a display name spear-phishing attack, a password-spray attack, and a brute-force password attack.