
Microsoft is actively rolling out Defender for Office 365 Plan 1 to all Microsoft 365 E3 tenants. That sounds like good news, but part of the protection turns on automatically. Admins who haven't prepared their mail flow and security configuration will be surprised — by blocks that affect users without the admin having configured anything.
Until recently, Microsoft 365 E3 included only baseline email security: Exchange Online Protection with anti-spam, anti-malware, and standard anti-phishing. Anyone who wanted Safe Links, Safe Attachments, or advanced anti-phishing rules needed a separate licence: Defender for Office 365 Plan 1 or Plan 2. That is changing now. Microsoft is actively rolling out Plan 1 to all M365 E3 tenants, and the rollout started in July 2026.
The rollout is not silent. In the Microsoft 365 Message Centre, tenant administrators receive a notification thirty days before the functionality becomes available in their tenant. But those who miss that notification can be caught off guard: some security layers turn on automatically, even without the administrator having explicitly configured any policies. For organisations with a third-party mail gateway or custom mail flow rules, that can cause disruptions.
Defender for Office 365 Plan 1 adds three main categories on top of Exchange Online Protection. Safe Attachments analyses attachments in a secure environment before delivery. If an attachment shows suspicious behaviour during analysis, the message is blocked or the attachment replaced. Safe Links checks URLs in email messages and documents at the moment the user clicks, not only at receipt. If the destination has become malicious in the meantime, the click is blocked. Advanced anti-phishing checks for impersonation of trusted domains, brand recognition, and spoofing techniques that standard Exchange Online Protection does not detect.
These three features are the core of what email security in 2026 makes practically necessary. Phishing attacks increasingly use legitimate-looking domains, QR codes, and dynamic links that only become malicious after delivery. Safe Links protects users precisely against that type of attack.
As soon as Defender for Office 365 Plan 1 becomes available in a tenant, Microsoft automatically applies built-in protection for licensed users. Concretely this means Safe Links is enabled with a default policy: URLs in email and Teams are checked and malicious destinations are blocked. The user then sees a warning page from Microsoft.
Safe Attachments in built-in mode is less aggressive: suspicious attachments are not automatically blocked in the default configuration but are analysed. For more active blocking, the administrator must create an explicit Safe Attachments policy. The same applies to advanced anti-phishing: built-in protection is active, but the full configuration of impersonation lists, trusted senders, and response actions must be done manually.
The automatic activation of Safe Links is the most impactful element for administrators who take no action. URL rewriting changes the structure of links in email messages. Organisations working with third-party mail gateway products, such as Proofpoint, Mimecast, or Barracuda, or those using custom URL tracking in email campaigns, may see behaviour inconsistent with earlier settings.
Four concrete steps for IT teams managing M365 E3. First: check the Message Centre. Look for the announcement about Defender for Office 365 Plan 1 in your tenant. You will see the planned activation date for your tenant and can determine how much time you have to prepare. Thirty days is the minimum lead time Microsoft communicates.
Second: inventory your current mail flow architecture. Do you have an external mail gateway that filters email before it reaches Microsoft 365? If so, check the safe listing of your gateway in Exchange Online. If the gateway already applies URL rewriting and Defender for Office 365 is also going to rewrite, doubly rewritten links can cause problems. Microsoft has specific documentation for configuring enhanced filtering for connectors, whereby the gateway is marked as a relay and Defender can correctly evaluate the original IP information.
Third: decide whether you want to create custom policies or retain the built-in protection. The recommended approach is to set up an explicit default policy alongside built-in protection via the Microsoft Defender portal, under Email and collaboration, then Policies and rules, and then Threat policies. Here you can configure Safe Attachments, Safe Links, and anti-phishing with settings suited to your organisation: response actions, exclusions for trusted domains, and notifications on blocking.
Fourth: communicate to users. The first time Safe Links blocks a URL, that is a new experience for those who haven't encountered it before. A short explanation via intranet or email, that additional email security has been activated and that a red or yellow warning screen means the link was assessed as dangerous, addresses most questions.
Organisations on Microsoft 365 Business Premium already had Defender for Office 365 Plan 1. For those tenants, nothing changes. For Business Standard licences the situation is different: as part of the price increase on 1 July 2026, Defender for Office 365 Plan 1 is being added there too, but the rollout runs until August 2026. The approach for administrators is identical.
For E5 licences, Defender for Office 365 Plan 2 is already included, which contains everything from Plan 1 plus additional features for threat investigation, attack simulation training, Threat Explorer, and automated response. E5 tenants have nothing to action.
The rollout of Defender for Office 365 Plan 1 to E3 also brings Attack Simulation Training, albeit in a more limited form than with Plan 2. Via the Microsoft Defender portal you can send simulated phishing campaigns to users to measure their resilience. This is a low-threshold way to see what percentage of users still click on suspicious links, even after repeated training.
In organisations that run phishing simulations, it is consistently demonstrable that users who regularly receive a simulated phishing email click significantly less often on real phishing messages. Combine technical protection via Safe Links with behavioural training via simulations for maximum effect.
Three actions every E3 administrator should carry out in the coming weeks. First, save the Message Centre notification and note the activation date for your tenant. Use that date as the work deadline for configuration. Second, create an explicit Safe Attachments policy in the Defender portal with the Dynamic Delivery action, so messages still arrive but attachments are only released after analysis. That is safer than blocking and prevents legitimate attachments from disappearing without notification. Third, discuss with your mail gateway supplier whether adjustments are needed for connector configuration.
Want help configuring Defender for Office 365 in your Microsoft 365 environment, drafting Safe Links and Safe Attachments policies, or setting up phishing simulations? Contact Zarioh for a practical conversation about your email security architecture.
Zarioh Digital Solutions
IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice. Follow us on LinkedIn

Security

Security

Security