Exercise 02: Email-born Attack Defense with MDO (BEC/Phish → Prevent, Detect, Remediate)
Exercise learning objectives
- Configure Safe Links and Safe Attachments for time-of-click and detonation-based blocking.
- Tune anti-phish and impersonation protection, and disable automatic external forwarding.
- Use Threat Explorer and Automated Investigation and Response (AIR) to contain and remediate.
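The second objective above (disable automatic external forwarding) is the one most often verified from the command line. The snippet below is an added illustration, not part of the original exercise material; it assumes an Exchange Online PowerShell session is already established with an account holding the Security Administrator or Exchange Administrator role, and that the tenant still uses the policy named `Default` for outbound spam filtering.

```powershell
# Added example: audit and harden the auto-forwarding setting in the
# outbound spam filter policy. Assumes Connect-ExchangeOnline has been run.

# 1. Record the current state of every outbound spam filter policy so the
#    "before" value can be captured for the exercise metrics.
$before = Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, AutoForwardingMode, IsDefault
$before | Format-Table -AutoSize

# 2. Turn off automatic external forwarding on the default policy.
#    Valid values for AutoForwardingMode are Automatic, On and Off;
#    Off blocks client-side rules and mailbox forwarding to external domains.
Set-HostedOutboundSpamFilterPolicy -Identity "Default" -AutoForwardingMode Off

# 3. Re-read the setting and fail loudly if it did not take effect, so the
#    step can be used as a repeatable check rather than a one-off change.
$after = (Get-HostedOutboundSpamFilterPolicy -Identity "Default").AutoForwardingMode
if ($after -ne "Off") {
    throw "Expected AutoForwardingMode=Off on policy 'Default', found '$after'."
}
Write-Output "AutoForwardingMode on 'Default' is now $after"
```

Custom outbound spam policies scoped to specific users override the default one, so the first step lists every policy rather than only `Default`; any policy still showing `Automatic` or `On` should be reviewed with its owner before the exercise moves on to the detection steps.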
Estimated time: 90 minutes
CISO Overview - Scenario and goals
Zava Oil & Resources is seeing an increase in Business Email Compromise (BEC) and credential-phishing attempts targeting executives and site managers.
The organization must:
- Harden email defenses using time-of-click URL scanning, attachment detonation, and anti-impersonation protections.
- Block risky auto-forwarding.
- Prove it can investigate and purge malicious mail quickly across tenants using the unified Defender XDR portal.
Expected outcome: Executives’ inboxes are protected, detection signals are validated, and remediation workflows are proven end-to-end.
Table of contents
- 01: Measure email protection posture and executive exposure
- 02: Enable Safe Links, Safe Attachments, Anti-Phish, and Block Auto-Forward
- 03: Simulate and seed safe test messages and URLs to validate policies
- 04: Use Threat Explorer and AIR to scope and stop an attack
- 05: Capture before/after metrics and assign owners/SLAs