
Microsoft Defender for Office 365: What CIS Benchmark Section 2 Checks (19 Controls)

Section 2 of the CIS Microsoft 365 Foundations Benchmark v5.0.0 covers 19 controls for Microsoft Defender for Office 365 — Safe Attachments, Safe Links, anti-phishing threat policies, and priority-account protection. Here is what each capability area protects against and how to verify it.

Published 13 June 2026

The CIS Microsoft 365 Foundations Benchmark v5.0.0 defines 129 controls across 9 sections. Section 2 — Microsoft Defender for Office 365 — contains 19 of those controls, the second-largest section in the benchmark. It exists because email and collaboration remain the most common entry point for attackers: a single malicious attachment or link, delivered to one inattentive user, is still how most breaches begin.

Where Section 1 governs who controls the tenant, Section 2 governs what reaches your users' inboxes. This guide walks through the four capability areas Section 2 covers, why the benchmark includes each, and how to verify them.

For an overview of all 9 sections, see the CIS Microsoft 365 Foundations Benchmark guide.


How Section 2 is structured

The 19 controls in Section 2 are organised into three subsections:

  • 2.1 — 14 controls: the core Defender for Office 365 threat policies
  • 2.2 — 1 control
  • 2.4 — 4 controls

The benchmark only stores the numeric recommendation IDs and their descriptions — it does not group them under marketing names. The four capability areas below are the practical way to think about what those controls protect, and they map directly to the Defender for Office 365 policy surface in the Microsoft Defender portal.


Safe Attachments

Safe Attachments routes inbound email attachments through a detonation sandbox before delivery. The attachment is opened in an isolated virtual environment and observed for malicious behaviour — the kind of zero-day payload that a signature-based scanner, which only knows about threats it has already seen, will miss.

The benchmark requires Safe Attachments to be enabled because the alternative is implicit trust: without it, an attachment that has not yet been catalogued as malware is delivered to the user and relies on the endpoint to catch it. Safe Attachments also extends to files in SharePoint, OneDrive, and Teams, closing the path where a malicious file is shared internally rather than emailed.

How to check: In the Microsoft Defender portal (security.microsoft.com), go to Email & collaboration → Policies & rules → Threat policies → Safe Attachments and confirm a policy exists that applies to all recipients, with the action set to block detected malware.

Safe Links

Safe Links addresses the gap between delivery and click. A URL that is clean when the email arrives can be weaponised hours later — the attacker points the same link at a malicious destination after it has passed inbound filtering. Safe Links rewrites URLs and re-checks the destination at the moment the user clicks, not just at delivery.

The benchmark includes Safe Links coverage for email and for Office applications and Teams, because the same time-of-click problem applies wherever a user can follow a link. Disabling the "let users click through to the original URL" option matters here: a warning the user can simply dismiss is not protection.

How to check: Under Threat policies → Safe Links, verify a policy applies to all users, that URL rewriting and click-time checking are on, and that click-through to flagged URLs is not permitted.

Anti-phishing and threat policies

This is the largest capability area in the section. Anti-phishing policies in Defender for Office 365 add spoof intelligence (detecting senders that forge your domain), impersonation protection (flagging messages that mimic specific high-value people or your domain), and mailbox intelligence (learning normal sender patterns to spot anomalies).

The benchmark sets thresholds for these policies — the advanced phishing thresholds, the protected users and domains, and the actions taken on detection — because the default configuration is deliberately conservative and leaves real phishing undetected. These controls are also where you tune anti-spam and anti-malware handling so that obvious threats are quarantined rather than delivered to junk.

How to check: Review the anti-phishing, anti-spam, and anti-malware policies under Threat policies, confirming impersonation and spoof protection are enabled and that detection actions quarantine rather than deliver flagged mail.

Priority-account protection

Not every mailbox carries the same risk. A finance approver, an executive, or an administrator is worth far more to an attacker than an average user, and is targeted accordingly. Defender for Office 365 lets you tag these as priority accounts and apply differentiated, stricter protection and monitoring to them.

The benchmark includes this because uniform protection under-defends exactly the accounts most likely to be attacked. Tagging priority accounts also surfaces them in Defender's reporting, so attacks against them are visible rather than buried in tenant-wide noise.

How to check: In the Defender portal under Settings → Email & collaboration → Priority account protection, confirm the feature is on and that your high-risk users are tagged.
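The four portal checks above can also be run from Exchange Online PowerShell. The script below is an added example, not code from this article or from ConfigCobra; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a read-only role such as Global Reader, and that priority accounts are exposed on Get-User output as a VIP property (an assumption; Set-User -VIP is how they are tagged).

```powershell
# Added audit script (not from the article or ConfigCobra): read-only checks for the four
# Section 2 capability areas, using the ExchangeOnlineManagement module.
# Assumptions: module installed; signed-in account has a read-only role (e.g. Global Reader).
# Expected values follow this article's wording, not the benchmark's exact text, so treat
# each FAIL as a prompt to read the matching CIS control before changing anything.
Connect-ExchangeOnline -ShowBanner:$false
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Area, $Policy, $Check, [bool]$Pass, $Actual) {
    $status = if ($Pass) { 'PASS' } else { 'FAIL' }
    $findings.Add([pscustomobject]@{ Area=$Area; Policy=$Policy; Check=$Check; Status=$status; Actual=$Actual })
}
# Safe Attachments: every policy enabled, blocking, and extended to SharePoint/OneDrive/Teams
foreach ($p in Get-SafeAttachmentPolicy) {
    Add-Finding 'Safe Attachments' $p.Name 'Enabled'      $p.Enable               $p.Enable
    Add-Finding 'Safe Attachments' $p.Name 'Action=Block' ($p.Action -eq 'Block') $p.Action
}
$atp = Get-AtpPolicyForO365
Add-Finding 'Safe Attachments' 'Global' 'SPO/OneDrive/Teams' $atp.EnableATPForSPOTeamsODB $atp.EnableATPForSPOTeamsODB
# Safe Links: rewriting and time-of-click scanning for email, Office apps and Teams; no click-through
foreach ($p in Get-SafeLinksPolicy) {
    Add-Finding 'Safe Links' $p.Name 'Email'            $p.EnableSafeLinksForEmail  $p.EnableSafeLinksForEmail
    Add-Finding 'Safe Links' $p.Name 'Office apps'      $p.EnableSafeLinksForOffice $p.EnableSafeLinksForOffice
    Add-Finding 'Safe Links' $p.Name 'Teams'            $p.EnableSafeLinksForTeams  $p.EnableSafeLinksForTeams
    Add-Finding 'Safe Links' $p.Name 'URL rewrite on'   (-not $p.DisableUrlRewrite) $p.DisableUrlRewrite
    Add-Finding 'Safe Links' $p.Name 'Click-time scan'  $p.ScanUrls                 $p.ScanUrls
    Add-Finding 'Safe Links' $p.Name 'No click-through' (-not $p.AllowClickThrough) $p.AllowClickThrough
}
# Anti-phishing: spoof, impersonation and mailbox intelligence on; threshold raised above the
# default level 1; detections quarantined rather than delivered
foreach ($p in Get-AntiPhishPolicy) {
    Add-Finding 'Anti-phish' $p.Name 'Spoof intelligence'   $p.EnableSpoofIntelligence             $p.EnableSpoofIntelligence
    Add-Finding 'Anti-phish' $p.Name 'User impersonation'   $p.EnableTargetedUserProtection        $p.EnableTargetedUserProtection
    Add-Finding 'Anti-phish' $p.Name 'Domain impersonation' $p.EnableOrganizationDomainsProtection $p.EnableOrganizationDomainsProtection
    Add-Finding 'Anti-phish' $p.Name 'Mailbox intelligence' $p.EnableMailboxIntelligenceProtection $p.EnableMailboxIntelligenceProtection
    Add-Finding 'Anti-phish' $p.Name 'Threshold > default'  ($p.PhishThresholdLevel -ge 2)         $p.PhishThresholdLevel
    Add-Finding 'Anti-phish' $p.Name 'Impersonation=Quarantine' ($p.TargetedUserProtectionAction -eq 'Quarantine') $p.TargetedUserProtectionAction
}
foreach ($p in Get-HostedContentFilterPolicy) {
    Add-Finding 'Anti-spam' $p.Name 'Phish=Quarantine' ($p.PhishSpamAction -eq 'Quarantine') $p.PhishSpamAction
}
# Priority accounts: feature enabled and at least one user tagged (VIP property is an assumption)
$tenant = Get-EmailTenantSettings
Add-Finding 'Priority accounts' 'Tenant' 'Protection enabled' $tenant.EnablePriorityAccountProtection $tenant.EnablePriorityAccountProtection
$vips = @(Get-User -ResultSize Unlimited | Where-Object { $_.VIP -eq $true })
Add-Finding 'Priority accounts' 'Tenant' 'Tagged users > 0' ($vips.Count -gt 0) $vips.Count
$findings | Sort-Object Status, Area | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

A policy's settings say nothing about who it covers: pair these results with Get-SafeAttachmentRule and Get-SafeLinksRule (SentTo, RecipientDomainIs, State) to confirm the policy is actually applied to all recipients, which is the "applies to all users" half of each check above.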


How ConfigCobra assesses Section 2

ConfigCobra evaluates all 19 Section 2 controls automatically as part of a full CIS Microsoft 365 Foundations Benchmark assessment.

The scan connects to your Microsoft 365 tenant using read-only Microsoft Graph permissions — no agents, no scripts running in your environment, no admin passwords shared. Within 20–25 minutes, ConfigCobra returns results for all 129 controls across all 9 sections, including every control in Section 2.

For each finding, you get:

  • Pass, fail, or partial status
  • The actual configuration value that was evaluated
  • The CIS remediation procedure
  • A generated PowerShell script where applicable

Defender for Office 365 controls are among the most commonly misconfigured, usually because the policies were created once at default settings and never tuned — or because a custom policy overrides the default in a way that quietly weakens coverage.

Book a demo to see Section 2 results for your own tenant, or start a free trial to run all 15 trial controls immediately — no demo required.


What comes next

Section 2 protects what reaches the inbox. The surrounding sections protect the accounts and services behind it.

For the full benchmark overview including every section's control count, see the CIS Microsoft 365 Foundations Benchmark page.
