Microsoft has begun rolling out Defender for Office 365 Plan 1 into commercial Microsoft 365 E3 and Office 365 E3 subscriptions, with completion expected by August 1, 2026. The change hands advanced email protection—Safe Links, Safe Attachments, and robust anti-phishing features—to millions of organizations that previously relied on basic Exchange Online Protection. But the update isn’t a flip-a-switch upgrade. It arrives alongside a previously announced E3 price increase, and the new tools remain dormant until administrators step in to configure them.
What’s Actually Changing in E3 Tenants
E3 subscriptions have long included Exchange Online Protection (EOP), a solid first line of defense against spam and known malware. Defender for Office 365 Plan 1 represents a significant step up. Once provisioned—tenants should watch for a Message Center notification—the license adds three pillars of protection:
- Safe Links: Real-time URL scanning that checks links at the moment a user clicks, not just at delivery. This covers email, supported Office clients, and Microsoft Teams.
- Safe Attachments: Suspicious email attachments are detonated in a virtual sandbox before reaching the inbox. The same protection extends to files in SharePoint, OneDrive, and Teams.
- Anti-phishing policies: Beyond basic spoof detection, Plan 1 introduces user impersonation protection, domain impersonation protection, mailbox intelligence, and adjustable phishing thresholds. These are the weapons of choice against business email compromise (BEC) and targeted credential theft.
Microsoft’s documentation makes it clear: Plan 1 is the prevention and detection tier. It includes real-time detections, the email entity page, URL trace, and basic reporting. But it stops short of the investigation and automation capabilities found in Plan 2—a distinction we’ll return to.
The rollout began July 1, and Microsoft says eligible tenants will gain access on a rolling basis through August 1. Not every E3 seat gets the upgrade automatically; admins must verify that the Defender for Office 365 Plan 1 service plan is assigned to users. If you manage licenses via group-based assignment or PowerShell, this is the moment to audit your configurations.
What This Means for You (by Role)
For IT administrators: You’ve been given a powerful toolkit that your predecessor probably paid extra for—or simply did without. The immediate priority is not a product purchase; it’s a policy review. Out-of-the-box, the new protections may be too permissive, especially if your organization has accumulated legacy transport rules, third-party gateways, or bypasses over years. You’ll need to decide which preset security policy stance to adopt (Standard or Strict), tune impersonation settings, and set up quarantine workflows that don’t drown users in false positives.
For small and medium businesses: If you’ve been using E3 without an add-on security layer, this is a free boost that can dramatically reduce phishing risks. But don’t assume it’s all hands-off. At a minimum, you should populate the list of protected executives and domains—a step that takes minutes and can block the most devastating impersonation scams.
For end users: The upgrades should mean fewer convincing fakes landing in your inbox. You might see a “placeholder” attachment while Safe Attachments scans a file, and you’ll notice that some links first route through Microsoft’s safelinks service. Be aware that no filter is foolproof—QR codes in images, for example, bypass Safe Links. Continue to report suspicious messages using the built-in Report Message button in Outlook; those reports feed the system’s intelligence.
How We Got Here: E3’s Security Evolution
For years, E3 sat in an awkward middle ground. Business Premium included Defender for Office 365 (in some form), and E5 came fully loaded, but E3 buyers had to choose between adding Plan 1 as a $2/user/month add-on or making do with EOP alone. That changed in early 2026 when Microsoft announced a wave of E3 enhancements—part of a broader effort to justify a price increase that takes effect this July.
The calculus is clear: Microsoft wants E3 to be a competitive enterprise bundle, and email is the most common attack vector. Adding Plan 1 brings E3 closer to the zero-trust promise without forcing an E5 upgrade. Yet the move also serves as an entry point. Once admins see what Plan 1 catches, the upsell to Plan 2’s Threat Explorer, automated investigation, and attack simulation becomes more tangible.
The email threat landscape itself has matured. Commodity spam and mass-malware are largely handled by EOP. What keeps security teams awake are low-volume, targeted phishing attempts—the fake invoice from a “known” vendor, the CFO’s urgent wire transfer. Microsoft’s documentation frames Plan 1 as the answer to zero-day malware, phishing, and BEC. And for many organizations, that is indeed where the greatest risk lies.
Your Pre-August 1 Setup Playbook
Here’s what administrators should tackle before the rollout window closes. These steps assume you’re not already running a third-party secure email gateway that handles some of these functions. If you are, you’ll need to deconflict policies.
1. Confirm License Assignment
Go to the Microsoft 365 admin center and verify that the “Defender for Office 365 Plan 1” service plan is active on your tenant. Check a few test users to ensure it’s applied. If you automate user licensing, update your scripts to include the new plan.
2. Choose a Security Policy Baseline
The Defender portal’s preset security policies offer Standard and Strict profiles. Standard is a balanced starting point. Strict is more aggressive and will result in more messages landing in quarantine—plan accordingly. Custom policies give granular control but require more maintenance. Stick with presets unless you have a dedicated email security team.
3. Harden Anti-Phishing Policies
This is where Plan 1’s value really shines. Under the anti-phishing policy, populate the “Users to protect” list with executives, finance staff, HR, and anyone authorized to move money or sensitive data. Enable domain impersonation protection for your own domains and for external brands you frequently do business with. Turn on mailbox intelligence to catch impostor detection using relationship graphs. For example, if your CFO’s name appears in a display-name attack, mailbox intelligence can flag it even if the sending address passes SPF.
4. Configure Safe Attachments
Decide whether to use Dynamic Delivery, which sends the email body immediately while the attachment is scanned. Most organizations find this strikes the right balance, but if your workflows rely on instant attachment access (e.g., encrypted PDFs, time-sensitive reports), test thoroughly. Set the appropriate action for malware—usually “Block” with a replacement text.
5. Tune Safe Links
Enable Safe Links for email, Office apps, and Teams. Consider whether you want to let users click through to the original URL—generally not recommended. Pay attention to the “Track user clicks” setting; it’s useful for incident response, but communicate its implications to users.
6. Design a Quarantine Policy That Won’t Backfire
Nothing kills security adoption faster than a quarantine that traps critical mail with no recourse. Decide:
- Who gets quarantine notifications.
- What users can preview and release themselves.
- Which categories always require admin review.
- How users report false positives.
Promote the Outlook Report Message add-in. User-reported phishing is a valuable sensor, but it only works if people trust that reporting leads to action, not extra hassle.
7. Validate Your Authentication Records
Now is also the right time to tighten SPF, DKIM, and DMARC. Plan 1’s detectors use these signals, so broken authentication can undermine your protection. If your DMARC is stuck at “p=none” with widespread failures, fixing it should be a parallel project.
8. Monitor and Tweak
After policies go live, watch the Defender reports for 2–3 weeks. Look for spikes in phishing detections, quarantine volumes, and user-reported messages. Adjust impersonation lists and policy thresholds based on real data, not guesswork.
Plan 1 vs. Plan 2: Know Your Gaps
It’s tempting to think E3 now has “full” Defender, but that’s misleading. Plan 2—included in E5 or available as an add-on—adds the capabilities that matter when a threat gets through or when you need to do forensics at scale:
- Threat Explorer (versus Plan 1’s limited real-time detections view)
- Automated Investigation and Response (AIR)
- Attack simulation training
- Threat Trackers and advanced hunting
If your security team is one person or you face persistent targeted attacks, Plan 2 might still be on your roadmap. The rollout simply gives you a much better foundation to evaluate that decision. Run Plan 1 in a known-good configuration for a few months, measure the gaps, and then decide.
Outlook: More Security in E3’s Future
Microsoft has signalled that E3 will continue to absorb features once exclusive to higher tiers, blurring the line between mid-range and premium subscriptions. The August 1 deadline isn’t an end; it’s a new baseline. As more E3 tenants enable these defenses, the overall Microsoft 365 ecosystem becomes less hospitable to phishers—but only if the configurations are done right. The organizations that treat this rollout as a checkbox exercise will still get value; those that invest the effort to tune impersonation, attachment, and link policies will get a shield that pays for itself the first time a well-crafted CEO fraud email hits the quarantine instead of the CFO’s inbox.