MailGuard · comparison

Microsoft Defender and Conbool — side by side.

Microsoft Defender for Office 365 is deeply integrated with Microsoft 365. Conbool MailGuard is a standalone gateway you can deploy as a complement or replacement. This page compares publicly verifiable points — as of May 2026.

In three sentences

What matters.

Microsoft Defender for Office 365 is tightly coupled to Exchange Online and Microsoft 365 and part of the Microsoft license. Conbool MailGuard is a standalone Secure Email Gateway that can sit in front of (or replace) Microsoft Defender. The common question is 'replace or complement?' — the answer depends on defense-in-depth requirements and compliance.

The five most common questions, side by side.

Every statement about Microsoft Defender links to a public source. Every Conbool claim is verifiable in a demo.

Where is my data processed?

Conbool MailGuard

Exclusively in EU data centres on ISO 27001-certified infrastructure. Contract party and data processor is Conbool GmbH in Germany. The concrete data location is named in the DPA.

Microsoft Defender for Office 365

Microsoft Defender processes mail metadata and attachments in the Microsoft 365 cloud region active for your tenant. Which region is active you can read in the Microsoft 365 Admin Center under 'Data residency'.

Source: Microsoft Learn / Microsoft 365 Trust Center, sections on data residency and geographic locations.

Why it matters: With location requirements (NIS-2, KRITIS, BSI C5) the data location is a contractual matter — with Defender it ties to the Microsoft contract, with Conbool to your DPA.

Do I need Conbool on top of Defender?

Conbool MailGuard

Defense in depth: Conbool inspects mail before Defender does and catches what Defender is structurally blind to (e.g. attachments in atypical archives, novel phishing patterns without Microsoft telemetry). The second layer catches 5–15 % of threats that Defender lets through.

Microsoft Defender for Office 365

Defender covers the baseline for Exchange Online: anti-spam, anti-phishing, Safe Links and Safe Attachments. Microsoft positions Defender as an integrated protection layer for M365 workloads.

Source: Microsoft Learn — Microsoft Defender for Office 365 service description.

Why it matters: Relying on Defender alone is a single-vendor approach — defense in depth means adding a second gateway. Auditors in regulated industries often require two independent layers.

Which extra detectors does Conbool add?

Conbool MailGuard

DACH-specific DLP detectors: German IBAN with checksum, VAT IDs (DE, AT, CH-UID), AHV number, German tax ID, social security number. CEO fraud behavioural analysis and QR code phishing filter included by default.

Microsoft Defender for Office 365

Microsoft Defender offers extensive DLP detectors via Microsoft Purview Information Protection. Which detectors are in which license tier is governed by the current Purview documentation.

Source: Microsoft Learn — Microsoft Purview Data Loss Prevention.

Why it matters: If you need German identifiers in the standard tier, Conbool helps. If you already license Purview, many standard detectors are there.

How is licensing structured?

Conbool MailGuard

Modular per feature, monthly or yearly cancellable. You only pay for the modules you use — no bundling with M365 suite licenses.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 is licensed via Microsoft 365 (e.g. included with E5 or as an add-on to E3). What is included in which tier is governed by the Microsoft 365 license table.

Source: Microsoft 365 Licensing Guide / service descriptions.

Why it matters: If you already have E5, Defender is included. If not, the Defender add-on may be more expensive than a modular gateway.

How do Defender and Conbool play together?

Conbool MailGuard

Conbool sits as the inbound MX in front of Microsoft 365. Mail is inspected by Conbool first, then delivered to Exchange Online. Defender inspects a second time — the layers complement each other, double-quarantine is prevented via header markers.

Microsoft Defender for Office 365

Defender inspects mail directly in the Exchange Online mail flow. With an upstream gateway, Microsoft recommends enabling Enhanced Filtering for Connectors so Defender sees the original headers.

Source: Microsoft Learn — Enhanced Filtering for Connectors in Defender for Office 365.

Why it matters: A clean defense-in-depth setup of Conbool + Defender yields higher detection rates than either alone — provided both layers see the original headers.

Migration checklist

Put Conbool in front of Microsoft Defender — five steps.

With Microsoft Defender it's usually not about replacement but defense in depth: Conbool sits in front of Defender. This checklist covers the typical pre-filter setup.

  1. Check the Defender license tier and current configuration

    Note which Defender tier is active (Plan 1 vs. Plan 2 or E5), which add-ons you have and which policies (Safe Attachments, Safe Links) are configured. This baseline stays in place — Conbool sits in front.

  2. Switch MX records to Conbool

    The inbound MX points to Conbool. Conbool inspects the mail and forwards it via an inbound connector to Microsoft 365. Defender then acts as the second layer without losing Microsoft telemetry.

  3. Enable Enhanced Filtering for Connectors in Defender

    So that Defender can correctly evaluate the original sender IP and headers, enable 'Enhanced Filtering for Connectors' in the Microsoft 365 Defender settings and register the Conbool connector as a known hop. Otherwise Defender evaluates SPF against the gateway's IP instead of the original sender's and reports false SPF failures.

  4. Disentangle DLP double-runs

    If you have Microsoft Purview DLP rules active, check overlaps with the Conbool DLP rules. Recommendation: Conbool blocks before send (outbound DLP), Purview catches in-tenant moves. This avoids double quarantine.

  5. Consolidate reporting

    The Conbool audit log and the Defender Threat Explorer run in parallel. We recommend consolidating both into a SIEM (e.g. Microsoft Sentinel or Splunk) so you have one view across all events.

These steps cover the pre-filter setup. Replacing Defender entirely requires migrating the Defender policies and disabling Safe Attachments / Safe Links.
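Why step 3 matters, shown as an added example (not Conbool or Microsoft code): once a gateway is the inbound MX, the connecting IP the second layer sees is the gateway's, so SPF must be evaluated against the first hop outside the known gateway range. The message, the RFC 5737 documentation addresses, the gateway range and the ip4/ip6-only SPF check are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message: the gateway relays mail from the real sender.
RAW = """\
Received: from gateway.example.net (gateway.example.net [198.51.100.10])
\tby mx.recipient.example with ESMTPS; Mon, 4 May 2026 09:00:02 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.25])
\tby gateway.example.net with ESMTPS; Mon, 4 May 2026 09:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

body
"""
SENDER_SPF = "v=spf1 ip4:203.0.113.0/24 -all"   # constructed record
GATEWAY_RANGE = ["198.51.100.0/28"]             # hypothetical known hop

IP_IN_BRACKETS = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

def received_ips(raw):
    """IPs from the Received chain, newest hop first."""
    msg = message_from_string(raw)
    found = []
    for value in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(value)
        if match:
            found.append(ipaddress.ip_address(match.group(1)))
    return found

def effective_sender_ip(raw, trusted_hops=()):
    """First hop outside the trusted ranges. That header was written by a
    trusted hop; everything below it is sender-controlled and is ignored."""
    nets = [ipaddress.ip_network(n) for n in trusted_hops]
    for ip in received_ips(raw):
        if not any(ip in net for net in nets):
            return ip
    return None

def spf_verdict(raw, spf_record, trusted_hops=()):
    """Simplified SPF: only ip4:/ip6: mechanisms, no DNS lookups."""
    ip = effective_sender_ip(raw, trusted_hops)
    for term in spf_record.split():
        if term.startswith(("ip4:", "ip6:")):
            if ip is not None and ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
    return "fail"
```

Keep the trusted range as narrow as the gateway's actual egress addresses: every address in it is skipped without question when choosing the IP to authenticate.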

Decision aid

When Conbool, when (only) Defender.

Conbool alongside Defender fits when …

  • You need two independent protection layers for audit requirements.
  • DACH DLP detectors without a Purview license matter to you.
  • You need to document EU hosting and a German contract party explicitly.
  • You want BEC and CEO fraud protection with behavioural analysis additionally.

Microsoft Defender alone fits when …

  • You have a pure Microsoft 365 environment with E5 and defense in depth is not mandatory.
  • Existing Defender configuration and Microsoft Sentinel integrations are already in place.
  • You don't want an external contract party for data processing.
  • You want all mail security functions covered by the Microsoft license.


Test Conbool MailGuard in front of Microsoft Defender.

30-minute demo. Defense in depth without Defender conflicts.

Sources and fairness note

Statements about Microsoft Defender rely exclusively on publicly accessible sources: Microsoft Learn, Microsoft 365 service descriptions, Microsoft Trust Center and the Defender for Office 365 product page. Non-publicly substantiated claims are avoided.

As of May 2026. For your final decision we recommend you ask both vendors directly about the points relevant to you and get statements confirmed in writing.

Microsoft, Microsoft 365 and Microsoft Defender are trademarks of Microsoft Corporation. Conbool is a trademark of Conbool GmbH. This page is an editorial comparison — not official Microsoft material.