Devsoft

Microsoft 365 Defender P1 vs P2: what Carolina businesses actually need in 2026

AI is reshaping the threat landscape faster than most mid-market companies can track. For Carolina businesses choosing between Microsoft Defender for Office 365 Plan 1 and Plan 2, here is what the decision actually comes down to.

By Devsoft Solutions

The phishing email that just landed in your CFO’s inbox was not written by a person. It was generated by an AI model trained on hundreds of real financial communications, personalized to your company’s vendor relationships, and sent at the exact time your CFO typically reviews invoices. It passed your existing email filter because there is no malicious attachment and no known-bad URL. The only thing that flagged it was behavioral analysis: the sending pattern did not match the vendor’s established cadence.

That scenario is not a future concern for Carolina businesses. It is what is happening right now, and it is the reason the Microsoft Defender plan decision that seemed like an IT technicality two years ago has become a strategic business question.

For most mid-market companies in North and South Carolina, the practical question is not whether to use Microsoft Defender for Office 365. It is which plan matches your actual risk profile: Plan 1 or Plan 2.

What Microsoft Defender for Office 365 actually is

Before comparing plans, it is worth clarifying what this product covers, because Microsoft’s naming conventions are confusing.

Microsoft Defender for Office 365 (formerly Advanced Threat Protection, or ATP) protects email and collaboration tools: Outlook, Teams messages, SharePoint links, and OneDrive attachments. It is not the same product as Microsoft Defender for Endpoint, which protects the devices themselves.

Both products exist, and a complete security posture eventually involves both. This article is specifically about the email and collaboration protection layer, which is where the majority of AI-powered attacks currently enter the organization.

What Plan 1 includes

Microsoft Defender for Office 365 Plan 1 covers the preventive layer: stopping threats before they reach users.

Safe Links rewrites URLs in emails and Office documents at the time of delivery. When a user clicks a link, Safe Links checks it again in real time against Microsoft’s threat intelligence. If the destination has been weaponized since the email was delivered, which happens frequently in multi-stage phishing campaigns, the link is blocked at click time rather than delivery time.

Safe Attachments opens email attachments in an isolated sandbox environment before delivering them to the recipient. The detonation process checks whether the attachment exhibits malicious behavior when opened. The delay for clean attachments is typically seconds, though it can run longer for complex documents.

Anti-phishing policies with spoof intelligence analyze sender behavior, domain alignment, and impersonation signals. These policies detect when an email is pretending to come from your CEO, your bank, or a known vendor using a look-alike domain or display name spoofing.

Real-time detection reports provide visibility into the threats being blocked: what kind of attack, which users were targeted, which messages were detonated, and what the threat indicators were.

Plan 1 is included in Microsoft 365 Business Premium. For organizations on M365 E1 or E3, Plan 1 is available as a standalone add-on.

What Plan 2 adds

Plan 2 includes everything in Plan 1 and adds the investigation and response layer: tools for understanding what happened after a threat gets through, automating the cleanup, and proactively hunting for threats that have not yet been detected.

Threat Explorer provides an interactive view of all email traffic, allowing security teams to search across message metadata, delivery actions, and detection signals. When an incident occurs, Explorer lets you trace the blast radius: who received the same malicious campaign, what variants exist, and which users may have interacted with the content before it was quarantined.

Automated Investigation and Response (AIR) is the feature that has become materially more important as AI-powered attacks scale. When a user reports a phishing email or an alert fires, AIR automatically investigates related alerts, identifies scope, and takes remediation actions, all without requiring a human analyst to drive each step. In an environment where a single AI-generated phishing campaign can hit 400 mailboxes in the same organization within minutes, manual triage does not keep pace. AIR does.

Attack Simulator lets you run controlled phishing simulations against your own users to measure susceptibility and deliver targeted security awareness training. The built-in templates include AI-generated phishing scenarios that reflect current attack patterns.

Advanced Hunting allows custom queries against the raw security telemetry using Kusto Query Language (KQL). This is primarily relevant for organizations with a dedicated security analyst or a managed security operations center (SOC).
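An added example of the kind of KQL query the Advanced Hunting and Threat Explorer paragraphs describe: tracing the blast radius of one campaign (who received it, who had it purged, who clicked). This is illustrative code written for this article, not Microsoft's or Devsoft's; it assumes the public Advanced Hunting schema (the EmailEvents, EmailPostDeliveryEvents and UrlClickEvents tables), and the sender domain and look-back window are constructed placeholders.

```kql
// Constructed placeholders: replace with the campaign's actual sender domain and window.
let suspicious_domain = "vendor-lookalike.example";
let lookback = 7d;
// 1. Every message the look-alike domain sent into the tenant, with its delivery verdict.
let campaign =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where SenderFromDomain =~ suspicious_domain
    | project Timestamp, NetworkMessageId, RecipientEmailAddress, Subject,
              DeliveryAction, DeliveryLocation, ThreatTypes;
// 2. Post-delivery cleanup (zero-hour auto purge) already applied to those messages.
let zapped =
    EmailPostDeliveryEvents
    | where Timestamp > ago(lookback)
    | where ActionType has "ZAP"
    | project NetworkMessageId, RecipientEmailAddress, ZapResult = ActionResult;
// 3. Users who clicked a Safe Links-wrapped URL from one of those messages.
let clicks =
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, ClickedUpn = AccountUpn, Url,
              ClickVerdict = ActionType, IsClickedThrough;
// One row per recipient: how many campaign messages reached them, were blocked,
// were purged after delivery, and whether they interacted before cleanup.
campaign
| join kind=leftouter zapped on NetworkMessageId, RecipientEmailAddress
| join kind=leftouter clicks on NetworkMessageId
| summarize
    Messages       = dcount(NetworkMessageId),
    Delivered      = dcountif(NetworkMessageId, DeliveryAction == "Delivered"),
    Blocked        = dcountif(NetworkMessageId, DeliveryAction == "Blocked"),
    Purged         = dcountif(NetworkMessageId, isnotempty(ZapResult)),
    Clicked        = dcountif(NetworkMessageId, isnotempty(ClickedUpn)),
    ClickedThrough = dcountif(NetworkMessageId, IsClickedThrough == true),
    Subjects       = make_set(Subject, 5),
    LastSeen       = max(Timestamp)
  by RecipientEmailAddress
| order by ClickedThrough desc, Clicked desc, Delivered desc
```

Recipients at the top of the result (clicked through, message still delivered, no purge) are the ones an analyst or AIR playbook would prioritize for password reset and mailbox review.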

Threat investigation and response capabilities enable analysts to create custom indicators, track campaigns over time, and feed threat intelligence back into the detection layer.

Plan 2 is included in Microsoft 365 E5. For organizations on E3, Plan 2 is available as an add-on at a per-user monthly cost.

Why AI is forcing this decision

Two years ago, a mid-market company in Greenville or Charlotte could reasonably rely on Plan 1 prevention plus user training and catch most attacks before they caused damage. The threat model was relatively stable: known malware variants, bulk phishing templates, obvious sender spoofs.

That model has shifted. The attacks targeting Carolina businesses in 2026 are different in three ways.

Volume and personalization at scale. Generative AI lets attackers personalize phishing campaigns without the labor cost that used to be the limiting factor. Every executive in a target company can receive a uniquely crafted message referencing their actual role, recent public statements, or vendor relationships visible on LinkedIn. The volume of these campaigns has increased by roughly an order of magnitude in two years. Plan 1’s prevention layer catches a high percentage, but the scale of what it needs to catch has grown.

Multi-stage and delayed-payload attacks. AI-assisted attack campaigns increasingly use clean delivery followed by weaponization. The initial email contains a legitimate-looking link to a cloud storage service. The malicious redirect is only inserted after the message has passed filters. Safe Links’ time-of-click protection in Plan 1 handles many of these cases, but the investigation capabilities in Plan 2 are necessary to understand the full scope of a campaign that has already partially landed.

Business email compromise at the executive layer. Deepfake audio and AI-generated video are now used in executive impersonation fraud. A CFO receives a voicemail that sounds like the CEO. A finance coordinator joins a Teams call where a convincing video of a vendor relationship manager requests an urgent wire transfer. These attacks do not come through email filtering at all. They come through the collaboration layer. Plan 2’s broader investigation capabilities provide better coverage across the Microsoft 365 surface area when these incidents occur.

The Carolina business context

The right Defender plan depends significantly on industry, size, and the specific threat profile of your organization. Here is how the calculation typically breaks down for the major sectors in North and South Carolina.

Healthcare. ECU Health, Novant Health, Atrium Health, WakeMed, and the regional health systems depend on M365 for clinical administration, billing, and inter-provider communication. Healthcare is the most targeted industry for ransomware in the Carolinas, and the regulatory overlay of HIPAA adds a breach notification requirement on top of the operational damage. Organizations in this sector generally need P2 capabilities: the automated investigation and response to contain incidents quickly, and the post-incident documentation required for HIPAA breach analysis.

Manufacturing. The manufacturing corridor from Greenville and Spartanburg through Charlotte and out to the Research Triangle includes a significant number of companies that are both M365 users and vendors to larger primes with their own security requirements. Many of these relationships now include security attestation requirements from the customer side. A Tier 2 supplier to a major automotive or aerospace manufacturer may need to demonstrate specific security capabilities to maintain vendor qualification. P2’s investigation and hunting capabilities are often part of what those attestations require.

Financial services. Charlotte’s financial services ecosystem is the obvious example, but eastern NC has a dense community of credit unions, community banks, insurance agencies, and wealth management firms. Financial services organizations face both the highest volume of targeted phishing and the most direct regulatory scrutiny of their security programs. Most firms in this sector operating M365 should be on P2 or have an equivalent detection and response capability through a managed SOC partner.

Professional services and government adjacent. Law firms, accounting firms, and government contractors in the Carolinas handle sensitive client data and often have contractual or regulatory requirements that push toward the more comprehensive coverage of P2. Defense contractors pursuing or maintaining CMMC certification have specific requirements that align with P2 capabilities.

SMBs on Business Premium. For a 20- to 80-person company in Greenville or the Triad that is not in healthcare, finance, or defense, M365 Business Premium with P1 included is often the right answer. The preventive controls are meaningful, the cost structure is appropriate, and the incremental investment in P2 only makes sense if there is a person or service that will actually use the investigation and hunting capabilities.

The licensing math

Plan 1 is included in M365 Business Premium at no additional per-user cost. If you are on Business Premium, you already have it.

For E3 users, adding Plan 1 is approximately $2 per user per month. Adding Plan 2 is approximately $5 per user per month. These are the rough figures for add-on pricing; actual prices vary by agreement type and volume.

The step from E3 to E5 includes Plan 2 alongside a broader security and compliance bundle: Microsoft Defender for Endpoint P2, Microsoft Purview compliance tools, and Entra ID P2 among others. For organizations that need the full security stack, the per-user economics of E5 often compare favorably to assembling the same capabilities through individual add-ons.

Common mistakes Carolina businesses make

Licensing P2 without the people to use it. Threat Explorer and Advanced Hunting require someone who knows how to interpret what they see. Paying for P2 and using it only as a license check-box does not improve your security posture. If your internal IT team does not have threat hunting skills, a co-managed security arrangement with a partner who actively uses the capabilities delivers better protection than a license that goes unused internally.

Assuming Business Premium’s P1 is sufficient for all industries. Business Premium is an excellent product for the right organization. It is not universally sufficient. Healthcare and financial services organizations frequently need the investigation capabilities in P2 regardless of their license tier.

Conflating Defender for Office 365 with Defender for Endpoint. Email and collaboration protection and endpoint protection are separate products with different license paths. Buying one does not buy the other. A comprehensive security posture requires both, and many organizations discover gaps between them after an incident.

Skipping the Attack Simulator in P2. Organizations that license P2 and do not run regular phishing simulations are leaving one of the clearest risk-reduction tools unused. Simulated phishing plus targeted training is the most reliable way to reduce the click rate on real attacks over time. P2 includes the simulation capability: use it.

Treating Defender configuration as a one-time task. Microsoft updates threat definitions, policy options, and AI detection models continuously. A configuration set up in 2023 has likely not kept pace with current threat patterns. An annual review of your Defender policies against current best-practice baselines is the minimum; quarterly for regulated industries.

Making the decision

For most Carolina mid-market companies, the decision breaks down to a few questions.

First, which license do you already have? Business Premium gives you P1. If you are on E3, the incremental cost of P2 is worth evaluating.

Second, does someone in your organization have the time and skills to use the investigation and hunting tools in P2? If the answer is no, a co-managed security model where a partner handles that layer may be a better path than a standalone P2 license that goes unused.

Third, are you in healthcare, financial services, manufacturing with compliance requirements, or defense-adjacent work? If yes, Plan 2 capabilities are likely a requirement rather than a preference.

Fourth, what does your cyber insurance policy require? Many insurers now specify Defender Plan 2 capabilities or their equivalents as a condition of coverage or a factor in premium calculations. Check your policy before assuming P1 is sufficient.

The AI transformation in the threat landscape is not a future event to plan for. It is the current condition. For Carolina businesses running Microsoft 365, the Defender plan decision is one of the highest-return security investments available because it operates at the highest-volume attack entry point: email and collaboration.

Devsoft Solutions helps businesses across North and South Carolina assess and configure Microsoft 365 security, including Defender deployment and managed detection. If you want to understand which Defender plan is right for your organization, get in touch.