diff --git a/src/assets/images/learning-paths/secure-o365-email/api-and-journaling-deployment.png b/src/assets/images/learning-paths/secure-o365-email/api-and-journaling-deployment.png new file mode 100644 index 000000000000000..dc84e52c4c41074 Binary files /dev/null and b/src/assets/images/learning-paths/secure-o365-email/api-and-journaling-deployment.png differ diff --git a/src/assets/images/learning-paths/secure-o365-email/ms365-api-deployment.png b/src/assets/images/learning-paths/secure-o365-email/ms365-api-deployment.png new file mode 100644 index 000000000000000..80cd61fe2684907 Binary files /dev/null and b/src/assets/images/learning-paths/secure-o365-email/ms365-api-deployment.png differ diff --git a/src/content/docs/cloudflare-one/implementation-guides/secure-o365-email.mdx b/src/content/docs/cloudflare-one/implementation-guides/secure-o365-email.mdx new file mode 100644 index 000000000000000..a134ff3972ccce6 --- /dev/null +++ b/src/content/docs/cloudflare-one/implementation-guides/secure-o365-email.mdx @@ -0,0 +1,7 @@ +--- +pcx_content_type: navigation +title: Secure Microsoft 365 email with Email Security +external_link: /learning-paths/secure-o365-email/ +sidebar: + order: 4 +--- \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/concepts/index.mdx b/src/content/docs/learning-paths/secure-o365-email/concepts/index.mdx new file mode 100644 index 000000000000000..d1ec10e77fa59f1 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/concepts/index.mdx @@ -0,0 +1,16 @@ +--- +title: Concepts +pcx_content_type: overview +sidebar: + order: 1 +--- + +Review the concepts behind Cloudflare's Email Security. + +## Objectives + +By the end of this module, you will be able to: + +* Explain how Cloudflare works. +* Describe what Email Security is. +* Understand how Cloudflare prevents email-based phishing attacks. \ No newline at end of file 
diff --git a/src/content/docs/learning-paths/secure-o365-email/concepts/prevent-phishing-attack.mdx b/src/content/docs/learning-paths/secure-o365-email/concepts/prevent-phishing-attack.mdx new file mode 100644 index 000000000000000..48eb96a90ad080a --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/concepts/prevent-phishing-attack.mdx @@ -0,0 +1,20 @@ +--- +title: How Cloudflare prevents email-based phishing attacks +pcx_content_type: overview +sidebar: + order: 5 +--- + +Cloudflare Email Security uses a variety of factors to determine whether a given email message attachment, URL, or specific network traffic is part of a phishing campaign. + +These small pattern assessments are dynamic in nature. Cloudflare's automated systems use a combination of factors to clearly distinguish between a valid phishing campaign and benign traffic. + +Cloudflare's vast global network detects emergent campaign infrastructure and aggregates data for Cloudflare's proprietary analytics engine SPARSE. + +SPARSE uses AI and ML models to make effective detections for all types of malicious emails, including Business Email Compromise (BEC). + +In a BEC attack, the attacker falsifies an email message to trick the victim into performing some action - most often transferring money to an account or location the attacker controls. + +To detect these low volume, malicious emails that do not contain malware, malicious links or email attachments, Cloudflare analyzes the email thread, content, sentiment and context via message lexical analysis, subject analysis and sender analysis. Display names are also compared with known executive names for similarity using several matching models. + +Refer to [How we detect phish](/email-security/reference/how-we-detect-phish/#sample-attack-types-and-detections) to learn more about additional attack types and detections. \ No newline at end of file 
diff --git a/src/content/docs/learning-paths/secure-o365-email/concepts/protect-from-phishing-attacks.mdx b/src/content/docs/learning-paths/secure-o365-email/concepts/protect-from-phishing-attacks.mdx new file mode 100644 index 000000000000000..60677706f8c1f65 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/concepts/protect-from-phishing-attacks.mdx 
@@ -0,0 +1,16 @@ +--- +title: Protect your organization from phishing attacks +pcx_content_type: overview +sidebar: + order: 6 +--- + +In the early 2000s, Secure Email Gateways (SEGs) were introduced to deal with a growing need around the routing and filtering of email. While SEGs were successful at their mission for many years, their fundamental design has made it impossible for them to keep pace as phishing threats rapidly grow in scope and sophistication. + +Continuously updating manual rulesets and policies that were originally built for on-prem servers only inflates the amount of time and effort involved in maintaining a SEG. This has resulted in an increase in cost and complexity while still falling short of catching the most dangerous threats, such as business email compromise (BEC) attacks. + +As organizations continue to adopt Microsoft 365 to enhance communication and collaboration for their hybrid workforce, it is crucial to take advantage of Microsoft's native security features while integrating complementary, machine learning-based solutions to automatically block and isolate the most dangerous threats. This strategy not only significantly reduces phishing risk, but also simplifies workflows, minimizing the time and effort needed for ongoing security management. + +Analysts agree that consolidating capabilities to minimize overlapping functionality is helping organizations reduce cost and complexity. However, they also advise organizations to carefully assess native features to ensure they satisfy all use cases. As Microsoft continues to build out its essential email security features, the growing overlap with SEGs has given organizations an opportunity to streamline security operations by leveraging capabilities already included in their E3 or E5 license. 
+ +This shift enables organizations to eliminate complex and costly SEG deployments, redirecting a fraction of that budget to integrate lightweight solutions that effectively address the most dangerous phishing threats. Cloudflare Email Security provides an integrated, low-touch solution that augments Microsoft 365 using machine learning threat analysis to automate the detection of BEC and multi-channel attacks. \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/concepts/what-is-cloudflare.mdx b/src/content/docs/learning-paths/secure-o365-email/concepts/what-is-cloudflare.mdx new file mode 100644 index 000000000000000..47dc124925e08a0 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/concepts/what-is-cloudflare.mdx @@ -0,0 +1,10 @@ +--- +title: What is Cloudflare? +pcx_content_type: overview +sidebar: + order: 2 +--- + +import { Render } from "~/components" + + \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/concepts/what-is-email-security.mdx b/src/content/docs/learning-paths/secure-o365-email/concepts/what-is-email-security.mdx new file mode 100644 index 000000000000000..89e52c4905e0b21 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/concepts/what-is-email-security.mdx 
@@ -0,0 +1,10 @@ +--- +title: What is Email Security? +pcx_content_type: overview +sidebar: + order: 4 +--- + +Despite email's importance as a communication method, security and privacy were not built into the [The Simple Mail Transfer Protocol (SMTP) protocol](https://www.cloudflare.com/learning/email-security/what-is-smtp/). As a result, email is a major attack vector. + +Email security is the process of preventing [email-based](https://www.cloudflare.com/learning/email-security/what-is-email/) cyber attacks and unwanted communications. It spans protecting inboxes from takeover, protecting domains from [spoofing](https://www.cloudflare.com/learning/ssl/what-is-domain-spoofing/), stopping [phishing attacks](https://www.cloudflare.com/learning/access-management/phishing-attack/), preventing fraud, blocking [malware](https://www.cloudflare.com/learning/ddos/glossary/malware/) delivery, and filtering [spam](https://www.cloudflare.com/learning/email-security/how-to-stop-spam-emails/). \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/concepts/what-is-phishing-attack.mdx b/src/content/docs/learning-paths/secure-o365-email/concepts/what-is-phishing-attack.mdx new file mode 100644 index 000000000000000..d11afccaa835fb0 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/concepts/what-is-phishing-attack.mdx 
@@ -0,0 +1,12 @@ +--- +title: What is a phishing attack? +pcx_content_type: overview +sidebar: + order: 3 +--- + +[Phishing](https://www.cloudflare.com/en-gb/learning/access-management/phishing-attack/) is an attempt to steal sensitive data, typically in the form of usernames, passwords, or other important account information. The phisher either uses the stolen information themselves (for instance, to take over the user's accounts with their password), or sells the stolen information. + +Phishing attackers disguise themselves as a reputable source. With an enticing or seemingly urgent request, an attacker lures the victim into providing information, just as a person uses bait while fishing. + +Phishing often takes place over email. Phishers either try to trick people into emailing information directly, or link to a webpage they control that is designed to look legitimate (for instance, a fake login page where the victim enters their password). \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/configure-email-security/active-directory-sync.mdx b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/active-directory-sync.mdx new file mode 100644 index 000000000000000..b36746c40f5fdd6 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/active-directory-sync.mdx 
@@ -0,0 +1,38 @@ +--- +title: Manage your active directory +pcx_content_type: how-to +sidebar: + order: 2 +--- + +Directories are folders to store user data. Email Security allows you to manage directories from the Cloudflare dashboard. + +To manage a Microsoft directory: + +1. Log in to [Zero Trust ](https://one.dash.cloudflare.com/). +2. Select **Email security**. +3. Select **Directories**. +4. Under **Directory name**, select **MS directory**. +5. From here, you can manage **Groups** or **Users** directories. + +Email Security allows you to view and manage your groups directory and their [impersonation registry](/cloudflare-one/email-security/detection-settings/impersonation-registry/). +When a group is added to the registry, all members are registered by default. + +To manage your group directory, on the **MS directory** page, select **Groups**. + +To add a single group to the registry: + +1. Select the group name you want to add. +2. Select the three dots > **Add to registry**. + +To add multiple groups to the registry at once: + +1. Select the group names you want to add to the registry. +2. Select the **Action** dropdown list. +3. Select **Add to registry**. + +In addition, Email Security allows you to: + +- [Remove groups from the registry](/cloudflare-one/email-security/directories/manage-ms-directories/manage-groups-directory/#remove-groups-from-registry). +- [Filter the impersonation registry](/cloudflare-one/email-security/directories/manage-ms-directories/manage-groups-directory/#filter-impersonation-registry). +- [Manage users in your directory](/cloudflare-one/email-security/directories/manage-ms-directories/manage-users-directory/). \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/configure-email-security/audit-logs.mdx b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/audit-logs.mdx new file mode 100644 index 000000000000000..30b8ad44c32e6bc --- /dev/null 
+++ b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/audit-logs.mdx @@ -0,0 +1,21 @@ +--- +title: Enable audit logs +pcx_content_type: how-to +sidebar: + order: 6 +--- + +With Email Security, you can enable logs to review actions performed on your account. + +To enable audit logs: + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/). +2. Select **Analytics & Logs** > **Logpush**. +3. Select **Audit logs**. +4. Under **Configure logpush job**: + - **Job name**: Enter the job name. + - **If logs match**: Select Filtered logs: + - **Field**: Choose `ResourceType`. + - **Operator**: Choose `starts with`. + - **Value**: Enter `email_security`. +5. Select **Submit**. \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/configure-email-security/create-allow-policies.mdx b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/create-allow-policies.mdx new file mode 100644 index 000000000000000..59f5889ac44918b --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/create-allow-policies.mdx 
@@ -0,0 +1,39 @@ +--- +title: Create allow policies +pcx_content_type: how-to +sidebar: + order: 3 +--- + +Email Security allows you to configure allow policies. An allow policy exempts messages that match certain patterns from normal detection scanning. + +You can choose how Email Security will handle messages that match your criteria: + +- **Trusted Sender**: Messages will bypass all [detections](/cloudflare-one/email-security/reference/dispositions-and-attributes/) and link following. Typically, it only applies to phishing simulations from vendors such as KnowBe4. Many emails contain links in them. Some of these could be links to surveys, phishing simulations and other trackable links. By marking a message as a Trusted Sender, Email Security will not scan any attachments from the sender and will not attempt to open the links in the emails. +- **Exempt Recipient**: Messages will be exempt from all Email Security [detections](/cloudflare-one/email-security/reference/dispositions-and-attributes/) intended for recipients matching this pattern (email address or regular expression only). Typically, this only applies to submission mailboxes for user reporting to security. +- **Accept Sender**: Messages will exempt messages from the `SPAM`, `SPOOF`, and `BULK` [dispositions](/cloudflare-one/email-security/reference/dispositions-and-attributes/) (but not `MALICIOUS` or `SUSPICIOUS`). Commonly used for external domains and sources that send mail on behalf of your organization, such as marketing emails or internal tools. + +## Configure allow policies + +To configure allow policies: + +1. Log in to [Zero Trust](https://one.dash.cloudflare.com/). +2. Select **Email Security**. +3. Select **Settings**, then go to **Detection settings** > **Allow policies**. +4. On the **Detection settings** page, select **Add a policy**. +5. 
On the **Add an allow policy** page, enter the policy information: + - **Input method**: Choose between **Manual input**, and **Uploading an allow policy**: + - **Manual input**: + - **Action**: Select one of the following to choose how Email Security will handle messages that match your criteria: + - **Trust sender**: Messages will bypass all detections and link following. + - **Exempt recipient**: Message to this recipient will bypass all detections. + - **Accept sender**: Messages from this sender will be exempted from Spam, Spoof, and Bulk dispositions. + - **Rule type**: Specify the scope of your policy. Choose one of the following: + - **Email addresses**: Must be a valid email. + - **IP addresses**: Can only be IPv4. IPv6 and CIDR are invalid entries. + - **Domains**: Must be a valid domain. + - **Regular expressions**: Must be valid Java expressions. Regular expressions are matched with fields related to the sender email address (envelope from, header from, reply-to), the originating IP address, and the server name for the email. + - **(Recommended) Sender verification**: This option enforces DMARC, SPF, or DKIM authentication. If you choose to enable this option, Email Security will only honor policies that pass authentication. + - **Notes**: Provide additional information about your allow policy. + - **Uploading an allow policy**: Upload a file no larger than 150 KB. The file can only contain `Pattern`, `Notes`, `Verify Email`, `Trusted Sender`, `Exempt Recipient`, and `Acceptable Sender` fields. The first row must be a header row. +6. Select **Save**. \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/configure-email-security/impersonation-registry.mdx b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/impersonation-registry.mdx new file mode 100644 index 000000000000000..faea9903af79c00 --- /dev/null 
+++ b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/impersonation-registry.mdx 
@@ -0,0 +1,30 @@ +--- +title: Add user to the impersonation registry +pcx_content_type: how-to +sidebar: + order: 3 +--- + +Attackers often try to impersonate executives within an organization when sending malicious emails (with requests about banking information, trade secrets, and more), which is known as a [Business Email Compromise (BEC)](https://www.cloudflare.com/en-gb/learning/email-security/business-email-compromise-bec/) attack. + +The impersonation registry protects against these attacks by looking for spoofs of known key users in an organization. Information about key users you either synced with your directory or entered manually in the dashboard is used by Email Security to run enhanced scan techniques and find these spoofed emails. + +To add a user to the impersonation registry: + +1. Log in to [Zero Trust](https://one.dash.cloudflare.com/). +2. Select **Email Security**. +3. Select **Settings** > **Impersonation registry**. +4. Select **Add a user**. +5. Select **Input method**: Choose between **Manual input**, **Upload manual list**, and **Select from existing directories**: + - **Manual input**: Enter the following information: + - **User info**: enter a valid **Display name**. + - **User email**: Enter one of the following: + - **Email address**: Enter all known email addresses, separated by a comma. + - **Regular expressions**: Must be valid Java expressions. + - **Upload manual list**: You can upload a file no larger than 150 KB containing all variables of potential emails. The file must contain `Display_Name` and `Email`, and the first row must be the header row. + - **Select from existing directories**: + - **Select directory**: Select your directory. + - **Add users or groups**: Choose the users or groups you want to register. +6. Select **Save**. + +For more information on how to edit and remove users, refer to [Impersonation Registry](/cloudflare-one/email-security/detection-settings/impersonation-registry/#edit-users). 
\ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/configure-email-security/index.mdx b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/index.mdx new file mode 100644 index 000000000000000..80656a96ff8ea4d --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/index.mdx @@ -0,0 +1,10 @@ +--- +title: Configure Email Security +pcx_content_type: overview +sidebar: + order: 3 +--- + +With Email Security, there is limited manual configuration and tuning. The Active Directory sync, allow policies, and additional detections are important to consider when you set up Email Security. + +In this module, you will configure your email environment. \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/configure-email-security/report-phish.mdx b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/report-phish.mdx new file mode 100644 index 000000000000000..2a5249853d98aea --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/report-phish.mdx 
@@ -0,0 +1,21 @@ +--- +title: Report phish +pcx_content_type: how-to +sidebar: + order: 5 +--- + +Before deploying Email Security to production, you will have to consider reporting any phishing attacks, evaluating which disposition to assign a specific message, and using different screen criteria to search through your inbox. + +PhishNet is an add-in button that helps users to submit phish samples missed by Email Security detection. + +To set up PhishNet O365: + +1. Log in to the Microsoft admin panel. Go to **Microsoft 365 admin center** > **Settings** > **Integrated Apps**. +2. Select **Upload custom apps**. +3. Choose **Provide link to manifest file** and paste the the following URL: + +```txt +https://phishnet-o365.area1cloudflare-webapps.workers.dev?clientId=ODcxNDA0MjMyNDM3NTA4NjQwNDk1Mzc3MDIxNzE0OTcxNTg0Njk5NDEyOTE2NDU5ODQyNjU5NzYzNjYyNDQ3NjEwMzIxODEyMDk1NQ +``` +4. Verify and complete the wizard. \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/configure-email-security/set-additional-detections.mdx b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/set-additional-detections.mdx new file mode 100644 index 000000000000000..50491782c6a44d8 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/configure-email-security/set-additional-detections.mdx 
@@ -0,0 +1,61 @@ +--- +title: Set additional detections +pcx_content_type: how-to +sidebar: + order: 4 +--- + +Email Security allows you to configure the following additional detections: + +- [Domain age](/cloudflare-one/email-security/detection-settings/additional-detections/#configure-domain-age) +- [Blank email detection](/cloudflare-one/email-security/detection-settings/additional-detections/#configure-blank-email-detection) +- [Automated Clearing House (ACH)](/cloudflare-one/email-security/detection-settings/additional-detections/#configure-ach-change-from-free-email-detection) change from free email detection. +- [HTML attachment email detection](/cloudflare-one/email-security/detection-settings/additional-detections/#configure-html-attachment-email-detection) + +To configure additional detections: + +1. Log in to [Zero Trust](https://one.dash.cloudflare.com/). +2. Select **Email Security**. +3. Select **Settings**. +4. On the Settings page, go to **Detection settings** > **Additional detections**, and select **Edit**. + +## Configure domain age + +The domain age is the time since the domain has been registered. + +To configure a domain age: + +1. On the **Edit additional detections** page: + - Select **Malicious domain age**: Controls the threshold for a malicious disposition. Maximum of 100 days. + - Select **Suspicious domain age**: Controls the threshold for a suspicious disposition. Maximum of 100 days. +2. Select **Save**. + +## Configure blank email detection + +Blank email detection detects emails with blank bodies and assigns a default disposition. You can choose between **Malicious** and **Suspicious** as dispositions. + +To enable blank email detection: + +1. On the **Edit additional detections** page, enable **Blank email detection**. +2. Choose between **Malicious** and **Suspicious**. +3. Select **Save**. 
+ +## Configure ACH change from free email detection + +[Automated Clearing House (ACH)](https://en.wikipedia.org/wiki/Automated_clearing_house) is a banking term related to direct deposits. ACH change from free email detection detects payroll inquiries or change requests from free email domains and assigns a default disposition. You can choose between **Malicious** and **Suspicious** as dispositions. + +To enable ACH change from free email detection: + +1. On the **Edit additional detections** page, enable **ACH change from free email detection**. +2. Choose between **Malicious** and **Suspicious**. +3. Select **Save**. + +## Configure HTML Attachment Email Detection + +HTML attachment email detection detects HTM and HTML attachments in emails and assigns a default disposition. + +To enable HTML attachment email detection: + +1. On the **Edit additional detections** page, enable **HTML attachment email detection**. +2. Choose between **Malicious** and **Suspicious**. +3. Select **Save**. \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/enable-auto-moves/configure-auto-moves.mdx b/src/content/docs/learning-paths/secure-o365-email/enable-auto-moves/configure-auto-moves.mdx new file mode 100644 index 000000000000000..19ff3c47a24a030 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/enable-auto-moves/configure-auto-moves.mdx 
@@ -0,0 +1,24 @@ +--- +title: Configure auto-moves +pcx_content_type: how-to +sidebar: + order: 3 +--- + +To configure auto-move events: + +1. Log in to [Zero Trust](https://one.dash.cloudflare.com/). +2. Select **Email security**. +3. Select **Settings**. +4. Select **Moves**. +5. Under **Auto-moves**, select **Configure**. +6. Assign actions based on malicious, spoof, suspicious, spam, and bulk dispositions. Select among: + - **Soft delete - user recoverable**: Moves the message to the user's **Recoverable Items - Deleted** folder. Messages can be recovered by the user. + - **Hard delete - admin recoverable**: Completely deletes messages from a user's inbox. + - **Move to trash**: Moves messages to the trash or deleted items email folder. + - **Move to junk**: Moves the message to the junk or spam folder. + - **No action**: Messages stay in the origin folder. +7. Select **Post-delivery** moves: + - **(Recommended) Post-delivery response**: Enabling this option allows Email Security to rescan delivered emails at multiple time intervals for previously unknown phishing sites or campaigns. + - **(Recommended) Phish submission response**: Enabling this option allows Email Security to move emails that your users reported as phishing and Email Security determined to be malicious. +8. Select **Save**. \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/enable-auto-moves/email-dispositions.mdx b/src/content/docs/learning-paths/secure-o365-email/enable-auto-moves/email-dispositions.mdx new file mode 100644 index 000000000000000..5d74a3d80a88c4e --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/enable-auto-moves/email-dispositions.mdx 
@@ -0,0 +1,12 @@ +--- +title: Email dispositions +pcx_content_type: overview +sidebar: + order: 2 +--- + +import { Render } from "~/components" + +Email Security returns five potential verdicts for every email it scans. Review the detections and consider how you would treat them once an auto-move is enabled. Below is an overview of the disposition and recommendation actions by Cloudflare: + + \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/enable-auto-moves/index.mdx b/src/content/docs/learning-paths/secure-o365-email/enable-auto-moves/index.mdx new file mode 100644 index 000000000000000..ec29a686185823a --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/enable-auto-moves/index.mdx @@ -0,0 +1,18 @@ +--- +title: Enable auto-moves +pcx_content_type: overview +sidebar: + order: 4 +--- + +Now that you have set up your email environment, you can enable auto-move events. + +:::caution +Ensure you have completed the previous modules before enabling auto-moves. +::: + +Auto-move events are events where emails are automatically moved to different inboxes based on the disposition assigned to them by Email Security. + +When you set up auto-moves, you can move messages manually or set up automatic moves to send messages matching certain [dispositions](/learning-paths/secure-o365-email/enable-auto-moves/email-dispositions/) to specific folders within a user's mailbox. + +You can also enable Post Delivery Response and Phish Submission Response to re-evaluate messages previously delivered against new information gathered by Email Security. Scanned emails that were previously delivered and now match this new phishing information will be moved. \ No newline at end of file 
diff --git a/src/content/docs/learning-paths/secure-o365-email/get-started/create-email-security-account.mdx b/src/content/docs/learning-paths/secure-o365-email/get-started/create-email-security-account.mdx new file mode 100644 index 000000000000000..fd0b0e2a34adac7 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/get-started/create-email-security-account.mdx @@ -0,0 +1,19 @@ +--- +title: Create an Email Security account +pcx_content_type: overview +sidebar: + order: 3 +--- + +To create your Email Security account, you will need the alphanumeric string on the URL when logged in to the Cloudflare dashboard. + +If you do not have a Cloudflare account, you can create one for free by referring to the [Cloudflare sign-up page](https://dash.cloudflare.com/sign-up). + +Once you have created your account, your account team will create an Email Security account for you. + +To establish your tenant, you will need the following information: + +- Average monthly inbound message volume +- Number of active email users +- At least one domain +- Admin email address \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/get-started/deployment-models.mdx b/src/content/docs/learning-paths/secure-o365-email/get-started/deployment-models.mdx new file mode 100644 index 000000000000000..b45cea2d378922c --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/get-started/deployment-models.mdx 
@@ -0,0 +1,12 @@ +--- +title: Deployment models +pcx_content_type: overview +sidebar: + order: 4 +--- + +While there are multiple deployment methods, the easiest way to get started with Email Security is via the API deployment method. + +When you choose the [API deployment](/cloudflare-one/email-security/setup/post-delivery-deployment/api/), Email Security can both scan and take actions on emails after they have reached a user's inbox. + +With a [Journaling setup](/cloudflare-one/email-security/setup/post-delivery-deployment/bcc-journaling/journaling-setup/office365-journaling/) alone without API integration, Email Security can only scan emails after it has reached a user's inbox. \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/get-started/index.mdx b/src/content/docs/learning-paths/secure-o365-email/get-started/index.mdx new file mode 100644 index 000000000000000..366d3d0de6066a5 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/get-started/index.mdx @@ -0,0 +1,14 @@ +--- +title: Get started with Email Security +pcx_content_type: overview +sidebar: + order: 1 +--- + +In this learning path, you will learn how to protect your organization from phishing attacks with Email Security. + +Your users will experience a reduction in spam and phishing emails, and have simple ways to report any suspicious activity. + +Administrators will be able to review detections and phishing trends that target their organization without having to tune Email Security. + +This module will kickstart your email flow. \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/get-started/initial-login.mdx b/src/content/docs/learning-paths/secure-o365-email/get-started/initial-login.mdx new file mode 100644 index 000000000000000..2741332182635e7 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/get-started/initial-login.mdx 
@@ -0,0 +1,10 @@ +--- +title: Initial login +pcx_content_type: overview +sidebar: + order: 3 +--- + +Once your tenant is created by your account team, you will receive an email that grants you access to the Email Security platform. + +Multi-factor authentication is required, so you will need an authenticator tool to set up your second factor prior to gaining access. Scan the QR code, set up your second factor, create a new password, and enter the Email Security portal. \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/get-started/prerequisites.mdx b/src/content/docs/learning-paths/secure-o365-email/get-started/prerequisites.mdx new file mode 100644 index 000000000000000..66f515a72ffd3db --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/get-started/prerequisites.mdx @@ -0,0 +1,8 @@ +--- +title: Prerequisites +pcx_content_type: overview +sidebar: + order: 2 +--- + +To make the most of this learning path, make sure you have access to Microsoft 365. \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/get-started/recommended-deployment-model.mdx b/src/content/docs/learning-paths/secure-o365-email/get-started/recommended-deployment-model.mdx new file mode 100644 index 000000000000000..870987815def623 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/get-started/recommended-deployment-model.mdx 
@@ -0,0 +1,16 @@ +--- +title: Recommended deployment model +pcx_content_type: overview +sidebar: + order: 5 +--- + +An API deployment model with Email Security has multiple benefits for Microsoft 365 Customers. + +The API deployment with Email Security offers: + +- Easy protection for complex email architectures, without requiring any change to mail flow operations. +- Agentless deployment for Microsoft 365. +- Office 365 directory integration to retrieve user and group information and prevent user impersonation. + +![Microsoft 365 API deployment diagram](~/assets/images/learning-paths/secure-o365-email/ms365-api-deployment.png) \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/get-started/setup-ms-graph-api.mdx b/src/content/docs/learning-paths/secure-o365-email/get-started/setup-ms-graph-api.mdx new file mode 100644 index 000000000000000..0568401a29c5895 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/get-started/setup-ms-graph-api.mdx 
@@ -0,0 +1,19 @@ +--- +title: Set up Microsoft Graph API +pcx_content_type: overview +sidebar: + order: 6 +--- + +1. Log in to [Zero Trust](https://one.dash.cloudflare.com/). +2. Select **Email Security**. +3. Select **Monitoring**. +4. Enable **Microsoft Integration**: + 1. **Name integration**: Add your integration name, then select **Continue**. + 2. **Authorize integration**: + - Select **Authorize**. Selecting **Authorize** will take you to the Microsoft Sign in page where you will have to enter your email address. + - Once you enter your email address, select **Next**. + - After selecting **Next**, the system will show a dialog box with a list of requested permissions. Select **Accept** to authorize Email Security. Upon authorization, you will be redirected to a page where you can review details and enroll integration. + 3. **Review details**: Review your integration details, then: + - Select **Complete Email Security set up** where you will be able to connect your domains and configure auto-moves. + - Select **Continue to Email Security**. \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/index.mdx b/src/content/docs/learning-paths/secure-o365-email/index.mdx new file mode 100644 index 000000000000000..a12f0213928aefc --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/index.mdx @@ -0,0 +1,15 @@ +--- +title: Secure Microsoft 365 email with Email Security +type: developers-site +new_learning_path: true +pcx_content_type: learning-path +head: + - tag: title + content: Secure Microsoft 365 email with Email Security. +description: Protect Microsoft 365 email from phishing and malware attacks. + +--- + +import { LearningPath } from "~/components" + + \ No newline at end of file 
diff --git a/src/content/docs/learning-paths/secure-o365-email/monitor-your-inbox/index.mdx b/src/content/docs/learning-paths/secure-o365-email/monitor-your-inbox/index.mdx new file mode 100644 index 000000000000000..a24125458fb285d --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/monitor-your-inbox/index.mdx @@ -0,0 +1,27 @@ +--- +title: Monitor your email activity +pcx_content_type: overview +sidebar: + order: 5 +--- + +To access an overview of your account, the total number of emails processed, a breakdown of types of threads detected, and other useful information: + +1. Log in to [Zero Trust.](https://one.dash.cloudflare.com/) +2. Select **Email Security**. + +Under **Email Security**, select **Monitoring**. + +The dashboard will display the following metrics: + +- Email activity +- [Disposition evaluation](/cloudflare-one/email-security/reference/dispositions-and-attributes/) +- Detection details +- [Impersonations](/cloudflare-one/email-security/detection-settings/impersonation-registry/) +- [Phish submissions](/cloudflare-one/insights/email-monitoring/phish-submissions/) +- [Auto-move events](/cloudflare-one/email-security/auto-moves/) +- [Detection settings metrics](/cloudflare-one/email-security/detection-settings/) + +Email activity aggregates statistics about emails scanned and dispositions assigned (the number of email flagged due to a detection) within a given timeframe. + +To view the live number of email scanned and dispositions scanned, enable **Live mode**. \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/monitor-your-inbox/monitor-detections.mdx b/src/content/docs/learning-paths/secure-o365-email/monitor-your-inbox/monitor-detections.mdx new file mode 100644 index 000000000000000..181c354cf751d0f --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/monitor-your-inbox/monitor-detections.mdx 
@@ -0,0 +1,35 @@ +--- +title: Monitor detections +pcx_content_type: how-to +sidebar: + order: 2 +--- + +Spam and Malicious emails are blocked outright by Email Security, but Suspicious and Spoof dispositions should be monitored. Suspicious messages should be investigated by a security analyst to determine the legitimacy of the message. + +[PhishGuard](/cloudflare-one/email-security/phish-guard/) (Cloudflare's managed email security service) can review these messages for you and move them from the end user inbox if they are deemed malicious. + +Messages that receive a Spoof disposition should be investigated because it signals that the traffic is either non-compliant with your email authentication process [SPF](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-spf-record/), [DKIM](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dkim-record/), [DMARC](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dmarc-record/), or has a mismatching Envelope From and Header From value. + +In most cases, a Spoof disposition is triggered by a legitimate third-party mail service. If you determine that the Spoofed email is a legitimate business use case, you can either: + +- Update your email authentication records. +- Add an acceptable sender [allow policy](/cloudflare-one/email-security/detection-settings/allow-policies/) to exempt messages from the Spam, Spoof, or Bulk disposition, but not Malicious or Suspicious, so the content of the message can still be monitored. + +## Search email messages + +Email Security offers a variety of ways for you to better examine and understand your message traffic: + +You can search for emails that have been processed by Email Security, whether they are marked with a [detection disposition](/email-security/reference/dispositions-and-attributes/) or not. + +There are three ways for searching emails: + +- Popular screen: A popular screen allows you to view messages based on common pre-defined criteria. 
+- Regular screen: A regular screen allows you to investigate your inbox by inserting a term to screen across all criteria. +- Advanced screen: The advanced screen criteria gives you the option to narrow message results based on specific criteria. The advanced screen has several options (such as keywords, subject keywords, sender domain, and more) to scan your inbox. + +Additional information on search can be found on the [Screen criteria](/email-security/reporting/search/) documentation. + +### Export messages + +With Email Security, you can export messages to a CSV file. Via the dashboard, you can export up to 1,000 rows. If you want to export all messages, you can use the [API](https://developers.cloudflare.com/api/operations/email_security_get_message). \ No newline at end of file diff --git a/src/content/docs/learning-paths/secure-o365-email/monitor-your-inbox/phish-submissions.mdx b/src/content/docs/learning-paths/secure-o365-email/monitor-your-inbox/phish-submissions.mdx new file mode 100644 index 000000000000000..071b52ef6c57646 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/monitor-your-inbox/phish-submissions.mdx 
@@ -0,0 +1,17 @@ +--- +title: Phish submissions +pcx_content_type: how-to +sidebar: + order: 3 +--- + +While Email Security offers industry leading detection efficacy due to Cloudflare's Threat Intelligence, Preemptive Threat Hunting (actor and campaign infrastructure hunting with 8B, plus campaign threat signals assessed every day) and ML-Based Detection Models (Trust Graphs Computer Vision, Sentiment/Thread/Structural Analysis, Industry/Natural Language Understanding Modeling) false negatives and false positive can occur. + +There are two different ways to [submit a phish](/cloudflare-one/insights/email-monitoring/phish-submissions/) sample: + +- User submission: + - Submitted directly by the end user, and used with phish submission buttons. To learn more about user-submitted phish, refer to [PhishNet for Microsoft O365](/cloudflare-one/insights/email-monitoring/phish-submissions/#phishnet-o365). + - User submissions can create another challenge for your organization. While it is important for end users to be vigilant and report what they believe may be a phishing email, they are often wrong. About 90% of the time, when an end user reports a missed phishing email, they are mistaken. This puts an extra burden on busy security teams as they sift through end user reports. The PhishGuard team at Cloudflare can solve this problem for your organization by reviewing end user submissions for you. +- Admin submission: + - To be used when IT administrators or security teams submit to Email Security. Submit original phish samples as an attachment in EML format to the appropriate team submission address. + - Within the Email Security dashboard, Phish submissions will allow you to have a full understanding of what reclassification has been made and what the outcomes of those submissions are. \ No newline at end of file 
diff --git a/src/content/docs/learning-paths/secure-o365-email/monitor-your-inbox/phishguard.mdx b/src/content/docs/learning-paths/secure-o365-email/monitor-your-inbox/phishguard.mdx new file mode 100644 index 000000000000000..dc1a24a2441cca3 --- /dev/null +++ b/src/content/docs/learning-paths/secure-o365-email/monitor-your-inbox/phishguard.mdx @@ -0,0 +1,22 @@ +--- +title: PhishGuard +pcx_content_type: how-to +sidebar: + order: 5 +--- + +[PhishGuard](/cloudflare-one/email-security/phish-guard/) serves as an extension of your Security Operations team with dedicated Email Security technical resources providing real-time monitoring of your email environment. The Active Defense Service provides: + +- Customized notification and responses for fraud and insider threats. +- Reclassification of messages if the disposition is incorrect. +- PhishGuard monitors and reviews Suspicious email traffic. +- Quarantine and auto-move of identified threats. +- Tailored threat hunting for your email environment. +- Custom detections. + +As a PhishGuard customer, the following service offerings should be enabled: + +- Escalation contacts must be configured in the Email Security dashboard: This allows for email reports to be delivered regarding high risk items identified and responded to by the team. +- Auto-moves should be enabled and configured for quarantine of identified items: Malicious should be prioritized, but configuring Spam for a move to junk/trash or even soft delete may also be highly useful to the client. + +Refer to the [PhishGuard](/cloudflare-one/email-security/phish-guard/) documentation to learn more about this add-on service. \ No newline at end of file diff --git a/src/content/learning-paths/secure-o365-email.json b/src/content/learning-paths/secure-o365-email.json new file mode 100644 index 000000000000000..9cffc5564cb7b6c --- /dev/null +++ b/src/content/learning-paths/secure-o365-email.json 
@@ -0,0 +1,8 @@ +{ + "title": "Secure Microsoft 365 email with Email Security", + "path": "/learning-paths/secure-o365-email/", + "priority": 2, + "description": "Use Cloudflare's Email Security to protect your Microsoft 365 email inbox from phishing and malware attacks.", + "products": ["Email Security"], + "product_group": "Cloudflare One" +} \ No newline at end of file diff --git a/src/content/partials/learning-paths/zero-trust/email-dispositions.mdx b/src/content/partials/learning-paths/zero-trust/email-dispositions.mdx new file mode 100644 index 000000000000000..d7a5d2a680983d6 --- /dev/null +++ b/src/content/partials/learning-paths/zero-trust/email-dispositions.mdx 
@@ -0,0 +1,12 @@ +--- +{} + +--- + +| Disposition | Description | Recommendation | | +|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------|---| +| MALICIOUS | Traffic invoked multiple phishing verdict triggers, met thresholds for bad behavior, and is associated with active campaigns. | Block | | +| SUSPICIOUS | Traffic associated with phishing campaigns (and is under further analysis by our automated systems). | Research these messages internally to evaluate legitimacy. | | +| SPOOF | Traffic associated with phishing campaigns that is either non-compliant with your email authentication policies ([SPF](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-spf-record/), [DKIM](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dkim-record/), [DMARC](https://www.cloudflare.com/en-gb/learning/dns/dns-records/dns-dmarc-record/)), or have mismatching Envelope From and Header From values. | Block after investigating (can be triggered by third-party mail services). | | +| SPAM | Traffic associated with non-malicious, commercial campaigns. | Route to existing Spam quarantine folder. | | +| BULK | Traffic associated with [Graymail](https://en.wikipedia.org/wiki/Graymail), that falls in between the definitions of SPAM and SUSPICIOUS. For example, a marketing email that intentionally obscures its unsubscribe link. | Monitor or tag | | \ No newline at end of file
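Review bot: In deployment-models.mdx the journaling paragraph says Email Security "can only scan emails after it has reached a user's inbox", which reads as if scanning were the limitation, whereas the contrast the previous paragraph sets up is that journaling has no write path back to the mailbox and therefore cannot act on what it finds. Suggest: "With a Journaling setup alone, Email Security can scan and report on messages after they reach a user's inbox but cannot move or retract them; remediation requires the API integration." That also fixes the agreement error ("emails ... it has reached").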
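Review bot: In get-started/index.mdx the closing line "This module will kickstart your email flow" contradicts recommended-deployment-model.mdx, which sells the API model precisely because it requires no change to mail flow; nothing in this module touches routing. Replace it with what the module actually does, for example "This module walks you through the initial login, the recommended deployment model, and the Microsoft Graph API integration."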
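Review bot: In initial-login.mdx the page sends the reader to "the Email Security portal", while every other page in this path has them log in to the Zero Trust dashboard at one.dash.cloudflare.com; use one name so the reader does not look for a second console. "Authenticator tool" should also be "authenticator app that supports QR-code enrollment (TOTP)", since the very next sentence tells them to scan a QR code.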
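Review bot: prerequisites.mdx lists only "access to Microsoft 365", but the authorization step in setup-ms-graph-api.mdx ("a dialog box with a list of requested permissions. Select Accept") is a tenant-wide consent grant, which an ordinary user login cannot complete. State that the reader needs a Microsoft account permitted to grant admin consent for applications in the tenant, plus a Cloudflare Zero Trust account with Email Security enabled by the account team (initial-login.mdx assumes the latter already happened).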
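Review bot: In setup-ms-graph-api.mdx step 4.2 tells the admin to "Select Accept to authorize" without listing the Graph permissions being requested, so there is nothing to review against least privilege before consenting; enumerate them (or link to the reference page that does) so the consent dialog can be checked rather than clicked through. Step 4.3 is also ambiguous: "then:" followed by two bullets ("Complete Email Security set up" and "Continue to Email Security") does not say whether these are sequential or alternatives; write it as "either ... or" if they are exits from the wizard.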
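Review bot: In learning-paths/secure-o365-email/index.mdx, `LearningPath` is imported but nothing in the hunk renders it, so the page body would be empty; if the JSX element that uses the component was dropped, restore it. The `head` title also ends in a period ("...with Email Security.") while `title` does not; drop the period so the browser tab matches the page heading.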
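Review bot: In monitor-your-inbox/index.mdx "a breakdown of types of threads detected" should read "threats", and the numbered procedure is broken: "Log in to [Zero Trust.](...)" has the period inside the link text, and "Under Email Security, select Monitoring" is the third step but sits outside the list. Later, "the number of email flagged" should be "emails", and "dispositions scanned" in the Live mode sentence should be "dispositions assigned", matching the sentence above it.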
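Review bot: In monitor-detections.mdx the opening claim that "Spam and Malicious emails are blocked outright by Email Security" is not true of the post-delivery API model this path recommends: a disposition alone does nothing to the message until an auto-move is configured, which phishguard.mdx itself says "should be enabled and configured". Qualify it, for example "With auto-moves configured, Spam and Malicious messages are removed from the inbox automatically". The Spoof sentence also needs repair ("non-compliant with your email authentication policies (SPF, DKIM, DMARC), or has mismatching Envelope From and Header From values"), and "three ways for searching" should be "three ways to search". The links `/email-security/reference/dispositions-and-attributes/` and `/email-security/reporting/search/` lack the `/cloudflare-one/` prefix used for the same reference in monitor-your-inbox/index.mdx; pick one path.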
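Review bot: In phish-submissions.mdx the first paragraph is garbled: "hunting with 8B, plus campaign threat signals assessed every day" does not parse, the model list "Trust Graphs Computer Vision, Sentiment/Thread/Structural Analysis" is missing a separator, and "false positive" should be plural. The claim that "About 90% of the time, when an end user reports a missed phishing email, they are mistaken" is an unsourced statistic and should be cited or removed. Under Admin submission, "the appropriate team submission address" is never given; link to where the reader finds it.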
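Review bot: In phishguard.mdx "The Active Defense Service provides" introduces a name that appears nowhere else; say "PhishGuard provides". In that list, "PhishGuard monitors and reviews Suspicious email traffic" is a full sentence among noun phrases and overlaps "Reclassification of messages if the disposition is incorrect"; fold it into the parallel form ("Monitoring and review of Suspicious traffic"). "The following service offerings should be enabled" describes configuration the customer must do, not offerings, and "highly useful to the client" should be "to your organization" to match the second-person voice of the rest of the path.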
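Review bot: In the email-dispositions.mdx partial every table row carries a trailing empty cell (`| |`) beyond the three named columns, which renders as an unnamed fourth column; drop it from the header, separator and each row. The SPOOF description ("Traffic associated with phishing campaigns that is ...") also conflicts with monitor-detections.mdx, which says a Spoof disposition is "in most cases" a legitimate third-party sender; describe it by its trigger (fails SPF/DKIM/DMARC or has mismatching Envelope From and Header From) and keep the campaign attribution out. Nothing in this diff imports the partial, so either render it on the monitor-detections page, which discusses these dispositions, or leave it out of this change.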