O365 security suggestions and best practice.

Analyze files for what? If you mean anti-malware scanning, this is already performed when the file was received/created. There's no way to trigger it on demand.

Alerts for what? There are tons of those in O365, you have to be more specific.

review the Microsoft 365 secure score
https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-secure-score

it will lead you to things you need to secure
as said, there are tons of security logs available in different portal, you need to be specific.

I basically wanted to verify is an attachment is malware, but don't know where begin this process or the process at all.  We also constantly receive phishing email and would like to very this as well.

Your question is not entirely clear. Please have a look at these white papers
https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spam-and-anti-malware-protection
https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-malware-and-ransomware-protection

Jack:
Office 365 is a cloud system, so you don't need to do the heavy lifting to analyse whether it is malware or not. If it is malware, it will be be found the EOP
if it slip through (because there is no match of the signature), then Office 365 offers ATP (advance threat protection) that will open the file in a sandbox and do additional scan. This will make sure it is work accordingly.

This is not saying it is a bullet proof solution. the last defense is human; Educate your user not open any attachment that sound fishy, even coming from user they deal with. thats need education.

Phishing email is the same. Microsoft have Office 365 anti-spoofing policy.
If you just want the solution work, look up the ATP and anti-spoofing policy then you should be fine.
IF you have a specific technical issue, we definitely can help.

https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spoofing-protection


Again, this is how long a piece of string you need this for.

Thank you all for your very valuable input!

What would the next step be if a particular user clicks on a specific URL or opens/downloads a file or even sends an email back to the user (phishing email)?  Lately, I've been running Malwarebytes as well as running Windows Malicious removal tool.

You can try uploading the attachment and the url to virustotal for scanning.

https://www.virustotal.com/#/home/upload
https://www.virustotal.com/#/home/url

Malwarebytes has endpoint security suite that has anti malware, anti exploit and anti ransomware. In any case, you should be AV scanning the machine for any findings. Include any portable storage media used.

Also make sure that your logon account has a strong password I.e. passphrase of minimum length of 12 alphanumeric. Don't reuse the same password for all various accounts and consider changing them to err on safe side if suspected anomaly is observed in the use of the online services logon. Consider use of 2FA for those account.

i will basically use Office 365 ATP for attachment sandboxing and URL rewrite.
It will scan the URL at the time you click and attachment sandbox
IF it is make your way, you can also report phishing back to Microsoft to improve their service.

My windows defender hasn't pick up anything for long while as there are so many protection


Ref:
https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-atp
https://docs.microsoft.com/en-us/office365/securitycompliance/atp-safe-links
https://docs.microsoft.com/en-us/office365/securitycompliance/atp-safe-attachments

https://docs.microsoft.com/en-us/office365/securitycompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis
https://docs.microsoft.com/en-us/office365/securitycompliance/enable-the-report-message-add-in?redirectSourcePath=%252farticle%252f4250c4bc-6102-420b-9e0a-a95064837676