
How to Recognize and Report a Microsoft 365 Impersonation Attack

  • Hanna Korotka
  • May 1
  • 2 min read
It looks like an email from your CEO. It’s urgent. It asks for a wire transfer. Would you notice something’s off—before it’s too late?

Impersonation attacks are one of the fastest-growing cyber threats targeting businesses today. With just one convincing email, attackers can trick employees into exposing sensitive data, paying fake invoices, or downloading malware — and the consequences can be costly.


Whether you're an employee trying to verify a suspicious message or an IT admin defending your users, understanding how to recognize and report a Microsoft 365 impersonation attack is critical to stopping threats before they spread.


What Is an Impersonation Attack?


An impersonation attack is a type of phishing where the attacker pretends to be someone familiar or high-ranking — like a manager, HR, or vendor — to trick you into taking an action. These emails often:

  • Spoof the display name to appear legitimate

  • Avoid external warning banners

  • Use urgency or authority to bypass critical thinking

  • Contain subtle misspellings or slightly altered domains


How to Recognize and Report a Microsoft 365 Impersonation Attack


Step 1: Spot the Red Flags


For end-users:

  • The sender name doesn’t match the email address

  • The tone is urgent, pressuring quick action

  • The request involves financial transactions or sensitive info

  • The email looks “almost right,” but something feels off


For admins:

  • Use Microsoft Defender for Office 365’s Impersonation Insight to detect and investigate threats using AI and behavior analytics:

    In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing (in the Policies section), then select View impersonations in the impersonation insight to open the Impersonation insight page. To go there directly, use https://security.microsoft.com/impersonationinsight
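
The two sender-level red flags from Step 1 (a familiar display name on the wrong address, and a slightly altered domain) can be checked mechanically when triaging reported mail. The sketch below is an added example, not part of the original post and not how Microsoft Defender implements its detection; the organization domain, the protected user, and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Assumed values for illustration (constructed, not from the article).
ORG_DOMAIN = "contoso.example"
# Protected users: normalized display name -> their real address.
PROTECTED = {"dana reyes": "dana.reyes@contoso.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch slightly altered domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(from_header):
    """Return the sender-level red flags found in one From header."""
    name, addr = parseaddr(from_header)
    name = " ".join(name.lower().split())  # collapse case and extra spaces
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    flags = []
    # Flag 1: a protected user's display name on an address that is not theirs.
    if name in PROTECTED and addr != PROTECTED[name]:
        flags.append("display-name-mismatch")
    # Flag 2: a domain within two edits of ours, but not ours.
    if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    return flags

# Constructed sample From headers.
SAMPLES = [
    '"Dana Reyes" <dana.reyes@contoso.example>',
    '"Dana Reyes" <dana.reyes.ceo@freemail.example>',
    'Accounts Payable <ap@contos0.example>',
    '"Dana  Reyes" <dana.reyes@cont0so.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", red_flags(header) or "no sender-level flags")
```

A clean result here only means the sender fields look consistent; the urgency and payment-request flags still need a human read.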



Step 2: Report Suspicious Emails Immediately


For end-users:

  • In Outlook or Outlook on the web: click Report > Phishing

  • This sends the message to Microsoft and your internal security team

See Microsoft’s step-by-step guide: Report suspicious messages


For admins:


Step 3: Set Up Impersonation Protection in Microsoft Defender


Admins should:

  • Go to Microsoft 365 Defender > Threat Policies > Anti-Phishing

  • Configure impersonation protection policies

  • Add executives, finance, and IT users to protected user lists



How PlexHosted Can Help


At PlexHosted, we specialize in securing Microsoft 365 environments. As a trusted Microsoft Cloud MSSP, we help organizations configure effective anti-phishing policies, monitor threats in real time, and streamline incident response using Microsoft Defender. Whether you're just getting started or looking to tighten existing protections — we’re here to help.




 
 
 
