How to Stop Invoice Fraud with Microsoft Defender for Office 365


  • Hanna Korotka
  • 16 hours ago
  • 3 min read


Invoice fraud is one of the most common email threats targeting Microsoft 365 tenants. These messages usually impersonate executives, finance staff, or vendors and ask for an urgent payment or a change to bank details. Because they often carry no malware or malicious attachment, they pass basic malware and spam filtering unless the impersonation, spoofing and link policies in Defender for Office 365 are configured to catch them.


The steps below explain how to stop invoice fraud with Microsoft Defender for Office 365 by applying Microsoft‑recommended settings directly in the Defender portal.


Step 1: Review Microsoft’s Recommended Baseline


Before making changes, align your tenant with Microsoft’s official guidance.


Go to Microsoft 365 Defender portal → Email & collaboration → Policies & rules → Threat policies.


Microsoft’s recommended settings for Exchange Online Protection and Defender for Office 365 are documented in the Recommended settings article. The Standard and Strict preset security policies in the same portal apply those values automatically; the steps below cover the individual settings so you can see which ones matter for invoice fraud and tune them for finance users.


This baseline is important because invoice fraud protection relies on several policies working together, not a single setting.


Step 2: Configure Anti‑Phishing Policy for Impersonation Protection


Invoice fraud is primarily an impersonation attack. Microsoft explicitly recommends using the anti‑phishing policy to detect internal and external impersonation.


In the Defender portal, go to Policies & rules → Threat policies → Anti‑phishing. Edit the default policy or create a dedicated policy for high‑risk users such as finance teams and executives.


  • Enable User impersonation protection and add key users such as the CFO, accounting staff, and payment approvers. Each entry is a display name plus email address, and a policy holds at most 350 protected users, so scope the policy to the people who can actually move money.

  • Enable Domain impersonation protection for the domains you own and for trusted vendor domains. This catches look‑alike domains (a transposed letter, a different top‑level domain); exact spoofing of the real domain is handled by the spoof settings in Step 4.

  • Enable Mailbox intelligence and its impersonation protection action. It learns each user’s normal correspondents and flags impersonation of senders who are not on the explicit list, which is how most vendor impersonation arrives.

  • Set the action for each impersonation detection to Quarantine.

Impersonation protection and mailbox intelligence require Defender for Office 365 (Plan 1 or 2); tenants with Exchange Online Protection only get the spoof settings in Step 4.


Step 3: Enable First Contact Safety Tips


First‑time sender banners are an additional layer of defense commonly enabled in Microsoft’s recommended configuration.


In the same anti‑phishing policy, enable First Contact Safety Tips. This adds a visible banner when the recipient has never, or only rarely, received mail from that sender, which is common in vendor‑based invoice fraud attempts where the “vendor” address is new.


While this does not block messages on its own, it supports user awareness without relying purely on training.


Step 4: Strengthen Anti‑Spam and Anti‑Spoofing Settings


Many invoice fraud campaigns rely on look‑alike domains or spoofed sender addresses.

The anti‑spoofing settings live in the anti‑phishing policy, not in the anti‑spam policy. In the Defender portal, go to Threat policies → Anti‑phishing, open the policy from Step 2, and under Spoof settings:

  • Ensure Spoof intelligence is enabled (it is on by default, and Microsoft recommends leaving it on) and set the action for messages detected as spoof to Quarantine.

  • Enable Honor DMARC record policy, so mail that fails DMARC for a domain publishing p=reject or p=quarantine is handled the way that domain asks. This only protects your own domain if you have published SPF, DKIM and DMARC records for it; without them, a spoof of your domain cannot be distinguished from legitimate mail.

The phishing verdict actions live in the inbound anti‑spam policy. Go to Threat policies → Anti‑spam policies, open the inbound policy, and confirm that both Phishing and High confidence phishing are set to Quarantine. Invoice fraud campaigns frequently escalate over several emails, and letting the early, low‑key messages through builds the trust the attacker later exploits.


Step 5: Enable Safe Links


Some invoice fraud emails include links to fake payment portals or hosted “invoice updates”. These links may appear clean during initial scanning.


Go to Threat policies → Safe Links and ensure Safe Links is enabled for email and Microsoft Teams. Also confirm that real‑time URL scanning for suspicious links is on, that messages wait for URL scanning to complete before delivery, that Safe Links applies to messages sent within the organization, and that users are not allowed to click through to the original URL. Safe Links rewrites and checks the link at click time, so a payment‑portal link that only turns malicious after delivery is still blocked. For the recommended values for Standard and Strict policy settings, see Safe Links policy settings.


Step 6: Validate Quarantine and Alert Visibility


Once policies are in place, confirm that detections are visible and actionable.


In the Defender portal, review Quarantine and Incidents & alerts to ensure impersonation and phishing detections are being logged correctly. With Defender for Office 365 Plan 2, Explorer (Real‑time detections in Plan 1) lets you filter by detection technology, such as impersonation user, impersonation domain, or spoof, to see which policy caught each message. This allows security teams to quickly verify blocked invoice fraud attempts and fine‑tune policies, for example by adding a legitimate vendor domain that is being flagged as an impersonation to the trusted senders and domains list rather than relaxing the action.
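Steps 2 through 6, carried out with the Exchange Online PowerShell module instead of the portal, so the configuration can be reviewed and repeated across tenants. This is an added example and not code from the original post or from Microsoft; the policy names, the protected users, the finance group address, the vendor domain and the admin account are placeholders (assumptions) to replace with your own values. The cmdlets and parameters are the documented Exchange Online ones, and every detection action is set to Quarantine as the steps above recommend.

```powershell
# Added example: builds the invoice-fraud protections from Steps 2-6 with the
# Exchange Online PowerShell module (Install-Module ExchangeOnlineManagement).
# All names, addresses and domains below are placeholders, not values from the post.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # placeholder account

# Steps 2-4: a dedicated anti-phishing policy for finance and executives.
# Impersonation, mailbox intelligence and safety tips need Defender for Office 365;
# the spoof settings at the bottom also exist in EOP-only tenants.
$protectedUsers = @(
    'Jane Doe;jane.doe@contoso.com',        # CFO (placeholder, "Display Name;address")
    'Accounts Payable;ap@contoso.com'       # payment approvers (placeholder)
)

$policyParams = @{
    Name                                = 'Finance-InvoiceFraud-Protection'
    # User impersonation (max 350 entries per policy)
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    TargetedUserProtectionAction        = 'Quarantine'
    # Domain impersonation: domains you own plus trusted vendor domains (look-alikes)
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('vendor.example')   # placeholder vendor domain
    TargetedDomainProtectionAction      = 'Quarantine'
    # Mailbox intelligence learns each user's normal correspondents
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'
    # Step 3: first contact and impersonation safety tips
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    # Step 4: spoof intelligence and DMARC handling (these live in anti-phishing)
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'
    HonorDmarcPolicy                    = $true
    DmarcRejectAction                   = 'Reject'
    DmarcQuarantineAction               = 'Quarantine'
    EnableUnauthenticatedSender         = $true
    EnableViaTag                        = $true
    PhishThresholdLevel                 = 3     # "More aggressive"
}
New-AntiPhishPolicy @policyParams

# Scope the policy to the finance group; a lower Priority number wins over the default.
New-AntiPhishRule -Name 'Finance-InvoiceFraud-Protection' `
    -AntiPhishPolicy 'Finance-InvoiceFraud-Protection' `
    -SentToMemberOf 'finance-team@contoso.com' `
    -Priority 0

# Step 4 (continued): the phishing verdict actions live in the inbound anti-spam policy.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -HighConfidencePhishAction Quarantine `
    -PhishSpamAction Quarantine

# Step 5: Safe Links for email, Teams and Office, scan before delivery, no click-through.
New-SafeLinksPolicy -Name 'Finance-SafeLinks' `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -AllowClickThrough $false `
    -TrackClicks $true
New-SafeLinksRule -Name 'Finance-SafeLinks' `
    -SafeLinksPolicy 'Finance-SafeLinks' `
    -RecipientDomainIs 'contoso.com'          # placeholder accepted domain

# Step 6: confirm the settings took effect and that detections land in quarantine.
Get-AntiPhishPolicy -Identity 'Finance-InvoiceFraud-Protection' |
    Select-Object Name, EnableTargetedUserProtection, TargetedUserProtectionAction,
        EnableTargetedDomainsProtection, EnableMailboxIntelligenceProtection,
        EnableFirstContactSafetyTips, EnableSpoofIntelligence, AuthenticationFailAction

# Phish and high-confidence phish quarantined in the last 7 days, newest first.
Get-QuarantineMessage -QuarantineTypes Phish, HighConfPhish `
    -StartReceivedDate (Get-Date).AddDays(-7) |
    Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Type, PolicyName |
    Sort-Object ReceivedTime -Descending

Disconnect-ExchangeOnline -Confirm:$false
```

Run the script once with the placeholders replaced, then keep it with the tenant’s configuration baseline; re-running the two `Get-` commands at the end is the quickest way to check that a later portal change did not silently downgrade a Quarantine action to Move to Junk.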


What This Achieves Against Invoice Fraud Attacks


When configured according to Microsoft’s recommendations, Defender for Office 365 detects invoice fraud through impersonation analysis, spoof intelligence, and link reputation rather than relying on malware signatures. Messages are quarantined before users can act on fraudulent payment requests.


This approach significantly reduces financial risk while using native Microsoft 365 security capabilities already available in Defender for Office 365.


At PlexHosted, we help organizations improve their Microsoft 365 security posture. As a Microsoft cloud–focused MSSP, we support the configuration of email and identity protections, monitor environments for security issues, and assist with detection and response using Microsoft security platforms.

