  • Hanna Korotka

Outsmarting Impersonators: Mastering Anti-Phishing Policies in Microsoft Defender for Office 365


In the dynamic arena of digital threats, impersonation attacks pose a significant risk. Microsoft Defender for Office 365 provides exclusive anti-phishing policies to combat such threats effectively. Here’s an overview of how these policies shield your organization from impersonation attempts.


Understanding Impersonation


Impersonation is where the sender or the sender's email domain in a message looks similar to a real sender or domain:

  • An example impersonation of the domain contoso.com is ćóntoso.com.

  • User impersonation is the combination of the user's display name and email address. For example, Valeria Barrios (vbarrios@contoso.com) might be impersonated as Valeria Barrios, but with a different email address.

Impersonation protection looks for domains that are similar. For example, if your domain is contoso.com, Microsoft Defender checks for the same name under different top-level domains (.com, .biz, etc.), but also for domains that are only somewhat similar. For example, contosososo.com or contoabcdef.com might be seen as impersonation attempts of contoso.com.


Exclusive Anti-Phishing Policy Settings for Impersonation Protection


While the default anti-phishing policy offers basic spoof protection, it’s crucial to enable advanced impersonation protection features either by modifying the default policy or creating new ones.


You can configure Impersonation settings on the Phishing threshold & protection page of your Anti-phishing policy in the Microsoft Defender portal.


1. Enable users to protect: This setting isn't selected by default. To turn on user impersonation protection, select the check box, and then select the Manage (nn) sender(s) link.


You identify the internal and external senders to protect by the combination of their display name and email address. You can specify a maximum of 350 users for user impersonation protection in each anti-phishing policy.


Select Add user. In the Add user flyout that opens, do the following steps:


Internal users: Click in the Add a valid email box or start typing the user's email address. Select the email address in the Suggested contacts dropdown list that appears. The user's display name is added to the Add a name box (which you can change). When you're finished selecting the user, select Add.


External users: Type the external user's full email address in the Add a valid email box, and then select the email address in the Suggested contacts dropdown list that appears. The email address is also added in the Add a name box (which you can change to a display name).

The users you added are listed on the Add user flyout by Name and Email address. To remove a user, select next to the entry.


When you're finished on the Add user flyout, select Add.


When you're finished on the Manage senders for impersonation protection flyout, select Done to return to the Phishing threshold & protection page.


2. Enable domains to protect: This setting isn't selected by default. To turn on domain impersonation protection, select the check box, and then configure one or both of the following settings that appear.


Include the domains I own: To turn on this setting, select the check box. To view the domains that you own, select View my domains.


Include custom domains: To turn on this setting, select the check box, and then select the Manage (nn) custom domain(s) link. In the Manage custom domains for impersonation protection flyout that opens, do the following steps:

  • Select Add domains.

  • In the Add custom domains flyout that appears, click in the Domain box, enter a domain value, and then select the value that's displayed below the box. Repeat this step as many times as necessary.

  • The domains you added are listed on the Add custom domains flyout. To remove the domain, select next to the value.

  • When you're finished on the Add custom domains flyout, select Add domains.

  • Back on the Manage custom domains for impersonation protection flyout, the domains you entered are listed.

3. Add trusted senders and domains: Specify impersonation protection exceptions for the policy by selecting Manage (nn) trusted sender(s) and domain(s). On the Manage custom domains for impersonation protection flyout that opens, you enter senders on the Sender tab and domains on the Domain tab.


Note: The maximum number of trusted sender and domain entries is 1024.


Sender tab: Select Add senders.

  • In the Add trusted senders flyout that opens, enter an email address in the Add a valid email box, and then select Add. Repeat this step as many times as necessary. To remove an existing entry, select for the entry.

  • When you're finished on the Add trusted senders flyout, select Add.

  • Back on the Sender tab, the senders you entered are listed.

  • When you're finished on the Sender tab of the Manage custom domains for impersonation protection flyout, select the Domain tab to add domains, or select Done to return to the Phishing threshold & protection page.

Domain tab: Select Add domains.

  • In the Add trusted domains flyout that opens, enter a domain in the Domain box, and then select the domain in the dropdown list that appears. Repeat this step as many times as necessary. To remove an existing entry, select for the entry.

  • When you're finished on the Add trusted domains flyout, select Add domains.

  • Back on the Domain tab, the domains you added are now listed.

  • When you're finished on the Domain tab of the Manage custom domains for impersonation protection flyout, select the Sender tab to add senders, or select Done to return to the Phishing threshold & protection page.

Note: Trusted domain entries don't include subdomains of the specified domain. You need to add an entry for each subdomain.


4. Enable mailbox intelligence: This setting helps the AI distinguish between messages from legitimate and impersonated senders. By default, this setting is turned on and Microsoft recommends that you leave it selected. To turn off mailbox intelligence, clear the check box.


5. Enable intelligence for impersonation protection: By default, this setting is turned off. Use the contact history learned from mailbox intelligence (both frequent contacts and no contact) to help protect users from impersonation attacks. For mailbox intelligence to take action on detected messages, this setting and the Enable mailbox intelligence setting both need to be turned on.


Note that mailbox intelligence protection doesn't act on a message if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt by mailbox intelligence.


On the Actions page you specify the action for Impersonation detections.


Message actions section: Configure the following actions:


1. If a message is detected as user impersonation: This setting is available only if you selected Enable users to protect on the previous page. Select one of the following actions in the dropdown list:

  • Don't apply any action (default)

  • Redirect the message to other email addresses

  • Move the message to the recipients' Junk Email folders

  • Quarantine the message: If you select this action, an Apply quarantine policy box appears where you select the quarantine policy that applies to messages that are quarantined by user impersonation protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. If you don't select a quarantine policy, the default quarantine policy for user impersonation detections is used (DefaultFullAccessPolicy). When you later view or edit the anti-phishing policy settings, the quarantine policy name is shown.

  • Deliver the message and add other addresses to the Bcc line

  • Delete the message before it's delivered


2. If the message is detected as an impersonated domain: This setting is available only if you selected Enable domains to protect on the previous page. Select one of the following actions in the dropdown list:

  • Don't apply any action (default)

  • Redirect the message to other email addresses

  • Move the message to the recipients' Junk Email folders

  • Quarantine the message: If you select this action, an Apply quarantine policy box appears where you select the quarantine policy that applies to messages that are quarantined by domain impersonation protection. If you don't select a quarantine policy, the default quarantine policy for domain impersonation detections is used (DefaultFullAccessPolicy). When you later view or edit the anti-phishing policy settings, the quarantine policy name is shown.

  • Deliver the message and add other addresses to the Bcc line

  • Delete the message before it's delivered


3. If mailbox intelligence detects an impersonated user: This setting is available only if you selected Enable intelligence for impersonation protection on the previous page. Select one of the following actions in the dropdown list:

  • Don't apply any action (default)

  • Redirect the message to other email addresses

  • Move the message to the recipients' Junk Email folders

  • Quarantine the message: If you select this action, an Apply quarantine policy box appears where you select the quarantine policy that applies to messages that are quarantined by mailbox intelligence protection. If you don't select a quarantine policy, the default quarantine policy for mailbox intelligence detections is used (DefaultFullAccessPolicy). When you later view or edit the anti-phishing policy settings, the quarantine policy name is shown.

  • Deliver the message and add other addresses to the Bcc line

  • Delete the message before it's delivered

4. Safety tips & indicators section.


Impersonation safety tips appear to users when messages are identified as impersonation attempts. The following safety tips are available:

  • Show user impersonation safety tip: The From address contains a user specified in user impersonation protection. Available only if Enable users to protect is turned on and configured. This safety tip is controlled by the value 9.20 of the SFTY field in the X-Forefront-Antispam-Report header of the message. The text says: This sender appears similar to someone who previously sent you email, but may not be that person.

  • Show domain impersonation safety tip: The From address contains a domain specified in domain impersonation protection. Available only if Enable domains to protect is turned on and configured. This safety tip is controlled by the value 9.19 of the SFTY field in the X-Forefront-Antispam-Report header of the message. The text says: This sender might be impersonating a domain that's associated with your organization.

  • Show user impersonation unusual characters safety tip: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in a sender specified in user impersonation protection. Available only if Enable users to protect is turned on and configured.
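The portal steps above (protected users and domains, trusted exceptions, mailbox intelligence, the three message actions and the safety tips) expressed as one Exchange Online PowerShell policy. This is an added example, not code from the original post; the policy name, admin account, users and domains are placeholders, and the cmdlets and parameters are the ones the ExchangeOnlineManagement module provides.

```powershell
# Added example: the anti-phishing impersonation settings described in the post,
# created with Exchange Online PowerShell instead of the Defender portal.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # placeholder admin account

$policy = @{
    Name                                = 'Impersonation protection - executives'   # placeholder
    # 1. Users to protect: "DisplayName;EmailAddress" pairs, maximum 350 per policy
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Valeria Barrios;vbarrios@contoso.com')
    # 2. Domains to protect: the domains you own plus custom (for example partner) domains
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('partner.example')                       # placeholder
    # 3. Trusted senders and domains: maximum 1024 entries; a trusted domain does not
    #    cover its subdomains, so each subdomain needs its own entry
    ExcludedSenders                     = @('newsletter@partner.example')
    ExcludedDomains                     = @('billing.partner.example', 'mail.partner.example')
    # 4./5. Mailbox intelligence, and letting it act on detections (both must be on)
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    # Actions page: NoAction (default), Redirect, MoveToJmf, Quarantine, BccMessage, Delete
    TargetedUserProtectionAction        = 'Quarantine'
    TargetedUserQuarantineTag           = 'DefaultFullAccessPolicy'
    TargetedDomainProtectionAction      = 'Quarantine'
    TargetedDomainQuarantineTag         = 'DefaultFullAccessPolicy'
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    # Safety tips & indicators section
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
}
New-AntiPhishPolicy @policy

# A policy takes effect only once a rule scopes it to recipients.
New-AntiPhishRule -Name $policy.Name -AntiPhishPolicy $policy.Name `
    -RecipientDomainIs 'contoso.com' -Priority 0

# Verify what was applied; settings left at their defaults are listed as well.
Get-AntiPhishPolicy -Identity $policy.Name |
    Format-List Enable*Protection, EnableMailboxIntelligence, *ProtectionAction, *QuarantineTag,
                TargetedUsersToProtect, TargetedDomainsToProtect, ExcludedSenders,
                ExcludedDomains, Enable*SafetyTips
```

Run Get-AntiPhishPolicy against a policy created in the portal the same way to confirm the portal settings match what you expected.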
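To check which safety tip a delivered message carried, the SFTY value from the X-Forefront-Antispam-Report header can be read out directly. This is an added example, not part of the original post; the header value is constructed, the function names are my own, and the CAT codes noted in the comment (UIMP, DIMP, GIMP) are the impersonation verdict categories Defender stamps in that header.

```powershell
# Added example: parse X-Forefront-Antispam-Report and map the SFTY value
# to the impersonation safety tip the post describes.
function ConvertFrom-ForefrontAntispamReport {
    param([Parameter(Mandatory)][string]$HeaderValue)
    # The header is a ';'-separated list of KEY:VALUE fields, e.g. "SCL:5;CAT:UIMP;SFTY:9.20;"
    $fields = @{}
    foreach ($piece in ($HeaderValue -split ';')) {
        if ($piece -match '^\s*([A-Z]+):(.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
    }
    return $fields
}

function Get-ImpersonationSafetyTip {
    param([Parameter(Mandatory)][string]$HeaderValue)
    $fields = ConvertFrom-ForefrontAntispamReport -HeaderValue $HeaderValue
    # SFTY codes from the post. They are only stamped when the matching safety tip is
    # enabled in the policy, so a missing SFTY field does not mean "no detection".
    $known = @{ '9.19' = 'Domain impersonation safety tip'; '9.20' = 'User impersonation safety tip' }
    $sfty = if ($fields.ContainsKey('SFTY')) { $fields['SFTY'] } else { $null }
    $tip  = if ($sfty -and $known.ContainsKey($sfty)) { $known[$sfty] } else { 'none' }
    [pscustomobject]@{
        SCL       = $fields['SCL']
        Category  = $fields['CAT']   # UIMP = user, DIMP = domain, GIMP = mailbox intelligence
        SFTY      = $sfty
        SafetyTip = $tip
    }
}

# Constructed sample header (not from a real message); paste a real value from the
# message's Internet headers in its place.
$sample = 'CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;' +
          'H:mail.example.invalid;CAT:UIMP;SFTY:9.20;SFS:(1)(2);DIR:INB;'
Get-ImpersonationSafetyTip -HeaderValue $sample
```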

Implementing these features in Microsoft Defender for Office 365 significantly strengthens your Microsoft 365 security and compliance posture against impersonation, one of the most insidious forms of cyberattack. Stay vigilant, stay protected.


To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.
