Microsoft Defender for Office 365: Anti-phishing policies

Phishing is an email attack that aims to steal sensitive information through messages that appear to be from legitimate or trusted senders. You can enhance the security of your Exchange Online mailboxes by implementing anti-phishing policies.

What you can manage with Anti-phishing policies

Anti-phishing policies provide enhanced control over incoming phishing emails, for instance, in cases where someone may attempt to impersonate your CEO or send messages from a domain that closely resembles yours. By default, a policy named ‘Office365 AntiPhish Default (Default)’ is automatically applied to all users.

In an anti-phishing policy, you can configure

User impersonation protection

With user impersonation protection, you can protect 350 internal and external users with key roles. Internally, these could be your CEO, CFO, and other senior executives. Externally, they could be council members or your board of directors.

NOTE: User impersonation protection is not effective when there is a history of email communication between the sender and recipient. Detection of an impersonation attempt is only possible in cases where there is no prior email interaction between the sender and recipient.

How it works

User impersonation is the combination of the user’s display name and email address. For example, your CEO Shaggy Rogers <shaggy@contoso.com> could be impersonated as Shaggy Rogers, but with a completely different email address, such as Shaggy Rogers <shaggy.rogers@fabrikam.com>. Even though SPF, DKIM and DMARC will pass for the fabrikam.com domain, the email will be flagged as protection policy category UIMP (user impersonation) in the X-Forefront-Antispam-Report message header.

Domain impersonation protection

What you can protect:

With domain impersonation protection, you can protect the domains that you own in Microsoft 365 (accepted domains) as well as external domains, such as the domains of your vendors.

How it works

Domain impersonation prevents the sender’s email domain from appearing in a message that looks like a real email domain. For example, contoso.com could be impersonated as c0ntoso.com or contoso.co. Even though SPF, DKIM and DMARC will pass for the domain c0ntoso.com or contoso.co, the email will be labeled with Protection Policy Category DIMP (domain impersonation) in the X-Forefront-Antispam-Report message header.

Mailbox intelligence

What you can protect:

Mailbox Intelligence uses artificial intelligence (AI) to determine the email patterns of users with their most frequent contacts.

How it works:

Mailbox intelligence operates similarly to user impersonation protection; however, it utilizes the contents of the mailbox to identify phishing attempts. For instance, if you regularly exchange emails with Shaggy Rogers <shaggy@contoso.com>, and one day you receive an email from Shaggy Rogers <shaggy.rogers@fabrikam.com> that successfully passes SPF, DKIM, and DMARC checks, it will still be flagged with the protection policy category GIMP (Mailbox Intelligence Based Impersonation) in the X-Forefront-Antispam-Report message header. This is because the AI within Mailbox Intelligence assesses that you have not previously interacted with Shaggy Rogers <shaggy.rogers@fabrikam.com>, suggesting a potential impersonation.

Mailbox Intelligence has two settings:

1. Enable Mailbox Intelligence: This setting helps the AI distinguish between messages from legitimate and impersonated senders. By default, this setting is turned on.
2. Enable Impersonation Protection: By default, this setting is off. This setting uses the contact history learned from Mailbox Intelligence (both frequent contacts and no contacts).

To activate Mailbox Intelligence, both settings must be turned on.

NOTE: Mailbox intelligence protection is inactive when there is a history of email communication between the sender and recipient. It becomes active and identifies a message as an impersonation attempt if there has been no prior email interaction between the sender and recipient.

Spoof intelligence

What Spoofing is

Spoofing (implicit failures) occurs when the From address (P2 Sender, the sender address that’s shown in email clients) in an email message doesn’t match the domain of the email source (P1 Sender).

P1 vs P2- sender explanation

Postal Letter	Precise Term	Protected by
Sender on envelope	RFC5321.MailFrom (P1 Sender)	SPF
Author on letter	RFC5322.From (P2 Sender)	DKIM + DMARC

What you can protect

With spoof intelligence enabled, you control the response when the P1 Sender doesn’t match the P2 Sender. This check is similar to DMARC, though not all domains have DMARC configured.

How it works

Phishers may use P1 spoofing, allowing SPF to pass on their domain (P1 Sender) while sending emails on behalf of another domain (P2 Sender). Spoof intelligence identifies this and labels the email with Protection Policy Category SPOOF (Spoofing) in the X-Forefront-Antispam-Report message header.

Configure anti-phishing policies and best practices

1. Sign in to the Microsoft Defender portal and navigate to the Anti-phishing section.

2. Navigate to ‘Phishing Threshold & Protection’ and select ‘Edit Protection Settings’.

3. Set the Phishing email threshold to at least on ‘3 - More Aggressive’.

4. Check ‘Enable Users to Protect’ (User impersonation protection), you can include up to 350 key users.

• For bulk user additions, create a CSV file in the following format:

Policy,Users
Office365 AntiPhish Default,Firstname Lastname;user1@domain.com
Office365 AntiPhish Default,Firstname Lastname;user2@domain.com

• To import this CSV into the policy using the Exchange PowerShell Module, execute the following command:

$Users = Import-CSV -Path 'C:\temp\users.csv'

ForEach ($User in $Users){
  
        Set-AntiPhishPolicy -Identity $User.Policy -TargetedUsersToProtect @{add=$User.Users}
        Write-Host -ForegroundColor Green $User.Users "is added!"
}

5. Check ‘Enable domains to protect’ (Domain impersonation protection).

6. In ‘Add Trusted Senders and Domains’, you can specify senders or domains that will not be flagged for impersonation.

   • Not recommended for use, especially domains. Messages from the specified senders and sender domains will never be classified by the policy as impersonation-based attacks. Require that your key users use no other address to communicate within your environment. However, depending on your organization, only add senders or domains that are incorrectly identified as impersonation attempts. Once you have added entries, monitor the list frequently.

7. Both ‘Enable Mailbox Intelligence’ and ‘Enable Intelligence for Impersonation Protection’ should be checked, as explained earlier.

8. Check ‘Spoof Intelligence’ and click on Save.

9. After saving, navigate to ‘Action’ and select ‘Edit Actions’.

10. I recommend setting all actions to ‘Quarantine the message’ except for ‘If the message is detected as spoof by spoof intelligence’. This action can be set to ‘Move message to Junk Email folder’. This is because emails detected as spoof by Spoof Intelligence can be ligitmate emails (implicit failures) if the sender hasn’t set up their outbound authentication correctly from the sending email source.

11. Turn on ‘Honor DMARC record policy when the message is detected as spoof’, this setting will honor the sender’s DMARC policy for email authentication failures (explicit failures).

• Setting: If the message is detected as spoof and DMARC Policy is set as p=quarantine
  • Action: Quarantine the message
• Setting: If the message is detected as spoof and DMARC Policy is set as p=reject
  • Action: Reject the message (NDR)

12. Check all safety tips, to help recipients be more aware of red flags in an email.

Self-to-self spoofing attack with DMARC reject policy

From the field I have seen that when a user is attacked by self-to-self spoofing. They receive an NDR from Exchange Online with the original email attached in .eml format, expected but unwanted. I have contacted Microsoft and they recently fixed this issue and this NDR backscatter should get a high confidence spam (HSPM) or spam (SPM) verdict and the email will end up in the JUNK folder. Backscatter is treated differently than regular email and the HSPM and SPM actions in the anti-spam policies do not apply.

In summary

User Impersonation:

User impersonation involves combining the user’s display name and email address, and it can be set up for a maximum of 350 users.

Domain Impersonation:

Domain impersonation occurs when the domain is manipulated to resemble the legitimate domain.

Mailbox Intelligence:

Operates similarly to user impersonation protection; however, it utilizes the contents of the mailbox to identify phishing attempts.

Spoof Intelligence:

Spoofing takes place when the From address (P2 Sender) in an email message does not match the domain of the email source (P1 Sender).

Reference

• Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365
• User impersonation protection
• Domain impersonation protection
• Mailbox intelligence impersonation protection
• Spoof settings
• Spoof protection and sender DMARC policies
• X-Forefront-Antispam-Report message header fields
• Impersonation safety tips
• Recommended anti-phishing policy settings
• First contact safety tip