Example - anti-phishing policy to protect a user and a domain

Important

Threat protection product names in Microsoft are changing. Read more about this and other updates. We'll be updating names in products and in the Learn content in the near future.

This example sets up a policy called "Domain and CEO" that provides both user and domain protection from impersonation and then applies the policy to all email received by users within the domain contoso.com. The security administrator has determined that the policy must meet these business requirements:

  • The policy needs to provide protection for the CEO's email account and the entire domain.
  • Messages that are determined to be impersonation attempts against the CEO's user account need to be redirected to the security administrator's email address.
  • Messages that are determined to be impersonation attempts against the domain are less urgent and should be quarantined for later review.

The security administrator at Contoso might use values like the following in order to create an anti-phishing policy that meets these needs.

Name: Domain and CEO
Description: Ensure that the CEO and our domain are not being impersonated.
Add users to protect: The CEO's email address at a minimum.
Add domains to protect: The organizational domain that includes the office of the CEO.
Choose actions:
  • If email is sent by an impersonated user: Choose Redirect message to another email address, and then type the email address of the security administrator. For example, securityadmin@contoso.com.
  • If email is sent by an impersonated domain: Choose Quarantine message.
Mailbox intelligence: By default, mailbox intelligence is selected when you create a new anti-phishing policy. Leave this setting On for best results.
Add trusted senders and domains: For this example, don't define any overrides.
Applied to: Select The recipient domain is. Under Any of these, select Choose. Select + Add. Select the name of the domain (for example, contoso.com), and then select Add. Select Done.
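The same policy can be created from Exchange Online PowerShell, which makes the settings reviewable and repeatable. The script below is an added example, not part of the original page. It assumes the ExchangeOnlineManagement module is installed and the tenant is licensed for impersonation protection, and the CEO display name and address (CEO;ceo@contoso.com) are placeholders.

```powershell
# Added example: the "Domain and CEO" policy expressed as cmdlets.
# Assumes an admin session; Connect-ExchangeOnline prompts for sign-in.
Connect-ExchangeOnline

$policyName = 'Domain and CEO'

$policy = @{
    Name                            = $policyName
    AdminDisplayName                = 'Ensure that the CEO and our domain are not being impersonated.'

    # User impersonation protection: redirect hits to the security administrator.
    EnableTargetedUserProtection    = $true
    TargetedUsersToProtect          = 'CEO;ceo@contoso.com'   # placeholder "DisplayName;Address"
    TargetedUserProtectionAction    = 'Redirect'
    TargetedUserActionRecipients    = 'securityadmin@contoso.com'

    # Domain impersonation protection: quarantine for later review.
    EnableTargetedDomainsProtection = $true
    TargetedDomainsToProtect        = 'contoso.com'
    TargetedDomainProtectionAction  = 'Quarantine'

    # Mailbox intelligence stays on; no trusted senders or domains are
    # defined, so ExcludedSenders and ExcludedDomains are left unset.
    EnableMailboxIntelligence       = $true
}
New-AntiPhishPolicy @policy

# The rule is what applies the policy: all recipients in contoso.com.
New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName -RecipientDomainIs 'contoso.com'

# Read the settings back and confirm no overrides were introduced.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Name, Enable*, Targeted*, Excluded*
Get-AntiPhishRule -Identity $policyName |
    Format-List Name, State, Priority, RecipientDomainIs, AntiPhishPolicy
```

The Redirect action depends on TargetedUserActionRecipients being set, so check in the read-back output that the security administrator's address is present before relying on the policy.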
