How does the phishing policy handle internal domains? Could someone explain in detail?
We could refer to the introduction of anti-phishing policy in the official document.
By default, no sender domains are configured for impersonation protection in Enable domains to protect. Therefore, by default, no sender domains are covered by impersonation protection, either in the default policy or in custom policies.
When you add domains (domains you own or partner domains) to the Enable domains to protect list, messages from senders in those domains are subject to impersonation protection checks. The message is checked for impersonation if the message is sent to a recipient that the policy applies to (all recipients for the default policy; Users, groups, and domains recipients in custom policies). If impersonation is detected in the sender's domain, the impersonation protection actions for domains are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.).
And if you want to know more about how the EOP backend handles internal domains, I would suggest you open a service request to get more information.
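An added example, not part of the original answer: one way to check from Exchange Online PowerShell whether any anti-phishing policy actually has domains under impersonation protection, and to turn it on for owned and partner domains. The policy name and partner domains are placeholders; it assumes the ExchangeOnlineManagement module and a Defender for Office 365 licence.

```powershell
# Added example. Placeholder values are marked; replace them with your own.
Connect-ExchangeOnline

# 1. Audit: by default no sender domains are protected, so list every policy
#    whose domain impersonation settings are still empty or switched off.
$unprotected = Get-AntiPhishPolicy | Where-Object {
    -not $_.EnableOrganizationDomainsProtection -and
    (-not $_.EnableTargetedDomainsProtection -or
     @($_.TargetedDomainsToProtect).Count -eq 0)
}
foreach ($p in $unprotected) {
    Write-Warning "Policy '$($p.Name)' protects no sender domains from impersonation."
}

# 2. Enable protection for domains you own (accepted domains) and for
#    partner domains on one policy.
$policyName     = 'Example Anti-Phish Policy'            # placeholder
$partnerDomains = 'partner.example', 'supplier.example'  # placeholders

$settings = @{
    Identity                            = $policyName
    EnableOrganizationDomainsProtection = $true   # domains you own
    EnableTargetedDomainsProtection     = $true   # custom/partner domains
    TargetedDomainsToProtect            = $partnerDomains
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableSimilarDomainsSafetyTips      = $true   # show the safety tip
}
Set-AntiPhishPolicy @settings

# 3. Confirm which recipients the policy applies to. The default policy
#    covers all recipients; a custom policy is scoped by its rule.
Get-AntiPhishRule |
    Where-Object { $_.AntiPhishPolicy -eq $policyName } |
    Select-Object Name, State, Priority, SentTo, SentToMemberOf, RecipientDomainIs

# 4. Read the settings back to verify the change.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Name, Enable*DomainsProtection, TargetedDomain*
```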