Manage anti-phishing policies

The prior unit examined malicious spoofing (as opposed to legitimate spoofing), whose purpose is to deliver a malicious email. Phishing is similar to malicious spoofing in that the sender of an email masquerades as a trustworthy entity. However, phishing differs from spoofing in that phishing tries to acquire sensitive information such as usernames, passwords, credit card information, social security numbers, and so on.

Phishing attacks come in various forms, from commodity-based attacks to targeted spear phishing or whaling. With the growing complexity of phishing attacks, it's difficult for even a trained eye to identify some of these sophisticated attacks.

By default, Microsoft 365 includes built-in features that help organizations protect their users from phishing attacks. Anti-phishing policies increase this protection; for example, by refining settings to better detect and prevent impersonation and spoofing attacks.

Anti-phishing protection is available in Exchange Online Protection (EOP) for Microsoft 365 organizations without Microsoft Defender for Office 365. Microsoft Defender for Office 365 contains more advanced anti-phishing features.

Anti-phishing protection in EOP

Exchange Online Protection contains the following features that can help protect your organization from phishing threats:

  • Spoof intelligence. Review spoofed messages from senders in internal and external domains, and allow or block those senders. For more information, see Configure spoof intelligence in EOP.
  • Anti-phishing policies in EOP. Turn spoof intelligence on or off, turn unauthenticated sender identification in Outlook on or off, and specify the action for blocked spoofed senders (move to Junk Email folder or quarantine). For more information, see Configure anti-phishing policies in EOP.
  • Allow or block spoofed senders in the Tenant Allow/Block List. When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the Spoofed senders tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoof senders before they're detected by spoof intelligence. For more information, see Manage the Tenant Allow/Block List in EOP.
  • Implicit email authentication. EOP enhances standard email authentication checks for inbound email (SPF, DKIM, and DMARC) with sender reputation, sender history, recipient history, behavioral analysis, and other advanced techniques to help identify forged senders. For more information, see Email authentication in Microsoft 365.

Anti-phishing protection in Microsoft Defender for Office 365

Microsoft Defender for Office 365 contains the following advanced anti-phishing features:

Managing Anti-phishing policies in Microsoft Defender for Office 365

Creating a custom anti-phishing policy in the Microsoft Defender portal creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.

  1. In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the Policies section. To go directly to the Anti-phishing page, use https://security.microsoft.com/antiphishing.

  2. On the Anti-phishing page, select Create.

  3. The policy wizard opens. On the Policy name page, configure these settings:

    • Name: Enter a unique, descriptive name for the policy.
    • Description: Enter an optional description for the policy.

    When you're finished, select Next.

  4. On the Users, groups, and domains page that appears, identify the internal recipients that the policy applies to (recipient conditions):

    • Users: The specified mailboxes, mail users, or mail contacts.
    • Groups:
      • Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
      • The specified Microsoft 365 Groups.
    • Domains: All recipients in the specified accepted domains in your organization.
    • Exclude these users, groups, and domains: To add exceptions for the internal recipients that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.

  5. On the Phishing threshold & protection page that appears, use the Enable spoof intelligence check box to turn spoof intelligence on or off. The default value is on (selected), and we recommend that you leave it on. You configure the action to take on blocked spoofed messages on the next page.

    To turn off spoof intelligence, clear the check box.

    Note

    You don't need to turn off anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see Enhanced Filtering for Connectors in Exchange Online.

    When you're finished, select Next.

  6. On the Actions page that appears, configure the following settings:

    • If message is detected as spoof: This setting is available only if you selected Enable spoof intelligence on the previous page. Select one of the following actions in the drop-down list for messages from blocked spoofed senders:

      • Move message to the recipients' Junk Email folders

      • Quarantine the message: If you select this action, an Apply quarantine policy box appears where you select the quarantine policy that applies to messages that are quarantined by spoof intelligence protection. Quarantine policies define what users can do to quarantined messages, and whether users receive quarantine notifications.

        A blank Apply quarantine policy value means the default quarantine policy is used (DefaultFullAccessPolicy for spoof intelligence detections). When you later edit the anti-phishing policy or view the settings, the default quarantine policy name is shown.

    • Safety tips & indicators:

      • Show first contact safety tip
      • Show (?) for unauthenticated senders for spoof*: Adds a question mark (?) to the sender's photo in the From box in Outlook if the message doesn't pass SPF or DKIM checks and the message doesn't pass DMARC or composite authentication.
      • Show "via" tag*: Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the MAIL FROM address.

      To turn on a setting, select the check box. To turn it off, clear the check box.

      * This setting is available only if you selected Enable spoof intelligence on the previous page.

    When you're finished, select Next.

  7. On the Review page that appears, review your settings. You can select Edit in each section to modify the settings within the section. Or you can select Back or select the specific page in the wizard.

    When you're finished, select Submit.

  8. On the confirmation page that appears, select Done.
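
The same settings can be applied from Exchange Online PowerShell, where the anti-phish policy and the anti-phish rule that the wizard creates together are two separate objects. This is an added example, not part of the original unit; the policy name, domain, and mailbox address are constructed placeholders, and it assumes a session already connected with Connect-ExchangeOnline.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an
# authenticated session (Connect-ExchangeOnline).
# The name, domain, and address below are constructed placeholders.
$policyName = 'Contoso Standard Anti-Phish'

# Policy object: the settings from the "Phishing threshold & protection"
# and "Actions" pages of the wizard.
$policy = @{
    Name                         = $policyName
    AdminDisplayName             = 'Spoof protection for contoso.com recipients'
    EnableSpoofIntelligence      = $true          # wizard default: on
    AuthenticationFailAction     = 'Quarantine'   # or 'MoveToJmf' (Junk Email folder)
    SpoofQuarantineTag           = 'DefaultFullAccessPolicy'  # default for spoof detections
    EnableFirstContactSafetyTips = $true          # Show first contact safety tip
    EnableUnauthenticatedSender  = $true          # Show (?) for unauthenticated senders
    EnableViaTag                 = $true          # Show "via" tag
}
New-AntiPhishPolicy @policy

# Rule object: the recipient conditions and exceptions from the
# "Users, groups, and domains" page. It uses the same name as the policy,
# as the wizard does, and points at the policy by name.
$rule = @{
    Name              = $policyName
    AntiPhishPolicy   = $policyName
    RecipientDomainIs = 'contoso.com'
    ExceptIfSentTo    = 'shared-mailbox@contoso.com'
}
New-AntiPhishRule @rule

# Review step: read both objects back and confirm the values that were set.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Name, EnableSpoofIntelligence, AuthenticationFailAction,
                SpoofQuarantineTag, EnableFirstContactSafetyTips,
                EnableUnauthenticatedSender, EnableViaTag

Get-AntiPhishRule -Identity $policyName |
    Format-List Name, AntiPhishPolicy, State, Priority,
                RecipientDomainIs, ExceptIfSentTo
```

A policy created with New-AntiPhishPolicy has no recipients until a rule references it, so the Get-AntiPhishRule output is the place to confirm who is actually covered.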

Further reading. For more information, see Anti-phishing policies in Microsoft 365.

Knowledge check

Choose the best response for the following question.

1. Which anti-phishing feature in Exchange Online Protection turns spoof intelligence on or off, turns unauthenticated sender identification in Outlook on or off, and specifies the action for blocked spoofed senders?