Impersonation insight in Defender for Office 365

Note

The features described in this article are in Preview, are subject to change, and are not available in all organizations.

Impersonation is where the sender of an email message looks very similar to a real or expected sender email address. Attackers often use impersonated sender email addresses in phishing or other types of attacks in an effort to gain the trust of the recipient. There are two basic types of impersonation:

  • Domain impersonation: Instead of lila@contoso.com, the impersonated sender's email address is lila@ćóntoso.com.
  • User impersonation: Instead of michelle@contoso.com, the impersonated sender's email address is rnichell@contoso.com.

Domain impersonation is different from domain spoofing, because the impersonated domain is typically a real, registered domain. Messages from senders in the impersonated domain can and often do pass regular email authentication checks that would otherwise identify spoofing attempts (SPF, DKIM, and DMARC).
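The following Python sketch is an added illustration of the idea above and is not Microsoft's detection logic (which is not published): it folds accented and look-alike glyphs to ASCII, compares the sender against a protected list, and shows how a trusted-domain exception turns a detection into "Allowed to impersonate: Yes". All addresses, the trusted domain contoso.co and the 0.85 similarity threshold are constructed for the example.

```python
"""Illustrative look-alike sender check modelled on the impersonation insight.
Constructed example; the similarity rule is NOT Microsoft's detection logic."""
import unicodedata
from collections import Counter
from difflib import SequenceMatcher
from typing import Optional

# Values an admin would configure in the anti-phishing policy (all constructed).
PROTECTED_USERS = {"michelle@contoso.com"}
PROTECTED_DOMAINS = {"contoso.com"}
TRUSTED_DOMAINS = {"contoso.co"}   # exception list -> "Allowed to impersonate: Yes"
TRUSTED_USERS = set()


def fold(text: str) -> str:
    """Map accents and common look-alike glyphs to ASCII:
    'ćóntoso' -> 'contoso', 'rnichell' -> 'michell'."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    for pair, base in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        text = text.replace(pair, base)
    return text


def similar(a: str, b: str, threshold: float = 0.85) -> bool:
    """True when the folded strings are near-identical (constructed threshold)."""
    return SequenceMatcher(None, fold(a), fold(b)).ratio() >= threshold


def classify(sender: str) -> Optional[dict]:
    """Return a detection record for one sender, or None if it is not a look-alike."""
    local, _, domain = sender.lower().rpartition("@")
    for pd in PROTECTED_DOMAINS:
        if domain != pd and similar(domain, pd):          # lila@ćóntoso.com
            return {"sender": sender, "type": "Domain in address",
                    "impersonated": pd, "allowed": domain in TRUSTED_DOMAINS}
    for pu in PROTECTED_USERS:
        if sender.lower() != pu and similar(local, pu.split("@")[0]):  # rnichell@
            return {"sender": sender, "type": "User in address",
                    "impersonated": pu, "allowed": sender.lower() in TRUSTED_USERS}
    return None


def insight(senders: list) -> list:
    """Aggregate one row per detected sender with a message count, like the insight tabs."""
    rows = []
    for sender, count in Counter(senders).items():
        record = classify(sender)
        if record:
            rows.append({**record, "message_count": count})
    return rows
```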

Impersonation protection is part of the anti-phishing policy settings that are exclusive to Microsoft Defender for Office 365. For more information about these settings, see Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365.

You can use the impersonation insight in the Microsoft 365 Defender portal to quickly identify messages from impersonated senders or sender domains that you've configured for impersonation protection.

What do you need to know before you begin?

Open the impersonation insight in the Microsoft 365 Defender portal

  1. In the Microsoft 365 Defender portal, go to Email & Collaboration > Policies & Rules > Threat policies > Policies section > Anti-phishing.

  2. On the Anti-phishing page, the impersonation insight looks like this:

    Impersonation insight and spoof intelligence on the Anti-phishing policy page

    The insight has two modes:

    • Insight mode: If impersonation protection is enabled and configured in any anti-phishing policies, the insight shows the number of detected messages from impersonated domains and impersonated users (senders) over the past seven days. This is the total of all detected impersonated senders from all anti-phishing policies.
    • What if mode: If impersonation protection is not enabled and configured in any active anti-phishing policies, the insight shows you how many messages would have been detected by our impersonation protection capabilities over the past seven days.

To view information about the impersonation detections, click View impersonations in the impersonation insight.

Note

For information about the spoof intelligence insight, see Spoof intelligence insight in EOP.

View information about messages from senders in impersonated domains

On the Impersonation insight page that appears after you click View impersonations in the impersonation insight, verify that the Domains tab is selected. The Domains tab contains the following information:

  • Sender Domain: The impersonating domain, which is the domain that was used to send the email message.
  • Message count: The number of messages from the impersonating sender domain over the last 7 days.
  • Impersonation type: This value shows the detected location of the impersonation (for example, Domain in address).
  • Impersonated domain(s): The impersonated domain, which should closely resemble the domain that's configured for impersonation protection in the anti-phishing policy.
  • Domain type: This value is Company domain for internal domains or Custom domain for custom domains.
  • Policy: The anti-phishing policy that detected the impersonated domain.
  • Allowed to impersonate: One of the following values:
    • Yes: The domain was configured as a trusted domain (an exception for impersonation protection) in the anti-phishing policy. Messages from senders in the impersonated domain were detected, but allowed.
    • No: The domain was configured for impersonation protection in the anti-phishing policy. Messages from senders in the impersonated domain were detected and acted upon based on the action for impersonated domains in the anti-phishing policy.

You can click selected column headings to sort the results.

To filter the results, use the Search box to enter a comma-separated list of values.

View details about messages from senders in impersonated domains

On the Domains tab on the Impersonation insight page, select one of the available impersonation detections. The details flyout that appears contains the following information and features:

  • Select impersonation policy to modify: Select the affected anti-phishing policy that you want to modify. Only policies where the impersonated domain is defined in the policy are available. Refer to the previous page to see which policy was actually responsible for detecting the impersonated domain (likely based on the recipient and the priority of the policy).
  • Add to the allowed to impersonation list: Use this toggle to add or remove the sender from the Trusted senders and domains (impersonation exceptions) for the anti-phishing policy that you selected:
    • If the Allowed to impersonate value for this entry was No, the toggle is off. To exempt all senders in this domain from evaluation by impersonation protection, slide the toggle to on. The domain is added to the Trusted domains list in the impersonation protection settings of the anti-phishing policy.
    • If the Allowed to impersonate value for this entry was Yes, the toggle is on. To return all senders in this domain to evaluation by impersonation protection, slide the toggle to off. The domain is removed from the Trusted domains list in the impersonation protection settings of the anti-phishing policy.
  • Why we caught this.
  • What you need to do.
  • A domain summary that lists the impersonated domain.
  • WhoIs data about the sender.
  • A link to open Threat Explorer to see additional details about the sender.
  • Similar messages from the same sender that were delivered to your organization.

View information about messages from impersonated senders

On the Impersonation insight page that appears after you click View impersonations in the impersonation insight, click the Users tab. The Users tab contains the following information:

  • Sender: The email address of the impersonating sender that sent the email message.
  • Message count: The number of messages from the impersonating sender over the last 7 days.
  • Impersonation type: This value is User in display name.
  • Impersonated user(s): The email address of the impersonated sender, which should closely resemble the user that's configured for impersonation protection in the anti-phishing policy.
  • User type: This value shows the type of protection applied (for example, Protected user or Mailbox Intelligence).
  • Policy: The anti-phishing policy that detected the impersonated sender.
  • Allowed to impersonate: One of the following values:
    • Yes: The sender was configured as a trusted user (an exception for impersonation protection) in the anti-phishing policy. Messages from the impersonated sender were detected, but allowed.
    • No: The sender was configured for impersonation protection in the anti-phishing policy. Messages from the impersonated sender were detected and acted upon based on the action for impersonated users in the anti-phishing policy.

You can click selected column headings to sort the results.

To filter the results, use the Filter sender box to enter a comma-separated list of values.

View details about messages from impersonated senders

On the Users tab on the Impersonation insight page, select one of the available impersonation detections. The details flyout that appears contains the following information and features:

  • Select impersonation policy to modify: Select the affected anti-phishing policy that you want to modify. Only policies where the impersonated sender is defined in the policy are available. Refer to the previous page to see which policy was actually responsible for detecting the impersonated sender (likely based on the recipient and the priority of the policy).
  • Add to the allowed to impersonation list: Use this toggle to add or remove the sender from the Trusted senders and domains (impersonation exceptions) for the anti-phishing policy that you selected:
    • If the Allowed to impersonate value for this entry was No, the toggle is off. To exempt the sender from evaluation by impersonation protection, slide the toggle to on. The sender is added to the Trusted users list in the impersonation protection settings of the anti-phishing policy.
    • If the Allowed to impersonate value for this entry was Yes, the toggle is on. To return the sender to evaluation by impersonation protection, slide the toggle to off. The sender is removed from the Trusted users list in the impersonation protection settings of the anti-phishing policy.
  • Why we caught this.
  • What you need to do.
  • A sender summary that lists the impersonated sender.
  • WhoIs data about the sender.
  • A link to open Threat Explorer to see additional details about the sender.
  • Similar messages from the same sender that were delivered to your organization.