Anti-phishing policies in Microsoft 365

Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Office 365 Advanced Threat Protection (Office 365 ATP) organizations.

ATP anti-phishing policies are only available in organizations that have Office 365 ATP. For example:

All other organizations have anti-phishing policies.

The high-level differences between anti-phishing policies and ATP anti-phishing policies are described in the following table:

Feature                               Anti-phishing policies   ATP anti-phishing policies
Automatically created default policy  Yes                      Yes
Create custom policies                Yes                      Yes
Policy settings*                      Yes                      Yes
Impersonation settings                                         Yes
Spoof settings                        Yes                      Yes
Advanced phishing thresholds                                   Yes

* In the default policy, the policy name and description are read-only (the description is blank), and you can't specify who the policy applies to (the default policy applies to all recipients).

To configure anti-phishing policies, see the following topics:

The rest of this topic describes the settings that are available in anti-phishing policies and ATP anti-phishing policies.

Spoof settings

Spoofing is when the From address in an email message (the sender address that's shown in email clients) doesn't match the domain of the email source. For more information about spoofing, see Anti-spoofing protection in Microsoft 365.

The following spoof settings are available in anti-phishing policies and ATP anti-phishing policies:

  • Anti-spoofing protection: Enables or disables anti-spoofing protection. We recommend that you leave it enabled. You use the spoof intelligence policy to allow or block specific spoofed internal and external senders. For more information, see Configure spoof intelligence in Microsoft 365.

    Note

    Spoof settings are enabled by default in the default anti-phishing policy in EOP, the default ATP anti-phishing policy, and in new custom anti-phishing policies or ATP anti-phishing policies that you create.

    You don't need to disable anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see Enhanced Filtering for Connectors in Exchange Online.

    For messages from blocked spoofed senders, you can also specify the action to take on the messages:

  • Unauthenticated Sender: Enables or disables unidentified sender identification in Outlook. Specifically:

    • A question mark (?) is added to the sender's photo if the message does not pass SPF or DKIM checks and the message does not pass DMARC or composite authentication.

    • The via tag (chris@contoso.com via michelle@fabrikam.com) is added if the domain in the From address (the message sender that's displayed in email clients) is different from the domain in the DKIM signature or the MAIL FROM address. For more information about these addresses, see An overview of email message standards.

    To prevent these identifiers from being added to messages from specific senders, you have the following options:

    • Allow the sender to spoof in the spoof intelligence policy. For instructions, see Configure spoof intelligence in Microsoft 365.

    • Configure email authentication for the sender domain.

      • For the question mark in the sender's photo, SPF or DKIM are the most important.
      • For the via tag, confirm the domain in the DKIM signature or the MAIL FROM address matches (or is a subdomain of) the domain in the From address.

    For more information, see Identify suspicious messages in Outlook.com and Outlook on the web.

Exclusive settings in ATP anti-phishing policies

This section describes the policy settings that are only available in ATP anti-phishing policies.

Note

By default, the ATP exclusive settings are not configured or turned on, even in the default policy. To take advantage of these features, you need to enable and configure them in the default ATP anti-phishing policy, or create and configure custom ATP anti-phishing policies.

Policy settings in ATP anti-phishing policies

The following policy settings are only available in ATP anti-phishing policies:

  • Name: You can't rename the default anti-phishing policy, but you can name and rename custom policies that you create.

  • Description: You can't add a description to the default anti-phishing policy, but you can add and change the description for custom policies that you create.

  • Applied to: Identifies internal recipients that the ATP anti-phishing policy applies to. This value is required in custom policies, and not available in the default policy (the default policy applies to all recipients).

    You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

    • Recipient is: One or more mailboxes, mail users, or mail contacts in your organization.

    • Recipient is a member of: One or more groups in your organization.

    • The recipient domain is: One or more of the configured accepted domains in Microsoft 365.

    • Except when: Exceptions for the rule. The settings and behavior are exactly like the conditions:

      • Recipient is
      • Recipient is a member of
      • The recipient domain is

Impersonation settings in ATP anti-phishing policies

Impersonation is where the sender or the sender's email domain in a message looks very similar to a real sender or domain:

  • An example impersonation of the domain contoso.com is ćóntoso.com.

  • An example impersonation of the user michelle@contoso.com is michele@contoso.com.

An impersonated domain might otherwise be considered legitimate (registered domain, configured email authentication records, etc.), except its intent is to deceive recipients.
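As an added illustration (not Microsoft's detection logic, which this topic describes only by example), the following PowerShell shows why the two lookalikes above resemble their targets: Unicode normalization strips the diacritics from ćóntoso.com, and michele is one edit away from michelle. The Test-Lookalike function and its one-character threshold are assumptions made for the example.

```powershell
# Added example, not from the original page. Illustrates lookalike matching
# against protected users and domains; the threshold of 1 edit is an assumption.
function Remove-Diacritics {
    param([string]$Text)
    # FormD splits "ć" into "c" plus a combining accent; dropping the marks (\p{Mn}) leaves "c".
    return ($Text.Normalize([Text.NormalizationForm]::FormD) -replace '\p{Mn}', '')
}

function Get-EditDistance {
    param([string]$A, [string]$B)
    # Levenshtein distance: insertions, deletions and substitutions cost 1 each.
    $prev = @(0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = @($i) + (@(0) * $B.Length)
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Test-Lookalike {
    param([string]$FromAddress, [string[]]$ProtectedUsers, [string[]]$ProtectedDomains)
    $rawLocal, $rawDomain = $FromAddress.ToLowerInvariant() -split '@', 2
    if (-not $rawDomain) { return @() }
    $local  = Remove-Diacritics $rawLocal
    $domain = Remove-Diacritics $rawDomain
    $hits = @()
    foreach ($d in $ProtectedDomains) {
        $pd = $d.ToLowerInvariant()
        # The exact protected domain is genuine; a near miss after normalization is a lookalike.
        if ($rawDomain -ne $pd -and (Get-EditDistance $domain $pd) -le 1) { $hits += "domain lookalike of $pd" }
    }
    foreach ($u in $ProtectedUsers) {
        $uLocal, $uDomain = $u.ToLowerInvariant() -split '@', 2
        if ($domain -eq $uDomain -and $rawLocal -ne $uLocal -and (Get-EditDistance $local $uLocal) -le 1) {
            $hits += "user lookalike of $u"
        }
    }
    return $hits
}

# Constructed sample input using the addresses from this topic.
$protectedUsers   = @('michelle@contoso.com')
$protectedDomains = @('contoso.com')
foreach ($from in @('someone@ćóntoso.com', 'michele@contoso.com', 'michelle@contoso.com')) {
    $verdict = Test-Lookalike $from $protectedUsers $protectedDomains
    if (-not $verdict) { $verdict = 'no lookalike detected' }
    '{0} -> {1}' -f $from, ($verdict -join '; ')
}
```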

The following impersonation settings are only available in ATP anti-phishing policies:

  • Users to protect: Prevents the specified internal or external users from being impersonated. For example, executives (internal) and board members (external). You can add up to 60 internal and external addresses. This list of protected users is different from the list of recipients that the policy applies to in the Applied to setting.

    For example, you specify Felipe Apodaca (felipea@contoso.com) as a protected user in a policy that applies to the group named Executives. Inbound messages sent to members of the Executives group where Felipe Apodaca is impersonated will be acted on by the policy (the action you configure for impersonated users).

  • Domains to protect: Prevent the specified domains from being impersonated. For example, all domains that you own (accepted domains) or specific domains (domains you own or partner domains). This list of protected domains is different from the list of domains that the policy applies to in the Applied to setting.

    For example, you specify tailspintoys.com as a protected domain in a policy that applies to members of the group named Executives. Inbound messages sent to members of the Executives group where tailspintoys.com is impersonated will be acted on by the policy (the action you configure for impersonated domains).

  • Actions for protected users or domains: Choose the action to take on inbound messages that contain impersonation attempts against the protected users and protected domains in the policy. You can specify different actions for impersonation of protected users vs. impersonation of protected domains:

  • Safety tips: Enables or disables the following impersonation safety tips that will appear in messages that fail impersonation checks:

    • Impersonated users: The From address contains a protected user.
    • Impersonated domains: The From address contains a protected domain.
    • Unusual characters: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in a protected sender or domain.

  • Mailbox intelligence: Enables or disables artificial intelligence (AI) that determines user email patterns with their frequent contacts. This setting helps the AI distinguish between legitimate and spoofed email from those contacts. Mailbox intelligence is only available for Exchange Online mailboxes.

  • Mailbox intelligence based impersonation protection: Enables or disables enhanced impersonation results based on each user's individual sender map. This intelligence allows Microsoft 365 to customize user impersonation detection and better handle false positives. When user impersonation is detected, you can define a specific action to take on the message:

    • Don't apply any action
    • Redirect message to other email addresses
    • Move message to Junk Email folder
    • Quarantine the message
    • Deliver the message and add other addresses to the Bcc line
    • Delete the message before it's delivered

  • Trusted senders and domains: Exceptions to the impersonation protection settings. Messages from the specified senders and sender domains are never classified as impersonation-based attacks by the policy. In other words, the actions for protected senders, protected domains, and mailbox intelligence protection aren't applied to these trusted senders or sender domains. The maximum limit for these lists is approximately 1000 entries.

Advanced phishing thresholds in ATP anti-phishing policies

The following advanced phishing thresholds are only available in ATP anti-phishing policies. They control how sensitively the machine learning models that determine a phishing verdict are applied to messages:

  • 1 - Standard: This is the default value. The severity of the action that's taken on the message depends on the degree of confidence that the message is phishing (low, medium, high, or very high confidence). For example, messages that are identified as phishing with a very high degree of confidence have the most severe actions applied, while messages that are identified as phishing with a low degree of confidence have less severe actions applied.

  • 2 - Aggressive: Messages that are identified as phishing with a high degree of confidence are treated as if they were identified with a very high degree of confidence.

  • 3 - More aggressive: Messages that are identified as phishing with a medium or high degree of confidence are treated as if they were identified with a very high degree of confidence.

  • 4 - Most aggressive: Messages that are identified as phishing with a low, medium, or high degree of confidence are treated as if they were identified with a very high degree of confidence.

The chance of false positives (good messages marked as bad) increases as you increase this setting. For information about the recommended settings, see Office ATP anti-phishing policy settings.
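The settings described in this topic correspond to parameters of the New-AntiPhishPolicy and New-AntiPhishRule cmdlets in Exchange Online PowerShell. The following is an added example, not part of the original page: it builds the Executives scenario above (Felipe Apodaca as a protected user, tailspintoys.com as a protected domain) together with the safety tips, mailbox intelligence, trusted senders and a threshold of 2 - Aggressive. It assumes an existing Exchange Online PowerShell session, a group named Executives, and the constructed exception mailbox exec-assistants@contoso.com and trusted partner domain fabrikam.com.

```powershell
# Added example, not from the original page. Assumes Connect-ExchangeOnline has
# already been run and that a group named "Executives" exists.
$policyName = 'Executives Impersonation Protection'

# 1. The policy carries the impersonation, mailbox intelligence and threshold settings.
$policyParams = @{
    Name                                = $policyName
    AdminDisplayName                    = 'Protects executives and the Tailspin Toys partner domain'
    # Users to protect: "DisplayName;EmailAddress" entries (up to 60 addresses).
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Felipe Apodaca;felipea@contoso.com')
    TargetedUserProtectionAction        = 'Quarantine'
    # Domains to protect: every accepted domain you own plus a named partner domain.
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('tailspintoys.com')
    TargetedDomainProtectionAction      = 'MoveToJmf'
    # Safety tips for impersonated users, impersonated domains and unusual characters.
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    # Mailbox intelligence and the action for mailbox intelligence based detections.
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    # Trusted senders and domains: never classified as impersonation by this policy (constructed values).
    ExcludedSenders                     = @('partner@fabrikam.com')
    ExcludedDomains                     = @('fabrikam.com')
    # Advanced phishing threshold: 1 Standard, 2 Aggressive, 3 More aggressive, 4 Most aggressive.
    PhishThresholdLevel                 = 2
}
New-AntiPhishPolicy @policyParams

# 2. The rule supplies "Applied to": members of Executives, except one constructed
#    mailbox. A condition and an exception combine with AND logic.
$ruleParams = @{
    Name            = "$policyName Rule"
    AntiPhishPolicy = $policyName
    SentToMemberOf  = @('Executives')
    ExceptIfSentTo  = @('exec-assistants@contoso.com')
    Priority        = 0
}
New-AntiPhishRule @ruleParams

# 3. Verify what was created before relying on it.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Name, TargetedUsersToProtect, TargetedDomainsToProtect, PhishThresholdLevel
Get-AntiPhishRule -Identity "$policyName Rule" |
    Format-List Name, SentToMemberOf, ExceptIfSentTo, Priority
```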