Anti-phishing policies in Microsoft 365


Applies to

Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organizations.

Examples of Microsoft Defender for Office 365 organizations include:

The high-level differences between anti-phishing policies in EOP and anti-phishing policies in Defender for Office 365 are described in the following table:



Feature                               Anti-phishing policies in EOP   Anti-phishing policies in Defender for Office 365
Automatically created default policy  Yes                             Yes
Create custom policies                Yes                             Yes
Common policy settings*               Yes                             Yes
Spoof settings                        Yes                             Yes
First contact safety tip              Yes                             Yes
Impersonation settings                No                              Yes
Advanced phishing thresholds          No                              Yes

* In the default policy, the policy name, and description are read-only (the description is blank), and you can't specify who the policy applies to (the default policy applies to all recipients).

To configure anti-phishing policies, see the following articles:

The rest of this article describes the settings that are available in anti-phishing policies in EOP and Defender for Office 365.

Common policy settings

The following policy settings are available in anti-phishing policies in EOP and Defender for Office 365:

  • Name: You can't rename the default anti-phishing policy. After you create a custom anti-phishing policy, you can't rename the policy in the Microsoft 365 Defender portal.

  • Description: You can't add a description to the default anti-phishing policy, but you can add and change the description for custom policies that you create.

  • Users, groups, and domains: Identifies internal recipients that the anti-phishing policy applies to. This value is required in custom policies, and not available in the default policy (the default policy applies to all recipients).

    You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

    • Users: One or more mailboxes, mail users, or mail contacts in your organization.

    • Groups: One or more groups in your organization.

    • Domains: One or more of the configured accepted domains in Microsoft 365.

    • Exclude these users, groups, and domains: Exceptions for the policy. The settings and behavior are exactly like the conditions:

      • Users
      • Groups
      • Domains

    Note

    At least one selection in the Users, groups, and domains settings is required in custom anti-phishing policies to identify the message recipients that the policy applies to. Anti-phishing policies in Defender for Office 365 also have impersonation settings where you can specify individual sender email addresses or sender domains that will receive impersonation protection as described later in this article.
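The OR-within-a-condition, AND-across-conditions logic above, together with the "processing stops at the first matching policy" rule mentioned later in this article, is easy to get wrong when several custom policies overlap. The following is an added illustration, not code from Microsoft or from this article: it models a custom policy's Users, groups, and domains conditions and exceptions as plain Python sets and picks the effective policy for a recipient. The rule objects, the group names and the policy names are constructed sample data; "Default" stands in for the default policy.

```python
from dataclasses import dataclass, field


@dataclass
class AntiPhishRule:
    """The Users, groups, and domains conditions and exceptions of one custom policy.
    Lower priority numbers are evaluated first; processing stops at the first match."""
    policy: str
    priority: int
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    except_users: set = field(default_factory=set)
    except_groups: set = field(default_factory=set)
    except_domains: set = field(default_factory=set)


def _matches(users, groups, domains, recipient, memberships):
    """Values inside one condition are ORed; every condition that has values must hold (AND)."""
    addr = recipient.lower()
    domain = addr.rsplit("@", 1)[-1]
    groups_of_recipient = {g.lower() for g in memberships}
    checks = [
        (users, addr in {u.lower() for u in users}),
        (groups, bool(groups_of_recipient & {g.lower() for g in groups})),
        (domains, domain in {d.lower() for d in domains}),
    ]
    return all(ok for values, ok in checks if values)


def rule_applies(rule, recipient, memberships):
    """True when the recipient satisfies the conditions and is not carved out by the exceptions.
    Exceptions follow the same OR/AND rules as the conditions."""
    if not (rule.users or rule.groups or rule.domains):
        raise ValueError(f"{rule.policy}: a custom policy needs at least one condition")
    if not _matches(rule.users, rule.groups, rule.domains, recipient, memberships):
        return False
    has_exceptions = bool(rule.except_users or rule.except_groups or rule.except_domains)
    excluded = has_exceptions and _matches(
        rule.except_users, rule.except_groups, rule.except_domains, recipient, memberships)
    return not excluded


def effective_policy(rules, recipient, memberships=frozenset()):
    """Name of the first applicable custom policy by priority, else the default policy."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_applies(rule, recipient, memberships):
            return rule.policy
    return "Default"


# Constructed sample rules: a narrow executive policy first, then a finance policy that
# requires BOTH group membership AND the contoso.com domain, with one excepted user.
RULES = [
    AntiPhishRule("Executives", priority=0, users={"ceo@contoso.com"}),
    AntiPhishRule("Finance", priority=1, groups={"Finance"}, domains={"contoso.com"},
                  except_users={"contractor@contoso.com"}),
]

if __name__ == "__main__":
    for who, groups in [("ceo@contoso.com", {"Finance"}), ("pat@contoso.com", {"Finance"}),
                        ("pat@contoso.com", set()), ("contractor@contoso.com", {"Finance"})]:
        print(who, sorted(groups), "->", effective_policy(RULES, who, groups))
```

The interesting cases are pat@contoso.com without the group membership (the domain condition alone is not enough, because different conditions are ANDed) and the excepted contractor, who satisfies every condition but still falls through to the default policy.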

Spoof settings

Spoofing is when the From address in an email message (the sender address that's shown in email clients) doesn't match the domain of the email source. For more information about spoofing, see Anti-spoofing protection in Microsoft 365.

The following spoof settings are available in anti-phishing policies in EOP and Defender for Office 365:

  • Enable spoof intelligence: Turns spoof intelligence on or off. We recommend that you leave it turned on.

    When spoof intelligence is enabled, the spoof intelligence insight shows spoofed senders that were automatically detected and allowed or blocked by spoof intelligence. You can manually override the spoof intelligence verdict to allow or block the detected spoofed senders from within the insight. But when you do, the spoofed sender disappears from the spoof intelligence insight, and is now visible only on the Spoof tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders in the Tenant Allow/Block List. For more information, see the following articles:

    Note

    • Anti-spoofing protection is enabled by default in the default anti-phishing policy and in any new custom anti-phishing policies that you create.
    • You don't need to disable anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see Enhanced Filtering for Connectors in Exchange Online.
    • Disabling anti-spoofing protection only disables implicit spoofing protection from composite authentication checks. If the sender fails explicit DMARC checks where the policy is set to quarantine or reject, the message is still quarantined or rejected.
  • Unauthenticated sender notifications: These notifications are available only when spoof intelligence is turned on. See the information in the next section.

  • Actions: For messages from blocked spoofed senders (automatically blocked by spoof intelligence or manually blocked in the Tenant Allow/Block list), you can also specify the action to take on the messages:

Unauthenticated sender

The unauthenticated sender notifications are part of the Spoof settings that are available in anti-phishing policies in EOP and Defender for Office 365 as described in the previous section. The following settings are available only when spoof intelligence is turned on:

  • Show (?) for unauthenticated senders for spoof: This notification adds a question mark to the sender's photo in the From box if the message does not pass SPF or DKIM checks and the message does not pass DMARC or composite authentication. When this setting is turned off, the question mark isn't added to the sender's photo.

  • Show "via" tag?: This notification adds the via tag (chris@contoso.com via fabrikam.com) in the From box if the domain in the From address (the message sender that's displayed in email clients) is different from the domain in the DKIM signature or the MAIL FROM address. For more information about these addresses, see An overview of email message standards.

To prevent the question mark or via tag from being added to messages from specific senders, you have the following options:

  • Allow the spoofed sender in the spoof intelligence insight or manually in the Tenant Allow/Block List. Allowing the spoofed sender will prevent the via tag from appearing in messages from the sender when unauthenticated sender identification is disabled.
  • Configure email authentication for the sender domain.
    • For the question mark in the sender's photo, SPF or DKIM are the most important.
    • For the via tag, confirm the domain in the DKIM signature or the MAIL FROM address matches (or is a subdomain of) the domain in the From address.

For more information, see Identify suspicious messages in Outlook.com and Outlook on the web.
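To make the two notification rules concrete, here is an added example (not code from Microsoft or from this article) that parses an Authentication-Results header value and applies the rules as the text states them: the question mark when neither SPF nor DKIM passes and neither DMARC nor composite authentication passes, and the via tag when the From domain is aligned with neither the DKIM signing domain nor the MAIL FROM domain. The header values are constructed samples, and the allowed_spoofs parameter is an assumed stand-in for spoof allow entries in the Tenant Allow/Block List, shaped as (From domain, sending infrastructure) pairs.

```python
import re


def parse_authentication_results(header):
    """Parse an Authentication-Results value into {method: (result, {property: value})}.
    Parenthesised comments are dropped and the leading authserv-id (no '=') is skipped."""
    results = {}
    for clause in re.sub(r"\([^)]*\)", "", header).split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results


def _aligned(domain, from_domain):
    """The article's alignment rule: the domain matches, or is a subdomain of, the From domain."""
    return domain == from_domain or domain.endswith("." + from_domain)


def unauthenticated_sender_indicators(header, from_addr, mail_from, allowed_spoofs=frozenset()):
    """Return whether the question mark and the 'via' tag would be shown for this message."""
    ar = parse_authentication_results(header)
    result = lambda method: ar.get(method, ("none", {}))[0]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    mail_from_domain = mail_from.rsplit("@", 1)[-1].lower()
    # Only a verified signature's d= counts as the DKIM signing domain.
    dkim_domain = ar["dkim"][1].get("header.d", "").lower() if result("dkim") == "pass" else ""
    # Question mark: neither SPF nor DKIM passed, and neither DMARC nor composite auth passed.
    question_mark = (result("spf") != "pass" and result("dkim") != "pass"
                     and result("dmarc") != "pass" and result("compauth") != "pass")
    # "via" tag: the From domain is aligned with neither the DKIM domain nor the MAIL FROM domain.
    infrastructure = dkim_domain or mail_from_domain
    aligned = any(_aligned(d, from_domain) for d in (dkim_domain, mail_from_domain) if d)
    via_tag = None
    if not aligned and (from_domain, infrastructure) not in allowed_spoofs:
        via_tag = f"{from_addr} via {infrastructure}"
    return {"question_mark": question_mark, "via_tag": via_tag}


# Constructed sample header values (IP addresses from documentation ranges).
HEADER_SPF_ONLY = ("mx.contoso.com; spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=fabrikam.com; "
                   "dkim=none (message not signed); dmarc=fail action=none header.from=contoso.com; "
                   "compauth=fail reason=001")
HEADER_ALL_FAIL = ("mx.contoso.com; spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=bulk-sender.example; "
                   "dkim=none; dmarc=fail action=none header.from=contoso.com; compauth=fail reason=000")
HEADER_DKIM_ALIGNED = ("mx.contoso.com; spf=fail smtp.mailfrom=bulk-sender.example; "
                       "dkim=pass (signature was verified) header.d=mail.contoso.com; "
                       "dmarc=pass action=none header.from=contoso.com; compauth=pass reason=100")

if __name__ == "__main__":
    print(unauthenticated_sender_indicators(HEADER_SPF_ONLY, "chris@contoso.com", "bounce@fabrikam.com"))
    print(unauthenticated_sender_indicators(HEADER_ALL_FAIL, "chris@contoso.com", "bounce@bulk-sender.example"))
    print(unauthenticated_sender_indicators(HEADER_DKIM_ALIGNED, "chris@contoso.com", "bounce@bulk-sender.example"))
```

The first sample reproduces the article's chris@contoso.com via fabrikam.com case: SPF passes for fabrikam.com, so there is no question mark, but fabrikam.com is not contoso.com or a subdomain of it, so the via tag appears. The third sample shows why a DKIM signature from mail.contoso.com removes both indicators.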

First contact safety tip

The Show first contact safety tip setting is available in EOP and Defender for Office 365 organizations, and has no dependency on spoof intelligence or impersonation protection settings. The safety tip is shown to recipients in the following scenarios:

  • The first time they get a message from a sender.
  • They don't often get messages from the sender.

First contact safety tip for messages with one recipient.

First contact safety tip for messages with multiple recipients.

This capability adds an extra layer of security protection against potential impersonation attacks, so we recommend that you turn it on.

The first contact safety tip also replaces the need to create mail flow rules (also known as transport rules) that add the header named X-MS-Exchange-EnableFirstContactSafetyTip with the value Enable to messages (although this capability is still available).

Note

If the message has multiple recipients, whether the tip is shown and to whom is based on a majority model. If the majority of recipients have never or don't often receive messages from the sender, then the affected recipients will receive the Some people who received this message... tip. If you're concerned that this behavior exposes the communication habits of one recipient to another, you should not enable the first contact safety tip and continue to use mail flow rules instead.
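The majority model in the note above is what decides whether one recipient's communication habits become visible to another, so it is worth seeing as code. The following is an added model, not Microsoft's implementation or code from this article: the threshold that defines "don't often get messages" is an assumption (Microsoft does not publish it), the tip identifiers are constructed labels rather than the real tip text, and prior message counts are constructed sample history. The second function models the mail flow rule alternative the article describes.

```python
# Assumed cut-off: a recipient with fewer prior messages from the sender "doesn't often" hear from them.
INFREQUENT_THRESHOLD = 3


def first_contact_tips(recipients, prior_counts, enabled=True):
    """Return {recipient: tip_kind or None} for one message from one sender.

    prior_counts maps recipient -> number of messages previously received from the sender.
    One recipient: 'first_contact' when the sender is new or infrequent for them.
    Several recipients: the majority model, modelled here as 'more than half of the
    recipients are unfamiliar with the sender'; the unfamiliar ones then get the
    'Some people who received this message...' tip ('some_people')."""
    none = {r: None for r in recipients}
    if not enabled:
        return none
    unfamiliar = {r for r in recipients if prior_counts.get(r, 0) < INFREQUENT_THRESHOLD}
    if len(recipients) == 1:
        return {r: ("first_contact" if r in unfamiliar else None) for r in recipients}
    if 2 * len(unfamiliar) > len(recipients):
        return {r: ("some_people" if r in unfamiliar else None) for r in recipients}
    return none


def forced_by_mail_flow_rule(headers):
    """The mail flow rule approach: a rule stamps X-MS-Exchange-EnableFirstContactSafetyTip: Enable."""
    return headers.get("X-MS-Exchange-EnableFirstContactSafetyTip", "").strip().lower() == "enable"


# Constructed sample history for one sender: a@ hears from them regularly, b@ never, c@ once.
PRIOR = {"a@contoso.com": 10, "b@contoso.com": 0, "c@contoso.com": 1}

if __name__ == "__main__":
    print(first_contact_tips(["b@contoso.com"], PRIOR))
    print(first_contact_tips(["a@contoso.com", "b@contoso.com", "c@contoso.com"], PRIOR))
    print(first_contact_tips(["a@contoso.com", "b@contoso.com"], PRIOR))
```

In the three-recipient run, b@ and c@ see the "some people" tip and a@ does not, which is exactly the exposure the note warns about: the tip tells b@ and c@ that someone else on the message is on familiar terms with the sender. In the two-recipient run the unfamiliar recipient is not a majority, so nobody sees a tip.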

Exclusive settings in anti-phishing policies in Microsoft Defender for Office 365

This section describes the policy settings that are only available in anti-phishing policies in Defender for Office 365.

Note

The default anti-phishing policy in Defender for Office 365 provides spoof protection and mailbox intelligence for all recipients. However, the other available impersonation protection features and advanced settings are not configured or enabled in the default policy. To enable all protection features, modify the default anti-phishing policy or create additional anti-phishing policies.

Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365

Impersonation is where the sender or the sender's email domain in a message looks similar to a real sender or domain:

  • An example impersonation of the domain contoso.com is ćóntoso.com.
  • An example impersonation of the user michelle@contoso.com is michele@contoso.com.

Note

Impersonation protection looks for domains that are similar. For example, if your domain is contoso.com, we check for different top-level domains (.com, .biz, etc.) as impersonation attempts, but also domains that are even somewhat similar. For example, contosososo.com or contoabcdef.com might be seen as impersonation attempts of contoso.com.

An impersonated domain might otherwise be considered legitimate (registered domain, configured email authentication records, etc.), except its intent is to deceive recipients.

The following impersonation settings are only available in anti-phishing policies in Defender for Office 365:

  • Enable users to protect: Prevents the specified internal or external email addresses from being impersonated as message senders. For example, you receive an email message from the Vice President of your company asking you to send her some internal company information. Would you do it? Many people would send the reply without thinking.

    You can use protected users to add internal and external sender email addresses to protect from impersonation. This list of senders that are protected from user impersonation is different from the list of recipients that the policy applies to (all recipients for the default policy; specific recipients as configured in the Users, groups, and domains setting in the Common policy settings section).

    Note

    • In each anti-phishing policy, you can specify a maximum of 350 protected users (sender email addresses). You can't specify the same protected user in multiple policies. So, regardless of how many policies apply to a recipient, the maximum number of protected users (sender email addresses) for each individual recipient is 350. For more information about policy priority and how policy processing stops after the first policy is applied, see Order and precedence of email protection.
    • User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message will be identified as an impersonation attempt.

    By default, no sender email addresses are configured for impersonation protection in Users to protect. Therefore, by default, no sender email addresses are covered by impersonation protection, either in the default policy or in custom policies.

    When you add internal or external email addresses to the Users to protect list, messages from those senders are subject to impersonation protection checks. The message is checked for impersonation if the message is sent to a recipient that the policy applies to (all recipients for the default policy; Users, groups, and domains recipients in custom policies). If impersonation is detected in the sender's email address, the impersonation protection actions for users are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.).

  • Enable domains to protect: Prevents the specified domains from being impersonated in the message sender's domain. For example, all domains that you own (accepted domains) or specific custom domains (domains you own or partner domains). This list of sender domains that are protected from impersonation is different from the list of recipients that the policy applies to (all recipients for the default policy; specific recipients as configured in the Users, groups, and domains setting in the Common policy settings section).

    Note

    The maximum number of protected domains that you can define in all anti-phishing policies is 50.

    By default, no sender domains are configured for impersonation protection in Enable domains to protect. Therefore, by default, no sender domains are covered by impersonation protection, either in the default policy or in custom policies.

    When you add domains to the Enable domains to protect list, messages from senders in those domains are subject to impersonation protection checks. The message is checked for impersonation if the message is sent to a recipient that the policy applies to (all recipients for the default policy; Users, groups, and domains recipients in custom policies). If impersonation is detected in the sender's domain, the impersonation protection actions for domains are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.).

  • Actions: Choose the action to take on inbound messages that contain impersonation attempts against the protected users and protected domains in the policy. You can specify different actions for impersonation of protected users vs. impersonation of protected domains:

    • Don't apply any action

    • Redirect message to other email addresses: Sends the message to the specified recipients instead of the intended recipients.

    • Move messages to the recipients' Junk Email folders: The message is delivered to the mailbox and moved to the Junk Email folder. In Exchange Online, the message is moved to the Junk Email folder if the junk email rule is enabled on the mailbox (it's enabled by default). For more information, see Configure junk email settings on Exchange Online mailboxes in Microsoft 365.

    • Quarantine the message: Sends the message to quarantine instead of the intended recipients. For information about quarantine, see the following articles:

      If you select Quarantine the message, you can also select the quarantine policy that applies to messages that are quarantined by user impersonation or domain impersonation protection. Quarantine policies define what users are able to do to quarantined messages. For more information, see Quarantine policies.

    • Deliver the message and add other addresses to the Bcc line: Deliver the message to the intended recipients and silently deliver the message to the specified recipients.

    • Delete the message before it's delivered: Silently deletes the entire message, including all attachments.

  • Impersonation safety tips: Turn on or turn off the following impersonation safety tips that appear in messages that fail impersonation checks:

    • Show tip for impersonated users: The From address contains an Enable users to protect user. Available only if Enable users to protect is turned on and configured.
    • Show tip for impersonated domains: The From address contains an Enable domains to protect domain. Available only if Enable domains to protect is turned on and configured.
    • Show tip for unusual characters: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in an Enable users to protect sender or an Enable domains to protect sender domain. Available only if Enable users to protect or Enable domains to protect is turned on and configured.
  • Enable mailbox intelligence: Enables or disables artificial intelligence (AI) that determines user email patterns with their frequent contacts. This setting helps the AI distinguish between messages from legitimate and impersonated senders.

    For example, Gabriela Laureano (glaureano@contoso.com) is the CEO of your company, so you add her as a protected sender in the Enable users to protect settings of the policy. But, some of the recipients that the policy applies to communicate regularly with a vendor who is also named Gabriela Laureano (glaureano@fabrikam.com). Because those recipients have a communication history with glaureano@fabrikam.com, mailbox intelligence will not identify messages from glaureano@fabrikam.com as an impersonation attempt of glaureano@contoso.com for those recipients.

    To use frequent contacts that were learned by mailbox intelligence (and lack thereof) to help protect users from impersonation attacks, you can turn on Enable intelligence impersonation protection after you turn on Enable mailbox intelligence.

  • Enable intelligence impersonation protection: Turn on this setting to specify the action to take on messages for impersonation detections from mailbox intelligence results:

    • Don't apply any action: Note that this value has the same result as turning on Mailbox intelligence but turning off Enable intelligence impersonation protection.
    • Redirect message to other email addresses
    • Move message to the recipients' Junk Email folders
    • Quarantine the message: If you select this action, you can also select the quarantine policy that applies to messages that are quarantined by mailbox intelligence protection. Quarantine policies define what users are able to do to quarantined messages. For more information, see Quarantine policies.
    • Deliver the message and add other addresses to the Bcc line
    • Delete the message before it's delivered
  • Add trusted senders and domains: Exceptions to the impersonation protection settings. Messages from the specified senders and sender domains are never classified as impersonation-based attacks by the policy. In other words, the actions for protected senders, protected domains, or mailbox intelligence protection aren't applied to these trusted senders or sender domains. The maximum limit for these lists is 1024 entries.
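The impersonation settings above interact in a fixed order: trusted senders and domains are exempt outright, protected users are checked (with mailbox intelligence suppressing the verdict when the recipient already corresponds with the sender), then protected domains, then mailbox intelligence's own detections, whose action depends on Enable intelligence impersonation protection. The following is an added model of that flow, not Microsoft's detection code or code from this article. Microsoft does not publish its similarity logic, so the "looks similar" tests here (accent folding so that ćóntoso folds to contoso, one edit of distance, the same name under another top-level domain, the same local part at a different domain) are assumed stand-ins that reproduce the article's own examples; the policy values and the communication history are constructed sample data.

```python
import unicodedata
from dataclasses import dataclass, field

NO_ACTION, QUARANTINE = "NoAction", "Quarantine"   # two of the action choices the article lists


def fold(s):
    """Lowercase and strip accents and compatibility forms, so that ćóntoso folds to contoso."""
    return "".join(c for c in unicodedata.normalize("NFKD", s)
                   if not unicodedata.combining(c)).lower()


def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    parts = fold(domain).split(".")
    return parts[-2] if len(parts) > 1 else parts[0]


def domain_looks_like(domain, protected):
    """Assumed similarity test: a different domain whose name folds to the protected name,
    sits under another top-level domain, or is one edit away from it."""
    d, p = domain.lower(), protected.lower()
    if d == p or d.endswith("." + p):
        return False                      # the protected domain itself or one of its subdomains
    a, b = registrable_label(domain), registrable_label(protected)
    return a == b or edit_distance(a, b) <= 1


@dataclass
class ImpersonationPolicy:
    users_to_protect: set = field(default_factory=set)     # sender addresses, max 350 per policy
    user_action: str = QUARANTINE
    domains_to_protect: set = field(default_factory=set)   # max 50 across all policies
    domain_action: str = QUARANTINE
    mailbox_intelligence: bool = True
    mailbox_intelligence_protection: bool = False
    mailbox_intelligence_action: str = NO_ACTION
    trusted_senders: set = field(default_factory=set)
    trusted_domains: set = field(default_factory=set)
    unusual_characters_tip: bool = True


def _flag(policy, sender, kind, action):
    tips = [f"impersonated_{kind}"] if kind != "mailbox_intelligence" else []
    if policy.unusual_characters_tip and any(ord(c) > 127 for c in sender):
        tips.append("unusual_characters")
    return {"detection": kind, "action": action, "tips": tips}


def evaluate(policy, sender, recipient, history):
    """history maps a recipient to the addresses it has exchanged mail with, standing in
    for what mailbox intelligence has learned. Returns the detection, action and safety tips."""
    clean = {"detection": None, "action": NO_ACTION, "tips": []}
    local, _, domain = sender.lower().rpartition("@")
    if sender.lower() in {s.lower() for s in policy.trusted_senders} \
            or domain in {d.lower() for d in policy.trusted_domains}:
        return clean                                   # trusted senders are never classified
    known = {a.lower() for a in history.get(recipient, ())}
    familiar = policy.mailbox_intelligence and sender.lower() in known
    for protected in policy.users_to_protect:
        if sender.lower() == protected.lower():
            return clean                               # the genuine protected sender
        p_local, _, p_domain = protected.lower().rpartition("@")
        near_miss = edit_distance(fold(sender), fold(protected)) <= 1
        same_name_elsewhere = fold(local) == fold(p_local) and fold(domain) != fold(p_domain)
        if (near_miss or same_name_elsewhere) and not familiar:
            return _flag(policy, sender, "user", policy.user_action)
    for protected in policy.domains_to_protect:
        if domain_looks_like(domain, protected):
            return _flag(policy, sender, "domain", policy.domain_action)
    if policy.mailbox_intelligence and not familiar:
        for contact in known:                          # a name the recipient knows, from a new domain
            c_local, _, c_domain = contact.rpartition("@")
            if fold(local) == fold(c_local) and fold(domain) != fold(c_domain):
                action = policy.mailbox_intelligence_action \
                    if policy.mailbox_intelligence_protection else NO_ACTION
                return _flag(policy, sender, "mailbox_intelligence", action)
    return clean


# Constructed sample policy and communication history (the article's Gabriela Laureano case).
POLICY = ImpersonationPolicy(users_to_protect={"glaureano@contoso.com", "michelle@contoso.com"},
                             domains_to_protect={"contoso.com"},
                             trusted_senders={"news@partner.example"})
HISTORY = {"bob@contoso.com": {"glaureano@fabrikam.com"},
           "carol@contoso.com": {"vendor@fabrikam.com"}}
```

Running evaluate(POLICY, "glaureano@fabrikam.com", "bob@contoso.com", HISTORY) yields no detection because Bob already corresponds with that address, while the same message to alice@contoso.com is quarantined as user impersonation; it-support@ćóntoso.com and billing@contoso.biz are caught by domain protection, the first also earning the unusual characters tip; and a name Carol knows arriving from an unfamiliar domain is a mailbox intelligence detection that takes no action until Enable intelligence impersonation protection is turned on.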

Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365

The following advanced phishing thresholds are only available in anti-phishing policies in Defender for Office 365. These thresholds control the sensitivity for applying machine learning models to messages to determine a phishing verdict:

  • 1 - Standard: This is the default value. The severity of the action that's taken on the message depends on the degree of confidence that the message is phishing (low, medium, high, or very high confidence). For example, messages that are identified as phishing with a very high degree of confidence have the most severe actions applied, while messages that are identified as phishing with a low degree of confidence have less severe actions applied.
  • 2 - Aggressive: Messages that are identified as phishing with a high degree of confidence are treated as if they were identified with a very high degree of confidence.
  • 3 - More aggressive: Messages that are identified as phishing with a medium or high degree of confidence are treated as if they were identified with a very high degree of confidence.
  • 4 - Most aggressive: Messages that are identified as phishing with a low, medium, or high degree of confidence are treated as if they were identified with a very high degree of confidence.

The chance of false positives (good messages marked as bad) increases as you increase this setting. For information about the recommended settings, see anti-phishing policy in Microsoft Defender for Office 365 settings.