Anti-phishing policies in Microsoft 365


Applies to

Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organizations.

Anti-phishing policies in Microsoft Defender for Office 365 are only available in organizations that have Defender for Office 365. For example:

The high-level differences between anti-phishing policies in EOP and anti-phishing policies in Microsoft Defender for Office 365 are described in the following table:


Feature                                Anti-phishing policies in EOP   Anti-phishing policies in Microsoft Defender for Office 365
Automatically created default policy   Yes                             Yes
Create custom policies                 Yes                             Yes
Policy settings*                       Yes                             Yes
Impersonation settings                 No                              Yes
Spoof settings                         Yes                             Yes
Advanced phishing thresholds           No                              Yes

* In the default policy, the policy name and description are read-only (the description is blank), and you can't specify who the policy applies to (the default policy applies to all recipients).

To configure anti-phishing policies, see the following articles:

The rest of this article describes the settings that are available in anti-phishing policies in EOP and Defender for Office 365.

Policy settings

The following policy settings are available in anti-phishing policies in EOP and Microsoft Defender for Office 365:

  • Name: You can't rename the default anti-phishing policy. After you create a custom anti-phishing policy, you can't rename the policy in the Security & Compliance Center.

  • Description: You can't add a description to the default anti-phishing policy, but you can add and change the description for custom policies that you create.

  • Applied to: Identifies internal recipients that the anti-phishing policy applies to. This value is required in custom policies, and not available in the default policy (the default policy applies to all recipients).

    You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).

    • Recipient is: One or more mailboxes, mail users, or mail contacts in your organization.

    • Recipient is a member of: One or more groups in your organization.

    • The recipient domain is: One or more of the configured accepted domains in Microsoft 365.

    • Except when: Exceptions for the rule. The settings and behavior are exactly like the conditions:

      • Recipient is
      • Recipient is a member of
      • The recipient domain is

    Note

    The Applied to setting is required in custom anti-phishing policies to identify the message recipients that the policy applies to. Anti-phishing policies in Microsoft Defender for Office 365 also have impersonation settings where you can specify individual sender email addresses or sender domains that will receive impersonation protection as described later in this article.
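As an added example (not part of the Microsoft documentation page), the Applied to semantics above expressed in Exchange Online PowerShell: the settings live in the policy, and the rule decides which recipients it covers. Cmdlet and parameter names are the Exchange Online ones; the policy name, group name, domains and mailbox addresses are placeholder values for a Contoso tenant and assume the ExchangeOnlineManagement module is installed.

```powershell
# Assumes the ExchangeOnlineManagement module is installed; prompts for admin sign-in.
Connect-ExchangeOnline

# The policy carries the settings. Here only the EOP-level spoof settings are enabled.
New-AntiPhishPolicy -Name "Finance anti-phishing" `
    -AdminDisplayName "Spoof protection for finance staff" `
    -EnableSpoofIntelligence $true `
    -EnableUnauthenticatedSender $true

# The rule scopes the policy to recipients ("Applied to"):
#  - the two RecipientDomainIs values are OR'd (recipient in either domain),
#  - RecipientDomainIs and SentToMemberOf are AND'd (must also be a group member),
#  - ExceptIfSentTo removes one shared mailbox from scope.
# Each condition type can appear only once per rule, so the values are lists.
New-AntiPhishRule -Name "Finance anti-phishing rule" `
    -AntiPhishPolicy "Finance anti-phishing" `
    -RecipientDomainIs "contoso.com","contoso.onmicrosoft.com" `
    -SentToMemberOf "Finance Team" `
    -ExceptIfSentTo "finance-shared@contoso.com" `
    -Priority 0

# Check the resulting scope; processing stops at the first matching policy by priority.
Get-AntiPhishRule -Identity "Finance anti-phishing rule" |
    Format-List Name, AntiPhishPolicy, RecipientDomainIs, SentToMemberOf, ExceptIfSentTo, Priority
```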

Spoof settings

Spoofing is when the From address in an email message (the sender address that's shown in email clients) doesn't match the domain of the email source. For more information about spoofing, see Anti-spoofing protection in Microsoft 365.

The following spoof settings are available in anti-phishing policies in EOP and Microsoft Defender for Office 365:

Unauthenticated Sender

Unauthenticated sender identification is part of the Spoof settings that are available in anti-phishing policies in EOP and Microsoft Defender for Office 365 as described in the previous section.

The Unauthenticated Sender setting enables or disables unauthenticated sender identification in Outlook. Specifically:

  • A question mark (?) is added to the sender's photo if the message does not pass SPF or DKIM checks and the message does not pass DMARC or composite authentication. Disabling unauthenticated sender identification prevents the question mark from being added to the sender's photo.

  • The via tag (chris@contoso.com via fabrikam.com) is added if the domain in the From address (the message sender that's displayed in email clients) is different from the domain in the DKIM signature or the MAIL FROM address. For more information about these addresses, see An overview of email message standards.

    Disabling unauthenticated sender identification does not prevent the via tag from being added if the domain in the From address is different from the domain in the DKIM signature or the MAIL FROM address.

To prevent the question mark or via tag from being added to messages from specific senders, you have the following options:

  • Allow the sender to spoof in the spoof intelligence policy. This action will prevent the via tag from appearing in messages from the sender when unauthenticated sender identification is disabled. For instructions, see Configure spoof intelligence in Microsoft 365.

  • Configure email authentication for the sender domain.

    • For the question mark in the sender's photo, SPF or DKIM are the most important.
    • For the via tag, confirm the domain in the DKIM signature or the MAIL FROM address matches (or is a subdomain of) the domain in the From address.

For more information, see Identify suspicious messages in Outlook.com and Outlook on the web.

Exclusive settings in anti-phishing policies in Microsoft Defender for Office 365

This section describes the policy settings that are only available in anti-phishing policies in Microsoft Defender for Office 365.

Note

The default anti-phishing policy in Microsoft Defender for Office 365 provides spoof protection and mailbox intelligence for all recipients. However, the other available impersonation protection features and advanced settings are not configured or enabled in the default policy. To enable all protection features, modify the default anti-phishing policy or create additional anti-phishing policies.

Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365

Impersonation is where the sender or the sender's email domain in a message looks similar to a real sender or domain:

  • An example impersonation of the domain contoso.com is ćóntoso.com.
  • An example impersonation of the user michelle@contoso.com is michele@contoso.com.

An impersonated domain might otherwise be considered legitimate (registered domain, configured email authentication records, etc.), except its intent is to deceive recipients.

The following impersonation settings are only available in anti-phishing policies in Microsoft Defender for Office 365:

  • Users to protect: Prevents the specified internal or external email addresses from being impersonated as message senders. For example, you receive an email message from the Vice President of your company asking you to send her some internal company information. Would you do it? Many people would send the reply without thinking.

    You can use protected users to add internal and external sender email addresses to protect from impersonation. This list of senders that are protected from user impersonation is different from the list of recipients that the policy applies to (all recipients for the default policy; specific recipients as configured in the Applied to setting in the Policy settings section).

    Note

    • In each anti-phishing policy, you can specify a maximum of 60 protected users (sender email addresses). You can't specify the same protected user in multiple policies. So, regardless of how many policies apply to a recipient, the maximum number of protected users (sender email addresses) for each individual recipient is 60. For more information about policy priority and how policy processing stops after the first policy is applied, see Order and precedence of email protection.

    • User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message will be identified as an impersonation attempt.

    By default, no sender email addresses are configured for impersonation protection in Users to protect. Therefore, by default, no sender email addresses are covered by impersonation protection, either in the default policy or in custom policies.

    When you add internal or external email addresses to the Users to protect list, messages from those senders are subject to impersonation protection checks. The message is checked for impersonation if the message is sent to a recipient that the policy applies to (all recipients for the default policy; Applied to recipients in custom policies). If impersonation is detected in the sender's email address, the impersonation protection actions for users are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.).

  • Domains to protect: Prevents the specified domains from being impersonated in the message sender's domain. For example, all domains that you own (accepted domains) or specific domains (domains you own or partner domains). This list of sender domains that are protected from impersonation is different from the list of recipients that the policy applies to (all recipients for the default policy; specific recipients as configured in the Applied to setting in the Policy settings section).

    Note

    The maximum number of protected domains that you can define in all anti-phishing policies is 50.

    By default, no sender domains are configured for impersonation protection in Domains to protect. Therefore, by default, no sender domains are covered by impersonation protection, either in the default policy or in custom policies.

    When you add domains to the Domains to protect list, messages from senders in those domains are subject to impersonation protection checks. The message is checked for impersonation if the message is sent to a recipient that the policy applies to (all recipients for the default policy; Applied to recipients in custom policies). If impersonation is detected in the sender's domain, the impersonation protection actions for domains are applied to the message (what to do with the message, whether to show impersonated users safety tips, etc.).

  • Actions for protected users or domains: Choose the action to take on inbound messages that contain impersonation attempts against the protected users and protected domains in the policy. You can specify different actions for impersonation of protected users vs. impersonation of protected domains:

  • Safety tips: Enables or disables the following impersonation safety tips that will appear in messages that fail impersonation checks:

    • Impersonated users: The From address contains a protected user.
    • Impersonated domains: The From address contains a protected domain.
    • Unusual characters: The From address contains unusual character sets (for example, mathematical symbols and text or a mix of uppercase and lowercase letters) in a protected sender or domain.

    Important

    Even when the impersonation safety tips are turned off, we recommend that you use a mail flow rule (also known as a transport rule) to add a message header named X-MS-Exchange-EnableFirstContactSafetyTip with value enable to messages. A safety tip will notify recipients the first time they get a message from the sender or if they don't often get messages from the sender. This capability adds an extra layer of security protection against potential impersonation attacks.

    The text of the safety tip for impersonation protection with multiple recipients.

  • Mailbox intelligence: Enables or disables artificial intelligence (AI) that determines user email patterns with their frequent contacts. This setting helps the AI distinguish between messages from legitimate and impersonated senders.

    For example, Gabriela Laureano (glaureano@contoso.com) is the CEO of your company, so you add her as a protected sender in the Users to protect settings of the policy. But, some of the recipients that the policy applies to communicate regularly with a vendor who is also named Gabriela Laureano (glaureano@fabrikam.com). Because those recipients have a communication history with glaureano@fabrikam.com, mailbox intelligence will not identify messages from glaureano@fabrikam.com as an impersonation attempt of glaureano@contoso.com for those recipients.

    To use the frequent contacts learned by mailbox intelligence (and the lack of such a communication history) to help protect users from impersonation attacks, turn on Mailbox intelligence based impersonation protection and specify the action to take. This setting only takes effect if Mailbox intelligence is also turned on.

  • Mailbox intelligence based impersonation protection: Turn on this setting to specify the action to take on messages for impersonation detections from mailbox intelligence results:

    • Don't apply any action: Note that this value has the same result as turning on Mailbox intelligence but turning off Mailbox intelligence based impersonation protection.
    • Redirect message to other email addresses
    • Move message to Junk Email folder
    • Quarantine the message
    • Deliver the message and add other addresses to the Bcc line
    • Delete the message before it's delivered

  • Trusted senders and domains: Exceptions to the impersonation protection settings. Messages from the specified senders and sender domains are never classified as impersonation-based attacks by the policy. In other words, the action for protected senders, protected domains, or mailbox intelligence protection isn't applied to these trusted senders or sender domains. The maximum limit for these lists is approximately 1000 entries.

Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365

The following advanced phishing thresholds are only available in anti-phishing policies in Microsoft Defender for Office 365. These thresholds control the sensitivity for applying machine learning models to messages for determining a phishing verdict:

  • 1 - Standard: This is the default value. The severity of the action that's taken on the message depends on the degree of confidence that the message is phishing (low, medium, high, or very high confidence). For example, messages that are identified as phishing with a very high degree of confidence have the most severe actions applied, while messages that are identified as phishing with a low degree of confidence have less severe actions applied.

  • 2 - Aggressive: Messages that are identified as phishing with a high degree of confidence are treated as if they were identified with a very high degree of confidence.

  • 3 - More aggressive: Messages that are identified as phishing with a medium or high degree of confidence are treated as if they were identified with a very high degree of confidence.

  • 4 - Most aggressive: Messages that are identified as phishing with a low, medium, or high degree of confidence are treated as if they were identified with a very high degree of confidence.

The chance of false positives (good messages marked as bad) increases as you increase this setting. For information about the recommended settings, see anti-phishing policy in Microsoft Defender for Office 365 settings.
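As an added example (not from the documentation page), a Defender for Office 365 policy that turns on the impersonation, mailbox intelligence, safety tip, trusted sender and advanced threshold settings described in the sections above, plus the first contact safety tip header from the Important note. Cmdlet and parameter names are Exchange Online PowerShell; the policy name, the Contoso and Fabrikam addresses and domains are placeholders, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Splatting keeps each setting next to the section of the article it comes from.
$policy = @{
    Name                                = "Exec impersonation protection"
    EnableSpoofIntelligence             = $true
    EnableUnauthenticatedSender         = $true
    # Users to protect: "DisplayName;EmailAddress" entries, max 60 per policy,
    # and a protected user cannot appear in more than one policy.
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @("Gabriela Laureano;glaureano@contoso.com")
    TargetedUserProtectionAction        = "Quarantine"
    # Domains to protect: all accepted domains plus one partner domain
    # (50 protected domains max across all policies).
    EnableTargetedDomainsProtection     = $true
    EnableOrganizationDomainsProtection = $true
    TargetedDomainsToProtect            = @("fabrikam.com")
    TargetedDomainProtectionAction      = "Quarantine"
    # Mailbox intelligence, and the action for its impersonation detections
    # (only meaningful when EnableMailboxIntelligence is also $true).
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = "MoveToJmf"
    # Impersonation safety tips: impersonated users, impersonated domains, unusual characters.
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    # Trusted senders and domains: never classified as impersonation by this policy.
    ExcludedSenders                     = @("glaureano@fabrikam.com")
    ExcludedDomains                     = @("partner.example")
    # Advanced phishing threshold: 1 Standard, 2 Aggressive, 3 More aggressive, 4 Most aggressive.
    PhishThresholdLevel                 = 2
}
New-AntiPhishPolicy @policy

# The policy needs a rule to apply it to recipients; here everyone in the tenant domain.
New-AntiPhishRule -Name "Exec impersonation protection rule" `
    -AntiPhishPolicy "Exec impersonation protection" `
    -RecipientDomainIs "contoso.com"

# Mail flow rule that stamps the first contact safety tip header on every message.
New-TransportRule -Name "First contact safety tip" `
    -SetHeaderName "X-MS-Exchange-EnableFirstContactSafetyTip" `
    -SetHeaderValue "enable"

# Review the settings that were applied.
Get-AntiPhishPolicy -Identity "Exec impersonation protection" |
    Format-List TargetedUsersToProtect, TargetedDomainsToProtect, ExcludedSenders,
                MailboxIntelligenceProtectionAction, PhishThresholdLevel
```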