Get-PhishFilterPolicy

This cmdlet is available only in the cloud-based service.

Use the Get-PhishFilterPolicy cmdlet to view the spoof intelligence policy and detected spoofed sending activities in your cloud-based organization. Note : We recommend that you use the Exchange Online PowerShell V2 module to connect to Exchange Online PowerShell. For instructions, see Use the Exchange Online PowerShell V2 module (https://docs.microsoft.com/powershell/exchange/exchange-online-powershell-v2).

For information about the parameter sets in the Syntax section below, see Exchange cmdlet syntax (https://docs.microsoft.com/powershell/exchange/exchange-cmdlet-syntax).

Syntax

Get-PhishFilterPolicy
   [[-Identity] <HostedConnectionFilterPolicyIdParameter>]
   [-AllowedToSpoof <String>]
   [-ConfidenceLevel <ConfidenceLevel>]
   [-DecisionSetBy <DecisionSetBy>]
   [-Detailed]
   [-SpoofAllowBlockList]
   [-SpoofType <String>]
   [-WidgetData]
   [<CommonParameters>]

Description

The Get-PhishFilterPolicy cmdlet returns the following information:

  • Sender: The true sending domain that's found in the DNS record of the source email server. If no domain is found, the source email server's IP address is shown.

  • SpoofedUser: The sending email address if the domain is one of your organization's domains, or the sending domain if the domain is external.

  • NumberOfMessages: The number of messages.

  • NumberOfUserComplaints: The number of user complaints.

  • AuthenticationResult: Indicates whether the message has passed any type of email authentication (SPF, DKIM, or DMARC) (explicit or implicit).

  • LastSeen: The date when the sending email address or domain was last seen by Microsoft 365.

  • DecisionSetBy: Specifies whether Microsoft 365 set the spoofing policy as allowed or not allowed to spoof, or if it was set by an admin.

  • AllowedToSpoof: The three possible values are Yes (messages that contain any spoofed sender email addresses in your organization are allowed from the source email server), No (messages that contain any spoofed sender email addresses in your organization are not allowed from the source email server), and Partial (messages that contain some spoofed sender email addresses in your organization are allowed from the source email server).

  • SpoofType: Indicates whether the domain is internal to your organization or external.

For more information about spoof intelligence, see Configure spoof intelligence in EOP.

You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.

Examples

Example 1

Get-PhishFilterPolicy -Detailed -SpoofType Internal

This example returns the list of senders that appear to be sending spoofed email to your organization, with the additional ConfidenceLevel and DomainPairsCountInCategory properties.

Example 2

$file = "C:\My Documents\Summary Spoofed Internal Domains and Senders.csv"; Get-PhishFilterPolicy -Detailed -SpoofType Internal | Export-CSV $file

This example exports the same list of spoofed senders to a CSV file.

Parameters

-AllowedToSpoof

The AllowedToSpoof parameter filters the results by the AllowedToSpoof property value. Valid values are:

  • Yes
  • No
  • Partial
Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection
-ConfidenceLevel

The ConfidenceLevel parameter filters the results by the specified confidence level. Valid values are:

-Low -High

You can only see the ConfidenceLevel value in the results when you include the Detailed switch in the command.

Type:ConfidenceLevel
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection
-DecisionSetBy

The DecisionSetBy parameter filters the results by who allowed or blocked the spoofed sender. Valid values are:

-Admin -SpoofProtection

Type:DecisionSetBy
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection
-Detailed

The Detailed switch specifies whether to return detailed information in the results. You don't need to specify a value with this switch.

Specifically, this switch returns the following additional properties:

  • ConfidenceLevel
  • DomainPairsCountInCategory
Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection
-Identity

This parameter is reserved for internal Microsoft use.

Type:HostedConnectionFilterPolicyIdParameter
Position:1
Default value:None
Accept pipeline input:True (ByPropertyName, ByValue)
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection
-SpoofAllowBlockList

This parameter is reserved for internal Microsoft use.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection
-SpoofType

The SpoofType parameter filters the results by the type of spoofing. Valid values are:

  • Internal
  • External
Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection
-WidgetData

This parameter is reserved for internal Microsoft use.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
Applies to:Exchange Online, Exchange Online Protection

Inputs

Outputs