Protecting email against phishing attacks

Phishing is "A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person." - Computer Security Resource Center

Blocking phishing attacks is a multi-part defense. Let's dig right into the settings and options to set up a defense.

Finding the Anti-phishing settings

1. Open Microsoft 365 Defender > Policies & rules > Threat policies > Anti-phishing.

2. Click the Office365 AntiPhish Default (Default) policy.

Anti-phishing email settings

3. Click Edit protection settings.

From here you'll see the anti-phishing settings for your environment.

Phishing email threshold

The phishing email threshold controls how aggressively machine learning is applied to messages to decide what is considered phishing. The Standard level is the least restrictive and blocks the fewest phishing emails. Most aggressive blocks the most phishing emails but may catch some legitimate emails too.

Enable users to protect

Blocking users from being impersonated

This is where you enable anti-impersonation. In short, if your CEO's name is Ben Franklin and his email address is ben.franklin@gitbit.org, you can add both to the "Enable users to protect" field; any email from Ben.Franklin@gmail.com would then be blocked from coming into your organization.

Add trusted senders and domains

Add trusted senders

So now you've set up a few users to stop impersonation attacks, but the CEO (Ben Franklin) is attempting to send emails to himself from his Gmail account (Ben.F*******@gmail.com) and is getting blocked because Microsoft believes it's an impersonation attempt. Not to worry. We can whitelist the address using the Add trusted senders and domains section.

Mailbox Intelligence

Mailbox intelligence setting

Mailbox intelligence also helps recognize acceptable cases of apparent impersonation. In short, it scans the user's mailbox to see whether the user has previously sent mail to or received mail from that sender. If so, it won't flag the email as impersonation.

Note: The mailbox has to be located in Microsoft 365 for Mailbox Intelligence to work. So if you have on-premises mailboxes and you want to enable mailbox intelligence for them, they'll need to be migrated to Microsoft 365's Exchange Online.

Intelligence for impersonation protection

By enabling this setting you allow mailbox intelligence to take action on emails it deems to be impersonation attempts. It's recommended to enable this setting. I'll show you where to set the actions in the section below labeled "Setting the anti-phishing actions".

Spoof Intelligence

Spoofing is the creation of an email with an incorrect sender / from address. For example, if your mailbox is set up in Microsoft 365 and you send an email from Microsoft 365 as yourself, that isn't spoofing. But if someone sends an email pretending to be you that doesn't come from your authorized sending environment, that email is considered spoofed. Enable spoof intelligence to block emails that aren't sent from the authorized email environment.

Allowed spoofing

Sometimes, spoofing is acceptable. For example, you may receive a newsletter that is sent from a third-party email service that isn't listed as an authorized mail server for the sender's domain. The messages really are from the sender, but they aren't from the sender's approved email environment. To allow someone to spoof, perform the following:

1. Open the Tenant Allow/Block List Spoofing page.

Tenant allow/block list spoofing page

2. Click Add. Enter the spoofed user and the sending infrastructure, set the spoof type, choose Allow or Block, and click Add.

Allow spoofing
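The protection settings and the spoof allow entry from the steps above can also be applied with Exchange Online PowerShell. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module, the default policy name shown above, and placeholder addresses (admin@gitbit.org, ben.franklin@gmail.com, news.example.com) standing in for real ones.

```powershell
# Added example: apply the anti-phishing protection settings described above
# to the default policy. Requires the ExchangeOnlineManagement module and an
# account with Security Administrator rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@gitbit.org'   # placeholder admin account

$settings = @{
    Identity                            = 'Office365 AntiPhish Default'
    PhishThresholdLevel                 = 2      # 1 = Standard ... 4 = Most aggressive (chosen for illustration)
    # "Enable users to protect": entries are "DisplayName;EmailAddress" pairs
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @('Ben Franklin;ben.franklin@gitbit.org')
    # "Add trusted senders": exempt the CEO's personal address (placeholder)
    ExcludedSenders                     = @('ben.franklin@gmail.com')
    # Mailbox intelligence and its enforcement
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    # Spoof intelligence
    EnableSpoofIntelligence             = $true
}
Set-AntiPhishPolicy @settings

# "Allowed spoofing": permit a newsletter sent for a partner domain by a
# third-party service (both values are placeholders) without creating a
# duplicate entry on the Tenant Allow/Block List.
$spoof = @{
    SpoofedUser           = 'news.example.com'
    SendingInfrastructure = 'sendpulse.me'
    SpoofType             = 'External'
    Action                = 'Allow'
}
$existing = Get-TenantAllowBlockListSpoofItems -Action Allow |
    Where-Object { $_.SpoofedUser -eq $spoof.SpoofedUser -and
                   $_.SendingInfrastructure -eq $spoof.SendingInfrastructure }
if (-not $existing) { New-TenantAllowBlockListSpoofItems @spoof }

# Read the policy back so the change can be confirmed and recorded.
Get-AntiPhishPolicy -Identity $settings.Identity |
    Format-List PhishThresholdLevel, TargetedUsersToProtect, ExcludedSenders,
                EnableMailboxIntelligence, EnableMailboxIntelligenceProtection,
                EnableSpoofIntelligence
```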

Setting the anti-phishing actions

To set what happens when a phishing attempt is found perform the following:

1. Open Microsoft 365 Defender > Policies & rules > Threat policies > Anti-phishing.

2. Click the Office365 AntiPhish Default (Default) policy.

3. Scroll down and click Edit actions.

Edit antiphishing actions

If message is detected as an impersonated user: This is where you can set what happens when a message is sent from an impersonated user.

If message is detected as an impersonated domain: This is where you can set what happens when a message is sent from an impersonated domain.

If Mailbox Intelligence detects an impersonated user: This is where you can set what happens when mailbox intelligence detects an impersonation attempt.

If message is detected as spoof: This setting allows you to handle messages that are seen as spoofs.

The Safety tips & indicators section controls the messages Outlook shows when there may be something unsafe about an email.

The Show first contact safety tip (Recommended) setting shows a message the first time you receive an email from a sender.

First contact antiphishing email warning

The Show user impersonation safety tip checkbox shows a message when the name of the person you received an email from is similar to someone else who has emailed you before. The message will read "This sender appears to be similar to someone who previously sent you email, but may not be that person."

appears similar to someone who previously sent you email

The Show domain impersonation safety tip shows a message when you receive an email from an external domain that is similar to one of your own domains. The message will read "This sender might be impersonating a domain that's associated with your organization".

The Show user impersonation unusual characters safety tip message appears when there are unusual characters in the sender's email address. The message will read "The email address John.Gruber@Gitb1t.org includes unexpected letters or numbers. We recommend you don't interact with this message."

The Show (?) for unauthenticated senders for spoof checkbox adds a question mark (?) to the sender's picture if the sender doesn't pass SPF or DKIM checks and the message fails DMARC.

Show (?) for unauthenticated senders for spoof

The Show "via" tag setting displays a "via" tag in the From field of the message. For example, it will show Kendra.Gruber@gruber12.onmicrosoft.com via sendpulse.me.

Spoofing Via
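The actions and safety tips from the "Edit actions" page can be set and then verified with Exchange Online PowerShell. This is an added example, not part of the original article; it assumes an existing Connect-ExchangeOnline session, the default policy name used above, and action values chosen only for illustration.

```powershell
# Added example: set the actions and safety tips from the "Edit actions" page
# on the default policy, then check that each value actually applied.
$actions = @{
    Identity                            = 'Office365 AntiPhish Default'
    # Actions taken on detections (values chosen for illustration)
    TargetedUserProtectionAction        = 'Quarantine'   # message from an impersonated user
    TargetedDomainProtectionAction      = 'Quarantine'   # message from an impersonated domain
    MailboxIntelligenceProtectionAction = 'MoveToJmf'    # mailbox intelligence hit -> Junk Email
    AuthenticationFailAction            = 'MoveToJmf'    # message detected as spoof
    # Safety tips & indicators shown in Outlook
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true          # user impersonation tip
    EnableSimilarDomainsSafetyTips      = $true          # domain impersonation tip
    EnableUnusualCharactersSafetyTips   = $true
    EnableUnauthenticatedSender         = $true          # (?) on unauthenticated senders
    EnableViaTag                        = $true
}
Set-AntiPhishPolicy @actions

# Compare the live policy with what was requested and report any drift;
# a non-empty result means a setting did not apply as intended.
function Get-AntiPhishDrift {
    param([hashtable]$Expected)
    $live = Get-AntiPhishPolicy -Identity $Expected.Identity
    foreach ($name in $Expected.Keys) {
        if ($name -eq 'Identity') { continue }
        # Compare as strings so $true matches the policy's boolean True
        if ("$($live.$name)" -ne "$($Expected[$name])") {
            [pscustomobject]@{
                Setting  = $name
                Expected = $Expected[$name]
                Actual   = $live.$name
            }
        }
    }
}

$drift = @(Get-AntiPhishDrift -Expected $actions)
if ($drift.Count -eq 0) { 'All action and safety-tip settings verified.' }
else { $drift | Format-Table -AutoSize }
```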