Anti-Phishing Policy
Defender portal → Email & collaboration → Policies & rules → Threat policies → Anti-phishing
Anti-phishing policies protect against:

- Impersonation attacks (spoofing your executives or trusted domains)
- Spoof intelligence (forged From addresses)
- Mailbox intelligence (unusual communication patterns)

Recommended Anti-Phishing Policy Settings
Apply a custom policy to all users. The Strict preset covers most of this, but the impersonation section requires specific users/domains to be added.
Phishing threshold
| Setting | Value |
|---|---|
| Phishing email threshold | 3 – Most aggressive (or 2 – Aggressive) |
Higher thresholds are more aggressive — more mail may be classified as phishing.
Impersonation Protection
Protect specific users (executives, finance, IT admins)
Add users who are frequently impersonated:
| Name | Email address |
|---|---|
| CEO Name | ceo@domain.com |
| CFO Name | cfo@domain.com |
| IT Admin | itadmin@domain.com |
Action for impersonated users: Quarantine the message
Tip
In Microsoft 365 Defender, navigate to Anti-phishing policy → Edit → Impersonation → Add users to protect.
Protect specific domains
Add your own domain(s) and any trusted partner domains:
| Domain |
|---|
| yourdomain.com |
| partnercompany.com |
Action for impersonated domains: Quarantine the message
Spoof intelligence
| Setting | Value |
|---|---|
| Enable spoof intelligence | On |
| Action if message detected as spoof | Quarantine the message |
| Show first contact safety tip | On |
| Show (?) for unauthenticated senders | On |
| Show "via" tag | On |
Mailbox intelligence
| Setting | Value |
|---|---|
| Enable mailbox intelligence | On |
| Enable intelligence for impersonation protection | On |
| Action — if message detected as impersonation by mailbox intelligence | Move to Junk |
Advanced phishing thresholds
| Setting | Value |
|---|---|
| If message detected as impersonation of protected user | Quarantine |
| If message detected as impersonation of protected domain | Quarantine |
| If message detected as impersonation by mailbox intelligence | Move to Junk (or Quarantine) |
| If message detected as spoof | Quarantine |
Safety tips
| Setting | Value |
|---|---|
| Show first contact safety tip | On |
| Show user impersonation safety tip | On |
| Show domain impersonation safety tip | On |
| Show unusual characters safety tip | On |
Safe Links
Defender portal → Threat policies → Safe Links
Safe Links rewrites URLs in email and Office documents and checks them at click-time.
| Setting | Recommended value |
|---|---|
| On: Safe Links checks a list of known, malicious links when users click links in email | On |
| Apply Safe Links to email messages sent within the organisation | On |
| Apply real-time URL scanning for suspicious links and links that point to files | On |
| Wait for URL scanning to complete before delivering the message | On |
| Do not rewrite URLs, do checks via Safe Links API only | Off |
| Do not track user clicks | Off (track clicks for security investigations) |
| Do not let users click through to the original URL | On (prevent click-through) |
| Display the organisation branding on notification and warning pages | Optional |
Useful PowerShell

```powershell
Connect-ExchangeOnline -UserPrincipalName admin@domain.com

# View anti-phishing policies
Get-AntiPhishPolicy | Select-Object Name, Enabled, PhishThresholdLevel

# View spoof intelligence allow/block list
Get-TenantAllowBlockListSpoofItems | Select-Object SpoofedUser, SendingInfrastructure, SpoofType, Action

# View impersonated users protected in a policy
$policy = Get-AntiPhishPolicy -Identity "Custom Anti-Phishing Policy"
$policy.TargetedUsersToProtect

# Add user to impersonation protection
# Each entry uses the format "DisplayName;EmailAddress".
# Note: passing a plain array sets the whole list, replacing any existing entries.
Set-AntiPhishPolicy -Identity "Custom Anti-Phishing Policy" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("CEO Name;ceo@domain.com", "CFO Name;cfo@domain.com")
```
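To check an existing policy for drift from the anti-phishing values recommended in the tables on this page, the script below compares a policy object against them property by property. It is an added example, not part of the original page; the helper name `Test-AntiPhishBaseline` is hypothetical, and the sample policy is constructed so the script runs without a tenant connection.

```powershell
# Accepted values per Get-AntiPhishPolicy property, taken from this page's tables.
$Baseline = [ordered]@{
    PhishThresholdLevel                 = 3, 2           # page recommends 3 (or 2)
    EnableTargetedUserProtection        = $true
    EnableTargetedDomainsProtection     = $true
    TargetedUserProtectionAction        = 'Quarantine'
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'   # action if detected as spoof
    EnableFirstContactSafetyTips        = $true
    EnableUnauthenticatedSender         = $true          # show (?) for unauthenticated senders
    EnableViaTag                        = $true
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf', 'Quarantine'
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
}

function Test-AntiPhishBaseline {        # hypothetical helper name
    param([Parameter(Mandatory)] $Policy)
    foreach ($name in $Baseline.Keys) {
        $actual = $Policy.$name          # $null when the property is absent
        [pscustomobject]@{
            Setting   = $name
            Expected  = @($Baseline[$name]) -join ' or '
            Actual    = if ($null -eq $actual) { '<missing>' } else { $actual }
            Compliant = ($null -ne $actual) -and (@($Baseline[$name]) -contains $actual)
        }
    }
}

# Constructed sample: a compliant policy with three settings deliberately weakened.
# Against a tenant, use: $sample = Get-AntiPhishPolicy -Identity "Custom Anti-Phishing Policy"
$props = [ordered]@{}
foreach ($k in $Baseline.Keys) { $props[$k] = @($Baseline[$k])[0] }
$props.PhishThresholdLevel      = 1
$props.AuthenticationFailAction = 'MoveToJmf'
$props.EnableViaTag             = $false
$sample = [pscustomobject]$props

# List only the settings that differ from the baseline.
Test-AntiPhishBaseline -Policy $sample |
    Where-Object { -not $_.Compliant } |
    Format-Table Setting, Expected, Actual -AutoSize
```

For the constructed sample, the table lists `PhishThresholdLevel`, `AuthenticationFailAction` and `EnableViaTag` as the three drifted settings.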