How to Prevent and Monitor Impersonation Based Phishing Attacks

How to Prevent Phishing Attacks Using Microsoft 365 Defender

Impersonation is where the sender or the sender’s email domain in a message looks similar to a real sender or domain. Microsoft Defender for Office 365 (previously known as Office 365 Advanced Threat Protection) helps protect against impersonation based phishing attacks. The videos below show you how to create the protection policy to prevent such attacks, create an alert policy to monitor such attacks and a couple of examples.

Create the Protection Policy

Creating a custom anti-phishing policy in the Security & Compliance Center creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.

1. In the Security & Compliance Center, go to Threat management > Policy > ATP anti-phishing.
2. On the Anti-phishing page, click Create.
3. The Create a new anti-phishing policy wizard opens. On the Name your policy page, configure the following settings:
   • Name: Enter a unique, descriptive name for the policy.
   • Description: Enter an optional description for the policy.

   When you’re finished, click Next.

4. On the Applied to page that appears, identify the internal recipients that the policy applies to.You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, <recipient1> or <recipient2>). Different conditions or exceptions use AND logic (for example, <recipient1> and <member of group 1>).Click Add a condition. In the dropdown that appears, select a condition under Applied if:
   • The recipient is: Specifies one or more mailboxes, mail users, or mail contacts in your organization.
   • The recipient is a member of: Specifies one or more groups in your organization.
   • The recipient domain is: Specifies recipients in one or more of the configured accepted domains in the organization.

   After you select the condition, a corresponding dropdown appears with an Any of these box.

   • Click in the box and scroll through the list of values to select.
   • Click in the box and start typing to filter the list and select a value.
   • To add additional values, click in an empty area in the box.
   • To remove individual entries, click Remove  on the value.
   • To remove the whole condition, click Remove  on the condition.

   To add an additional condition, click Add a condition and select a remaining value under Applied if.

   To add exceptions, click Add a condition and select an exception under Except if. The settings and behavior are exactly like the conditions.

   When you’re finished, click Next.

5. On the Review your settings page that appears, review your settings. You can click Edit on each setting to modify it.When you’re finished, click Create this policy.
6. Click OK in the confirmation dialog that appears.

After you create the anti-phishing policy with these general settings, use the instructions in the next section to configure the protection settings in the policy.

Create an Alert Policy

Impersonation Based Phishing Attack Email Examples

Microsoft 365 Business

Microsoft 365 Business is an integrated solution, bringing together the best-in-class productivity of Office 365 with advanced security and device management capabilities to help safeguard your business. If your IT Security Team is not using Microsoft 365 Business, Advanced Threat Protection or just not sure how to use it to its full potential, give us a call. We’ll show you how to use Microsoft 365 Business, Office 365, Azure or Windows Defender Advanced Threat Protection in a smart way to ensure that you are protected against advanced attacks, malware threats and data breaches while taking advantage of the secure productivity suite in Office 365.