Impersonation Protection in Defender for Office 365

Background

Microsoft Defender for Office 365 significantly bolsters anti-phishing capabilities beyond what’s offered by Exchange Online Protection. It employs advanced AI and machine learning algorithms to analyze mailbox behavior, providing a more nuanced and effective defense against phishing attacks. Its robust impersonation protection features and advanced phishing thresholds offer superior protection against sophisticated attacks. This makes it a more powerful, all-encompassing solution for safeguarding against emerging phishing threats.

How do threat actors trick users with impersonation?

Impersonation is when the sender of an email message looks similar to a real or expected sender’s email address. Attackers often use impersonated sender email addresses in phishing or other attacks to gain the recipient’s trust. There are two basic types of impersonation:

Domain impersonation: Contains subtle differences in the domain. For example, lila@ćóntoso.com impersonates lila@contoso.com.

User impersonation: Contains subtle differences in the email alias. For example, rnichell@contoso.com impersonates michelle@contoso.com.

Domain impersonation differs from domain spoofing because the impersonated domain is often a real, registered domain, but with the intent to deceive. Messages from senders in the impersonated domain can pass regular email authentication checks that would otherwise identify the messages as spoofing attempts (SPF, DKIM, and DMARC).

How do you prepare for Impersonation Protection?

There are 3 steps to enabling Impersonation Protection.

1. Select the internal or external email addresses of top-level executives, board members, and others in key roles whom attackers might impersonate.
2. Add custom domains owned by your organization or domains that belong to your key suppliers and partners to be detected when impersonated by attackers.
3. List the individual senders and all senders in entire domains that you wish to exclude from impersonation protection and never flag them as impersonation attacks. These senders will still be subject to scanning by filters other than impersonation. An example of this would be services like DocuSign and Adobe Sign, which send mail on behalf of your users.

Is there a cost to enabling this capability?

It is included at no charge in M365 Security and Compliance Plan 1 and Plan 2.

When will this change be rolled out to your Microsoft Tenant?

The feature is available immediately. Log a call with support@globalmicro.co.za and provide them with the information listed in the three steps above.