Anti-Phishing
Configure anti-phishing policies in Exchange Online Protection (EOP) and Microsoft Defender for Office 365 to protect users from impersonation, spoofing, and credential harvesting attacks. Anti-phishing uses machine learning, sender intelligence, and impersonation detection.
Note: Basic anti-phishing (spoof protection) is included with EOP. Advanced anti-phishing (impersonation protection) requires Microsoft Defender for Office 365 Plan 1 or Plan 2.
Anti-Phishing Policies
| Policy | Scope | Features |
|---|---|---|
| Default Policy | All users (fallback) | Spoof intelligence |
| Standard Preset | Microsoft recommended | Spoof + impersonation |
| Strict Preset | Maximum protection | All features enabled |
| Custom Policies | Specific users/groups | Configurable |
Spoof Protection
Spoof Intelligence
Automatically detects senders who are spoofing your domains or other domains:
- Allow spoofing — Legitimate services that send on behalf of your domain (marketing platforms, CRM systems)
- Block spoofing — Unauthorized senders impersonating your domain
- Spoof intelligence insight — Review detected spoofed senders and allow or block
Authentication Checks
EOP evaluates email authentication results:
- SPF — Sender Policy Framework validation
- DKIM — DomainKeys Identified Mail signature check
- DMARC — Domain-based Message Authentication, Reporting, and Conformance alignment
- Composite authentication — Combined result of all checks
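The following is an added example, not part of the original page or the product's code: it parses the `Authentication-Results` header that EOP stamps on inbound mail and buckets each message by its SPF, DKIM, DMARC, and composite authentication (`compauth`) verdicts. The sample header values are constructed, and the bucket names (`spoof-suspect`, `unaligned-sender`, and so on) are hypothetical labels for analyst triage.

```python
import re

# Constructed sample header values (documentation domains and IPs, not real mail).
SPOOFED = ("spf=fail (sender IP is 192.0.2.10) smtp.mailfrom=contoso.com;\r\n"
           " dkim=none (message not signed) header.d=none;\r\n"
           " dmarc=fail action=quarantine header.from=contoso.com;\r\n"
           " compauth=fail reason=000")
UNALIGNED = ("spf=pass (sender IP is 203.0.113.5) smtp.mailfrom=bulkmailer.example;"
             " dkim=pass (signature was verified) header.d=bulkmailer.example;"
             " dmarc=fail action=quarantine header.from=contoso.com;"
             " compauth=fail reason=000")
LEGIT = ("spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=fabrikam.example;"
         " dkim=pass (signature was verified) header.d=fabrikam.example;"
         " dmarc=pass action=none header.from=fabrikam.example;"
         " compauth=pass reason=100")

def parse_auth_results(value):
    """Return {method: {"result": ..., property: ...}} for one header value."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    value = re.sub(r"\([^)]*\)", "", value)     # drop parenthesised comments
    parsed = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue                            # skip an authserv-id or empty clause
        method, result = tokens[0].split("=", 1)
        entry = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                entry[key.lower()] = val.lower()
        parsed[method.lower()] = entry
    return parsed

def triage(value):
    """Bucket a message for analyst review from its authentication verdicts."""
    r = parse_auth_results(value)
    verdict = {m: r.get(m, {}).get("result", "none") for m in ("spf", "dkim", "compauth")}
    if verdict["compauth"] == "pass":
        return "authenticated"
    if verdict["compauth"] != "fail":
        return "unverified"                     # header missing or not evaluated
    if "pass" in (verdict["spf"], verdict["dkim"]):
        return "unaligned-sender"               # authenticated, but not as the From: domain
    return "spoof-suspect"

if __name__ == "__main__":
    for name, hdr in (("spoofed", SPOOFED), ("unaligned", UNALIGNED), ("legit", LEGIT)):
        print(name, triage(hdr), parse_auth_results(hdr)["dmarc"])
```

Messages in the `unaligned-sender` bucket are the ones to compare against the spoof intelligence insight, since they include both services sending on behalf of your domain and unauthorized senders.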
Impersonation Protection
Note: Requires Microsoft Defender for Office 365.
User Impersonation
Protect specific high-value users from display name impersonation:
- Add executives, finance team, and other targets
- Detects similar display names from external senders
- Actions: Quarantine, move to Junk, or deliver with tip
Domain Impersonation
Protect against domains similar to yours or partner domains:
- Add your domains and key partner domains
- Detects lookalike domains (e.g., contoso.com vs c0ntoso.com)
- Actions: Quarantine, move to Junk, or deliver with tip
Mailbox Intelligence
Uses machine learning on each user’s email patterns:
- Learns who each user regularly communicates with
- Flags messages from senders who look like known contacts but aren’t
- Reduces false positives by understanding communication history
Safety Tips
Visual indicators shown to users in Outlook:
- First contact safety tip — Warning when receiving from a sender for the first time
- User impersonation tip — Warning when sender name matches a protected user
- Domain impersonation tip — Warning when sender domain is similar to a protected domain
- Unusual characters tip — Warning when display name contains unusual Unicode characters
Best Practices
- Protect all executives — Add C-level and VP users to impersonation protection.
- Enable mailbox intelligence — Improves detection accuracy with per-user learning.
- Use preset policies — Standard or Strict presets provide Microsoft-recommended settings.
- Review spoof intelligence — Regularly review and update allowed spoofed senders.
API Reference
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/exchange/anti-phishing-policies | List anti-phishing policies |
| POST | /api/exchange/anti-phishing-policies | Create custom policy |
| GET | /api/exchange/spoof-intelligence | List detected spoofed senders |
| PUT | /api/exchange/spoof-intelligence/:id | Allow or block spoofed sender |