General
This check verifies whether the anti-impersonation controls in Exchange Online are enabled.
Rationale
Cyber incidents, particularly Business Email Compromise (BEC) and spear phishing, often start with a malicious email sent in the name of a (usually high-ranking) colleague.
In Microsoft 365, the Anti-Impersonation feature adds an extra layer of protection against this. It detects emails that appear to come from specific employees but actually originate from a different email address. This feature is not enabled by default and requires a list of employees whose names should be protected against impersonation.
This feature is available for organizations with a license for Microsoft Defender for Office 365 Plan 1 or Plan 2.
Attic Fix
A fix is available for this check! It will be offered via a ticket in Attic, after which you can accept it.
Manual Instructions
Follow these steps to adjust the setting:
- Go to the Security portal of M365: https://security.microsoft.com
- Under Email & Collaboration, click on Policies & Rules
- Click on Anti-phishing
- Select the default policy (or create a new policy)
- Under Phishing Threshold & Protection, you'll find the Impersonation settings
- Select the employees for whom this feature should be enabled
- Click Save
Impact
Employees who are used to emailing themselves from outside the organization, for example from a private address, may find that these emails no longer arrive: they are recognized as spoofing and placed in quarantine. Specific exceptions for allowed senders can be configured in Exchange Online.
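The same audit and configuration as the manual steps above, plus the sender exception mentioned under Impact, can be done from PowerShell with the ExchangeOnlineManagement module. This is an added example and not part of the original article or the Attic fix; it assumes the module is installed, the signed-in account may manage Exchange Online security policies, and the policy name, protected employees and excluded address are placeholders to replace with your own values.

```powershell
# Added example (not from the original article or the Attic fix).
# Audits and enables user impersonation protection on the default anti-phishing policy.
# Assumptions: ExchangeOnlineManagement module installed, sufficient rights in Exchange Online,
# and the names/addresses below are placeholders for your own organization.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# Name of the built-in default anti-phishing policy; use your own policy name if you created one
$PolicyName = 'Office365 AntiPhish Default'

# Step 1: check the current state (what this check verifies)
$policy = Get-AntiPhishPolicy -Identity $PolicyName
if (-not $policy.EnableTargetedUserProtection -or $policy.TargetedUsersToProtect.Count -eq 0) {
    Write-Warning "User impersonation protection is not active on '$PolicyName'."
}

# Step 2: the employees to protect, as "DisplayName;EmailAddress" entries (placeholder values)
$ProtectedUsers = @(
    'Jane Doe;jane.doe@contoso.example',
    'John Smith;john.smith@contoso.example'
)

# Step 3: enable the feature and quarantine messages that impersonate a protected employee
Set-AntiPhishPolicy -Identity $PolicyName `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $ProtectedUsers `
    -TargetedUserProtectionAction Quarantine

# Step 4 (see Impact): allow a known private address of a protected employee to keep
# sending mail, without removing that employee from the protected list (placeholder value)
Set-AntiPhishPolicy -Identity $PolicyName `
    -ExcludedSenders @('jane.doe.private@example.com')

# Step 5: verify the result
Get-AntiPhishPolicy -Identity $PolicyName |
    Select-Object Name, EnableTargetedUserProtection, TargetedUsersToProtect,
                  TargetedUserProtectionAction, ExcludedSenders
```

The exception in step 4 is deliberately narrow: a single external address is whitelisted rather than the whole external domain, so the protection for that employee's name remains in force for every other sender.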