This chapter covers anti-phishing policies in Microsoft 365, a critical component of the Microsoft 365 Defender suite. For the MS-900 exam, approximately 5-10% of questions touch on security policies, with anti-phishing being a key sub-topic. You will learn the mechanisms behind spoof intelligence, impersonation detection, and mailbox intelligence, including default values and configuration options. Understanding these policies is essential for passing the Security domain (Objective 3.1) and for real-world protection against phishing attacks.
Anti-phishing in Microsoft 365 works like an airport security system with multiple layers. First, travelers (emails) arrive at the airport (Exchange Online). Before entering the terminal, they pass through an initial identity check (SPF verification) that confirms the sender's passport (domain) is valid. Next, they go through a metal detector (DKIM) that checks for tampering—if the email's signature (boarding pass) doesn't match, it's flagged. Then, a behavior detection officer (DMARC) reviews the overall travel pattern: if the email claims to be from a VIP but arrives from an unusual route, it's sent to secondary screening. In the terminal, plainclothes officers (machine learning models) observe passenger behavior—sudden changes in walking speed, loitering near secure doors (suspicious URLs, impersonation language). If an email exhibits multiple suspicious indicators, it's intercepted and either quarantined (held in a secure room) or its contents are sanitized (safe links rewrite URLs). The system continually updates its threat profiles based on global intelligence (Microsoft's threat graph) and local behavior patterns (tenant-specific learning). Just as airports use layered security to catch threats that might bypass any single check, anti-phishing policies combine authentication checks, impersonation detection, and advanced heuristics to protect against sophisticated phishing attacks.
What Are Anti-Phishing Policies and Why Do They Exist?
Anti-phishing policies in Microsoft 365 are a set of protections within Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection or ATP) that defend against sophisticated phishing attacks. These attacks often bypass traditional spam filters by impersonating trusted senders or using social engineering tactics. Anti-phishing policies provide three primary layers of defense: spoof intelligence, impersonation detection, and mailbox intelligence. The policies are applied at the tenant level and can be scoped to specific users, domains, or groups.
How Anti-Phishing Policies Work Internally
When an email arrives at Exchange Online Protection (EOP), it undergoes a series of checks. Anti-phishing policies are evaluated after spam filtering but before delivery. The process is as follows:
Spoof Intelligence: The system checks the email's authentication status using SPF, DKIM, and DMARC. If the email fails these checks and the sending domain is not otherwise authenticated, it is treated as spoofed. Spoof intelligence automatically adds legitimate senders who occasionally fail authentication (e.g., bulk mailers) to an allow list based on their sending history.
Impersonation Detection: The policy scans the email for attempts to impersonate protected users (e.g., the CEO) or domains (e.g., the company's domain). It uses machine learning models to compare the sender's display name, email address, and domain against a list of protected entities. If a similarity score exceeds a threshold (default 70% for users, configurable), the email is flagged.
Mailbox Intelligence: This feature learns from the recipient's email interactions. It builds a model of who the user normally communicates with and flags emails from senders that the user has never contacted before, especially if the email requests sensitive actions (e.g., wire transfers).
Advanced Thresholds: The policy can apply additional heuristics, such as analyzing the email's content for phishing keywords, URL reputation, and attachment analysis.
Once an email is determined to be a phishing attempt, the policy can take one of several actions: move to Junk Email folder, quarantine the message, redirect to another recipient, or allow the message with a warning (e.g., via Safe Links rewriting URLs).
Key Components, Values, Defaults, and Timers
Spoof Intelligence: Default is enabled for all tenants. It automatically allows authenticated senders and blocks unauthenticated ones. The system maintains a sender reputation database that updates every 24 hours.
Impersonation Protection: Must be explicitly configured. You can protect up to 60 users (including the tenant admin) and up to 50 domains (including your own domain). The default similarity threshold for user impersonation is 70% (configurable from 1% to 100%). For domain impersonation, the threshold is fixed but uses internal heuristics.
Mailbox Intelligence: Enabled by default for all users. It learns from the last 30 days of email interactions. The system flags emails from unknown senders that contain phishing indicators.
Actions and Policies: There are three default policies: Built-In (applies to all users), Standard (recommended for most tenants), and Strict (for high-security environments). You can also create custom policies. Default actions: for impersonation, quarantine; for spoof, move to Junk.
Timers: The system processes emails in near real-time. The Safe Links feature rewrites URLs at the time of click, with a 4-hour cache for URL reputation.
Configuration and Verification Commands
Anti-phishing policies are configured via the Microsoft 365 Defender portal (security.microsoft.com) or PowerShell. Key PowerShell cmdlets:
Get-AntiPhishPolicy – Lists all anti-phishing policies.
New-AntiPhishPolicy – Creates a new policy.
Set-AntiPhishPolicy – Modifies an existing policy.
Get-AntiPhishRule – Lists rules that apply policies to users.
Example: To create a policy that protects CEO@contoso.com with a 50% similarity threshold:
New-AntiPhishPolicy -Name "CEO Protection" -EnableTargetedUserProtection $true -TargetedUsersToProtect "CEO@contoso.com" -TargetedUserProtectionAction Quarantine -SimilarityThreshold 50
To verify that a policy is applied to a user:
Get-AntiPhishRule | Format-List Name, RecipientDomainIs, SentTo
Interaction with Related Technologies
Anti-phishing policies work closely with other Microsoft 365 Defender components:
Safe Attachments: Scans attachments before delivery; if a phishing email contains a malicious attachment, Safe Attachments can block it.
Safe Links: Rewrites URLs in emails flagged by anti-phishing policies; when a user clicks a link, it is checked against real-time reputation.
Mail Flow Rules (Transport Rules): Can be used to override anti-phishing actions or add additional conditions.
Attack Simulator: Used to test anti-phishing policies by sending simulated phishing emails.
Anti-phishing policies are also integrated with Microsoft 365 compliance center for eDiscovery and audit logging.
Email Arrives at EOP
When an email is sent to a Microsoft 365 recipient, it first arrives at Exchange Online Protection (EOP). EOP performs initial checks: connection filtering (IP reputation), anti-malware scanning, and spam filtering. If the email passes these, it moves to anti-phishing evaluation. The email's envelope information (sender domain, IP address) is extracted and passed to the anti-phishing engine.
Spoof Intelligence Check
The anti-phishing engine checks the email's authentication status using SPF, DKIM, and DMARC. If the email fails all three, it is considered unauthenticated. Spoof intelligence then evaluates the sender's domain against a tenant-specific allow list built from historical sending patterns. If the domain is unknown or has a poor reputation, the email is flagged as spoofed. The default action for spoofed emails is to move them to the Junk Email folder.
Impersonation Detection
The engine compares the sender's display name and email address to a list of protected users and domains. This list can be configured manually or automatically include the tenant's own domain(s). Machine learning models calculate a similarity score based on character-level differences (e.g., 'ceo@contoso.com' vs 'ceo@contos0.com'). If the score exceeds the threshold (default 70% for users), the email is flagged. Additionally, domain impersonation checks for lookalike domains (e.g., 'contoso.com' vs 'contoso-news.com').
Mailbox Intelligence Evaluation
Mailbox intelligence analyzes the recipient's email history over the past 30 days. It builds a graph of senders the user has interacted with. If the sender is new and the email contains phishing indicators (e.g., urgent language, requests for credentials), the email is flagged. The system also considers the sender's reputation across the tenant. This step is performed even if the email passed spoof and impersonation checks.
Policy Action Applied
Based on the cumulative risk score from the previous steps, the anti-phishing policy applies a configured action: Quarantine, Move to Junk, Redirect, or Allow with warning. If the email is allowed, Safe Links may rewrite URLs to point to Microsoft's link scanning service. The email is then delivered to the user's mailbox with any applicable headers (e.g., X-Forefront-Antispam-Report).
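As an added example (not Microsoft's code or the chapter's), the following Python model walks one message through the order described in the steps above and in "How Anti-Phishing Policies Work Internally": spoof check, impersonation scoring, mailbox intelligence, then the action with the precedence the chapter gives. The difflib similarity ratio, the 0.80 domain threshold, the keyword list, and the junk action for mailbox-intelligence hits are assumptions; display-name matching is left out.

```python
# Added example (not Microsoft's code); difflib metric and the 0.80 domain threshold are assumptions.
from dataclasses import dataclass, field
from difflib import SequenceMatcher

USER_THRESHOLD = 0.70    # chapter default: 70% similarity for protected users
DOMAIN_THRESHOLD = 0.80  # assumption: the chapter says the domain threshold is internal
PHISH_WORDS = ("urgent", "wire transfer", "verify your password")

@dataclass
class Policy:
    protected_users: list      # protected addresses (chapter: up to 60 per policy)
    protected_domains: list    # protected domains (chapter: up to 50 per policy)
    spoof_allow: set = field(default_factory=set)      # spoof-intelligence sending history
    known_senders: dict = field(default_factory=dict)  # recipient -> senders seen in 30 days

@dataclass
class Message:
    sender: str
    recipient: str
    auth: dict   # {"spf": "pass" | "fail", "dkim": ..., "dmarc": ...}
    body: str

def similarity(a, b):
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def is_spoofed(msg, policy):
    if "pass" in msg.auth.values():
        return False   # at least one of SPF/DKIM/DMARC passed
    return msg.sender.rpartition("@")[2] not in policy.spoof_allow   # unknown and unauthenticated

def impersonation_target(msg, policy):   # protected user/domain the sender resembles, or None
    local, _, domain = msg.sender.lower().rpartition("@")
    for user in policy.protected_users:
        ulocal, _, udomain = user.lower().rpartition("@")
        if (local, domain) == (ulocal, udomain):
            continue   # the real protected user, not an impersonation
        if similarity(local, ulocal) >= USER_THRESHOLD and similarity(domain, udomain) >= USER_THRESHOLD:
            return user
    for d in policy.protected_domains:   # lookalike of a protected domain, e.g. contoso-inc.com
        if domain != d.lower() and similarity(domain, d) >= DOMAIN_THRESHOLD:
            return d
    return None

def mailbox_intel_flag(msg, policy):
    new_sender = msg.sender.lower() not in policy.known_senders.get(msg.recipient, set())
    return new_sender and any(w in msg.body.lower() for w in PHISH_WORDS)

def evaluate(msg, policy):
    if impersonation_target(msg, policy):   # checked first: impersonation takes precedence over spoof
        return "Quarantine"   # chapter default for impersonation
    if is_spoofed(msg, policy):
        return "MoveToJunk"   # chapter default for spoof
    if mailbox_intel_flag(msg, policy):
        return "MoveToJunk"   # assumption: the chapter gives no default action for this case
    return "Deliver"
```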
In a typical enterprise deployment, anti-phishing policies are configured to protect the CEO, CFO, and other high-value targets. For example, a multinational company with 10,000 users would already have spoof intelligence enabled by default, but must explicitly add the CEO's email address to the impersonation protection list. The security team would set the similarity threshold to 50% to catch more subtle variations. They would also enable mailbox intelligence for all users to detect business email compromise (BEC) attacks.
A common real-world scenario is a BEC attack where an attacker impersonates the CEO via a lookalike domain (e.g., 'contoso-inc.com' instead of 'contoso.com'). The anti-phishing policy's domain impersonation detection would flag the email because the sending domain is similar to a protected domain. The email would be quarantined, and the security team would receive an alert. The team would then investigate using Threat Explorer and possibly add the lookalike domain to the tenant's block list.
Performance considerations: Anti-phishing policies process emails in near real-time, but high email volumes (e.g., 100,000 emails per hour) can cause slight delays. Microsoft's infrastructure scales automatically, but custom policies with many protected users (up to 60) can increase processing time. Misconfiguration often occurs when the similarity threshold is set too low (e.g., 1%), causing excessive false positives, or too high (e.g., 99%), allowing obvious impersonations. Another common mistake is failing to protect the company's own domain, leaving it vulnerable to domain spoofing.
When misconfigured, legitimate emails may be quarantined, leading to user complaints. For example, a vendor using a different domain may be flagged by spoof intelligence if their SPF record is misconfigured. The security team must regularly review spoof intelligence allow lists and user-reported false positives.
The MS-900 exam tests anti-phishing policies under Objective 3.1: 'Describe the capabilities of Microsoft 365 Defender.' Specifically, you need to know: (1) What anti-phishing policies protect against (spoofing, impersonation, BEC). (2) The default actions for spoof (move to Junk) and impersonation (quarantine). (3) The three default policy templates: Built-In, Standard, and Strict. (4) The maximum number of protected users (60) and domains (50) in a custom policy. (5) That mailbox intelligence is enabled by default and learns from 30 days of email history.
Common wrong answers: (A) 'Anti-phishing policies are part of Exchange Online Protection (EOP)' – This is partially true, but the advanced anti-phishing features (impersonation, mailbox intelligence) require Microsoft Defender for Office 365 (Plan 1 or 2), not EOP alone. (B) 'Spoof intelligence blocks all unauthenticated email' – False; it allows legitimate senders based on history. (C) 'Impersonation protection is enabled by default' – False; it must be explicitly configured. (D) 'Safe Links is part of anti-phishing policies' – Safe Links is a separate feature, though it can be triggered by anti-phishing actions.
Numbers to memorize: 60 users, 50 domains, 70% default similarity threshold, 30 days mailbox intelligence history, 4-hour URL cache for Safe Links. Edge cases: The exam may ask what happens when an email passes all checks – it is delivered normally. Or, if an email is both spoofed and impersonates a protected user, the impersonation action takes precedence (usually quarantine). Another edge: mailbox intelligence only applies to users who have been in the tenant for at least 30 days.
To eliminate wrong answers, focus on the underlying mechanism: anti-phishing policies are about detecting and blocking phishing attempts that use deception, not about malware or spam. If an answer mentions 'malware' or 'spam keywords,' it's likely wrong for this specific topic.
Anti-phishing policies in Microsoft 365 protect against spoofing, impersonation, and business email compromise (BEC).
Spoof intelligence is enabled by default; impersonation protection must be configured manually.
You can protect up to 60 users and 50 domains per custom anti-phishing policy.
The default similarity threshold for user impersonation is 70%.
Mailbox intelligence is enabled by default and learns from the last 30 days of email interactions.
Three default policy templates: Built-In, Standard, and Strict.
Advanced anti-phishing features require Microsoft Defender for Office 365 (Plan 1 or 2).
These come up on the exam all the time. Here's how to tell them apart.
Spoof Intelligence
Checks email authentication (SPF, DKIM, DMARC).
Default enabled for all tenants.
Allows legitimate unauthenticated senders based on history.
Action typically moves email to Junk folder.
Protects against domain spoofing from external senders.
Impersonation Detection
Compares sender name/address to protected users/domains.
Must be explicitly configured.
Uses similarity threshold (default 70%).
Action typically quarantines the email.
Protects against display name and lookalike domain impersonation.
Mistake
Anti-phishing policies are automatically enabled for all Microsoft 365 tenants.
Correct
Only spoof intelligence is enabled by default. Impersonation protection and mailbox intelligence require configuration, and advanced features require Microsoft Defender for Office 365 licenses.
Mistake
Spoof intelligence blocks all unauthenticated email.
Correct
Spoof intelligence allows unauthenticated email from senders with a good sending history. It only blocks unauthenticated email from unknown or poor-reputation sources.
Mistake
Mailbox intelligence protects against all phishing attacks.
Correct
Mailbox intelligence only flags emails from senders the user has never interacted with. It does not detect phishing from known contacts whose accounts have been compromised.
Mistake
You can protect an unlimited number of users with impersonation protection.
Correct
The maximum is 60 users per policy. For broader protection, use domain impersonation or enable mailbox intelligence for all users.
Mistake
Anti-phishing policies replace the need for user training.
Correct
Anti-phishing policies are a technical control, but user awareness is still critical. Policies can miss zero-day attacks or sophisticated social engineering.
Anti-phishing policies detect and block phishing emails before delivery, while Safe Links is a protective measure that rewrites URLs in emails to check them at click time. Safe Links can be triggered by anti-phishing policies but is a separate feature. Anti-phishing policies focus on the email itself; Safe Links focuses on the URLs within the email.
Basic spoof intelligence is available in Exchange Online Protection (EOP), which is included with all Exchange Online licenses. However, advanced anti-phishing features like impersonation protection and mailbox intelligence require Microsoft Defender for Office 365, which is available in Plan 1, Plan 2, or as part of Microsoft 365 E5.
Yes, you can add your own domain(s) to the impersonation protection list. This will flag any email that attempts to impersonate your domain (e.g., using a similar domain name). You can protect up to 50 domains per policy.
Use the `New-AntiPhishPolicy` cmdlet to create a policy and `New-AntiPhishRule` to apply it to users. For example: `New-AntiPhishPolicy -Name "Custom" -EnableTargetedUserProtection $true -TargetedUsersToProtect "user@contoso.com"`. Then: `New-AntiPhishRule -Name "Custom Rule" -Policy "Custom" -RecipientDomainIs contoso.com`.
Quarantined emails are stored in the quarantine portal (security.microsoft.com/quarantine). End users can view their own quarantined messages if they have permissions; admins can view all. The default retention period for quarantined phishing messages is 30 days. Users can release messages if they are false positives.
Mailbox intelligence analyzes the recipient's sent items and email interactions over the past 30 days. It builds a model of whom the user communicates with regularly. When an email arrives from a sender not in that model, it is flagged if other phishing indicators are present. The model updates continuously as new interactions occur.
Yes, if the internal email exhibits impersonation or spoofing characteristics. For example, if an internal user's account is compromised and they send an email impersonating the CEO, the policy can detect the impersonation based on display name or email address similarity. However, mailbox intelligence may not flag it if the compromised account is a known sender.