Configure Anti-Phishing Policies in Microsoft Defender for Office 365
Overview
Anti-phishing policies in Microsoft Defender for Office 365 protect users from:
- Impersonation attacks
- Business Email Compromise (BEC)
- Domain spoofing
- Credential harvesting emails
Proper configuration is critical. Many organizations enable Defender but leave impersonation protection misconfigured or too broadly scoped.
This guide explains how to configure Anti-Phishing policies correctly, what plans support them, and what administrators must verify.
Licensing Requirements
Anti-Phishing protection is available in:
| Feature | Exchange Online Protection (EOP) | Defender Plan 1 | Defender Plan 2 |
|---|---|---|---|
| Basic anti-phishing | ✅ Included | ✅ | ✅ |
| User impersonation protection | ❌ | ✅ | ✅ |
| Domain impersonation protection | ❌ | ✅ | ✅ |
| Spoof intelligence | Limited | ✅ | ✅ |
| Attack simulation integration | ❌ | ❌ | ✅ |
Minimum recommended: Microsoft Defender for Office 365 Plan 1
Where to Configure Anti-Phishing Policies
- Go to the Microsoft 365 Defender Portal: https://security.microsoft.com
- Navigate to: Email & Collaboration → Policies & Rules → Threat Policies → Anti-Phishing
Types of Anti-Phishing Policies
1. Preset Security Policies (Recommended Starting Point)
Microsoft provides:
- Standard protection
- Strict protection
Strict provides stronger protection and is recommended for high-risk users.
2. Custom Anti-Phishing Policies
Custom policies allow granular configuration and are recommended for:
- Executives
- Finance teams
- HR departments
- High-value targets
Step-by-Step: Creating a Custom Anti-Phishing Policy
Step 1: Create New Policy
- Click Create
- Select Anti-phishing policy
- Name the policy clearly (e.g., "Executive Protection Policy")
Step 2: Define Users and Domains to Protect
You can configure:
- Specific users to protect (CEO, CFO, etc.)
- Domains to protect
- Targeted impersonation detection
Important: User impersonation protection is limited (typically 350 protected users per tenant).
Prioritize high-risk accounts.
Step 3: Configure Impersonation Settings
Enable:
- User impersonation protection
- Domain impersonation protection
- Mailbox intelligence
Mailbox intelligence uses machine learning on each user's normal sending and receiving patterns to flag senders that do not fit them.
Recommended: Enable mailbox intelligence with spoof intelligence turned on.
Step 4: Configure Actions
For detected impersonation, the available actions include:
- Move message to Junk
- Quarantine
- Redirect
- Add warning banner
Recommended best practice:
- Quarantine high confidence phishing
- Add safety tips for suspicious messages
Step 5: Enable Safety Tips
Safety tips display warning banners to users.
Enable:
- First contact safety tip
- Impersonation safety tip
- Domain impersonation tip
These improve user awareness without blocking legitimate emails.
Step 6: Review and Enable
- Review policy settings
- Confirm scope
- Enable the policy
Allow 30–60 minutes for propagation.
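The six steps above, carried out with Exchange Online PowerShell instead of the portal. This is an added example and not code from the article or from Microsoft; the policy name, protected users, domains and the group name are placeholders you must replace. It assumes the ExchangeOnlineManagement module is installed and the account has the Security Administrator role.

```powershell
# Added example (not from the original article): creates the "Executive Protection Policy"
# described in Steps 1-6 with Exchange Online PowerShell. All names, users and domains
# below are placeholders; replace them with your own before running.

Connect-ExchangeOnline

$policyName = "Executive Protection Policy"          # placeholder name (Step 1)

# Step 2: users and domains to protect. Protected users use the "DisplayName;EmailAddress" format.
$protectedUsers = @(
    "Jane Doe;jane.doe@contoso.example",             # placeholder CEO
    "John Roe;john.roe@contoso.example"              # placeholder CFO
)
$protectedDomains = @("contoso.example")             # placeholder custom domain

# Steps 3-5: impersonation protection, mailbox intelligence, actions and safety tips.
New-AntiPhishPolicy -Name $policyName `
    -Enabled $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $protectedDomains `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction MoveToJmf `
    -EnableFirstContactSafetyTips $true `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableViaTag $true `
    -EnableUnauthenticatedSender $true

# Scope the policy to the high-risk group only. A policy does nothing until a rule binds it
# to recipients; the group below is a placeholder mail-enabled security group.
New-AntiPhishRule -Name "$policyName rule" `
    -AntiPhishPolicy $policyName `
    -SentToMemberOf "Executives@contoso.example" `
    -Priority 0

# Step 6: review what was created before relying on it.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, Enabled, EnableTargetedUserProtection, TargetedUsersToProtect,
                  EnableMailboxIntelligenceProtection, TargetedUserProtectionAction
Get-AntiPhishRule -Identity "$policyName rule" |
    Select-Object Name, State, Priority, SentToMemberOf
```

The "quarantine high confidence phishing" recommendation from Step 4 is a verdict action in the anti-spam (hosted content filter) policy rather than in the anti-phishing policy; `Set-HostedContentFilterPolicy -Identity Default -HighConfidencePhishAction Quarantine` sets it for the default policy.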
Spoof Intelligence Configuration
Spoof intelligence detects senders spoofing your domain.
To configure:
- Navigate to: Threat Policies → Anti-phishing → Spoof Intelligence
- Review:
  - Allowed senders
  - Blocked senders
  - Spoofed domain attempts
Important: Do not blindly allow spoofed senders. Validate via header analysis first.
Key Settings Security Analysts Must Verify
- Impersonation protection is enabled for high-risk users
- Mailbox intelligence is turned on
- Safety tips are not disabled
- Quarantine is configured correctly
- Preset policies are not overridden by weaker custom rules
- DKIM and DMARC are properly configured (authentication impacts spoof detection)
- External forwarding is restricted
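The checklist above as a script an analyst can run against a tenant. This is an added example, not code from the article; it uses Exchange Online PowerShell cmdlets plus `Resolve-DnsName` for the DMARC lookup, and it also flags the 350-user impersonation limit mentioned earlier. It assumes the ExchangeOnlineManagement module is installed and that `Resolve-DnsName` (Windows DnsClient module) is available.

```powershell
# Added example (not from the original article): audits the settings the checklist names.

Connect-ExchangeOnline

$findings = [System.Collections.Generic.List[string]]::new()

# Impersonation protection, mailbox intelligence and safety tips on every policy
$policies = @{}
foreach ($p in Get-AntiPhishPolicy) {
    $policies[$p.Name] = $p
    if (-not $p.EnableTargetedUserProtection -and -not $p.EnableTargetedDomainsProtection) {
        $findings.Add("$($p.Name): impersonation protection is OFF")
    }
    if ($p.EnableTargetedUserProtection -and $p.TargetedUserProtectionAction -eq 'NoAction') {
        $findings.Add("$($p.Name): user impersonation is detected but no action is configured")
    }
    if ($p.TargetedUsersToProtect.Count -gt 350) {
        $findings.Add("$($p.Name): $($p.TargetedUsersToProtect.Count) protected users exceeds the 350-user limit")
    }
    if (-not $p.EnableMailboxIntelligence)           { $findings.Add("$($p.Name): mailbox intelligence is OFF") }
    if (-not $p.EnableMailboxIntelligenceProtection) { $findings.Add("$($p.Name): mailbox intelligence takes no action") }
    if (-not ($p.EnableSimilarUsersSafetyTips -and $p.EnableSimilarDomainsSafetyTips -and $p.EnableFirstContactSafetyTips)) {
        $findings.Add("$($p.Name): one or more safety tips are disabled")
    }
}

# Rule precedence: the lowest priority number wins, so a weak custom rule placed in front of the
# preset silently overrides it. Print the order and flag rules bound to a weak policy.
foreach ($r in Get-AntiPhishRule | Sort-Object Priority) {
    Write-Host ("Priority {0}: rule '{1}' -> policy '{2}' ({3})" -f $r.Priority, $r.Name, $r.AntiPhishPolicy, $r.State)
    $bound = $policies[$r.AntiPhishPolicy]
    if ($bound -and -not $bound.EnableTargetedUserProtection) {
        $findings.Add("Rule '$($r.Name)' routes recipients to a policy without user impersonation protection")
    }
}

# DKIM signing enabled for every accepted domain, and a DMARC record published in DNS
foreach ($d in Get-AcceptedDomain) {
    $dkim = Get-DkimSigningConfig -Identity $d.DomainName -ErrorAction SilentlyContinue
    if (-not $dkim -or -not $dkim.Enabled) { $findings.Add("$($d.DomainName): DKIM signing is not enabled") }
    $dmarc = Resolve-DnsName -Name "_dmarc.$($d.DomainName)" -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { $_.Strings -match '^v=DMARC1' }
    if (-not $dmarc) { $findings.Add("$($d.DomainName): no DMARC record found") }
}

# External auto-forwarding restricted in the outbound spam policy
foreach ($o in Get-HostedOutboundSpamFilterPolicy) {
    if ($o.AutoForwardingMode -ne 'Off') {
        $findings.Add("$($o.Name): external auto-forwarding is '$($o.AutoForwardingMode)', expected 'Off'")
    }
}

if ($findings.Count -eq 0) { Write-Host "No findings." } else { $findings | ForEach-Object { Write-Warning $_ } }
```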
Common Misconfigurations
- Only Standard preset enabled, no custom executive protection
- Too many users added to impersonation list (exceeds limit)
- Spoof intelligence not reviewed regularly
- Safety tips disabled due to user complaints
- Anti-phishing policy not applied to all domains
Monitoring and Investigation
Use:
- Threat Explorer (Plan 2)
- Real-time detections
- Quarantine review
- Alert policies
Search by:
- Sender domain
- Targeted user
- Detection type (Impersonation, Spoof)
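The same three search criteria applied to quarantine from PowerShell, which works on Plan 1 tenants that have no Threat Explorer. This is an added example, not code from the article; the recipient address, look-alike domain and 7-day window are placeholders, and it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not from the original article): reviews phishing and impersonation verdicts
# in quarantine, filtered by detection type, targeted user and sender domain.

Connect-ExchangeOnline

$targetUser   = "jane.doe@contoso.example"   # placeholder protected user
$senderDomain = "contoso-payments.example"   # placeholder look-alike domain under review
$since        = (Get-Date).AddDays(-7)

# Detection type: phishing verdicts (impersonation and spoof detections land here),
# for one recipient, in the last 7 days
$hits = Get-QuarantineMessage -QuarantineTypes Phish,HighConfPhish `
            -RecipientAddress $targetUser -StartReceivedDate $since -PageSize 1000

# Sender domain: SenderAddress is the visible From address, so match on its domain part
$hits = $hits | Where-Object { $_.SenderAddress -like "*@$senderDomain" }

$hits | Sort-Object ReceivedTime -Descending |
    Select-Object ReceivedTime, SenderAddress, Subject, Type, QuarantineTypes, Identity |
    Format-Table -AutoSize

# Pull the headers of the newest hit so authentication results can be reviewed
# before anyone decides to release it
if ($hits) {
    $newest = $hits | Sort-Object ReceivedTime -Descending | Select-Object -First 1
    Get-QuarantineMessageHeader -Identity $newest.Identity
}
```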
Limitations to Understand
- Anti-phishing primarily detects impersonation patterns
- Zero-day malicious links may still pass if not flagged
- User interaction with a delivered message (opening, clicking, replying) still happens on the endpoint device, outside the mail filter's control
- Detection is based on heuristics and reputation
Layered protection is recommended.
Frequently Asked Questions (FAQ)
Is Microsoft Defender for Office 365 Plan 1 included in Microsoft 365 E3?
No. Microsoft 365 E3 includes Exchange Online Protection (EOP), but Defender for Office 365 Plan 1 is not included by default.
Plan 1 must be purchased separately unless bundled in another license.
Is Defender for Office 365 Plan 2 included in Microsoft 365 E5?
Yes. Microsoft 365 E5 includes Defender for Office 365 Plan 2.
Plan 2 provides advanced features such as:
- Threat Explorer
- Automated investigation and response
- Attack simulation training
- Campaign view
- Advanced hunting capabilities
Is Defender for Office 365 Plan 1 included in Business Premium?
Yes. Microsoft 365 Business Premium includes Defender for Office 365 Plan 1.
This includes:
- Anti-phishing protection
- Safe Links
- Safe Attachments
- Impersonation protection
What is the difference between Plan 1 and Plan 2?
Plan 1 focuses on prevention:
- Safe Links
- Safe Attachments
- Anti-phishing policies
- Impersonation protection
Plan 2 includes everything in Plan 1 plus:
- Threat Explorer
- Automated investigation and response
- Attack simulation training
- Advanced reporting and hunting
Can I upgrade from Plan 1 to Plan 2?
Yes. Organizations can purchase Defender for Office 365 Plan 2 as an add-on if they already have Plan 1 or qualifying licenses.
Is Exchange Online Protection (EOP) the same as Defender for Office 365?
No. EOP provides baseline email filtering (anti-spam and anti-malware).
Defender for Office 365 adds advanced phishing, URL protection, and investigation capabilities.
What is the difference between Anti-Phishing and Anti-Malware policies?
Anti-Phishing focuses on impersonation and social engineering detection.
Anti-Malware scans attachments for malicious code.
How many users can be protected with impersonation protection?
Microsoft limits protected users (commonly up to 350 per tenant).
Prioritize executives and high-risk roles.
Should I use Standard or Strict preset policy?
Strict provides stronger protection and is recommended for high-risk departments.
Test in a pilot group before full rollout.
Does Anti-Phishing stop domain spoofing completely?
It reduces spoofing risk, especially when combined with SPF, DKIM, and DMARC.
Authentication configuration is critical.
How do I know if impersonation protection is working?
Check:
- Threat Explorer
- Quarantine detections
- Alert policies
- Spoof intelligence dashboard
Does Defender Plan 1 include impersonation protection?
Yes. User and domain impersonation protection require Defender for Office 365 Plan 1 or Plan 2.
Why are legitimate emails being quarantined?
Possible reasons:
- Overly strict policy
- Similar display names
- Misconfigured spoof intelligence
Review header authentication results before allowing.
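The header analysis that both the Spoof Intelligence section ("Validate via header analysis first") and this answer call for, as an added example that is not part of the article. It parses the `Authentication-Results` header Exchange Online stamps on inbound mail and only treats a sender as safe to allow when DMARC passes. The header below is a constructed sample, not a real message; the function names `Get-AuthResults` and `Test-SafeToAllow` are this example's own. It needs no tenant connection.

```powershell
# Added example (not from the original article). Constructed sample header: a message that
# claims to be from contoso.example but fails SPF, carries no DKIM signature and fails DMARC.
$header = @'
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=contoso-payments.example; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=contoso.example;compauth=fail reason=000
'@

function Get-AuthResults {
    param([string]$HeaderText)
    # Unfold the header (continuation lines start with whitespace), then pull each verdict.
    $flat = ($HeaderText -replace "`r?`n[ \t]+", " ")
    $r = [ordered]@{}
    foreach ($key in 'spf', 'dkim', 'dmarc', 'compauth') {
        if ($flat -match "(?i)\b$key=(\w+)") { $r[$key] = $Matches[1].ToLower() } else { $r[$key] = 'missing' }
    }
    if ($flat -match '(?i)header\.from=([\w.-]+)')   { $r['from_domain']     = $Matches[1].ToLower() }
    if ($flat -match '(?i)smtp\.mailfrom=([\w.-]+)') { $r['mailfrom_domain'] = $Matches[1].ToLower() }
    if ($flat -match '(?i)reason=(\d+)')             { $r['compauth_reason'] = $Matches[1] }
    return $r
}

function Test-SafeToAllow {
    param([System.Collections.IDictionary]$Auth)
    # A sender is a candidate for an allow entry only when the From domain's own policy vouches
    # for the message, i.e. DMARC passes (SPF or DKIM aligned with header.from). Any other
    # result means the sender should fix SPF/DKIM/DMARC on their side, not be allow-listed.
    return ($Auth['dmarc'] -eq 'pass')
}

$auth = Get-AuthResults -HeaderText $header
$auth.GetEnumerator() | ForEach-Object { "{0,-16} {1}" -f $_.Key, $_.Value }

if (Test-SafeToAllow -Auth $auth) {
    "Verdict: authentication passes; an allow entry is defensible."
} else {
    "Verdict: do NOT allow. spf={0} dkim={1} dmarc={2} compauth={3}. Ask the sender to fix authentication." -f `
        $auth['spf'], $auth['dkim'], $auth['dmarc'], $auth['compauth']
}
```

For the sample header the script prints `spf fail`, `dkim none`, `dmarc fail`, `compauth fail` and the "do NOT allow" verdict; the mismatch between `smtp.mailfrom` (`contoso-payments.example`) and `header.from` (`contoso.example`) is exactly the pattern a look-alike sender produces, and an allow entry would switch the protection off for it.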
Summary
Configuring Anti-Phishing policies correctly is one of the most important steps in securing Microsoft 365 email.
Ensure:
- Impersonation protection is enabled
- High-risk users are prioritized
- Spoof intelligence is reviewed regularly
- Policies are aligned with authentication controls
Proper configuration significantly reduces Business Email Compromise and impersonation attacks.