Table of Contents
Anti-Phishing, Defender, and Impersonation
Updated June 15, 2021
Microsoft Defender for Office 365 is the new name for what used to be called Advanced Threat Protection (ATP). While Exchange Online Protection includes anti-phishing policies to stop phishing attempts like this recent example, Defender extends the anti-phishing policy with impersonation settings (Figure 1).
Impersonation is where an inbound email appears to come from a sender or domain that is known but is slightly different, such as email from Micriosoft.com. It’s done to lure the recipient into a false sense of security that the email they receive originated from a trusted sender or domain whereas it’s an attempt to hoodwink them into doing something bad, like revealing confidential information.
The impersonation settings in anti-phishing policies allow tenants to define up to 60 protected email addresses (per policy) which are then subject to checks to pick up attempts at impersonation. The checks only work if the sender has never communicated with the recipient before. If an attempt is detected, policy settings determine what happens next, such as moving the message to Junk Email.
Safety Tips Highlight Potential Problems
Exchange Online Protection uses safety tips to highlight potentially problematic messages to users. For example, Figure 2 shows a safety tip for a message where the sender’s address could not be verified because the message failed both DKIM and DMARC tests upon arrival into Office 365.
Figure 3 shows an example of an impersonation safety tips. Microsoft Defender has identified that the email address of an inbound message is similar to an address used by a regular correspondent, so the fact is highlighted.
Enabling the First Contact Safety Tip with a Mail Transport Rule
The initial method to implement the first contact safety tip was through a mail flow (transport) rule which inserts the X-MS-Exchange-EnableFirstContactSafetyTip x-header into external messages. The presence of the header causes Microsoft Defender to generate a safety tip if the sender has never sent email to the recipient before. The mail flow rule is very straightforward. It applies to all inbound email and applies the x-header to those messages (Figure 4).
Note: An earlier version of this post used True as the value for the x-header. Exchange engineering have advised that the x-header should be set to Enable.
The effect of the mail flow rule is shown in Figure 5. The documentation says “Specific safety tips will be displayed notifying recipients that they often don’t get email from the sender or in cases when the recipient gets an email for the first time from the sender.” This implies that different text is used when a message is received from someone for the first time. However, I have only ever seen safety tips saying that “You don’t often get email from…”
Even though the first contact safety tip is connected to impersonation prevention, it’s not covered by the same licensing requirements. The safety tips appear on messages sent to mailboxes which don’t have Microsoft Defender for Office 365 licenses.
Updating the Anti-Phishing Policy
In June 2021, Microsoft announced (MC262087, June 14, Microsoft 365 roadmap item 82052) that an update to the anti-phishing policy rolling out in late June allows administrators to configure a policy setting to force display of the first contact safety tip. When the update is available you can continue using the mail transport rule and do nothing or update the anti-phishing policy through the Security and Compliance center to select the Show first contact safety tip. This is a welcome step because it makes it easier for inexperienced administrators to enable the safety tip for users.
Warning Users is Goodness
If your tenant has Microsoft Defender for Office 365 it’s a good idea to create and use the mail flow rule recommended by Microsoft. There’s no downside and it could stop someone falling victim to an phishing attempt in an email received from someone who seems to be like a person that the recipient is used to receiving messages from. Warning people of potential problems is pure and simple goodness!
Keep up to date with change inside Exchange Online and the other Office 365 apps by subscribing to the Office 365 for IT Pros ebook. We update the book monthly to make sure that our subscribers have the latest news.
Is there any way for the end-user to disable this? Suddenly most of my incoming mail is cluttered with this, and there’s no way to dismiss the message.
Nope. It’s an organization setting which is either on or off. End users can’t choose their setting.
How do I turn this rubbish off?
No one pays attention to it anyway. The people who this is intended for will happily click on strange links anyway. There is simply no cure for stupid and this detracts from the utility of the product.