Anti-Phishing policies processing order askew?

David Kohler 40

I have 3 anti phishing policies, listed in order of priority 0-2

0 - Impersonation Protection - (Has one person as protected sender)

1 - Recipient Domains - (no impersonation protection configured)

2 - Office365 AntiPhish Default (Default) (Same settings as Impersonation Protection policy.)

I sent a test e-mail impersonating the one protected sender. (The from e-mail had the same display name, but different domain)

To: the person protected, and one other

CC: a third person

The result was all three were quarantined, as I had hoped. But the one to the protected person was caught by the Impersonation Protection policy, and the other two were caught by the Office365 AntiPhish Default policy.

Both show Detection technologies as "Impersonation user"

I was wondering why it would do that. I would think it would all be processed by the Impersonation Protection Policy.

Bruce Jing-MSFT 2,070 Reputation points Microsoft Vendor

2024-06-14T01:14:46.25+00:00

Hello, @David Kohler

It's been a long time since I've heard from you, have you solved your problem yet? Did my previous reply help you？ If it was useful, you can mark it as an answer. Thank you for your understanding and support.
Bruce Jing-MSFT 2,070 Reputation points Microsoft Vendor

2024-06-17T09:10:54.6766667+00:00

Hello, @David Kohler

It's been a long time since I've heard from you, have you solved your problem yet? Did my previous reply help you？ If it was useful, you can mark it as an answer. Thank you for your understanding and support.
David Kohler 40 Reputation points

2024-06-17T13:23:19.1633333+00:00

Hi @Bruce Jing-MSFT I am wondering why one e-mail was caught by the first policy and the other ones were caught by the 3rd policy.
Bruce Jing-MSFT 2,070 Reputation points Microsoft Vendor

2024-06-18T02:47:05.48+00:00

Hi，@David Kohler

These protection policies are indeed not easy to understand.

Let's change the way of thinking. The protection policy is a pipeline. Because the simulation protection policy has a higher priority, it runs first. After it ends, the anti-phishing default policy starts running. The simulation protection policy only protects A. It is not responsible for protecting B and C, so B and C will not trigger the simulation protection policy. The anti-phishing default policy protects everyone, so B and C will trigger this policy.If my answer is helpful to you, please mark it as the answer so that other users can refer to it. Thank you for your support and understanding.
David Kohler 40 Reputation points

2024-06-18T12:51:29.8833333+00:00

Excellent, Thank you for that!

Accepted answer

Bruce Jing-MSFT 2,070 Reputation points Microsoft Vendor

2024-06-07T06:03:30.33+00:00

Hi，@David Kohler

Thanks for posting your question in the Microsoft Q&A forum.

You have three anti-phishing policies in place. You send a test email posing as a protected sender to three people, but they are all quarantined.

As for the other two emails, although they were not sent to protected recipients, since their display names were the same as protected senders, the Office365 AntiPhish Default policy (as the default policy) was also able to identify and quarantine these emails using the "Impersonating User" detection technology. This is probably because the default policy is also configured with the same settings as the Impersonation Protection policy, so it is able to identify this type of impersonation behavior.

Typically, even if the emails are not sent directly to protected recipients, as long as the display name of the protected sender is included in the email, these emails may be identified as impersonation attacks and quarantined.

For details, you can refer to this URL: Anti-phishing policies - Microsoft Defender for Office 365 | Microsoft Learn

If my answer is helpful to you, please mark it as the answer so that other users can refer to it. Thank you for your support and understanding.
Please sign in to rate this answer.
David Kohler 40 Reputation points

2024-06-07T13:12:27.0033333+00:00

Thank you, @Bruce Jing-MSFT , my question is more, if both policies are identical, why would it bypass the 1st, but be caught by the 2nd.

I guess I just need to know if I need to keep both policies configured the same as I add and remove protected senders, to ensure maximum protection, or if I have something misconfigured.

Bruce Jing-MSFT 2,070 Reputation points Microsoft Vendor

2024-06-11T02:04:18.6533333+00:00

Hi，@David Kohler

I'm glad to hear back from you.

Based on your questions, I will answer them in turn:

1. If both policies are identical, why would it bypass the 1st, but be caught by the 2nd.

In Office 365, when multiple policies exist, the policy with the highest priority (the one with the lowest number) is applied first. If the message is not caught by the highest priority policy, the system continues to check the next priority policy, and so on.

In your case, the protected person's message was caught by the impersonation protection policy, while the other two people's messages were caught by the Office 365 anti-phishing default policy. This probably means that the impersonation protection policy (priority 0) was set specifically for the protected person, while the default policy (priority 2) applied to all recipients.

2. Do you need to keep the configuration of both policies identical to ensure maximum protection?

To ensure maximum protection, you should make sure that all relevant anti-phishing policies have the same configuration, especially when adding or removing protected senders. This way, no matter which policy an email first hits, a consistent level of protection is guaranteed.

If my answer is helpful to you, please mark it as the answer so that other users can refer to it. Thank you for your support and understanding.
Sign in to comment

Share via

Anti-Phishing policies processing order askew?

0 additional answers