---
title: "Enabling Microsoft’s Exchange Online Protection (EOP) phishing policies using the Microsoft Defender portal | DuoCircle"
description: "Enabling Microsoft’s Exchange Online Protection (EOP) phishing policies using the Microsoft Defender portal."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/email-security/enable-exchange-online-protection-eop-phishing-policies-microsoft-defender-portal/"
---

Quick Answer

Microsoft Exchange Online Protection (EOP) ships with a default anti-phishing policy applied to all recipients, but custom policies give better control. To configure them in the Microsoft Defender portal: 1) Open security.microsoft.com and go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing. 2) Click + to start the wizard and name the policy. 3) On the Users, groups, and domains page, scope the policy to specific mailboxes, mail-enabled groups, or accepted domains; multiple values within one condition use OR logic, different conditions use AND logic, and exceptions use OR logic. 4) On the Phishing threshold & protection page, leave Enable spoof intelligence on (default). 5) On the Actions page, choose how to honor DMARC: when sender DMARC policy is p=quarantine, default action is quarantine but you can move to Junk; when p=reject, default action is reject but you can quarantine. For spoof-intelligence detections, choose quarantine (with policy) or move to Junk. Configure first-contact safety tips, unauthenticated-sender indicators (the question mark on the sender photo when SPF, DKIM, or DMARC fails), and the via tag for mismatched DKIM or MAIL FROM domains. Review and submit.

Enabling Microsoft’s Exchange Online Protection (EOP) phishing policies using the Microsoft Defender portal


![Exchange Online Protection](https://media.mailhop.org/duocircle/images/2024/08/sender-policy-framework-4.jpg) 

There is a default [anti-phishing policy](/content/office-365-phishing-protection/office-365-anti-phishing-policy) that is applied to all recipients, but custom policies give you finer control over who is protected and how. To configure anti-phishing policies, you need to be assigned the required permissions in the **Microsoft Defender portal**. Once you have those permissions, you can create and modify policies.

## Steps to configure the anti-phishing policies using the Microsoft Defender portal

1. Open the [Microsoft Defender portal](https://security.microsoft.com/).
2. Go to **Email & Collaboration** > **Policies & Rules** > **Threat policies** > **Anti-phishing** in the **Policies** section. You can directly go to the anti-phishing page [here](https://security.microsoft.com/antiphishing).
3. There will be a ‘+’ sign, which you have to click to open the new anti-phishing policy wizard.
4. The **Policy name** page will appear, where you have to enter a unique, descriptive name and an optional description for the policy in designated boxes.
5. Click **Next**.
6. On the **Users, groups, and domains** page, identify the internal recipients that the policy applies to:
   - **Users**: The specified mailboxes, mail users, and mail contacts.
   - **Groups**: The members of the specified distribution groups or **mail-enabled security groups**. Microsoft 365 groups are also included.
   - **Domains**: All recipients in the organization whose primary email address is in the specified accepted domain.

_Click the checkboxes that are appropriate for your domain and start typing a value to pick the one you want from the results_. Repeat this process as often as needed. To remove an existing value, click **X** next to the value.

[![email addresses](https://media.mailhop.org/duocircle/images/2024/08/SMTP-server-mail-8625.jpg)](https://media.mailhop.org/duocircle/images/2024/08/SMTP-server-mail-8625.jpg)

Name, display names, aliases, [email addresses](/email-hosting/finding-email-addresses-for-business-professionals/), account names, and other identifiers can be used for users or groups. However, the corresponding display name will be shown in the results. For **users or groups**, enter an asterisk (\*) by itself to see all available values.

Remember that you can use each condition only once. However, a condition is not restricted to a single value; it can have multiple values.

- Multiple values within the same condition use OR logic. If the recipient matches any of the specified values, the policy is applied.
- Different types of conditions use AND logic, meaning the recipient must meet all specified conditions for the policy to apply. For example, if you **configure a condition** with the following values:
   - Users: [brad@contoso.com](mailto:brad@contoso.com)
   - Groups: Executives

The policy will apply to [brad@contoso.com](mailto:brad@contoso.com) only if he is also a member of the Executives group. Otherwise, the policy will not apply to him.

- You can exclude certain users, groups, and domains from the internal recipients to which the policy applies. You can use each exception only once, but an exception can **include multiple values**:
   - Multiple values within the same exception use OR logic. If the recipient matches any of the specified values, the policy is not applied to them.
   - _Different types of exceptions use OR logic. If the recipient matches any of the specified exceptions, the policy does not apply to them_.

Once done, click **Next**.
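
The scoping rules above are easy to misread, so here is a small model of them as an added example (not Microsoft's code and not part of the original article). The class and function names are hypothetical, group membership is supplied directly rather than looked up, and a filter with no conditions is assumed to match nobody.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Recipient:
    address: str
    groups: frozenset = frozenset()  # group names the recipient belongs to

    @property
    def domain(self) -> str:
        return self.address.rsplit("@", 1)[1].lower()


@dataclass
class RecipientFilter:
    """One filter set; each type is used once but may hold many values."""
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    domains: set = field(default_factory=set)

    def hits(self, r: Recipient) -> list:
        """One boolean per *configured* type; values inside a type are ORed."""
        out = []
        if self.users:
            out.append(r.address.lower() in {u.lower() for u in self.users})
        if self.groups:
            out.append(bool(self.groups & r.groups))
        if self.domains:
            out.append(r.domain in {d.lower() for d in self.domains})
        return out


def policy_applies(r, conditions, exceptions=None) -> bool:
    # Exceptions: different types are ORed, so any single hit excludes.
    if exceptions is not None and any(exceptions.hits(r)):
        return False
    # Conditions: different types are ANDed, so every configured type must hit.
    hits = conditions.hits(r)
    return bool(hits) and all(hits)  # assumption: no conditions -> no match


# Constructed sample data, reusing the article's brad@contoso.com example.
CONDITIONS = RecipientFilter(users={"brad@contoso.com"}, groups={"Executives"})
EXCEPTIONS = RecipientFilter(users={"intern@contoso.com"}, groups={"Executives"})
BRAD_EXEC = Recipient("brad@contoso.com", frozenset({"Executives"}))
BRAD_ONLY = Recipient("brad@contoso.com")
EXEC_ONLY = Recipient("ana@contoso.com", frozenset({"Executives"}))

if __name__ == "__main__":
    for r in (BRAD_EXEC, BRAD_ONLY, EXEC_ONLY):
        print(r.address, sorted(r.groups), policy_applies(r, CONDITIONS))
```

A common mistake this catches: adding both a user and a group as conditions narrows the scope to the intersection, so a policy meant to cover "Brad and all executives" ends up covering only Brad.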

7\. You will be directed to the **Phishing threshold & protection** page, where you have to use the **Enable spoof intelligence** check box to enable or disable the [spoof intelligence](https://learn.microsoft.com/en-us/defender-office-365/anti-spoofing-spoof-intelligence) feature. The setting is selected by default, and it’s a good practice to leave it selected. But you can choose to clear the check box to disable spoof intelligence.

On the next page, you specify the action to be taken on messages from [blocked spoofed senders](https://www.bleepingcomputer.com/news/google/google-now-blocks-spoofed-emails-for-better-phishing-protection/). 

8\. On the **Actions** page, configure these settings:

- **Honor DMARC record policy when the message is detected as spoof:** This setting lets you control the action when a sender fails DMARC checks and the DMARC policy is set to either `p=quarantine` or `p=reject`.  
   - If a message is identified as spoofed and the DMARC policy is set to p=quarantine, you can choose to either quarantine the message (this is the default action) or move the message to the recipients’ [Junk Email folders](https://www.usatoday.com/story/tech/2023/06/23/emails-in-spam-folder/70350606007/).  
   - If a message is detected as spoofed and the [DMARC policy](/resources/dmarc-policy) is set to p=reject, you can choose to either quarantine the message or reject the message (this is the default action).
- **If the message is detected as a spoof by spoof intelligence:** If spoof intelligence is enabled (on the previous page), you can choose how to handle messages from blocked spoofed senders.  
   - Quarantine the message: If selected, you’ll need to specify a **quarantine policy**. If no policy is chosen, the default quarantine policy for spoof intelligence detections (DefaultFullAccessPolicy) will be used. _The quarantine policy name is displayed when you later review or edit anti-phishing policy settings_.

[![junk email folder](https://media.mailhop.org/duocircle/images/2024/08/dmarc-report-service-5.jpg)](https://media.mailhop.org/duocircle/images/2024/08/dmarc-report-service-5.jpg)
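
To see how the two settings on the **Actions** page interact, the following added example (not Microsoft's code and not from the original article) parses a sender's DMARC record and resolves which configured action would be taken. All names are hypothetical; it assumes that when the DMARC setting does not apply (setting off, or a policy other than `p=quarantine`/`p=reject`), the spoof intelligence action is used if the message was flagged as spoof.

```python
from dataclasses import dataclass

# Choices the Actions page offers per published DMARC policy (first = default).
ALLOWED = {"quarantine": ("quarantine", "junk"), "reject": ("reject", "quarantine")}
SPOOF_ACTIONS = ("quarantine", "junk")


def dmarc_policy(txt_record: str):
    """Return the p= value of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in txt_record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p") if tags.get("v") == "dmarc1" else None


@dataclass
class ActionSettings:
    honor_dmarc: bool = True
    on_quarantine: str = ALLOWED["quarantine"][0]
    on_reject: str = ALLOWED["reject"][0]
    spoof_action: str = SPOOF_ACTIONS[0]

    def __post_init__(self):
        # Refuse combinations the wizard does not offer, e.g. "reject" for p=quarantine.
        if self.on_quarantine not in ALLOWED["quarantine"]:
            raise ValueError(f"p=quarantine cannot map to {self.on_quarantine!r}")
        if self.on_reject not in ALLOWED["reject"]:
            raise ValueError(f"p=reject cannot map to {self.on_reject!r}")
        if self.spoof_action not in SPOOF_ACTIONS:
            raise ValueError(f"unknown spoof action {self.spoof_action!r}")


def resolve_action(settings, txt_record, dmarc_failed, spoof_detected):
    """Return 'reject', 'quarantine', 'junk', or 'none' (these settings do nothing)."""
    policy = dmarc_policy(txt_record) if txt_record else None
    if settings.honor_dmarc and dmarc_failed and policy in ALLOWED:
        return settings.on_quarantine if policy == "quarantine" else settings.on_reject
    # Assumption: otherwise the spoof intelligence action decides.
    if spoof_detected:
        return settings.spoof_action
    return "none"


# Constructed sample records for illustration.
REJECT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
QUARANTINE_RECORD = "v=DMARC1; p=quarantine"
NONE_RECORD = "v=DMARC1; p=none"

if __name__ == "__main__":
    lenient = ActionSettings(on_quarantine="junk", on_reject="quarantine")
    for rec in (REJECT_RECORD, QUARANTINE_RECORD, NONE_RECORD):
        print(rec, "->", resolve_action(lenient, rec, True, True))
```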

## Safety tips and indicators

### First contact safety tips

Configure whether you want to show a safety tip if a sender is **emailing the recipient** for the first time. 

### Unauthenticated senders indicators

If spoof intelligence is enabled, this setting adds a question mark (?) to the sender’s photo in the **From** box in Outlook when the message fails [SPF](/resources/what-is-spf), [DKIM](/resources/what-is-dkim), or [DMARC](/resources/what-is-dmarc) checks. This setting is enabled by default.

### Via tag

This setting is also available only when spoof intelligence is enabled. It adds a “via” tag to the From address if the domain in the [DKIM signature](https://medium.com/@rawatnimisha/dkim-signature-what-is-it-and-how-does-it-work-f4b8e4f18a4f) or **MAIL FROM address** is different from the domain in the From address. This setting is enabled by default. To enable it, select the check box. To disable it, clear the check box.

## Final steps

1. After configuring the settings on the **Actions** page, click **Next**.
2. On the **Review** page, review your settings. You can modify any section by clicking **Edit** or navigate back to a specific page in the **wizard**.
3. After carefully reviewing the settings, click **Submit**.

You are done. The new policy will now be listed on the Anti-phishing page. To view the policy details, check the **New Anti-Phishing Policy Created** page.

Exploring [DuoCircle](/) as an additional layer while enabling [Microsoft’s Exchange Online Protection (EOP)](https://www.techtarget.com/searchwindowsserver/definition/Microsoft-Exchange-Online-Protection-EOP) phishing policies through the Microsoft Defender portal can enhance your [email security](/content/email-security-services) strategy.

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

