Enabling Microsoft’s Exchange Online Protection (EOP) phishing policies using the Microsoft Defender portal

by Duocircle

 

There is a default anti-phishing policy that applies to all recipients, but creating custom policies gives better protection. To configure anti-phishing policies, you need to be assigned permissions in the Microsoft Defender portal. Once you have the required permissions, you can go ahead and make modifications.

Steps to configure the anti-phishing policies using the Microsoft Defender portal

  1. Open the Microsoft Defender portal.
  2. Go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the Policies section. You can directly go to the anti-phishing page here.
  3. Click the ‘+’ sign to open the new anti-phishing policy wizard.
  4. On the Policy name page, enter a unique, descriptive name and an optional description for the policy in the designated boxes.
  5. Click Next.
  6. On the Users, groups, and domains page, identify the internal recipients that the policy applies to:
    • Users: This includes the specified mailboxes, mail users, and mail contacts.
    • Groups: This includes the members of the specified distribution groups or mail-enabled security groups. Microsoft 365 groups are also counted under it.
    • Domains: This includes all recipients in the organization whose primary email address is in the specified accepted domain.

 


Click the checkboxes that are appropriate for your domain and start typing a value to pick the one you want from the results. Repeat this process as often as needed. To remove an existing value, click X next to the value.

Names, display names, aliases, email addresses, account names, and other identifiers can be used for users or groups. However, the corresponding display name will be shown in the results. For users or groups, enter an asterisk (*) by itself to see all available values.

Please remember that you can use a condition only one time. However, a condition is not restricted to a single value; it can have multiple values.

  • Multiple values within the same condition use OR logic (e.g., `<recipient1>` or `<recipient2>`). If the recipient matches any of the specified values, the policy is applied.
  • Different types of conditions use AND logic, meaning the recipient must meet all specified conditions for the policy to apply. For example, if you configure a condition with the following values:
    • Users: brad@contoso.com
    • Groups: Executives

The policy will apply to brad@contoso.com only if he is also a member of the Executives group. Otherwise, the policy will not apply to him.

  • You can exclude certain users, groups, and domains for the internal recipients to which the policy applies. Please note that you can use an exception just once. However, the exception can include multiple values.
  • Multiple values within the same exception use OR logic (e.g., `<recipient1>` or `<recipient2>`). If the recipient matches any of the specified values, the policy is not applied to them.
  • Different types of exceptions use OR logic (for example, `<recipient1>` or `<member of group1>` or `<member of domain1>`). If the recipient matches any of the specified exceptions, the policy does not apply to them.

Once done, click Next.
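The way conditions and exceptions combine is easy to misread, so here it is modeled as code. This is an added example, not code from the article or from Microsoft; `Recipient`, `PolicyScope`, `applies_to` and the `Contractors` group are hypothetical names used only for illustration.

```python
# Added example: models how recipient conditions and exceptions combine.
# Recipient, PolicyScope and applies_to are hypothetical names, not a Microsoft API.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Recipient:
    address: str
    groups: frozenset = frozenset()


@dataclass
class PolicyScope:
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    except_users: set = field(default_factory=set)
    except_groups: set = field(default_factory=set)
    except_domains: set = field(default_factory=set)

    @staticmethod
    def _checks(r, users, groups, domains):
        """One result per configured type; values inside a type use OR."""
        addr = r.address.lower()
        out = []
        if users:
            out.append(addr in {u.lower() for u in users})
        if groups:
            out.append(bool(r.groups & groups))
        if domains:
            out.append(addr.rsplit("@", 1)[-1] in {d.lower() for d in domains})
        return out

    def applies_to(self, r):
        # Exception types use OR: a single match excludes the recipient.
        if any(self._checks(r, self.except_users, self.except_groups, self.except_domains)):
            return False
        # Condition types use AND: every configured type must match.
        # Assumption of this model: a scope with no conditions matches nobody.
        included = self._checks(r, self.users, self.groups, self.domains)
        return bool(included) and all(included)


# Constructed sample scope, built on the article's brad@contoso.com example.
scope = PolicyScope(users={"brad@contoso.com", "ann@contoso.com"},
                    groups={"Executives"}, except_groups={"Contractors"})
```

Running a planned scope through a model like this before submitting the wizard shows which mailboxes an added condition type silently drops from coverage.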

7. You will be directed to the Phishing threshold & protection page, where you have to use the Enable spoof intelligence check box to enable or disable the spoof intelligence feature. The setting is selected by default, and it’s a good practice to leave it selected. But you can choose to clear the check box to disable spoof intelligence.

On the next page, you specify the action to be taken on messages from blocked spoofed senders.

 


8. On the Actions page, modify these settings:

  • Honor DMARC record policy when the message is detected as spoof: This setting lets you control the action when a sender fails DMARC checks, and the DMARC policy is set to either ‘p=quarantine’ or ‘p=reject.’
    • If a message is identified as spoofed and the DMARC policy is set to p=quarantine, you can choose to either quarantine the message (this is the default action) or move the message to the recipients’ Junk Email folders.
    • If a message is detected as spoofed and the DMARC policy is set to p=reject, you can choose to either quarantine the message or reject the message (this is the default action).
  • If the message is detected as a spoof by spoof intelligence: If spoof intelligence is enabled (on the previous page), you can choose how to handle messages from blocked spoofed senders.
    • Quarantine the message: If selected, you’ll need to specify a quarantine policy. If no policy is chosen, the default quarantine policy for spoof intelligence detections (DefaultFullAccessPolicy) will be used. The quarantine policy name is displayed when you later review or edit anti-phishing policy settings.

 


Safety tips and indicators

 

First contact safety tips

Configure whether you want to show a safety tip if a sender is emailing the recipient for the first time. 

 

Unauthenticated senders indicators

If spoof intelligence is enabled, this setting adds a question mark (?) to the sender’s photo in the From box in Outlook when the message fails SPF, DKIM, or DMARC checks. This setting is enabled by default.

 

Via tag

This setting is also available only when spoof intelligence is enabled. It adds a “via” tag to the From address if the domain in the DKIM signature or MAIL FROM address is different from the domain in the From address. It is enabled by default. To enable it, select the check box. To disable it, clear the check box.

 

 

Final steps

  1. After configuring the settings on the Actions page, click Next.
  2. On the Review page, review your settings. You can modify any section by clicking Edit or navigate back to a specific page in the wizard.
  3. After carefully reviewing the settings, click Submit.

You are done. The new policy will now be listed on the Anti-phishing page. To view the policy details, check the New Anti-Phishing Policy Created page.

Exploring DuoCircle as an additional layer while enabling Microsoft’s Exchange Online Protection (EOP) phishing policies through the Microsoft Defender portal can enhance your email security strategy.
