Anti-Phishing
This section describes the design decisions associated with Anti-Phishing Microsoft 365 security features for system(s) built using ASD's Blueprint for Secure Cloud.
ATP anti-phishing protects users by checking incoming messages for indicators that the message may be spoofed by an impersonator or be part of a phishing campaign. Most phishing emails involve a malicious actor disguising themselves (spoofing) as an individual who is known to the recipient. The message is crafted in such a way that it can trick the user into clicking a link, downloading malware, or giving up their credentials.
Anti-phishing uses mailbox intelligence to build a profile of the communication habits of each user and maps out these relationship patterns. In the event of a phishing campaign, ATP will analyse the message behaviour against the user profiles to determine if the sender is legitimate or an impersonator.
Anti-spoof specifically analyses the sender's address to determine if it is legitimate or forged. Administrators can allow or block specific users from spoofing an internal domain, e.g. allowing an external organisation to send out advertising or products on behalf of the organisation.
Design Decisions
Decision Point | Design Decision | Justification |
---|---|---|
Office 365 ATP Anti-Phishing | Configured | Configured to meet ASD's PROTECT - Malicious Email Mitigation Strategies (June 2020). |
Impersonation Policy | | |
Add users to protect | Off | Add up to 60 internal and external users to be protected from being impersonated by attackers. |
Add domains to protect | Automatically include the domains I own: On; Include custom domains: Off | Specifies the domains to be protected from being impersonated by attackers. |
Actions | If email is sent by an impersonated user: Quarantine the message; If email is sent by an impersonated domain: Quarantine the message | Specifies the action to take in the event an attacker impersonates the users or domains specified. |
Mailbox Intelligence | Enable mailbox intelligence: On; Enable mailbox intelligence based impersonation protection: On; If an email is sent by an impersonated user: Quarantine the message | This feature uses machine learning to determine a user's email patterns with their contacts. With this information, the artificial intelligence can better distinguish between genuine and phishing emails. Impersonation protection enables Office 365 to customise user impersonation detection and better handle false positives. When user impersonation is detected, based on mailbox intelligence, the action to take on this message can be defined. |
Add trusted senders and domains | Not configured | Used when users interact with domains or users that trigger impersonation detection but are considered to be safe, e.g. if a partner has the same or a similar display name or domain name as a user defined on the list. |
Spoofing Policy | | |
Spoofing filter settings | Enable anti-spoofing protection: On | Enables the organisation to filter email from senders who are spoofing domains. |
Enable Unauthenticated Sender Feature | Enable Unauthenticated Sender: On | Displays a notification to users in Outlook when a sender fails authentication checks. |
Actions | If email is sent by someone who's not allowed to spoof the domain: Quarantine the message | Specifies the action to take in the event an unauthorised user spoofs a domain. |
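The on/off and action decisions in the table can be checked for drift against a tenant's policies. The following is an added example, not part of the Blueprint: the function name `Compare-AntiPhishBaseline` is hypothetical, the mapping from table rows to `Get-AntiPhishPolicy` property names is this example's assumption, and the sample policy object is constructed.

```powershell
# Baseline taken from the Design Decisions table. The mapping of each table row
# to an Exchange Online anti-phish policy property is an assumption of this example.
$Baseline = [ordered]@{
    EnableTargetedUserProtection        = $false        # Add users to protect: Off
    EnableOrganizationDomainsProtection = $true         # Automatically include the domains I own: On
    EnableTargetedDomainsProtection     = $false        # Include custom domains: Off
    TargetedUserProtectionAction        = 'Quarantine'  # Impersonated user action
    TargetedDomainProtectionAction      = 'Quarantine'  # Impersonated domain action
    EnableMailboxIntelligence           = $true         # Enable mailbox intelligence: On
    EnableMailboxIntelligenceProtection = $true         # Mailbox intelligence based impersonation protection: On
    MailboxIntelligenceProtectionAction = 'Quarantine'  # Mailbox intelligence action
    EnableSpoofIntelligence             = $true         # Enable anti-spoofing protection: On
    EnableUnauthenticatedSender         = $true         # Enable Unauthenticated Sender: On
    AuthenticationFailAction            = 'Quarantine'  # Sender not allowed to spoof the domain
}

function Compare-AntiPhishBaseline {
    param([Parameter(Mandatory)] $Policy,
          [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected)
    foreach ($name in $Expected.Keys) {
        $prop   = $Policy.PSObject.Properties[$name]
        $actual = if ($prop) { $prop.Value } else { '<missing>' }
        # Compare as strings so enum values returned by the cmdlet match the baseline text.
        if ("$actual" -ne "$($Expected[$name])") {
            [pscustomobject]@{ Policy = $Policy.Name; Setting = $name
                               Expected = $Expected[$name]; Actual = $actual }
        }
    }
}

# Constructed sample standing in for one object returned by Get-AntiPhishPolicy.
# Three settings deviate from the baseline; AuthenticationFailAction is absent.
$sample = [pscustomobject]@{
    Name                                = 'Constructed Sample Policy'
    EnableTargetedUserProtection        = $false
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $false
    TargetedUserProtectionAction        = 'Quarantine'
    TargetedDomainProtectionAction      = 'MoveToJmf'   # drift: junk folder instead of quarantine
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'NoAction'    # drift: detection without an action
    EnableSpoofIntelligence             = $true
    EnableUnauthenticatedSender         = $false        # drift: Outlook notification disabled
}
Compare-AntiPhishBaseline -Policy $sample -Expected $Baseline | Format-Table -AutoSize

# Against a live tenant (requires the ExchangeOnlineManagement module and Connect-ExchangeOnline):
# Get-AntiPhishPolicy | ForEach-Object { Compare-AntiPhishBaseline -Policy $_ -Expected $Baseline }
```

Run against the constructed sample, the function reports four rows: the three deviating settings plus `AuthenticationFailAction`, which the sample omits and is therefore shown as `<missing>`.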
Related information
Security & Governance
- None identified
Design
- None identified
Configuration
- None identified
References
- None identified