defender for office 365 impersonation

eg1995 1,156 Reputation points
2023-04-03T13:49:45.1733333+00:00

hi team,

I have an inquiry about defender for office 365 p1 impersonation.

we can create policies to protect users and domains against impersonation.

lets take the below scenario:

i have protected my user: ******@contoso.com and my domain contoso.com as well.

an attacker now has a legit smtp server and whitelisted public IP address and hes trying to impersonate user1 by modifying the username to userl and the domain to contos0.com. output: ******@contos0.com.

now after doing this, he is sending an email to an extenal user: ******@fabricam.com.

how the impersonation policy here will protect user 2 who is in a different organization from receiving this email that looks like an email sent from my organization?

i need to understand how impersonation rules will protect external users from receivng emails that look like emails sent from my organization?

Exchange Online
Exchange Online
A Microsoft email and calendaring hosted service.
6,198 questions
{count} votes

Accepted answer
  1. Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff
    2023-04-04T04:00:20.75+00:00

    Hi @ eg1995 ,

    Impersonation policies only protect users within your organization from message attacks from impersonated senders. For external users receiving messages that impersonate addresses in your domain, you cannot protect them from your defender portal. Because this message doesn't flow through your tenant.If possible, we recommend that this external tenant also enable impersonation insights or use spam protection in their mail system.

    Here is an article about Impersonation insight in Defender for Office 365 for your reference: Impersonation insight - Office 365 | Microsoft Learn

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.