defender for office 365 impersonation

Question

defender for office 365 impersonation

eg1995 1,156

hi team,

I have an inquiry about defender for office 365 p1 impersonation.

we can create policies to protect users and domains against impersonation.

lets take the below scenario:

i have protected my user: ******@contoso.com and my domain contoso.com as well.

an attacker now has a legit smtp server and whitelisted public IP address and hes trying to impersonate user1 by modifying the username to userl and the domain to contos0.com. output: ******@contos0.com.

now after doing this, he is sending an email to an extenal user: ******@fabricam.com.

how the impersonation policy here will protect user 2 who is in a different organization from receiving this email that looks like an email sent from my organization?

i need to understand how impersonation rules will protect external users from receivng emails that look like emails sent from my organization?

Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff

2023-04-11T02:04:42.0866667+00:00

Hi @ eg1995 ,

Just checking in to see how things are going on with this thread.

If the reply was helpful, you can click the "Accept Answer" button under this post so that other's with similar question can benefit from this thread as well.

If you still have further questions or concerns, feel free to post back.

Accepted answer

0 additional answers

Your answer

Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff

2023-04-11T02:04:42.0866667+00:00

Hi @ eg1995 ,

Just checking in to see how things are going on with this thread.

If the reply was helpful, you can click the "Accept Answer" button under this post so that other's with similar question can benefit from this thread as well.

If you still have further questions or concerns, feel free to post back.

Answer 1

Aholic Liang-MSFT 13,886 Microsoft External Staff

Hi @ eg1995 ,

Impersonation policies only protect users within your organization from message attacks from impersonated senders. For external users receiving messages that impersonate addresses in your domain, you cannot protect them from your defender portal. Because this message doesn't flow through your tenant.If possible, we recommend that this external tenant also enable impersonation insights or use spam protection in their mail system.

Here is an article about Impersonation insight in Defender for Office 365 for your reference: Impersonation insight - Office 365 | Microsoft Learn

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

eg1995 1,156 Reputation points

2023-04-04T05:10:37.08+00:00

can you elaborate on that? as when i am adding my domain in the impersonation protected domains list, my understanding would be that i am protecting my domain from being impersonated. else what would be the added value for me? if my domain can me impersonated from external users. i am looking to protect my domain completely
Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff

2023-04-05T10:01:38.2833333+00:00

Hi @ eg1995 , Impersonation insights in Office 365 Defender typically add external sender domains instead of your sending domain.

What you add is a external sending domain that you trust, which can be impersonated by an attacker and send spam similar to that from this trusted domain to your organization.

When you add the trusting domain, all message senders sent to your organization are compared to the domains listed in this list to quickly identify messages from impersonated senders or sender domains that have been configured for impersonation protection.

Share via

defender for office 365 impersonation

Here is an article about Impersonation insight in Defender for Office 365 for your reference: Impersonation insight - Office 365 | Microsoft Learn

0 additional answers

Your answer