Impersonation and 'allowed to impersonate list'

DaNmAN 201 Reputation points
2021-02-05T14:45:48.417+00:00

Hi

Our phishing policy ensures that an email with any of the following categorisations of email impersonation is passed to Quarantine for the user to review: GIM, DIMP, UIMP.

We have been advised by Microsoft that for genuine emails we should release the message, report it to Microsoft and have the user reply back and forth; this should be enough for the system to machine learn, and eventually these emails will no longer hit quarantine.

I have tested this.

I created a Hotmail account with a similar name to my corp account. I sent the email from Hotmail to my corp account and the email was passed to quarantine for impersonation. I released the email, reported it to Microsoft and then was able to reply from my Hotmail account to my corp account.

However, I still cannot simply send a fresh email from my Hotmail account to my corp account, as this will hit quarantine.

In the report section of protection.office.com I can see my Hotmail account and it gives me the option to add this to the 'allowed to impersonate list'.

So what's the play here? Do we wait for machine learning to kick in or do we need to add this account to the 'allowed to impersonate list'?


1 answer

  1. Andy David - MVP 150.6K Reputation points MVP
    2021-02-05T15:08:47.193+00:00

    No, you don't want to add that there. That list is for external domains or users that can spoof internal ones.
    What's going on here is the machine learning / mailbox intelligence stuff, yes.

    The way you get around that is to add the sender to your personal Safe Sender list in Outlook/OWA. That should be the way you and your users allow these.
    That way, it only applies to that sender for that recipient mailbox.

    If you wanted to allow a domain or user at a tenant level to spoof your domain or specific user, then I would set a transport rule to allow that for that scenario.

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide
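
An added example, not part of the answer above and not Microsoft's own code: an admin-side way to make the per-mailbox Safe Senders entry the answer describes, kept scoped to one full sender address for one recipient. It assumes the ExchangeOnlineManagement module with an active `Connect-ExchangeOnline` session; the function name `Add-ScopedSafeSender` and the addresses in the usage line are hypothetical placeholders.

```powershell
# Added example. Assumes an existing Connect-ExchangeOnline session.
# Add-ScopedSafeSender is a hypothetical helper name, not a built-in cmdlet.
function Add-ScopedSafeSender {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Mailbox,   # recipient mailbox
        [Parameter(Mandatory)] [string] $Sender     # one external sender address
    )

    # Accept only a single full address, never a bare domain or display-name form.
    try   { $addr = [System.Net.Mail.MailAddress]::new($Sender) }
    catch { throw "'$Sender' is not a full email address; domain-wide entries are refused." }
    if ($addr.Address -ne $Sender) { throw "Pass the bare address only, got '$Sender'." }

    # Refuse senders on the tenant's own accepted domains: that would be a
    # spoofing allowance, which does not belong in a per-user Safe Senders list.
    $ownDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }
    if ($ownDomains -contains $addr.Host) {
        throw "'$($addr.Host)' is an accepted domain of this tenant; not adding."
    }

    # Skip the write if the entry is already there.
    $cfg = Get-MailboxJunkEmailConfiguration -Identity $Mailbox -ErrorAction Stop
    if ($cfg.TrustedSendersAndDomains -contains $addr.Address) {
        Write-Verbose "$($addr.Address) is already a safe sender for $Mailbox."
        return $false
    }

    if ($PSCmdlet.ShouldProcess($Mailbox, "Add $($addr.Address) to Safe Senders")) {
        # @{Add=...} appends to the list instead of replacing the user's entries.
        Set-MailboxJunkEmailConfiguration -Identity $Mailbox `
            -TrustedSendersAndDomains @{ Add = $addr.Address } -ErrorAction Stop

        # Read the setting back so the change is confirmed, not assumed.
        $after = Get-MailboxJunkEmailConfiguration -Identity $Mailbox
        return ($after.TrustedSendersAndDomains -contains $addr.Address)
    }
    return $false
}

# Dry run with placeholder addresses; remove -WhatIf to apply.
Add-ScopedSafeSender -Mailbox 'user@contoso.example' `
    -Sender 'user.lookalike@mail.example' -WhatIf -Verbose
```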

