Tune anti-phishing protection

Although Microsoft 365 comes with a variety of anti-phishing features that are enabled by default, it's possible that some phishing messages could still get through to mailboxes in your organization. This article describes what you can do to discover why a phishing message got through, and what you can do to adjust the anti-phishing settings in your Microsoft 365 organization without accidentally making things worse.

First things first: deal with any compromised accounts and make sure you block any more phishing messages from getting through

If a recipient's account was compromised as a result of the phishing message, follow the steps in Responding to a compromised email account in Microsoft 365.

If your subscription includes Microsoft Defender for Office 365, you can use Office 365 Threat Intelligence to identify other users who also received the phishing message. You have additional options to block phishing messages:

Verify these policies are working. Safe Links and Safe Attachments protection is turned on by default, thanks to Built-in protection in preset security policies. Anti-phishing has a default policy that applies to all recipients where anti-spoofing protection is turned on by default. Impersonation protection isn't turned on in the policy, and therefore needs to be configured. For instructions, see Configure anti-phishing policies in Microsoft Defender for Office 365.

Report the phishing message to Microsoft

Reporting phishing messages is helpful in tuning the filters that are used to protect all customers in Microsoft 365. For instructions, see Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft.

Inspect the message headers

You can examine the headers of the phishing message to see if there's anything that you can do yourself to prevent more phishing messages from coming through. In other words, examining the messages headers can help you identify any settings in your organization that were responsible for allowing the phishing messages in.

Specifically, you should check the X-Forefront-Antispam-Report header field in the message headers for indications of skipped filtering for spam or phishing in the Spam Filtering Verdict (SFV) value. Messages that skip filtering have an entry of SCL:-1, which means one of your settings allowed this message through by overriding the spam or phishing verdicts that were determined by the service. For more information on how to get message headers and the complete list of all available anti-spam and anti-phishing message headers, see Anti-spam message headers in Microsoft 365.


You can copy and paste the contents of a message header into the Message Header Analyzer tool. This tool helps parse headers and put them into a more readable format.

You can also use the configuration analyzer to compare your EOP and Defender for Office 365 security policies to the Standard and Strict recommendations.

Best practices to stay protected