Although Microsoft 365 includes many anti-phishing features, some phishing messages can still be delivered to mailboxes in your organization. This article describes how to discover why a phishing message was delivered, and how to adjust anti-phishing settings without accidentally making things worse.
First things first: deal with any compromised accounts and make sure you block any more phishing messages from getting through
If a recipient's account was compromised as a result of the phishing message, follow the steps in Responding to a compromised cloud email account.
If you have Microsoft Defender for Office 365 (included in some subscriptions or available as an add-on), you can use Threat Explorer or real-time detections (the hunting tools of Office 365 Threat Intelligence) to identify other users who also received the phishing message. Defender for Office 365 also includes more ways to block phishing messages:
- Safe Links in Microsoft Defender for Office 365
- Safe Attachments in Microsoft Defender for Office 365
- Configure anti-phishing policies in Microsoft Defender for Office 365. You can temporarily increase the Phishing email threshold in the policy from Standard to Aggressive, More aggressive, or Most aggressive.
Verify that these policies are working. Safe Links and Safe Attachments protection is turned on by default via Built-in protection in preset security policies. Anti-phishing has a default policy that applies to all recipients, and anti-spoofing protection is turned on by default in it. Impersonation protection (user and domain impersonation, mailbox intelligence) isn't turned on in the default policy, so it needs to be configured explicitly. For instructions, see Configure anti-phishing policies in Microsoft Defender for Office 365.
Report the phishing message to Microsoft
Reporting phishing messages is helpful in tuning the filters that are used to protect all customers in Microsoft 365. For instructions, see Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft.
Inspect the message headers
You can examine the headers of the phishing message to see if there's anything that you can do yourself to prevent more phishing messages from coming through. In other words, examining the message headers can help you identify any settings in your organization that were responsible for letting the phishing message in.
Specifically, check the X-Forefront-Antispam-Report header field for indications that spam or phishing filtering was skipped. Messages that skip filtering have SCL:-1, and the Spam Filtering Verdict (SFV) value says why: for example, SFV:SKN (the message was marked as not spam before filtering, typically by a mail flow rule), SFV:SKA (the sender is in the allowed senders or allowed domains list of an anti-spam policy), or SFV:SFE (the sender is in the recipient's Safe Senders list). Any of these values means one of your settings overrode the phishing verdict and allowed delivery of the message. Also compare the compauth= result in the Authentication-Results header: a message that failed composite authentication and still bypassed filtering is exactly the spoofed phish that the override let through. For more information on how to get message headers and the complete list of all available anti-spam and anti-phishing message headers, see Anti-spam message headers.
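The check described above, as an added example that is not part of the Microsoft article: it reads the headers of a saved message, decodes the SCL, SFV and CAT values from X-Forefront-Antispam-Report and the spf/dmarc/compauth results from Authentication-Results, and reports whether a tenant or user setting bypassed filtering. The SFV meanings are the documented ones; the "what to review" hints per verdict are this editor's mapping, and the two sample messages (IP 203.0.113.45, hosts under example.net and contoso.com) are constructed.

```python
import email
import re

# Spam Filtering Verdict (SFV) values documented for X-Forefront-Antispam-Report.
SFV_MEANING = {
    "NSPM": "filtered and judged not spam",
    "SPM": "filtered and judged spam",
    "SKN": "skipped filtering: marked not spam before filtering (for example, by a mail flow rule)",
    "SKI": "skipped filtering for another reason (for example, intra-organization mail)",
    "SKA": "skipped filtering: sender on an allowed senders or allowed domains list in an anti-spam policy",
    "SKB": "marked spam before filtering: sender on a blocked senders or blocked domains list",
    "SKS": "marked spam before filtering (for example, by a mail flow rule)",
    "SKQ": "released from quarantine",
    "SFE": "skipped filtering: sender in the recipient's Safe Senders list",
    "BLK": "skipped filtering: sender in the recipient's Blocked Senders list",
}
# Verdicts that mean a tenant or user setting admitted the message regardless of
# the filter, mapped to the setting to review (editor's mapping, not from the article).
OVERRIDE_REVIEW = {
    "SKN": "mail flow (transport) rules that set SCL to -1 or bypass spam filtering",
    "SKI": "intra-organization handling and any connector that delivers mail for your domain",
    "SKA": "allowed senders and allowed domains in the anti-spam policy (never list your own domains)",
    "SFE": "the recipient's Outlook Safe Senders list",
    "SKQ": "who released the message from quarantine, and why",
}


def parse_antispam_report(value: str) -> dict:
    """Split 'CIP:...;SCL:-1;SFV:SKN;...' into {KEY: value}; folded lines are joined first."""
    fields = {}
    for part in re.sub(r"\s+", "", value).split(";"):
        key, _, val = part.partition(":")
        if key:
            fields[key.upper()] = val
    return fields


def parse_auth_results(value: str) -> dict:
    """Pull spf=, dkim=, dmarc=, compauth= and reason= out of Authentication-Results."""
    wanted, results = {"spf", "dkim", "dmarc", "compauth", "reason"}, {}
    for token in re.split(r"[;\s]+", value):
        key, sep, val = token.partition("=")
        if sep and key in wanted and key not in results:  # first occurrence wins
            results[key] = val
    return results


def explain_delivery(raw_message: str) -> dict:
    """Return the key verdict fields plus findings on why the message was delivered."""
    msg = email.message_from_string(raw_message)
    report = parse_antispam_report(msg.get("X-Forefront-Antispam-Report", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    scl, sfv, cat = report.get("SCL", ""), report.get("SFV", ""), report.get("CAT", "")
    bypassed = scl == "-1" or sfv in OVERRIDE_REVIEW
    findings = []
    if scl == "-1":
        findings.append("SCL:-1 - the message bypassed spam and phishing filtering")
    if sfv in SFV_MEANING:
        findings.append(f"SFV:{sfv} - {SFV_MEANING[sfv]}")
    if sfv in OVERRIDE_REVIEW:
        findings.append("Review: " + OVERRIDE_REVIEW[sfv])
    if auth.get("compauth", "").startswith("fail"):
        findings.append(f"compauth=fail reason={auth.get('reason', '?')} - the From domain was not authenticated")
        if bypassed:
            findings.append("An unauthenticated (likely spoofed) message reached the mailbox because of that override")
    return {"scl": scl, "sfv": sfv, "cat": cat, "cip": report.get("CIP", ""),
            "spf": auth.get("spf", ""), "dmarc": auth.get("dmarc", ""),
            "compauth": auth.get("compauth", ""), "reason": auth.get("reason", ""),
            "bypassed": bypassed, "findings": findings}


# Constructed sample messages (headers only); the IP and host names are documentation values.
AUTH_FAIL = ("Authentication-Results: spf=fail (sender IP is 203.0.113.45)\n"
             " smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;\n"
             " dmarc=fail action=oreject header.from=contoso.com; compauth=fail reason=001\n")
SAMPLE_BYPASSED = (AUTH_FAIL +
    "X-Forefront-Antispam-Report: CIP:203.0.113.45;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;\n"
    " SFV:SKN;H:mail.example.net;PTR:mail.example.net;CAT:NONE;SFS:;DIR:INB;\n"
    "From: \"CEO\" <ceo@contoso.com>\nTo: finance@contoso.com\nSubject: Urgent wire\n\nPay today.\n")
SAMPLE_FILTERED = (AUTH_FAIL +
    "X-Forefront-Antispam-Report: CIP:203.0.113.45;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;\n"
    " SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:PHSH;SFS:;DIR:INB;\n"
    "From: \"CEO\" <ceo@contoso.com>\nTo: finance@contoso.com\nSubject: Urgent wire\n\nPay today.\n")

if __name__ == "__main__":
    for name, sample in (("bypassed", SAMPLE_BYPASSED), ("filtered", SAMPLE_FILTERED)):
        print(name, explain_delivery(sample)["findings"])
```

Save the message from Outlook as .eml (or paste the header block into a file) and pass its text to explain_delivery. The first sample is the case this article is about: composite authentication failed (compauth=fail), yet SCL:-1 with SFV:SKN shows a mail flow rule handed the message straight to the inbox. The second sample carries the same authentication failure but was filtered normally (SCL:5, CAT:PHSH), so nothing in the tenant needs fixing for it.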
Tip
You can copy and paste the contents of a message header into the Message Header Analyzer tool. This tool helps parse headers and presents them in a human readable format.
You can also use the configuration analyzer to compare your threat policies to the Standard and Strict recommendations.
Best practices to stay protected
On a monthly basis, review Microsoft Secure Score to assess your organization's security settings and work through its recommended actions.
Use Threat Explorer and real-time detections to search for good messages quarantined by mistake (false positives) or bad messages that were delivered (false negatives). You can search by sender, recipient, or message ID. For a quarantined message, use the Detection technology value to choose the appropriate kind of override (allow entry) for it. For a delivered message, view which policy or override allowed the message.
Email from spoofed senders (the From address doesn't match the source of the message) is classified as phishing in Defender for Office 365. Some spoofing is benign (for example, a non-Microsoft service that legitimately sends mail as your domain), and some users might want to receive messages from specific spoofed senders that were blocked.
Periodically review the following features to identify benign or desired messages identified as spoofing:
- Spoof intelligence insight
- Entries for spoofed senders in the Tenant Allow/Block List
- Spoof detections report
After you configure any necessary overrides, you can confidently configure spoof intelligence in anti-phishing policies to Quarantine suspicious messages instead of delivering them to the user's Junk Email folder.
In Defender for Office 365, you can also use the Impersonation insight page at https://security.microsoft.com/impersonationinsight to track user impersonation or domain impersonation detections. For more information, see Impersonation insight in Defender for Office 365.
Periodically review the Threat Protection Status report for phishing detections.
Don't include your Microsoft 365 domains in the allowed senders list or the allowed domains list in anti-spam policies. Although this configuration stops some legitimate messages from being blocked, it also delivers malicious messages that the spam and phishing filters would normally block, because spoofing your own domain is a common phishing technique and the allow entry skips filtering for every message that claims to come from it. Instead of allowing the domain, correct the underlying email delivery problem.
If Microsoft 365 blocks legitimate messages from senders in your Microsoft 365 domain, completely configure the SPF, DKIM, and DMARC records in DNS for all of your Microsoft 365 domains:
- Verify that your SPF record identifies all sources of email for your domain (don't forget non-Microsoft services that send as your domain!).
- To ensure that destination email systems can reject messages from unauthorized sources for your domain, use hard fail (-all) in the SPF record. Soft fail (~all) only marks such messages, it doesn't reject them. You can use the spoof intelligence insight to help identify senders using your domain so you can include all authorized non-Microsoft senders in your SPF record.
For configuration instructions, see the articles on setting up SPF, DKIM, and DMARC for Microsoft 365.
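A pre-publication check for the SPF advice above, as an added example that is not from the Microsoft article: it parses an SPF TXT record, reports the qualifier on the final all term (only -all is a hard fail), counts the terms that cost a DNS lookup against the RFC 7208 limit of 10, and flags the deprecated ptr mechanism and anything placed after all (which receivers ignore). It does no DNS queries, so it runs offline; the three sample records are constructed, with spf.protection.outlook.com as the Microsoft 365 include and _spf.crm.example standing in for a non-Microsoft sender.

```python
# Mechanisms and modifiers that each cost one DNS lookup under RFC 7208 (limit: 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# What each qualifier on the final 'all' term tells a receiving mail system.
ALL_MEANING = {
    "-": "hard fail: receivers should reject unlisted sources",
    "~": "soft fail: unlisted sources are only marked, not rejected",
    "?": "neutral: unlisted sources are treated as if no record existed",
    "+": "pass: every source is authorized (this disables SPF)",
}


def analyze_spf(record: str) -> dict:
    """Static checks on one SPF TXT record string; no DNS is consulted."""
    problems, terms, lookups, all_qualifier = [], [], 0, None
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return {"valid": False, "all_qualifier": None, "hard_fail": False,
                "lookups": 0, "terms": [], "problems": ["record does not start with v=spf1"]}
    for tok in tokens[1:]:
        if all_qualifier is not None:  # RFC 7208: terms after 'all' are never evaluated
            problems.append(f"'{tok}' comes after 'all' and is ignored")
            continue
        if "=" in tok:  # modifier such as redirect=domain or exp=domain
            name, _, arg = tok.partition("=")
            qualifier = ""
        else:  # mechanism, optionally prefixed with a qualifier
            qualifier = "+"
            if tok[0] in "+-~?":
                qualifier, tok = tok[0], tok[1:]
            name, _, arg = tok.partition(":")
            name = name.split("/", 1)[0]  # 'a/24' or 'mx/24': CIDR with no domain argument
        name = name.lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            problems.append("ptr is deprecated (slow and unreliable); use ip4/ip6/include instead")
        if name == "all":
            all_qualifier = qualifier
        terms.append((qualifier, name, arg))
    if all_qualifier is None:
        problems.append("no 'all' term: unlisted sources get a neutral result, so receivers cannot reject them")
    elif all_qualifier != "-":
        problems.append(f"'{all_qualifier}all' is {ALL_MEANING[all_qualifier]}; use '-all' so unauthorized sources are rejected")
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror at the receiver)")
    return {"valid": True, "all_qualifier": all_qualifier, "hard_fail": all_qualifier == "-",
            "lookups": lookups, "terms": terms, "problems": problems}


# Constructed sample records: the first is what a Microsoft 365 domain with one
# extra IP range should look like; the other two show common weaknesses.
SAMPLES = {
    "good": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all",
    "soft": "v=spf1 include:spf.protection.outlook.com include:_spf.crm.example ~all",
    "open": "v=spf1 a mx ptr include:spf.protection.outlook.com",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        result = analyze_spf(record)
        print(f"{label}: hard_fail={result['hard_fail']} lookups={result['lookups']}")
        for problem in result["problems"]:
            print("   -", problem)
```

Run it against the record you intend to publish (for example, the output of a TXT lookup on your domain). The "open" sample is the one that keeps phishing flowing: with no all term at all, a receiver that checks SPF gets a neutral result for a spoofed source and has no grounds to reject it, and the ptr mechanism adds lookups for no benefit. Fix the record until problems is empty, then add DKIM and DMARC so the destination can act on the result.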
We recommend that mail for your Microsoft 365 domain is delivered directly to Microsoft 365 (point the MX record of your Microsoft 365 domain to Microsoft 365). If you must use a non-Microsoft service in front of Microsoft 365, use Enhanced Filtering for Connectors. For instructions, see Enhanced Filtering for Connectors in Exchange Online.
Have users use the built-in Report button in Outlook. Configure the user reported settings to send user reported messages to a reporting mailbox, to Microsoft, or both. User reported messages are then available to admins on the User reported tab on the Submissions page at https://security.microsoft.com/reportsubmission?viewid=user. Admins can report user reported messages, or any other messages, to Microsoft as described in Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft. User or admin reporting of false positives and false negatives to Microsoft is important, because it helps train the detection systems.
Multifactor authentication (MFA) is an effective way to limit account compromise when a user does fall for a phishing message and gives up a password. You should strongly consider enabling MFA for all of your users. For a phased approach, start by enabling MFA for your most sensitive users (admins, executives, etc.) before you enable MFA for everyone. For instructions, see Set up multifactor authentication.
Forwarding rules to external recipients are often created by attackers in a compromised mailbox to exfiltrate data. Use the Review mailbox forwarding rules information in Microsoft Secure Score to find, and even prevent, forwarding rules to external recipients. For more information, see Mitigating Client External Forwarding Rules with Secure Score.
Use the Autoforwarded messages report to view specific details about forwarded email.