anti-phishing-protection-about.md

title	f1.keywords	ms.author	author	manager	audience	ms.topic	ms.localizationpriority	search.appverid	ms.assetid	ms.collection	ms.custom	description	ms.service	ms.date	appliesto
Anti-phishing protection	NOCSH	chrisda	chrisda	deniseb	ITPro	conceptual	medium	MET150	75af74b2-c7ea-4556-a912-8c48e07271d3	m365-security tier2	TopSMBIssues	Admins can learn about the anti-phishing protection features in Exchange Online Protection (EOP) and Microsoft Defender for Office 365.	defender-office-365	07/24/2023	✅ <a href="https://learn.microsoft.com/defender-office-365/eop-about" target="_blank">Exchange Online Protection</a> ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a> ✅ <a href="https://learn.microsoft.com/defender-xdr/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a>

Anti-phishing protection in Microsoft 365

[!INCLUDE MDO Trial banner]

Phishing is an email attack that tries to steal sensitive information in messages that appear to be from legitimate or trusted senders. There are specific categories of phishing. For example:

• Spear phishing uses focused, customized content that's specifically tailored to the targeted recipients (typically, after reconnaissance on the recipients by the attacker).

• Whaling is directed at executives or other high value targets within an organization for maximum effect.

• Business email compromise (BEC) uses forged trusted senders (financial officers, customers, trusted partners, etc.) to trick recipients into approving payments, transferring funds, or revealing customer data. Learn more by watching this video.

• Ransomware that encrypts your data and demands payment to decrypt it almost always starts in phishing messages. Anti-phishing protection can't help you decrypt encrypted files, but it can help detect the initial phishing messages that are associated with the ransomware campaign. For more information about recovering from a ransomware attack, see Ransomware incident response playbooks.

With the growing complexity of attacks, it's even difficult for trained users to identify sophisticated phishing messages. Fortunately, Exchange Online Protection (EOP) and the additional features in Microsoft Defender for Office 365 can help.

Anti-phishing protection in EOP

Microsoft 365 organizations with mailboxes in Exchange Online or standalone EOP organizations without Exchange Online mailboxes contain the following features that help protect your organization from phishing threats:

• Spoof intelligence: Use the spoof intelligence insight to review detected spoofed senders in messages from external and internal domains, and manually allow or block those detected senders. For more information, see Spoof intelligence insight in EOP.

• Anti-phishing policies in EOP: Turn spoof intelligence on or off, turn unauthenticated sender indicators in Outlook on or off, and specify the action for blocked spoofed senders. For more information, see Configure anti-phishing policies in EOP.

  Honor the sender's DMARC policy when the message is detected as spoof: Control what happens to messages where the sender fails explicit DMARC checks and the DMARC policy is set to p=quarantine or p=reject. For more information, see Spoof protection and sender DMARC policies.

• Allow or block spoofed senders in the Tenant Allow/Block List: When you override the verdict in the spoof intelligence insight, the spoofed sender becomes a manual allow or block entry that only appears on the Spoofed senders tab on the Tenant Allow/Block Lists page at https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem. You can also manually create allow or block entries for spoofed senders before they're detected by spoof intelligence. For more information, see Spoofed senders in the Tenant Allow/Block List.

• Implicit email authentication: EOP enhances standard email authentication checks for inbound email (SPF, DKIM, and DMARC with sender reputation, sender history, recipient history, behavioral analysis, and other advanced techniques to help identify forged senders. For more information, see Email authentication in Microsoft 365.

Additional anti-phishing protection in Microsoft Defender for Office 365

Microsoft Defender for Office 365 contains additional and more advanced anti-phishing features:

• Anti-phishing policies in Microsoft Defender for Office 365:
  • Configure impersonation protection settings for specific message senders and sender domains, mailbox intelligence settings, and adjustable advanced phishing thresholds. For more information, see Configure anti-phishing policies in Microsoft Defender for Office 365.
  • Details about detected impersonation attempts are available in the impersonation insight. For more information, see Impersonation insight in Defender for Office 365.
  • For more information about the differences between anti-phishing policies in EOP and anti-phishing policies in Defender for Office 365, see Anti-phishing policies in Microsoft 365.
• Campaign Views: Machine learning and other heuristics identify and analyze messages that are involved in coordinated phishing attacks against the entire service and your organization. For more information, see Campaign Views in Microsoft Defender for Office 365.
• Attack simulation training: Admins can create fake phishing messages and send them to internal users as an education tool. For more information, see Get started using Attack simulation training.

Other anti-phishing resources

• For end users: Protect yourself from phishing schemes and other forms of online fraud.
• How Microsoft 365 validates the From address to prevent phishing.