How to Prevent Email Impersonation Attacks Using Microsoft Defender for Exchange Online Plan 1
Impersonation attacks are targeted, deceptive phishing, spoofing and whaling attempts that can cause major financial and data loss. Microsoft Defender Plan 1 helps mitigate them through intelligent detection and policy-based protection.
Cyber attacks have evolved into a continuous, high-volume threat driven by geopolitical tensions, artificial intelligence, and the rapid expansion of digital ecosystems, and they directly affect organizations' security and financial stability. Among them, impersonation attacks have become common and are increasing rapidly. Before diving into the topic, let's first understand what an impersonation attack is, how it affects organizations, and how Microsoft Defender plans can protect organizations and users from these fraudulent activities.
An impersonation attack is a type of phishing in which a threat actor pretends to be a trusted individual, such as an employee, manager, managing director, CEO, or even a known vendor or customer, to deceive victims into revealing sensitive information, transferring funds, or installing malware. Unlike normal spam emails, impersonation attacks are highly dangerous because they appear legitimate: the attackers often use similar display names, spoofed domains, or compromised IDs to make their communication look authentic.
Generally, these attackers first study a company closely through its social media profiles or website. Using this information, they send convincing emails requesting urgent payments, password resets, or other sensitive data related to the organization. Since these emails appear realistic and trustworthy, users often fall into the trap, leading to serious consequences such as financial loss, data breaches, and disruption of business operations.
Microsoft's solution for impersonation attacks is Microsoft Defender for Exchange Online Plan 1. It helps organizations reduce such threats through built-in anti-phishing settings and intelligent detection mechanisms. With this plan, an organization's IT administrators can configure a policy that specifies the users and domains to monitor, so that Microsoft can detect suspicious similarities using machine learning and artificial intelligence. When an impersonation attempt is found, Microsoft Defender can take actions such as quarantining the email, adding a warning banner to it, or sending it for review. Now, let's learn how to configure these policies as an administrator and protect our organizations effectively.
Prerequisites
Before configuring the policies, ensure you have the following:
- Microsoft Defender for Exchange Online Plan 1 license
- Global administrator ID
Configurations:
There are two ways to configure impersonation settings: either through preset security policies or by creating a new anti-phishing policy.
[A] Configuring through Preset Security Policy
Steps:
- Go to security.microsoft.com and sign in with your global admin ID.
- On the left-hand side, navigate to Email & collaboration -> Policies & Rules -> Threat Policies -> Preset security policies.
- Choose a preset policy (select one of the following):
  - Standard protection (recommended baseline)
  - Strict protection (more aggressive filtering)
- Select “Manage protection settings”.
- First apply Exchange Online Protection for all the users, then click Next.
- Under “Apply Defender for Office 365 protection,” you can either select all users or only those who have a Defender plan to ensure accurate and efficient protection. Then click Next.
- On the page “Add email addresses to flag when impersonated by attackers,” add internal or external email addresses of users who may be impersonated, such as executives, board members, or other key personnel. Messages detected with impersonated senders will be quarantined. Once added, click Next.
- Under “Add domains to flag when impersonated by attackers,” add domain names. These can include your own domains as well as those of key suppliers and partners. Messages detected with impersonated sender domains will be quarantined. After adding them, proceed to the next page.
- Under “Add trusted domains to not flag as impersonation”, add trusted domains you frequently communicate with. Emails from these domains will not be flagged as impersonation and will be delivered normally.
- Now select Next, review and confirm the settings, and proceed.
[B] Configuring through Anti-Phishing Policy
Steps:
- Go to security.microsoft.com and sign in with your global admin ID
- On the left-hand side, navigate to Email & collaboration -> Policies & Rules -> Threat Policies -> Anti-Phishing.
- Create a new policy -> add a name and description (optional) -> click Next.
- Under “Users, groups, and domains,” include your domain so the policy applies to it, then click Next.
- On the page “Phishing threshold & protection”, scroll down and enable the impersonation settings:
  - “Enable users to protect”: tick the box and add internal or external email addresses of users who may be impersonated, such as executives, board members, or other key personnel.
  - “Enable domains to protect”: tick the box and add domain names. These can include your own domains as well as those of key suppliers and partners.
  - You can also add trusted senders and domain names that you frequently communicate with.
- Tick the boxes for “Enable intelligence for impersonation protection” and “Enable spoof intelligence”, then click Next.
- Choose the actions you want to apply, such as moving the message to Junk, quarantining, deleting, or redirecting it, then select Next.
- Review and Submit.
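The same anti-phishing policy can also be created from Exchange Online PowerShell, which makes the settings reviewable and repeatable. The script below is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module with an active Connect-ExchangeOnline session, and the policy name, addresses, and domains (contoso.com, fabrikam.com, trustedpartner.example) are constructed placeholders.

```powershell
# Prerequisite (run once per session):
#   Connect-ExchangeOnline -UserPrincipalName <your global admin ID>
# All names, addresses and domains below are constructed placeholders.

$policyName = 'Impersonation Protection - Key Personnel'

$policy = @{
    Name                                = $policyName
    AdminDisplayName                    = 'Protects key personnel and partner domains'
    PhishThresholdLevel                 = 2   # 1 = Standard ... 4 = Most aggressive

    # "Enable users to protect": each entry is "DisplayName;EmailAddress"
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @(
        'Example CEO;ceo@contoso.com',
        'Example CFO;cfo@contoso.com'
    )

    # "Enable domains to protect": own accepted domains plus listed partners
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('fabrikam.com')

    # Trusted domains that are not flagged as impersonation
    ExcludedDomains                     = @('trustedpartner.example')

    # Mailbox intelligence for impersonation protection, and spoof intelligence
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    EnableSpoofIntelligence             = $true

    # Actions on detection (this example quarantines; MoveToJmf, Delete
    # and Redirect are the other actions the steps above mention)
    TargetedUserProtectionAction        = 'Quarantine'
    TargetedDomainProtectionAction      = 'Quarantine'
    MailboxIntelligenceProtectionAction = 'Quarantine'
}
New-AntiPhishPolicy @policy

# The rule is what applies the policy to recipients in your domain
New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'contoso.com' -Priority 0

# Read the settings back to confirm what is actually enforced
Get-AntiPhishPolicy -Identity $policyName |
    Format-List Name, Enable*, Targeted*, ExcludedDomains, *Action
Get-AntiPhishRule -Identity $policyName |
    Format-List Name, State, Priority, RecipientDomainIs
```

Keep the excluded (trusted) domain list short and review it periodically, since messages from those domains bypass the impersonation checks.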
This is how you can configure the policy and protect users from impersonation attacks in the future.
