VNJoe The Anti-Phishing policies have settings for impersonation. Would you agree that spoofing and impersonation are at least related concepts? You must agree there is some overlap in the concepts of spoofing and phishing. I'm not sure whose definition of "phishing" you will accept as tolerable. But here's the definition from Phishing.org:
What Is Phishing?
Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
When the SPF/DKIM tests fail, that is potential spoofing. When somebody is intentionally spoofing somebody else, that is potential phishing. The rest of that spoofed email's traits are what they have to go off of to determine if it is just spoofing with no intent to lure, or if it is actually phishing. If there's a non-safe link in the body, and we already concluded the message is spoofing, then what is so bad about treating this message as a phish or high confidence phish? If there is no SPF, that sender is leaving themselves open to be spoofed, and composite authentication should give them negative points for that. I would side with Microsoft on this one and say a message with no SPF and a URL in the body that is detected as bad by Safe Links is more likely, or at least equally likely, to be phishing than it is to be spam. Spam has nothing to do with spoofing. Phishing has all kinds to do with spoofing.
I'm not trying to be argumentative just for the sake of it, more so just friendly debate to flush out some more details. And I already was persuaded earlier to agree with your other points. The issue that you're pointing out about the misclassification seems up for debate. Below is another excerpt from Phishing.org:
Phishing and Spoofing
Phishing is a serious problem that is achieved in a number of different ways. Email spoofing and website spoofing are two of the primary methods by which phishers acquire sensitive information from unsuspecting Internet users.
Can you maybe just include how you think it ought to be designed in EOP/MDO? If there is a better way, maybe they need to be told/shown rather than just criticized for not having gotten it right yet.
I do agree about the point that the actions for Phishing / High Confidence Phishing being in the Anti-Spam policies is a misplacement. My best guess is that it's because Anti-Phishing policies didn't come along until way later on in EOP's life, whereas Anti-Spam policies have been there all along. I'm betting they will eventually fix this, probably even sooner thanks to your efforts spent here.