Anti Phishing - Impersonation protection

Hey,

I know that these types of protection are often black boxes to make it more difficult to bypass attacks. But with the best will in the world I don't understand the point of this function.

I'm trying to harden the anti-phishing policies in Defender for O365.

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide

Now here are three different protection options:

User Impersonation

Domain Impersonation

Mailbox intelligence impersonation protection

So far so clear.

Now the purple box for user impersonation states that it only works if the persons have had no previous contact.

(User impersonation protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message can be identified as an impersonation attempt).

Mailbox Intelligence Impersonation Protection states that it compares emails from protected persons with previous contact and lets the emails through accordingly.

(For example: Gabriela Laureano (email address removed for privacy reasons) is the managing director of your company. You therefore add her as a protected sender in the settings of the Enable users for protection policy. However, some of the recipients in the policy regularly communicate with a supplier who is also called Gabriela Laureano (email address removed for privacy reasons). Since these recipients have a communication history with email address removed for privacy reasons, the mailbox intelligence does not recognize messages from email address removed for privacy reasons for these recipients as an attempt to impersonate email address removed for privacy reasons.)

It would make sense if the mailbox intelligence impersonation protection would recognize if the email address of an existing contact were to change or be impersonated and this contact is not defined as a protected sender. However, the example refers to a user who is already set as "protected sender".

What is Mailbox Intelligence Impersonation Protection for now? This is exactly what User impersonation already does when it recognizes previous contact.