Forum Discussion
Display Name Spoofing very often recently - how to prevent it
Hi experts,
Recently, I have noticed an increase in emails that try to impersonate the sender (Display Name Spoofing). The display name shows a real user from our organization, however the sender email/domain is totally different.
I thought I had the protection configured properly, but it looks like that is not the case :/. I have an anti-phish policy with Impersonation as below:
- A few critical users listed in "Enable users to protect"
  - I was going to enable it for all now, but there is no option like that, and it looks like I need to manually add all internal users
- Enable domains to protect
  - Include domains I own (does this include all domains I have registered in M365? See below). I would expect this to prevent these emails
  - Include custom domains - I have nothing here, but I am not sure now whether my few domains created in M365, including the default domain, need to be added here. As far as I know, the custom domains are the domains I create in M365.
I would like to check what the proper way is to configure protection against these email attacks.
We use M365 E3 + M365 E5 Security
2 Replies
- JeremyTBradshaw, Iron Contributor
For DisplayName spoofing you definitely want User Impersonation protection, and you can only protect up to 350 users (per Anti-Phish policy, not sure if/how well it scales up if you try to do as many policies as necessary to cover all users). User Impersonation Protection
You'll get more than just DisplayName spoofing protection. Even similar email addresses will be detected. You will likely need to then add some Trusted Senders as well, to avoid certain external senders being falsely detected as impersonation attempts. Trusted Senders and Domains
To close the loop on Domain Impersonation - that is focusing on the domain portion of the email address, so it is not going to cover you for DisplayName spoofs. Things like M1crosoft.com would be detected as impersonating Microsoft.com.
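The distinction drawn in the reply above (user impersonation keys on the display name, domain impersonation on the domain part of the address, trusted senders suppress false positives), sketched as an added Python example. It is not from the thread and is not how Defender for Office 365 implements detection; the user list, domains, trusted sender and the 0.85 similarity threshold are constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample data for illustration; none of these values come from the thread.
PROTECTED_USERS = {"Ana Novak": "ana.novak@contoso.com",
                   "Marko Horvat": "marko.horvat@contoso.com"}
PROTECTED_DOMAINS = {"contoso.com", "microsoft.com"}
TRUSTED_SENDERS = {"ana.novak@partner.example"}   # external namesake, known good
LOOKALIKE_THRESHOLD = 0.85                        # assumed cut-off, tune on real mail


def _norm(text):
    """Fold case, Unicode compatibility forms and repeated whitespace."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())


_NAMES = {_norm(n) for n in PROTECTED_USERS}
_ADDRS = {a.lower() for a in PROTECTED_USERS.values()}


def classify(from_header):
    """Return 'trusted', 'internal', 'user_impersonation',
    'domain_impersonation' or 'external' for one From header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if addr in TRUSTED_SENDERS:
        return "trusted"
    if domain in PROTECTED_DOMAINS:
        # Exact-domain forgery is an SPF/DKIM/DMARC question, out of scope here.
        return "internal"
    shown = _norm(name)
    # Display name equals a protected user's name, or is itself their address.
    if shown in _NAMES or shown in _ADDRS:
        return "user_impersonation"
    if any(SequenceMatcher(None, domain, d).ratio() >= LOOKALIKE_THRESHOLD
           for d in PROTECTED_DOMAINS):
        return "domain_impersonation"
    return "external"


if __name__ == "__main__":
    for header in ['"Ana Novak" <ceo.office1987@gmail.com>',
                   "Billing <billing@m1crosoft.com>"]:
        print(f"{classify(header):22} {header}")
```

Run over From headers exported from a message trace, the two impersonation labels show which protection type (users to protect vs. domains to protect) each message would depend on.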
- MatejKlemencic, Brass Contributor
Hi sumo83,
Could you clarify what actions you've set for messages flagged as user impersonation? What's your phishing threshold value? Additionally, have you enabled mailbox intelligence and intelligence for impersonation protection?