Over the last several months, we have made many advancements to Office 365 Advanced Threat Protection (ATP). Due to our impressive malware catch effectiveness, threat actors have altered attack methods to bypass security capabilities, leading to an increase in phishing campaigns. To this end, we have enhanced our anti-phish capabilities. Recently we improved the admin experience in Office 365. Now we combine the advancements in our anti-phish capabilities and admin experience to deliver powerful new tools that further upgrade our ability to mitigate phishing campaigns.


Enhancements to the Office 365 ATP anti-phishing policy

Office 365 ATP customers will now benefit from a default anti-phishing policy providing visibility into the advanced anti-phishing features enabled for the organization. We’re excited to deliver this as customers often ask for a single view where they can fine-tune the anti-phishing protections applied across all users within the organization. Admins can also continue to create new or use existing custom anti-phishing policies configured for specific users, groups, or domains within the organization. The custom policies created will take precedence over the default policy for the scoped users.


Customer feedback also led us to increase coverage of our anti-impersonation rule to 60 users and we simplified the spoof protection configurations within the ATP anti-phishing policy.

Figure 1 - ATP anti-phishing default policy settings

Figure 2 - ATP anti-phishing impersonation settings


Empowering admins with anti-phishing insights

We recently added a set of in-depth insights to the Security & Compliance Center and now we are excited to announce a new set of anti-phishing insights. These insights provide real-time detections for spoofing, domain and user impersonation, capabilities to manage true and false positives, and include what-if scenarios for fine-tuning and improving protection from these features.


  • Spoof Intelligence insights allow admins to review senders spoofing external domains, providing rich information about the sender and inline management of the spoof safe sender list. If spoof protection is not enabled, admins can review spoofed messages that would have been detected if protection was turned on (what-if analysis), turn on the protection, and manage the spoof safe sender list proactively.
  • Domain and User Impersonation insights allow admins to review senders attempting to impersonate domains that you own, your custom protected domains, and protected users within your organization. You can also review impersonation messages that would have been detected if protection was turned on (what-if analysis), turn on impersonation protection, and proactively manage the safe domain and safe sender list before enforcing any action.

Figure 3 - Spoof Intelligence insight widget



Explorer, Real-time reports and Office 365 management API will now include phish and URL detections

Earlier this year, we released real-time reports for malware, phish and user-reported messages for Office 365 ATP custo.... We are now excited to extend email phishing views in Real-time reports and Explorer experiences to include additional phishing detection details including the detection technology that resulted in the phish detection. These views are enriched with additional details on URLs.  This includes URLs included in messages, filtering based on URL information, display of URL information in the graph/pivot, and Safe Links time-of-click data on allowed/blocked clicks from messages.  Threat Intelligence customers will also get URL data in the ‘all email view’, enabling analysis on URLs for delivered mail, supporting security analysis for missed phish, data loss, and other security investigations.   We have also enriched phish detection events in the Office 365 management API.  The schema will now include email phish and URL click events. We believe these enhanced views are critical to powering security investigation and remediation scenarios across advanced phishing attack vectors.


Figure 5 - URL domain and URL clicks view

Figure 6 - Phish detection technology and URL click verdicts

Send Your Feedback

We hope you try these new features and provide feedback. Your feedback enables us to continue improving and adding features that continue making ATP the premier advanced security service for Office 365. If you have not tried Office 365 Advanced Threat Protection, you should begin a free Office 365 E5 trial today and start securing your organization from today’s threat landscape.

New Contributor

Do these features require an ATP license for all users or are they available to Office 365 clients as default security options?


@Brian Lee - these features do require ATP licenses

Occasional Visitor



This is Very Good Indeed!


We have E3 with Threat Intelligence as an add-on. Will this work or need E5?


If E5 is required, then how many licenses should we buy? Currently, we have 9k E3.






Frequent Visitor

We're loving ATP so far. Anxious for the in-depth insights to hit our tenant.

Super Contributor

@David Fantham I can add up to 60 users for impersonation protection now, but I cannot add the same amount of users for trusted senders and domains. If each of my users has only 1 alias to whitelist, then I am unable to complete that task. My users tend to have multiple aliases to whitelist. How can I accomplish this?


So Explorer is seeing all sorts of messages listed under the View: Phish. Most of these messages are being delivered. What can I do to have those be quarantined or blocked? I do have an anti-phishing policy, but really it's more of an anti-spoofing policy..? @David Fantham


@Robert Woods - the new Anti-Phishing Impersonation mailbox intelligence feature will take care of this for you based on the Microsoft Intelligence Security Graph. You can read more about that protection here


@Jordan Moore - this means that you may not be taking action on specific protection components within the Anti-Phishing policy. Navigate to the Security & Compliance Center, Threat Management, Policy, ATP Anti-Phishing and you should be able to investigate. 


@David Fantham How can I see how aggressive I need to be setting my phishing thresholds to stop these emails from being delivered? I.e. do I have a way to review the phishing confidence level, as that relates to the aggressiveness of the policy.

Super Contributor

@David Fantham I actually figured out a way to add more than 20 to the exceptions list, but only after they have been caught in quarantine 1x. In the impersonations over the past 7 days report it gives me an option to allow impersonation for the blocked user which bypasses the 20 user limit in the GUI.




@Robert Woods Under your Explorer > View > Phish, are all emails identified as phish going to a quarantine?

I've got an anti-phishing policy, but all the emails identified as phish under explorer are still being delivered.

Super Contributor

@Jordan Moore

Yes, the messages land here: Capture.PNG


This is the setting in my policy that causes this: Capture1.PNG


@Robert Woods

Thanks! What is your phishing threshold set to?

Super Contributor

@Jordan Moore

2 - Aggressive

New Contributor

@Jordan Moore

Not sure why, but emails from ai-noreply@applicationinsights.io (address used by Azure Application Insights) trigger "Domain impersonation" and get blocked.


info from one of emails:

Time received Oct 31, 2018 8:21:30 AM
Return path

Sender (From)
Sender name
Application Insights


Original IP
Threats/Detection technology
Phish/Domain impersonation
Delivery status Blocked
Protection policy/action DIMP-b7cc8738-8704-4a93-a632-16711aae9452/Send to quarantine
Internet Message ID <4e009d43-6664-476b-9594-b4a2e43577ee@CH1GMEHUB12.gme.gbl>
Network Message ID 945ce975-a34e-49ce-d47b-08d63f017838


Could you provide me with any hint what's going on?

New Contributor

@Jordan Moore

Emails from MS Teams noreply@email.teams.microsoft.com are treated as phishing:

NOREPLY@EMAIL.TEAMS.MICROSOFT.COM appears similar to someone who previously sent you email, but may not be that person.




@Rafał Fitt - the best way for you to get a timely and thorough response to your questions is to submit a support ticket through the Microsoft 365 Admin Center. You can file a service request under the 'Support' or 'Need help?' sections. Be sure to attach either the messages in question, or the headers, in order to get a detailed response. 

Occasional Visitor

A new option called "Enable mailbox intelligence based impersonation protection" is now available in the Mailbox Intelligence > Impersonation Policy settings.


Additionally, there is a new setting within Mailbox Intelligence to apply an action "If email is sent by an impersonated user".


Can you share some details about these new features, and how this action relates to already existing "If email is sent by an impersonated user" setting in the Actions section?


It seems these policy settings are similar, it would be good to understand the precedence of each and what circumstances would trigger these actions to apply.


Also posed the question in the Feedback section of https://docs.microsoft.com/en-us/office365/securitycompliance/set-up-anti-phishing-policies#phishpol..., which directed me to this page.