Handling false negative and false positive emails related to user impersonation

Microsoft

This is a short guide for handling "User impersonation" related false negatives and false positives.

 

1. Handling False Negatives 

 

Administrator tasks: 

Verify whether a misconfiguration is causing the false negatives: for example, policy settings, allow-listing, or a policy that is not applied to the entire domain.

Configuration checks: go to security.microsoft.com -> Email & collaboration -> Policies & rules -> Threat policies -> Configuration analyzer.


Fig 1.0 

 

Check end user allow-listing: 


Fig 1.1

Search in Threat Explorer to find out why the message was missed, and use the email entity page for detailed analysis, as shown in Fig 1.2.


Fig 1.2 

 

End users’ responsibilities 

Use the Report Message add-in to report the message as a false negative, as shown in Fig 1.3.


Fig 1.3 

 

Best practices for managing user impersonation display names

 

Note: Changing the display name in the impersonation policy does not change the display name shown in the global address list.

Remove apostrophes from display names in the TargetedUsersToProtect list

The workaround is for the customer to add the names to the policy without the apostrophe character. For example, add “Sam Dsouza;Sam.D’souza@contoso.com” instead of “Sam D'souza;Sam.D’souza@contoso.com” to the TargetedUsersToProtect list. User impersonation protection automatically considers all combinations with special characters.


 

Remove suffixes from display name 

For example, for “Mahesh Kohli (IT)”, remove “(IT)” from the display name. It is best to use just the first name and last name.

 


 

Managing display names with short abbreviations in the TargetedUsersToProtect list

Do not use names with abbreviations such as “S S Surname”; use the full name (first name, last name) instead. If an abbreviated name is still required, move it to the end of the list: remove it from the list and re-add it, so that it is appended after the full names.

 


 

 

 

Connect to Exchange Online PowerShell; refer to Connect to Exchange Online PowerShell for more details.

Run the below commands in the following sequence:

# Read the policy you want to change (use straight quotes around the name).
$a = Get-AntiphishPolicy -Identity "Office365 AntiPhish Default"

# Append the additional display-name variants; the SMTP address stays the same.
$a.TargetedUsersToProtect.Add("Chee Lim;lim.bengchee@contoso.com")
$a.TargetedUsersToProtect.Add("Beng Lim;lim.bengchee@contoso.com")

# Write the list back to the SAME policy it was read from, otherwise the
# list of a different policy would be overwritten.
Set-AntiphishPolicy -Identity "Office365 AntiPhish Default" -TargetedUsersToProtect $a.TargetedUsersToProtect

Run Get-AntiphishPolicy again and ensure that the three display names “BengChee Lim”, “Beng Lim” and “Chee Lim” are shown in the TargetedUsersToProtect parameter.

Keep the above commands handy: any future changes to the “BengChee Lim” account in the ATP anti-phishing policy will need to be made via PowerShell.
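The display-name rules above (no apostrophes, no suffixes, abbreviated names last) can be applied in one pass before the list is written to the policy. The following PowerShell is an added example, not part of the original post; the function name ConvertTo-ImpersonationTargetList and the sample entries are constructed for illustration, and the final Set-AntiphishPolicy line assumes an existing Exchange Online PowerShell session.

```powershell
# Added example (not from the original post): normalise "Display Name;smtp" entries
# according to the best practices above before writing them to TargetedUsersToProtect.
function ConvertTo-ImpersonationTargetList {
    param(
        [Parameter(Mandatory)] [string[]] $Entries
    )
    $normal = New-Object System.Collections.Generic.List[string]
    $abbrev = New-Object System.Collections.Generic.List[string]
    foreach ($entry in $Entries) {
        $parts = $entry -split ';', 2
        if ($parts.Count -ne 2) { Write-Warning "Skipping malformed entry: $entry"; continue }
        $name  = $parts[0].Trim()
        $email = $parts[1].Trim()
        # Remove apostrophes (straight and typographic) from the display name only;
        # the SMTP address must stay exactly as it is in the directory.
        $name = $name -replace "['’]", ''
        # Remove bracketed suffixes such as "(IT)" and collapse extra spaces.
        $name = (($name -replace '\([^)]*\)', '') -replace '\s+', ' ').Trim()
        $out = "$name;$email"
        # A single-letter token ("S S Surname") marks an abbreviated name; these go last.
        if ($name -match '(^|\s)[A-Za-z]\.?(\s|$)') { $abbrev.Add($out) } else { $normal.Add($out) }
    }
    # De-duplicate while preserving order: full names first, abbreviated names at the end.
    return @(@($normal) + @($abbrev) | Select-Object -Unique)
}

# Constructed sample input: the post's own examples plus a hypothetical abbreviated entry.
$targets = ConvertTo-ImpersonationTargetList -Entries @(
    "Sam D'souza;Sam.D'souza@contoso.com",
    "Mahesh Kohli (IT);mahesh.kohli@contoso.com",
    "S S Surname;s.surname@contoso.com",
    "BengChee Lim;lim.bengchee@contoso.com"
)
$targets   # review the normalised list before writing it to the policy

# Write the normalised list back (assumes an Exchange Online PowerShell session):
# Set-AntiphishPolicy -Identity "Office365 AntiPhish Default" -TargetedUsersToProtect $targets
```

Because Set-AntiphishPolicy replaces the whole list, merge the output with the policy's existing TargetedUsersToProtect entries first if you only intend to add names.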

 

2. Handling false positives 

 

View impersonation insight reports for user impersonation  

 


Fig 2.0 

 

Find out which impersonation detection was applied (graph-based or user impersonation)

 


Fig 2.1 

In Fig 2.1 above, the User type shows mailbox intelligence and the Impersonated user(s) section is blank, which means mailbox intelligence-based impersonation detection was applied here.

To handle GIMP (graph-based impersonation, i.e. mailbox intelligence), it is recommended to allow the sender for a while, or to let the recipient establish communication with the sender; this builds the contact graph, so that going forward mail from that sender is delivered to the inbox.

 


Fig 2.3 

Fig 2.3 shows the process for allowing a sender in the impersonation filter.
