This is a short guide for handling "User impersonation" related false negatives and false positives.
1. Handling False Negatives
Verify whether a misconfiguration is causing the false negatives: for example, policy settings, allow-listing, or a policy that is not applied to the entire domain.
Configuration checks – Go to security.microsoft.com -> Email & collaboration -> Policies & rules -> Threat policies -> Configuration analyzer.
Check end user allow-listing:
Run a Threat Explorer search to find the reason for the miss, and use the email entity page for detailed analysis, as shown in Fig 1.2.
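The configuration checks above can also be run from Exchange Online PowerShell. The script below is an added example, not part of this guide; it lists, per anti-phishing policy, the misconfigurations named above (user impersonation protection disabled or set to NoAction, an empty protected-user list, impersonation allow-list entries, and a policy rule that is disabled or does not cover the domain). It assumes the ExchangeOnlineManagement module is installed and you can read anti-phish policies; the domain name is a constructed placeholder.

```powershell
# Added example (not from the guide): audit anti-phishing policies for the
# false-negative causes listed above. Requires the ExchangeOnlineManagement
# module and permission to read anti-phish policies and rules.
Connect-ExchangeOnline

$domainToCheck = 'contoso.example'   # placeholder: replace with your accepted domain

function Get-ImpersonationPolicyFindings {
    param([string]$Domain)

    $rules = Get-AntiPhishRule
    foreach ($policy in Get-AntiPhishPolicy) {
        $findings = @()

        if (-not $policy.EnableTargetedUserProtection) {
            $findings += 'User impersonation protection is disabled'
        }
        if ($policy.TargetedUserProtectionAction -eq 'NoAction') {
            $findings += 'Impersonation action is NoAction (detections are not acted on)'
        }
        if ($policy.TargetedUsersToProtect.Count -eq 0) {
            $findings += 'TargetedUsersToProtect is empty'
        }
        if ($policy.ExcludedSenders -or $policy.ExcludedDomains) {
            # Impersonation exceptions bypass detection for these senders/domains
            $findings += "Impersonation allow-list in use: $($policy.ExcludedSenders.Count) senders, $($policy.ExcludedDomains.Count) domains"
        }

        # The default policy applies to everyone; a custom policy is scoped by its rule.
        if (-not $policy.IsDefault) {
            $rule = $rules | Where-Object { $_.AntiPhishPolicy -eq $policy.Name }
            if (-not $rule) {
                $findings += 'No rule references this policy, so it applies to nobody'
            } elseif ($rule.State -ne 'Enabled') {
                $findings += "Rule '$($rule.Name)' is $($rule.State)"
            } elseif ($rule.RecipientDomainIs) {
                # Domain values are domain objects; compare as strings. A rule scoped
                # only by SentTo/SentToMemberOf has no RecipientDomainIs and is not flagged here.
                $scopedDomains = $rule.RecipientDomainIs | ForEach-Object { $_.ToString() }
                if ($scopedDomains -notcontains $Domain) {
                    $findings += "Rule '$($rule.Name)' does not include $Domain in RecipientDomainIs"
                }
            }
        }

        [pscustomobject]@{
            Policy   = $policy.Name
            Findings = $(if ($findings) { $findings -join '; ' } else { 'OK' })
        }
    }
}

Get-ImpersonationPolicyFindings -Domain $domainToCheck | Format-Table -AutoSize -Wrap
```

Any row other than "OK" points at a setting to review in Configuration analyzer or the policy itself before treating the miss as a detection gap.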
End users’ responsibilities
Use the Report Message add-in to report the message as a false negative, as shown in Fig 1.3.
Best practices for managing user impersonation display names
Note: Changing the display name in the impersonation policy does not change the display name shown in the global address list.
Remove apostrophes from display names in the TargetedUsersToProtect list
The work-around is for the customer to add the names to the policy without the apostrophe character. For example, the customer should add “Sam Dsouza;Sam.D’firstname.lastname@example.org” instead of Sam D'souza;Sam.D’email@example.com in the TargetedUsersToProtect list of the policy. User impersonation detection automatically considers all combinations with special characters.
Remove suffixes from display name
For example, for “Mahesh Kohli (IT)”, remove “(IT)” from the display name. Best practice is to use just the first name and last name.
Managing display names with short abbreviations in the TargetedUsersToProtect list
Do not use names with abbreviations such as “S S Surname”; use the full name (first name, last name) instead. If abbreviated names are still required, move them to the end of the list; to do so, remove them and re-add them to the list.
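The three display-name practices above (no apostrophes, no suffixes, abbreviated names last) can be applied in one pass before the list is written to the policy. The script below is an added example and not part of this guide or of Microsoft's tooling: it normalizes a list of "DisplayName;EmailAddress" entries and writes the result with Set-AntiPhishPolicy. The sample entries and the policy name are constructed placeholders; it assumes an Exchange Online PowerShell session with permission to modify anti-phish policies.

```powershell
# Added example (not from the guide): normalize TargetedUsersToProtect entries.
# Each entry has the documented form "DisplayName;EmailAddress".
function ConvertTo-ProtectedUserList {
    param([string[]]$Entries)

    $fullNames  = @()
    $abbrevNames = @()

    foreach ($entry in $Entries) {
        $parts = $entry.Split(';', 2)
        if ($parts.Count -ne 2) {
            Write-Warning "Skipping malformed entry '$entry' (expected DisplayName;EmailAddress)"
            continue
        }
        $name  = $parts[0].Trim()
        $email = $parts[1].Trim()

        # 1. Remove straight and curly apostrophes from the display name only
        $name = $name -replace "['\u2019]", ''

        # 2. Strip parenthetical suffixes such as "(IT)"
        $name = ($name -replace '\s*\([^)]*\)', '').Trim()

        # 3. A token that is a single letter (optionally dotted) marks an abbreviated name
        $isAbbreviated = ($name -split '\s+') | Where-Object { $_ -match '^[A-Za-z]\.?$' }

        $normalized = "$name;$email"
        if ($isAbbreviated) { $abbrevNames += $normalized } else { $fullNames += $normalized }
    }

    # Full names first, abbreviated names at the end of the list
    return $fullNames + $abbrevNames
}

# Constructed sample input
$entries = @(
    "Sam D'souza;sam.dsouza@contoso.example",
    "Mahesh Kohli (IT);mahesh.kohli@contoso.example",
    "S S Surname;ss.surname@contoso.example",
    "Priya Nair;priya.nair@contoso.example"
)

$protectedUsers = ConvertTo-ProtectedUserList -Entries $entries
$protectedUsers   # review the normalized list before applying it

# Passing a plain array to -TargetedUsersToProtect overwrites the existing list,
# so writing the reordered list performs the remove-and-re-add in one step.
Connect-ExchangeOnline
Set-AntiPhishPolicy -Identity 'Custom anti-phish policy' -TargetedUsersToProtect $protectedUsers
```

Only the display-name half of each entry is modified; the email address is left exactly as entered, since it must still match the protected mailbox. Review the printed list before the Set-AntiPhishPolicy call, because that call replaces the whole TargetedUsersToProtect value on the policy.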