Microsoft Tech Community

Display Name Spoofing very often recently - how to prevent it


Hi experts,


Recently, I have noticed an increase in emails that try to impersonate the sender (Display Name Spoofing). The display name shows a real user from our organization; however, the sender email/domain is totally different.


I thought I had the protection configured properly, but it looks like that is not the case :/. I have an anti-phish policy with Impersonation as below:

  • A few critical users listed in "Enable users to protect"
    • I was going to enable it for all now, but there is no option like that, and it looks like I need to manually add all internal users
  • Enable domains to protect
    • Include domains I own (does this include all domains I have registered in M365? See below). I would expect this will prevent these emails.
    • Include custom domains - I have nothing here, but I am not sure now whether my few domains created in M365, including the default domain, need to be added here? From what I know, the custom domains are the domains I create in M365.


Would like to check what is the proper way to configure protection against these email attacks. 


We use M365 E3 + M365 E5 Security

1 Reply

Hi @sumo83,


Could you clarify what actions you've set for messages flagged as user impersonation? What's your phishing threshold value? Additionally, have you enabled mailbox intelligence and intelligence for impersonation protection?
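
The settings discussed in this thread (protected users and domains, impersonation actions, phishing threshold, mailbox intelligence) can be read from Exchange Online PowerShell. The following read-only audit is an added example, not part of the original posts; it assumes the ExchangeOnlineManagement module with an active `Connect-ExchangeOnline` session, and `Get-ImpersonationAudit` is a hypothetical helper name.

```powershell
# Added example: read-only audit of impersonation settings in every anti-phishing policy.
# Assumes an existing Connect-ExchangeOnline session; changes nothing in the tenant.
function Get-ImpersonationAudit {   # hypothetical helper name
    foreach ($p in Get-AntiPhishPolicy) {
        # Drop empty entries so an unset list counts as zero
        $users   = @($p.TargetedUsersToProtect   | Where-Object { $_ })
        $domains = @($p.TargetedDomainsToProtect | Where-Object { $_ })
        $findings = @()

        if (-not $p.Enabled) { $findings += 'policy is disabled' }

        # User impersonation: this is the check that matches display names
        if (-not $p.EnableTargetedUserProtection) {
            $findings += 'user impersonation protection is off'
        } elseif ($users.Count -eq 0) {
            $findings += 'user impersonation protection is on but no users are listed'
        } elseif ("$($p.TargetedUserProtectionAction)" -eq 'NoAction') {
            $findings += 'user impersonation is detected but no action is applied'
        }

        # Domain impersonation: owned (accepted) domains and custom domains
        if (-not $p.EnableOrganizationDomainsProtection) {
            $findings += '"Include domains I own" is off'
        }
        if ($p.EnableTargetedDomainsProtection -and $domains.Count -eq 0) {
            $findings += 'custom domain protection is on but the list is empty'
        }

        # Mailbox intelligence must be on for its impersonation protection to work
        if (-not $p.EnableMailboxIntelligence) {
            $findings += 'mailbox intelligence is off'
        } elseif (-not $p.EnableMailboxIntelligenceProtection) {
            $findings += 'mailbox intelligence impersonation protection is off'
        } elseif ("$($p.MailboxIntelligenceProtectionAction)" -eq 'NoAction') {
            $findings += 'mailbox intelligence detects impersonation but applies no action'
        }

        [pscustomobject]@{
            Policy         = $p.Name
            UsersProtected = $users.Count
            UserAction     = "$($p.TargetedUserProtectionAction)"
            DomainsIOwn    = [bool]$p.EnableOrganizationDomainsProtection
            CustomDomains  = $domains.Count
            PhishThreshold = $p.PhishThresholdLevel   # 1 (Standard) to 4 (Most aggressive)
            Findings       = $findings -join '; '
        }
    }
}

Get-ImpersonationAudit | Format-List
```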