Handling false negative and false positive emails related to user impersonation


This is a short guide for handling "User impersonation" related false negatives and false positives.


1. Handling False Negatives 


Administrator tasks: 

Verify if there is any misconfiguration which may be causing false negatives. For example, settings, allow-listing, policy not applied on entire domain etc. 

Configuration checks – Go to security.microsoft.com -> Email & collaboration -> Polices & rules -> Threat policies -> Configuration analyzer. 


Fig 1.0 


Check end user allow-listing: 


Fig 1.1

Do Threat explorer search and find out reason of miss, leverage email entity page for detail analysis as shown in Fig 1.2. 


Fig 1.2 


End users’ responsibilities 

Leverage report message add-in to report message as false negatives as shown in Fig 1.3 


Fig 1.3 


Best practices for managing user impersonation display names


Note: Changing display name in impersonation policy will not change display name shown in global address list. 

Remove apostrophe from display in TargetUsersToProtect list 

The work-around is for the customer to add the names in their policy without the ‘apostrophe’ character. For example, customer should add “Sam Dsouza;Sam.D’souza@contoso.com” instead of Sam D'souza;Sam.D’souza@contoso.com in their policy in the TargetedUsersToProtect list. User impersonation will automatically consider all the combination with special characters. 



Remove suffixes from display name 

For example – Mahesh Kohli (IT) – Remove (IT) from this display name.  Best would be to put just first name & last name.




Managing display names with short abbreviation in TargetUsersToProtect list 

Do not use names with abbreviation like “S S Surname”, instead of that use full name (First name, Last name). However, if it is still the requirement then move abbreviated names at end of the list for that we must remove it and re-add to the list.  






Connect to Exchange Online Protection PowerShell, refer Connect to Exchange Online PowerShell

for more details.

Run the Below commands in below sequence: 

$a = Get-AntiphishPolicy -identity “Office365 AntiPhish Default” 

$a.TargetedUsersToProtect.Add("Chee Lim;lim.bengchee@contoso.com") 

$a.TargetedUsersToProtect.Add("Beng Lim;lim.bengchee@contoso.com") 

Set-AntiphishPolicy -Identity “Anti-Phishing Policy” -TargetedUsersToProtect  $a.TargetedUsersToProtect 

Run the command Get-AntiphishPolicy and ensure the 3 Display names “BengChee Lim”, “Beng Lim” & “Chee Lim” are being shown in the TargetedUsersToProtect parameter. 

Please keep the above commands handy, as in future any further changes to “BengChee Lim” account in ATP Anti-Phishing policy will need to be done via Powerhshell. 


2. Handling false positives 


View impersonation insight reports for user impersonation  



Fig 2.0 


Find out which impersonation is applied (Graph based or User) 



Fig 2.1 

In above Fig 2.1 User type shows mailbox intelligence and impersonated users(s) section is blank which mean mailbox intelligence-based impersonation was applied here. 

To handle GIMP, it is recommended to allow sender for a while or let recipient establish communication which will build a contact graph and going forward mail would be delivered in inbox. 



Fig 2.3 

Fig 2.3 shows process to allow sender in impersonation filter.  

0 Replies