Microsoft Tech Community

Managing false negative and false positive emails concerning user impersonation

Microsoft

This brief guide addresses false negatives and false positives associated with "User impersonation."

Handling False Negatives

Administrator tasks:

Check for any misconfigurations that could potentially lead to false negatives. This could include issues such as incorrect settings, incomplete allow-listing, or policies not being applied to the entire domain.

Configuration checks: go to security.microsoft.com -> Email & collaboration -> Policies & rules -> Threat policies -> Configuration analyzer.

[Fig 1.0: Configuration analyzer screenshot]

Check end-user allow-listing:

[Fig 1.1: end-user allow-listing screenshot]

Conduct a Threat Explorer search to identify the reason for the miss. Use the email entity page for a detailed analysis, as shown in Fig 1.2.

[Fig 1.2: email entity page screenshot]

End users' responsibilities

Use the Report Message add-in to report the message as a false negative, as shown in Fig 1.3.

[Fig 1.3: Report Message add-in screenshot]

Best practices for managing user impersonation display names

Note: Changing a display name in the impersonation policy does not change the display name shown in the global address list.

Remove apostrophes from display names in the TargetedUsersToProtect list

The workaround is to add names to the policy without the apostrophe character. For instance, enter "Sam Dsouza;Sam.D’souza@contoso.com" instead of "Sam D'souza; Sam.D’souza@contoso.com" in the policy's TargetedUsersToProtect list. User impersonation automatically accounts for all combinations with special characters.

[Figure: apostrophe-free entry in the TargetedUsersToProtect list screenshot]

Remove suffixes from display names

For example, in "Mahesh Kohli (IT)," leave "(IT)" out of the display name. It is preferable to include only the first name and last name.

[Figure: display name without suffix screenshot]

Managing display names with short abbreviations in the TargetedUsersToProtect list

Avoid abbreviated names such as "S S Surname"; use the full name (first name, last name) instead. If abbreviated names are still required, move them to the end of the list: remove them from the list and then re-add them at the end.

[Figure: abbreviated names placed at the end of the list screenshot]

Connect to Exchange Online Protection PowerShell; refer to Connect to Exchange Online PowerShell for more details.

Run the commands below in this sequence:

$a = Get-AntiphishPolicy -Identity "Office365 AntiPhish Default"
# Remove the abbreviated entries first so that re-adding them places them at the end of the list
$a.TargetedUsersToProtect.Remove("Chee Lim;lim.bengchee@contoso.com")
$a.TargetedUsersToProtect.Remove("Beng Lim;lim.bengchee@contoso.com")
$a.TargetedUsersToProtect.Add("Chee Lim;lim.bengchee@contoso.com")
$a.TargetedUsersToProtect.Add("Beng Lim;lim.bengchee@contoso.com")
Set-AntiphishPolicy -Identity "Office365 AntiPhish Default" -TargetedUsersToProtect $a.TargetedUsersToProtect

Run Get-AntiphishPolicy again to confirm that TargetedUsersToProtect includes the display names "BengChee Lim", "Beng Lim", and "Chee Lim".
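The three display-name rules above (no apostrophes, no suffixes, abbreviated names last) can be checked in bulk before editing a policy by hand. The following PowerShell is an added example and is not part of the original post or a Microsoft script: the function names and the sample entries are constructed for illustration, and the policy read/write at the end assumes an existing Connect-ExchangeOnline session, so it is left commented out.

```powershell
# Added example (not from the original post): normalise a TargetedUsersToProtect list
# against the display-name guidance and move abbreviated names to the end of the list.

function Get-NormalizedProtectedUserEntry {
    param([Parameter(Mandatory)][string]$Entry)

    # Entries have the form "Display Name;user@domain"; leave anything else untouched
    $parts = $Entry -split ';', 2
    if ($parts.Count -ne 2) { return $Entry }
    $display = $parts[0].Trim()
    $email   = $parts[1].Trim()

    # Rule 1: drop straight and curly apostrophes; the filter matches the variants itself
    $display = $display -replace "['\u2018\u2019]", ''

    # Rule 2: drop parenthesised suffixes such as "(IT)" and any whitespace left behind
    $display = ($display -replace '\s*\([^)]*\)', '').Trim()

    return "$display;$email"
}

function Test-AbbreviatedDisplayName {
    param([Parameter(Mandatory)][string]$Entry)
    $display = ($Entry -split ';', 2)[0].Trim()
    # A single-letter token (optionally followed by a period) is treated as an initial
    $initials = @($display -split '\s+' | Where-Object { $_ -match '^[A-Za-z]\.?$' })
    return $initials.Count -gt 0
}

function Get-OrderedProtectedUsers {
    param([Parameter(Mandatory)][string[]]$Entries)

    $clean = @($Entries | ForEach-Object { Get-NormalizedProtectedUserEntry -Entry $_ } | Select-Object -Unique)
    $full  = @($clean | Where-Object { -not (Test-AbbreviatedDisplayName -Entry $_) })
    $abbr  = @($clean | Where-Object { Test-AbbreviatedDisplayName -Entry $_ })

    # Rule 3: abbreviated names go to the end of the list
    return @($full + $abbr)
}

# Constructed sample list containing one violation of each rule (not real policy data)
$sample = @(
    "S S Surname;s.surname@contoso.com",
    "Sam D'souza;sam.dsouza@contoso.com",
    "Mahesh Kohli (IT);mahesh.kohli@contoso.com",
    "BengChee Lim;lim.bengchee@contoso.com"
)
$ordered = Get-OrderedProtectedUsers -Entries $sample

# Show the before/after difference; -SyncWindow 0 makes pure reordering visible as well
Compare-Object -ReferenceObject $sample -DifferenceObject $ordered -SyncWindow 0 | Format-Table -AutoSize

# To run against a real policy (requires Connect-ExchangeOnline): read the current list,
# review the diff above, then write the cleaned list back to the same policy.
# $current = @((Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default').TargetedUsersToProtect)
# $ordered = Get-OrderedProtectedUsers -Entries $current
# Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' -TargetedUsersToProtect $ordered
```

Writing the whole list back with -TargetedUsersToProtect replaces the existing value, which is what puts the abbreviated entries at the end; review the Compare-Object output first so that an entry that was only ever present as an abbreviation is not lost.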

Handling false positives

View the impersonation insight report for user impersonation.

[Fig 2.0: impersonation insight report screenshot]

Find out which impersonation detection was applied (graph-based or user):

[Fig 2.1: impersonation insight detail screenshot]

In Fig 2.1 the user type reads "Mailbox Intelligence" and the impersonated user field is blank, which indicates that mailbox intelligence-based impersonation protection was applied.

To address false positives caused by GIMP (graph-based impersonation), either temporarily allow the sender in the trusted senders list or ask the recipient to initiate communication with the sender. The resulting contact graph ensures that future emails are delivered to the inbox.

[Fig 2.3: allowing a sender in the impersonation filter screenshot]

Fig 2.3 shows the process to allow a sender in the impersonation filter.
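The same "trusted senders" allow shown in Fig 2.3 can be applied from PowerShell, which is useful when the allow is meant to be temporary and has to be tracked. The function below is an added example, not part of the original post or a Microsoft script: it uses the ExcludedSenders parameter of Set-AntiPhishPolicy (the impersonation trusted-senders exception list), assumes an existing Connect-ExchangeOnline session, and the policy name and sender address in the usage call are placeholders.

```powershell
# Added example (not from the original post): add a sender to an anti-phishing policy's
# impersonation trusted-senders list and confirm the change by reading the policy back.
function Add-ImpersonationTrustedSender {
    param(
        [Parameter(Mandatory)][string]$PolicyName,
        [Parameter(Mandatory)][string]$Sender
    )

    $policy = Get-AntiPhishPolicy -Identity $PolicyName
    if ($policy.ExcludedSenders -contains $Sender) {
        Write-Host "$Sender is already a trusted sender in '$PolicyName'"
        return $true
    }

    # @{Add=...} appends to the exception list without overwriting existing entries
    Set-AntiPhishPolicy -Identity $PolicyName -ExcludedSenders @{Add = $Sender}

    # Confirm the allow took effect, as the post does for TargetedUsersToProtect
    $after = (Get-AntiPhishPolicy -Identity $PolicyName).ExcludedSenders
    if ($after -contains $Sender) {
        Write-Host "Added $Sender to '$PolicyName'; remove it once the recipient's contact graph has formed"
        return $true
    }
    Write-Warning "$Sender is not present after the update; check the policy name and your permissions"
    return $false
}

# Placeholder policy name and sender address; replace with your own values
Add-ImpersonationTrustedSender -PolicyName 'Office365 AntiPhish Default' -Sender 'partner@fabrikam.example'
```

Because the post recommends the allow only as a temporary measure, record the date it was added and remove the entry with -ExcludedSenders @{Remove = $Sender} once mail from that sender is landing in the inbox on its own.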
