Schooling A Sea of Phish Part 1: How Office 365 Advanced Threat Protection Helps Stop Spear Phishing
Published Mar 06 2018 11:39 AM

From late 2016 into 2017, the team of engineers developing Office 365 Advanced Threat Protection (ATP) invested much of their time focusing on:


  • Maintaining a malware catch rate >99.9% effectiveness
  • Reducing file detonation times to < 60 seconds
  • Launching a bevy of features to enhance the control and capabilities for security admins


and their efforts led to Office ATP achieving all three of those goals.



Figure 1. The Office 365 Advanced Threat Protection Journey (* coming soon)


As we elevated Office ATP to the position of protecting more end users than all its peers combined, threat actors took notice. During 2017, our threat telemetry indicated that as our malware catch rate increased, the amount of malware launched at Office 365 users decreased. The reduced ROI and growing difficulty of running successful malware campaigns forced threat actors to evolve. We saw a spike in the number of phishing campaigns across the threat landscape; Office 365 mitigated 1 billion phishing emails in the second half of 2017 alone. These new campaigns had a level of complexity that signified an evolution in how phishing attacks were fundamentally designed, and this prompted us to build upon the already powerful anti-phishing features in Office ATP and Exchange Online Protection (EOP). As we did for malware catch rate, file detonation times, and features, we focused more of our efforts on monitoring, understanding, and then further enhancing our technology to stay ahead of this new class of advanced, sophisticated, and often targeted phishing attacks.

Over the next month, we will share the holistic strategy and layered technologies in Office 365 ATP that help stop modern phishing attacks. We encourage you to test these new capabilities in Office 365 ATP and provide your feedback. While no solution can ever guarantee 100% effectiveness against phish, we believe our technology framework and features provide the best solution available to help navigate this sea of phish.



How Office 365 ATP Helps Mitigate Spear-Phishing

Phish emails come in several categories, and the severity of their impact also varies with the type of campaign. The spectrum of attacks ranges from generic scams such as the infamous Nigerian prince to a rising tide of advanced, targeted business email compromise campaigns (which can be a class of spear-phishing, defined below). Phishing lures also come in many forms, and the level of sophistication of phish lures continues to grow.



Figure 2. Spectrum of Phishing Campaign types and Potential Phish Lures


Highly sophisticated attacks yield greater monetary gains per account phished, while more generic attacks yield less money per compromised account but target a broader set of users. With such a variety of phish vectors and lures, there is no simple method to mitigate phish emails. An effective anti-phishing solution requires layers of protection, addressing both the type of phishing campaign and the lures leveraged to execute the attack. At Microsoft, we classify phish into distinct categories, and we have multiple solutions that help mitigate phish during mail flow. Detection and response are also important tools for combating phish after email delivery, so reporting and search-and-destroy capabilities are critical components of an effective anti-phishing solution as well. In this post, we focus on the recent enhancements to our anti-impersonation capabilities. These capabilities help address:


  • domain impersonation
  • user impersonation


Impersonation techniques are often used for targeted phishing attacks known as spear-phishing, which are aimed at specific groups, individuals, or organizations. These attacks are customized and tend to leverage a sender or organization name that generates trust with the recipient. While spear-phishing is only a subset of phish, these campaigns are highly effective because of the trust users place in a known sender name or domain. The impersonated parties are also often individuals in highly placed positions, such as C-level executives, so the emails elicit a quick response and action from the recipient. Reducing the impact of these attacks is essential for protecting today’s enterprises.


Anti-Impersonation Enhancements in Office 365 Advanced Threat Protection

To understand the parameters included in our anti-impersonation capabilities, it’s important to understand the components of an email that serve as phish lures leading to user compromise. Figure 3 is a generic email in which we have identified several potential phish indicators: the sender address, the sender name, and all the links, including the ‘Pay Now’ image button. The links serve as phish lures that send end users to credential-harvesting websites. Impersonation can happen via domain impersonation or user impersonation. Domain impersonation occurs when a commonly used domain is imitated with a lookalike. For example, if the real domain is, a domain impersonation might be Ćó  The subtle difference between the two domains is often missed by an end user. User impersonation is also a frequently used tactic, where a sender email address is imitated. For example, if my email address is an impersonated form would be  Once more, the difference is subtle and often missed by the recipient.



Figure 3. Generic email with several phish indicators and potential phish lures


To mitigate the impact of email impersonation, Office 365 Advanced Threat Protection offers several powerful features that help block sophisticated impersonation attempts. We first improved the admin experience by creating a straightforward UI that makes it easy to create, update, and modify anti-impersonation settings.



Figure 4. Anti-Impersonation Policy UI


Administrators can create multiple anti-phishing policies and specify different impersonation settings in each. After naming the policy, the following two steps allow admins to add up to twenty users and twenty domains, respectively, in addition to the domains already defined in their tenant, for protection against impersonation. It is advisable to choose internal or external users in leadership roles, such as C-level executives or board members, whose authority can be leveraged to make recipients quickly respond to or act on a request. Choose domains that often interact with your organization, such as key suppliers. In the following tab, you can select the action taken when a specified user or domain is impersonated: the email can be redirected to other email addresses, moved to the ‘Junk’ mail folder, quarantined, or delivered with other email addresses added as Bcc. In this tab, you can also turn safety tips on or off for emails that contain unusual characters.



Figure 5. Choose Action For Impersonated Users or Domains


The next tab is ‘Mailbox Intelligence’.  Turning on this feature further enhances protection by applying our machine learning algorithms to better understand a user’s contact graph.  The contact graph is a map of all the people who are most likely to email a user based on historic mail flow patterns.  The contact graph evolves as it observes more mail flow information of a given user.  With ‘Mailbox Intelligence’ on, we are also able to better manage false positives for the end user.



Figure 6. User Contact Graph with known senders and unknown senders


The ‘Impersonation’ settings in the Anti-Phishing policy allow the administrator to whitelist users and domains that should be excluded from the impersonation evaluations. These are classified as ‘trusted’ senders and domains, and emails sent from them bypass all the impersonation settings. The Impersonation settings can be applied to, or have exceptions for, individuals, groups, or entire domains, which allows customization and scoping of the policy at a granular level. Be sure to read our suggested tips on optimizing your settings and familiarize yourself with the anti-impersonation configurations.
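To make the two impersonation types from the Figure 3 walkthrough and the policy knobs from this section concrete (protected users and domains, the chosen action, trusted-sender exclusions, and a contact-graph check standing in for Mailbox Intelligence), here is a toy evaluator written for this post. It is an added example, not Office 365 ATP code, and its matching rules are assumptions: lookalike characters are folded by stripping accents and mapping a few digits to letters, punycode domains are decoded first, and an edit distance of one counts as a "subtle difference". Every name, domain, address and message is a constructed sample.

```python
"""Toy anti-impersonation evaluator modelled on the policy settings described
in this post. Added illustration only, not Office 365 ATP code: the matching
rules (accent folding, an edit distance of one) are assumptions, and every
name, domain and message below is a constructed sample."""
import unicodedata
from dataclasses import dataclass, field

# Digits commonly swapped for letters in lookalike addresses (assumed list).
ASCII_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


@dataclass
class ImpersonationPolicy:
    protected_users: dict                               # display name -> legitimate address
    protected_domains: set                              # tenant domains plus key partner domains
    trusted_senders: set = field(default_factory=set)   # excluded from all impersonation checks
    trusted_domains: set = field(default_factory=set)
    action: str = "quarantine"                          # quarantine, junk, redirect, bcc ...


def fold(text: str) -> str:
    """Collapse 'unusual characters' to a plain form: strip accents
    (cóntoso -> contoso), lowercase, and map digit/letter lookalikes."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.lower().translate(ASCII_LOOKALIKES).replace("rn", "m").replace("vv", "w")


def decode_domain(domain: str) -> str:
    """Turn an IDNA/punycode domain (xn--...) back into Unicode; leave others unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a single edit is the 'subtle difference' a reader misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_sender(address: str) -> tuple:
    """Lowercase the address and decode its domain; returns (full_address, domain)."""
    local, _, domain = address.lower().rpartition("@")
    domain = decode_domain(domain)
    return f"{local}@{domain}", domain


def domain_impersonation(domain: str, policy: ImpersonationPolicy):
    """Return the protected domain a sender domain imitates, or None."""
    if domain in policy.protected_domains:
        return None                                     # the genuine domain
    folded = fold(domain)
    for legit in policy.protected_domains:
        if levenshtein(folded, fold(legit)) <= 1:       # cóntoso.com, c0ntoso.com, contoso.co ...
            return legit
    return None


def user_impersonation(display_name: str, sender: str, policy: ImpersonationPolicy):
    """Return the protected user a (normalized) sender imitates by name or lookalike address."""
    for name, legit in policy.protected_users.items():
        if sender == legit.lower():
            continue                                    # the real person
        if fold(display_name) == fold(name):
            return name                                 # same display name, different mailbox
        if levenshtein(fold(sender), fold(legit)) <= 1:
            return name                                 # e.g. ann.wr1ght@ for ann.wright@
    return None


def evaluate(message: dict, policy: ImpersonationPolicy, known_senders=frozenset()):
    """Apply the policy to one message's From header; returns (action, reason)."""
    sender, domain = normalize_sender(message["from"])
    if sender in policy.trusted_senders or domain in policy.trusted_domains:
        return "deliver", "trusted sender or domain bypasses impersonation checks"
    user = user_impersonation(message["display_name"], sender, policy)
    target = domain_impersonation(domain, policy)
    if user or target:
        # Stand-in for mailbox intelligence: a sender already in the recipient's
        # contact graph is treated as a namesake rather than an impersonator.
        if sender in known_senders:
            return "deliver", f"known correspondent {sender}, impersonation signal suppressed"
        return policy.action, (f"user impersonation of {user}" if user
                               else f"domain impersonation of {target}")
    return "deliver", "no impersonation indicators"


# Constructed policy and headers; the third sample carries the punycode form of cóntoso.com.
POLICY = ImpersonationPolicy(
    protected_users={"Ann Wright": "ann.wright@contoso.com"},
    protected_domains={"contoso.com"},
    trusted_senders={"alerts@partnerbank.example"},
    trusted_domains={"fabrikam.com"},
)
SAMPLES = [
    {"display_name": "Ann Wright", "from": "ann.wright@contoso.com"},
    {"display_name": "Ann Wright", "from": "ann.wright@webmail.example"},
    {"display_name": "Accounts Payable",
     "from": "billing@" + "cóntoso.com".encode("idna").decode("ascii")},
    {"display_name": "A. Wright", "from": "ann.wr1ght@contoso.com"},
    {"display_name": "Ann Wright", "from": "ann.wright@fabrikam.com"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], "->", evaluate(m, POLICY))
```

Running the block prints one verdict per sample: the genuine executive mail and the trusted partner domain are delivered, the same display name from a webmail account and the digit-for-letter address are quarantined as user impersonation, and the accented domain is quarantined as domain impersonation even though it arrived as punycode. Passing the webmail address in `known_senders` flips that verdict to deliver, which is the false-positive control the contact graph provides in the real product; a production filter would of course combine these signals with authentication results and reputation rather than act on edit distance alone.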


Send Us Your Feedback

We look forward to your feedback once you experience the new anti-impersonation capabilities of Office 365 Advanced Threat Protection. Your feedback enables us to continue improving and adding features that support the goal of making Office 365 ATP the premier advanced security service for Office 365. If you have not tried Office 365 ATP for your organization yet, you should begin a free Office 365 E5 Trial today and start securing your organization against the modern threat landscape. Part 2 of this series is coming soon, where we will overview another set of enhanced anti-phishing capabilities in Office 365 ATP.


Last update: May 11 2021 01:53 PM