Feb 13 2018
- last edited on
Feb 19 2021
We are configuring the Anti-Phishing Policy in Security & Compliance Center . There is an option to "Add users to protect". Understand we could use this option to target VIP users. But if we need to target this policy to all users in the tenant (i.e. Default policy), can we leave ""Add users to protect"" option empty and configure "Add domains to protect" option and "Applied to" option to include all our domains. ? Would that apply Anti-Phishing protection to all our users and domains ? Otherwise we will require multiple policies to cover all users and there 30K mailboxes in the cloud.
Feb 13 2018 11:37 PM
According to the last example in this article, it should be possible to create a policy that covers all users. I agree though, neither the UI nor the documentation are very intuitive, let me ask around...
Feb 14 2018 06:08 PMSolution
The new Anti-Phishing policy is about:
1. Protecting your accepting domains from look-alikes and impersonation attacks
2. Protecting your targeted high profile users from impersonation and look alike attacks.
So in users to Protect, you should specify, you should specify the users/their email addresses that you want to do a impersonation check on
In domains to protect, we already include your accepting domains by default, but you can add other partner domains as well.
Finally, you can configure your action to TIP ( we recommend starting with a tip) and then graduate to junking/quarantine.
You can apply this policy to everyone in your organization.
So for example, you can create a policy that checks against look-alike attacks against your CEO's name and assign that policy to all users in your org (though applied to setting).
Hope this helps.
Abhishek Agrawal, Principal PM Lead, Office 365 [MSFT]
Apr 06 2018 07:36 AM
I need notifications on quarantines. I find that I forget to check it often. Any way to set this up?
Apr 09 2018 01:26 PM
Apr 09 2018 01:59 PM
Yes, Sir. I find them by going into the S&C center, clicking on review, then quarantine, then switching the filter to phish.
I don't see a way to set the notifications and quarantine option in the rules, it seems to be either or.
Sep 13 2018 09:01 AM
How long do changes made to the anti-phishing policy take to take effect?
Sep 13 2018 09:23 AM
What is the difference between anti-spoofing protection and impersonation within the antiphishing policy configuration options? Isn't spoofing the same thing?
Mar 27 2019 06:05 PM
The post you had here is quite old but to answer for the quarantine notification, you'd need to set it on the EOP Spam filtering end user notification. EOP spam quarantine and ATP Anti-Phishing quarantine would appear to be in the same quarantine and the end user notification would just give the notification message every 3 days. It won't be any difference whether the spam filter quarantine or anti-phishing quarantine, the notification will just send the list of messages in quarantine.
The catch is that you need to set your spam filter for quarantine as well.