Default Anti-phishing with Office 365 ATP for all users?


We are configuring the Anti-Phishing Policy in Security & Compliance Center. There is an option to "Add users to protect". Understand we could use this option to target VIP users. But if we need to target this policy to all users in the tenant (i.e. Default policy), can we leave the "Add users to protect" option empty and configure the "Add domains to protect" option and "Applied to" option to include all our domains? Would that apply Anti-Phishing protection to all our users and domains? Otherwise we will require multiple policies to cover all users and there are 30K mailboxes in the cloud.



13 Replies

According to the last example in this article, it should be possible to create a policy that covers all users. I agree though, neither the UI nor the documentation are very intuitive, let me ask around...

best response confirmed by Mohan Seenippandian (Occasional Contributor)

Hello Mohan,

The new Anti-Phishing policy is about:

1. Protecting your accepting domains from look-alikes and impersonation attacks

2. Protecting your targeted high profile users from impersonation and look-alike attacks.


So in users to protect, you should specify the users/their email addresses that you want to do an impersonation check on.

In domains to protect, we already include your accepting domains by default, but you can add other partner domains as well.


Finally, you can configure your action to TIP (we recommend starting with a tip) and then graduate to junking/quarantine.


You can apply this policy to everyone in your organization.


So for example, you can create a policy that checks against look-alike attacks against your CEO's name and assign that policy to all users in your org (through the "Applied to" setting).


Hope this helps.



Abhishek Agrawal, Principal PM Lead, Office 365 [MSFT]
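
The configuration described in the reply above, sketched as an added PowerShell example that is not part of the original thread or the reply author's own code: one policy that checks impersonation of a named high-profile user, covers the tenant's accepted domains, starts with safety tips only, and is applied to all recipients. It assumes an existing Exchange Online PowerShell session and the current `New-AntiPhishPolicy` / `New-AntiPhishRule` cmdlets; the policy name, display name and address are placeholders.

```powershell
# Added example. Assumes Connect-ExchangeOnline has already been run.
# Policy name, display name and address below are placeholders.
$policyName = 'Org-wide impersonation protection'

# "Applied to": scope the rule to every accepted domain so that all
# mailboxes in the tenant are covered by this single policy.
$acceptedDomains = (Get-AcceptedDomain).DomainName

# "Users to protect" lists only the identities to check for impersonation
# (format: "DisplayName;EmailAddress"), not the recipients being protected.
New-AntiPhishPolicy -Name $policyName `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect 'Example CEO;ceo@contoso.example' `
    -EnableOrganizationDomainsProtection $true `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -TargetedUserProtectionAction NoAction `
    -TargetedDomainProtectionAction NoAction

# The rule binds the policy to its recipients.
New-AntiPhishRule -Name $policyName `
    -AntiPhishPolicy $policyName `
    -RecipientDomainIs $acceptedDomains

# Confirm the scope and the current actions.
Get-AntiPhishRule -Identity $policyName |
    Format-List Name, State, RecipientDomainIs
Get-AntiPhishPolicy -Identity $policyName |
    Format-List TargetedUsersToProtect, TargetedUserProtectionAction,
                TargetedDomainProtectionAction

# After reviewing the tip-only phase, graduate to quarantine:
# Set-AntiPhishPolicy -Identity $policyName `
#     -TargetedUserProtectionAction Quarantine `
#     -TargetedDomainProtectionAction Quarantine
```
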

Thanks for tuning in Abhishek!

Thanks Abhishek.

I need notifications on quarantines. I find that I forget to check it often. Any way to set this up?

Hey Robert,

The only method I've come to know as far as receiving a notification for the anti-phishing policy is setting the policy to set the action to "Redirect message to other email address". Although it's been on for weeks, and I have yet to receive an "alert". Have emails been sent to your quarantine?

Yes, Sir. I find them by going into the S&C center, clicking on review, then quarantine, then switching the filter to phish.


I don't see a way to set the notifications and quarantine option in the rules, it seems to be either or.

Yep, this is what I've found as well.

How long do changes made to the anti-phishing policy take to take effect?


What is the difference between anti-spoofing protection and impersonation within the antiphishing policy configuration options? Isn't spoofing the same thing?

I found that it takes 30 minutes.

@Jordan Moore 

The post you had here is quite old, but to answer for the quarantine notification, you'd need to set it on the EOP Spam filtering end user notification. EOP spam quarantine and ATP Anti-Phishing quarantine would appear to be in the same quarantine and the end user notification would just give the notification message every 3 days. It won't make any difference whether it's the spam filter quarantine or anti-phishing quarantine; the notification will just send the list of messages in quarantine.


The catch is that you need to set your spam filter for quarantine as well.