Anti-Phishing
Anti-Phishing > Impersonation Insights inaccuracy
Working with a client who is piloting Standard Preset Policies. We have not added any Users to Protect. We have added "owned domains" to the Domains to Protect list. No other anti-phish policies in the tenant have any users listed in Users to Protect. I repeat, zero policies have any users listed in Users to Protect, none, zero.

In Impersonation Insights (https://security.microsoft.com > Email & Collaboration > Threat Policies > Anti-Phishing > Impersonation Insights), we have 2 listed in the "Users" tab: And in the details pane for either message, we see this:

I can't find anywhere in documentation that explains why this would happen. It seems as though our user is being treated as a "Protected User", yet we've not added this user to any Anti-Phish policy's "Users to Protect" list. We DO have mailbox and impersonation intelligence enabled on the policies. When I read up on Mailbox Impersonation setting, I see this note:

The question I have is this - when Mailbox Intelligence identifies a message as impersonation, and when the impersonated user is NOT a protected user, is this enough to trick Impersonation Insight into pretending as though the impersonated user is a Protected User?