Forum Discussion
Managing false negative and false positive emails concerning user impersonation
This brief guide addresses false negatives and false positives associated with "User impersonation."
Handling False Negatives
Administrator tasks:
Check for any misconfigurations that could lead to false negatives, such as incorrect settings, incomplete allow-listing, or policies not applied to the entire domain.
Configuration checks – Go to security.microsoft.com -> Email & collaboration -> Policies & rules -> Threat policies -> Configuration analyzer.
Fig 1.0
Check end user allow-listing:
Fig 1.1
Conduct a Threat Explorer search to identify the reason for the miss. Utilize the email entity page for a detailed analysis, as depicted in Fig 1.2.
Fig 1.2
End users’ responsibilities
Leverage the Report Message add-in to report the message as a false negative, as shown in Fig 1.3.
Fig 1.3
Best practices for managing user impersonation display names
Note: Changing the display name in the impersonation policy does not change the display name shown in the global address list.
Remove apostrophes from display names in the TargetedUsersToProtect list
The workaround is to add names to the policy without the apostrophe character. For instance, enter "Sam Dsouza;Sam.D'souza@contoso.com" instead of "Sam D'souza; Sam.D'souza@contoso.com" in the policy's TargetedUsersToProtect list. User impersonation automatically accounts for all combinations with special characters.
Remove suffixes from display names
As an example, for "Mahesh Kohli (IT)", exclude "(IT)" from the display name. It is preferable to include only the first name and last name.
Managing display names with short abbreviations in the TargetedUsersToProtect list
Avoid abbreviated names such as "S S Surname"; use the full name (first name, last name) instead. If abbreviated names are still required, move them to the end of the list: remove them from the list and then re-add them at the end.
Connect to Exchange Online Protection PowerShell; refer to Connect to Exchange Online PowerShell for more details.
Run the commands below in this sequence:
$a = Get-AntiphishPolicy -Identity "Office365 AntiPhish Default"
# Remove the abbreviated names if they are already present (no-op otherwise), then re-add them so they land at the end of the list
$a.TargetedUsersToProtect.Remove("Chee Lim;lim.bengchee@contoso.com")
$a.TargetedUsersToProtect.Remove("Beng Lim;lim.bengchee@contoso.com")
$a.TargetedUsersToProtect.Add("Chee Lim;lim.bengchee@contoso.com")
$a.TargetedUsersToProtect.Add("Beng Lim;lim.bengchee@contoso.com")
# Write the reordered list back to the same policy it was read from
Set-AntiphishPolicy -Identity "Office365 AntiPhish Default" -TargetedUsersToProtect $a.TargetedUsersToProtect
Run Get-AntiphishPolicy again to confirm that TargetedUsersToProtect includes the display names "BengChee Lim", "Beng Lim", and "Chee Lim", with the abbreviated entries at the end.
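As an added example (not from the original post or from Microsoft), the following PowerShell applies all three best practices above to an existing TargetedUsersToProtect list in one pass: it strips apostrophes, drops parenthesised suffixes, and moves abbreviated names to the end. Get-NormalizedTargetedUsers and Set-NormalizedImpersonationPolicy are hypothetical helper names, the sample entries are constructed, and the second function assumes an open Connect-ExchangeOnline session.

```powershell
# Normalise "Display Name;user@domain" entries per the best practices above.
# Hypothetical helper; entries come from a policy's TargetedUsersToProtect.
function Get-NormalizedTargetedUsers {
    param([string[]]$Entries)
    $regular = @(); $abbreviated = @()
    foreach ($entry in $Entries) {
        $name, $mail = $entry -split ';', 2
        if (-not $mail) { continue }                          # skip malformed entries
        $name = $name -replace "[\u2019']", ''                 # drop straight and curly apostrophes
        $name = ($name -replace '\s*\(.*?\)\s*', ' ').Trim()   # drop suffixes such as "(IT)"
        $name = $name -replace '\s+', ' '                      # collapse leftover whitespace
        $clean = "$name;$($mail.Trim())"
        # A single-letter word (e.g. "S S Surname") marks an abbreviated name: push it to the end
        if ($name -match '(^|\s)[A-Za-z]\.?(\s|$)') { $abbreviated += $clean } else { $regular += $clean }
    }
    # Regular names first, abbreviated last; duplicates produced by normalisation are dropped
    return @($regular + $abbreviated | Select-Object -Unique)
}

# Reads the policy, normalises the list and writes it back (requires Exchange Online PowerShell).
# The default policy name is used as a placeholder; pass your own policy name if different.
function Set-NormalizedImpersonationPolicy {
    param([string]$PolicyName = 'Office365 AntiPhish Default')
    $policy = Get-AntiphishPolicy -Identity $PolicyName
    $normalized = Get-NormalizedTargetedUsers -Entries $policy.TargetedUsersToProtect
    Set-AntiphishPolicy -Identity $PolicyName -TargetedUsersToProtect $normalized
}

# Constructed sample input; this part runs offline without touching a tenant
$sample = @(
    "Sam D'souza;sam.dsouza@contoso.com",
    "Mahesh Kohli (IT);mahesh.kohli@contoso.com",
    "S S Surname;ss.surname@contoso.com",
    "Jane Roe;jane.roe@contoso.com"
)
Get-NormalizedTargetedUsers -Entries $sample
```

Review the offline output before calling Set-NormalizedImpersonationPolicy, since the write replaces the whole list rather than appending to it.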
Handling false positives
View impersonation insight reports for user impersonation
Fig 2.0
Find out which impersonation detection was applied (graph-based/mailbox intelligence or user impersonation)
Fig 2.1
In Fig 2.1 above, the user type reads "Mailbox Intelligence" and the impersonated user field is blank, indicating that mailbox intelligence-based impersonation was applied.
To address false positives caused by graph-based impersonation (GIMP, i.e. mailbox intelligence), temporarily allow the sender in the trusted senders list, or encourage the recipient to initiate communication with the sender. This helps establish a contact graph, ensuring future emails are delivered to the inbox.
Fig 2.3
Fig 2.3 shows the process to allow a sender in the impersonation filter.