Turn on impersonation settings in ATP anti-phishing policies

Protect your business against scammers!

Root cause

Someone can pretend to be your CEO by email, for example:

From: Your CEO <your.ceo@gmail.com> or From: Y0ur CE0 <y0ur.ce0@gmail.com>
To: finance@yourcompany.com
Subject: Please make a quick payment

I do not have access to my work account right now. I need to make a payment for something important for our company. Please go to *link*.

Your CEO

Sent from iPhone

You should stay ahead of this and protect your key users with the impersonation setting in ATP anti-phishing policies.

Turn on impersonation

  1. Go to the Security & Compliance Center in Office 365 (protection.office.com)
  2. Open Threat Management
  3. Choose Policy -> ATP anti-phishing -> Create
  4. Name your policy, for example “your company – Impersonation setting”
  5. At “Applied to” choose yourdomain.com
  6. Save the policy
  7. Open the policy -> at impersonation -> click edit
  8. Add user to protect*
  9. Choose “Add user” -> your.ceo@yourdomain.com**
  10. Give the following Actions
    • If email is sent by an impersonated user
      • Quarantine the message
    • If email is sent by an impersonated domain
      • Quarantine the message
  11. Save the policy

*You can add up to 60 users in the “Add users to protect” section. If you enable mailbox intelligence based impersonation protection under “Mailbox intelligence”, all your users are protected. Keep in mind, though, that your users will then no longer be able to send email from their personal addresses to their work mailbox: with the action set to quarantine the message, they will have to release such messages from quarantine at https://protection.office.com/quarantine. With mailbox intelligence on, frequent contacts are also protected against impersonation.

**If your key user has a valid email address other than their business email, you can exclude that address from this policy.

Never exclude whole domains like gmail.com, hotmail.com etc.
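The same policy built from Exchange Online PowerShell instead of the portal, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed; your.ceo@yourdomain.com and yourdomain.com are the placeholders from the steps above, and ceo.personal@example.com stands in for the key user's legitimate personal address from footnote **.

```powershell
# Added example: the impersonation policy from the steps above, created with
# Exchange Online PowerShell. All addresses and domain names are placeholders.
Connect-ExchangeOnline

$policyName = "your company - Impersonation setting"

# Step 9: users to protect, in the "DisplayName;EmailAddress" form the cmdlet expects.
$protectedUsers = @(
    "Your CEO;your.ceo@yourdomain.com"
)

# Footnote **: the CEO's real personal address (placeholder) is excluded so mail
# from it is not quarantined as impersonation. Whole domains such as gmail.com
# must never go into -ExcludedDomains.
$trustedSenders = @("ceo.personal@example.com")

# Step 10: quarantine mail from impersonated users and impersonated domains.
# -EnableOrganizationDomainsProtection covers the domains your tenant owns
# (assumption: the portal's "include the domains I own" option).
New-AntiPhishPolicy -Name $policyName `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -ExcludedSenders $trustedSenders
# Footnote *: to protect every user via mailbox intelligence, add
# -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine
# and expect personal-to-work mail to land in quarantine.

# Step 5 ("Applied to"): bind the policy to recipients in yourdomain.com.
New-AntiPhishRule -Name "$policyName rule" `
    -AntiPhishPolicy $policyName `
    -RecipientDomainIs "yourdomain.com"

# Check: confirm the protected list, actions and exclusions came out as intended.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, EnableTargetedUserProtection, TargetedUsersToProtect,
        TargetedUserProtectionAction, EnableOrganizationDomainsProtection,
        TargetedDomainProtectionAction, EnableMailboxIntelligence, ExcludedSenders
```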
