Microsoft 365

Turn on impersonation settings in ATP anti-phishing policies

Protect your business against scammers!

Root cause

Someone can pretend to be your CEO by email, for example:

From: Your CEO <> or From: Your CEO <>
Subject: Please make a quick payment


I do not have access to my work account right now. I need to make a payment for something important for our company. Please go to *link*.


Your CEO

Sent from iPhone

You should be ahead of this and protect your key users with this setting in ATP anti-phishing policies.

Turn on impersonation

  1. Login:
  2. Open your anti-phishing policy
  3. Under ‘Phishing threshold & protection’
    • Edit protection settings
  4. Enable users to protect
    • Add your CEO and other key users.
      • If your CEO or key users have a personal and valid address, you could add this to trusted senders.
  5. Enable domains to protect
  6. Save
  7. Under ‘Actions’
    • Edit actions
  8. Set the following actions
    • If email is sent by an impersonated user
      • Quarantine the message
    • If email is sent by an impersonated domain
      • Quarantine the message
  9. Save the policy


Your key users and your domain are now protected against impersonations such as the examples below.

  • An example impersonation of the user is
  • An example impersonation of the domain is ćó

You could also choose to turn on ‘Mailbox intelligence’ in the above anti-phishing policy, which I really recommend doing, because mailbox intelligence uses the content of the mailbox to determine phishing. For example:

You frequently get mail from:, and the other day you get an email from: which is maybe not the real Bill Gates. To protect against this behavior, you can send those emails to the quarantine, where your end user can release them. If there is frequent contact via the other email address, it will be considered a safe sender by mailbox intelligence.

As I already said, mailbox intelligence uses the content of the mailbox: if another user in the same tenant has never emailed with Bill, then the email from will not be flagged.
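
The portal steps above, together with the optional mailbox intelligence setting, can also be applied and verified from Exchange Online PowerShell. This is an added example, not part of the original post; the policy name and the addresses are placeholders, and mapping step 5 to `EnableOrganizationDomainsProtection` (the domains you own) is an assumption.

```powershell
# Requires the ExchangeOnlineManagement module and rights to edit anti-phishing policies.
Connect-ExchangeOnline

# Assumption: you are editing the built-in default policy; replace with your policy's name.
$PolicyName = 'Office365 AntiPhish Default'

# Placeholders (constructed): "Display Name;address" pairs for the key users to protect.
$KeyUsers = @(
    'Your CEO;ceo@example.com',
    'Your CFO;cfo@example.com'
)

# Desired state for steps 4-8, plus mailbox intelligence.
$Desired = @{
    EnableTargetedUserProtection        = $true         # step 4: users to protect
    EnableOrganizationDomainsProtection = $true         # step 5: domains to protect (assumed: owned domains)
    TargetedUserProtectionAction        = 'Quarantine'  # step 8: impersonated user
    TargetedDomainProtectionAction      = 'Quarantine'  # step 8: impersonated domain
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'
}

# Optional (step 4, sub-item): a key user's valid personal address goes in -ExcludedSenders.
Set-AntiPhishPolicy -Identity $PolicyName -TargetedUsersToProtect $KeyUsers @Desired

# Read the policy back and list every setting that differs from the desired state.
$Policy = Get-AntiPhishPolicy -Identity $PolicyName
$Drift = foreach ($Name in $Desired.Keys) {
    if ("$($Policy.$Name)" -ne "$($Desired[$Name])") {
        [pscustomobject]@{ Setting = $Name; Expected = $Desired[$Name]; Actual = $Policy.$Name }
    }
}

# Key users that are not on the protected list after the change.
$Missing = $KeyUsers | Where-Object { $_ -notin $Policy.TargetedUsersToProtect }

if ($Drift -or $Missing) {
    $Drift | Format-Table -AutoSize
    $Missing | ForEach-Object { Write-Warning "Not protected: $_" }
} else {
    Write-Output "Impersonation protection is configured as intended on '$PolicyName'."
}
```

Running only the read-back half on a schedule gives a simple check that nobody has switched the impersonation actions away from quarantine.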
