Hey there, fellow tech aficionados! Steve here, back with another insightful blog post. Today, we’re diving deep into the realm of Microsoft Defender to explore a crucial recommended action: ensuring that intelligence for impersonation protection is enabled. This often-overlooked aspect of cybersecurity plays a pivotal role in safeguarding your digital ecosystem against sophisticated threats.

Throughout this post, I’ll be your guide as we navigate the intricacies of this recommended action. From breaking down the concept of impersonation protection intelligence to providing step-by-step guidance on how to implement it effectively, I’m here to demystify the process. Whether you’re a seasoned IT professional seeking to bolster your organization’s defenses or an enthusiast eager to delve into the world of cybersecurity, I’m confident you’ll find value and clarity in the insights shared here. So, buckle up and join me on this journey as we empower ourselves with knowledge and take proactive steps towards enhancing our security posture. Let’s dive in!

Recommended action

Ensure that intelligence for impersonation protection is enabled

Microsoft Security Score

Before Mitigation:

After Mitigation:

Secure Score Improvement: +0.76%

General

Description

Enables enhanced impersonation results based on each user’s individual sender map and allows you to define specific actions for impersonated messages.

This setting is available only if ‘Enable mailbox intelligence’ is selected.

Implementation status

100% of users are affected by policies that are configured less securely than is recommended

  • Office365 AntiPhish Default – 1 users (100%)

Implementation

Prerequisites

You have Microsoft Defender for Office 365 P1.

Next steps

Ensure that all users have an assigned anti-phishing policy with ‘Enable mailbox intelligence’ and ‘Enable intelligence for impersonation protection’ options enabled, by either updating your existing policies or creating new ones.

Learn more

Configure anti phishing policies in EOP | Microsoft Docs

Mitigation

Please reference the “Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365” document link below for further information.

Anti-phishing policies | Microsoft Learn

1. Launch Edge Chromium browser.

2. Enter https://security.microsoft.com in the browser’s Address bar.

3. You land on the Microsoft Defender Portal Homepage.

4. On the left-side Menu Bar, navigate to “Email & collaboration”.

5. Proceed to “Policies & rules”, then <click> “Threat policies”.

6. At “Threat policies”, <click> “Anti-phishing”.

7. Landing on the Anti-phishing page, we will create an anti-phishing policy named “Enable Impersonation Protection Features”.

8. <click> Create

9. At Policy name, enter the Policy name Enable Impersonation Protection Features.

10. In the Description field, enter: Mitigation of “Ensure that intelligence for impersonation protection is enabled” Security Score discovered weakness.

11. <click> Next.

12. At Users, groups and domains, drop down to Domains and enter contoso.com. (Note: Options to include Users and Groups are also available.)

13. <click> Next.

14. At Phishing threshold and protection

15. Check the Checkboxes Enable domains to protect (1), Include domains I own, Enable Intelligence for impersonation protection (Recommended), and Enable spoof intelligence (Recommended).

16. <click> Next.

17. You land on the Actions screen

18. Here we complete the identified fields as shown below.

19. <click> Next.

20. We review our Inputs and <click> Submit.

21. A Confirmation message is received.

22. <click> Done.

23. The new policy now appears in the “Anti-phishing” policy listing.

24. After a twenty-four (24) hour period when the Anti-phishing Policy Enable Impersonation Protection Features went into effect, two (2) significant changes were reflected:

- The Microsoft Secure Score grew from ‘54.63%’ to ‘63.61%’ (+8.98).

- The original discovery and “Rank” of “Ensure that intelligence for impersonation protection is enabled” went from ‘18’ to ‘99’.

Note: The lower the “Rank” number, the higher the urgency to perform corrective action.
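
The same setting can be checked from Exchange Online PowerShell. The following is an added example, not part of the original walkthrough: it audits anti-phishing policy objects for the two options this recommendation depends on. `Test-ImpersonationIntelligence` is a hypothetical helper name, the sample policy objects are constructed, and `Quarantine` is an assumed action choice; the property names are those returned by `Get-AntiPhishPolicy`.

```powershell
# Added example: audit anti-phishing policies for the impersonation-intelligence setting.
# Test-ImpersonationIntelligence is a hypothetical helper; it only reads properties that
# Get-AntiPhishPolicy (ExchangeOnlineManagement module) returns on each policy object.
function Test-ImpersonationIntelligence {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Policy
    )
    process {
        $issues = @()
        # 'Enable mailbox intelligence' is the prerequisite for the impersonation setting.
        if (-not $Policy.EnableMailboxIntelligence) {
            $issues += 'Mailbox intelligence is off (prerequisite)'
        }
        if (-not $Policy.EnableMailboxIntelligenceProtection) {
            $issues += 'Intelligence for impersonation protection is off'
        }
        elseif ($Policy.MailboxIntelligenceProtectionAction -eq 'NoAction') {
            # Detection is on, but nothing happens to the impersonated message.
            $issues += 'No action is applied to impersonated messages'
        }
        [pscustomobject]@{
            Policy    = $Policy.Name
            Compliant = ($issues.Count -eq 0)
            Issues    = $issues -join '; '
        }
    }
}

# Constructed sample objects so the check runs without a tenant connection.
$sample = @(
    [pscustomobject]@{ Name = 'Office365 AntiPhish Default'
        EnableMailboxIntelligence = $true; EnableMailboxIntelligenceProtection = $false
        MailboxIntelligenceProtectionAction = 'NoAction' }
    [pscustomobject]@{ Name = 'Enable Impersonation Protection Features'
        EnableMailboxIntelligence = $true; EnableMailboxIntelligenceProtection = $true
        MailboxIntelligenceProtectionAction = 'Quarantine' }   # assumed action
)
$sample | Test-ImpersonationIntelligence | Format-Table -AutoSize -Wrap

# Against a live tenant (after Connect-ExchangeOnline):
#   Get-AntiPhishPolicy | Test-ImpersonationIntelligence
# Updating an existing policy instead of creating a new one (action is an assumption):
#   Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
#       -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
#       -MailboxIntelligenceProtectionAction Quarantine
```

Running the audit again after a policy change confirms the setting without waiting for Secure Score to refresh.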

I hope you enjoyed this post.

Steve