Office 365 Will Help Admins Find Impersonation Attack Targets
Microsoft will make it easier for Defender for Office 365 customers to identify users and domains targeted in impersonation-based phishing attacks, as recently revealed on the Microsoft 365 roadmap.
Defender for Office 365 (previously known as Office 365 Advanced Threat Protection) protects the emails of Office 365 enterprise accounts from various threats including but not limited to credential phishing and business email compromise.
Impersonation happens when a threat actor uses a sender or domain in an email message designed to closely resemble a real sender or domain ([email protected] instead of [email protected] and ćóntoso.com instead of contoso.com).
Impersonation attacks take advantage of this tactic with the end goal of deceiving recipients into believing that the email they just read comes from a trusted source.
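An added example, not from the article and not Microsoft's detection logic: a minimal Python check that flags sender domains resembling a protected domain. It covers the accented-character case above (ćóntoso.com) and, going slightly beyond it, punycode-encoded and one-character-typo variants. The protected-domain list and the verdict names are assumptions made for the illustration.

```python
import unicodedata

# Assumption for this example: the domains the organization wants protected.
PROTECTED_DOMAINS = {"contoso.com"}

def to_unicode(domain):
    """Decode punycode (xn--) labels so IDN lookalikes are compared as text."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA: compare as-is

def skeleton(domain):
    """Lowercase and strip combining marks: 'ćóntoso.com' -> 'contoso.com'."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(domain).lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender_domain, protected=PROTECTED_DOMAINS):
    """Return (verdict, protected_domain) for one sender domain."""
    plain = to_unicode(sender_domain).lower()
    if plain in protected:
        return ("legitimate", plain)
    skel = skeleton(sender_domain)
    for target in sorted(protected):
        if skel == target:
            # Same letters once accents are removed: visual lookalike.
            return ("lookalike-characters", target)
        if edit_distance(skel, target) <= 1:
            # One inserted, deleted or substituted character.
            return ("lookalike-typo", target)
    return ("unrelated", None)
```

Stripping combining marks catches accented lookalikes only; cross-script homoglyphs (for example a Cyrillic letter in place of a Latin one) need a confusables table.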
New impersonation detection filters
Security admins will be able to use new filters dubbed Impersonated user and Impersonated domain together with the Threat Explorer and real-time detections to detect organization users and domains targeted in impersonation attacks.
These filters add to already present capabilities that make it possible to get a list of phishing emails caught by Defender for Office 365’s existing impersonation detection filters.
“Today we provide filters for Detection Technology with User impersonation or Domain impersonation which show all Phish emails caught by our impersonation detection,” Microsoft explains.
“We are adding new filters called Impersonated user and Impersonated domain to enable Security Operations teams to explicitly hunt for specific users or domains within their organization that are targets of impersonation attacks.”
The new information will be available for security team admins via the Impersonation insight pages as well as on a newly added Email Entity page.
Microsoft Defender for Office 365 support for hunting impersonated domains and users is still in development.
However, Microsoft is working on making it generally available worldwide in all environments, to all Microsoft Defender for Office 365 users, by the end of February.
Impersonation protection not enabled by default
Even though Microsoft Defender for Office 365 comes with built-in anti-phishing protection, impersonation protection is not configured or enabled in the default policy.
To take advantage of the new capabilities, admins also have to enable the impersonation protection features by modifying the default anti-phishing policy settings.
Later this month, Microsoft will also start to notify users of Microsoft Defender for Office 365 of suspected nation-state hacking activity detected within their tenants.
The company also added priority protection for accounts of high-profile employees including executive-level managers who are frequently targeted in attacks.