Microsoft 365 Security and Compliance Update – March 2024

Dear Valued Customers,

Welcome to the latest edition of our Microsoft 365 Security and Compliance Update. As part of our ongoing commitment to transparency, we are excited to share our recent enhancements and activities to ensure your Microsoft 365 tenants remain secure and compliant.

In these updates, we delve into the continuous improvements and proactive measures we’ve implemented across our suite of services. Our goal is to provide you with insights into the tireless work our teams perform behind the scenes to safeguard your data and uphold the highest compliance standards.

Stay tuned as we explore these updates in detail, and as always, we appreciate your trust in Microsoft 365 as your secure and compliant productivity solution.

Best Regards,
The Global Micro Solutions Microsoft 365 Security and Compliance Team

March 2024 – Impersonation Protection in Defender for Office 365

Background

Microsoft Defender for Office 365 extends the anti-phishing protection that Exchange Online Protection provides on its own. On top of EOP's spoof intelligence and standard email authentication checks, it adds impersonation protection for named users and domains, mailbox intelligence that uses machine learning to learn each user's normal correspondents and flag senders who fall outside that pattern, and configurable phishing thresholds that control how aggressively suspicious messages are treated. Together these give a more complete defense against targeted phishing than EOP alone.

How do threat actors trick users with impersonation?

Impersonation is when the sender address of an email message looks similar to a real or expected sender's address without actually being that address. Attackers use impersonated sender addresses in phishing and other attacks to gain the recipient's trust. There are two basic types of impersonation:

Domain impersonation: Contains subtle differences in the domain. For example, lila@ćóntoso.com impersonates lila@contoso.com (the accented ć and ó pass for c and o at a glance).

User impersonation: Contains subtle differences in the local part (alias) of the address. For example, rnichell@contoso.com impersonates michelle@contoso.com (the letters rn look like m in many fonts).

Domain impersonation differs from domain spoofing. A spoofed message claims to come from your real domain without authorization, whereas an impersonated domain is usually a real, registered lookalike that the attacker controls. Because the attacker owns that domain, they can publish valid SPF and DKIM records for it and pass DMARC, so messages from it pass the email authentication checks (SPF, DKIM and DMARC) that would otherwise identify a plain spoof.
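To make the two impersonation types concrete, the following is an added example written for this newsletter; it is not code from the newsletter and it is not how Defender for Office 365 implements its own checks. It folds each address (strips accents, collapses common confusables such as rn for m) and then measures how far the result is from the protected users and domains. The protected lists, the sample senders and the distance threshold are constructed test data.

```powershell
# Added example, not part of the newsletter and not Microsoft's implementation:
# a small lookalike checker for the two impersonation types described above.
# Protected users, domains and sender addresses below are constructed test data.

function ConvertTo-FoldedString {
    param([Parameter(Mandatory)][string]$Text)
    # Decompose accented letters (ć -> c + combining acute) and drop the combining marks,
    # so ćóntoso.com folds to contoso.com.
    $decomposed = $Text.Normalize([Text.NormalizationForm]::FormD)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $decomposed.ToCharArray()) {
        $cat = [Globalization.CharUnicodeInfo]::GetUnicodeCategory($ch)
        if ($cat -ne [Globalization.UnicodeCategory]::NonSpacingMark) { [void]$sb.Append($ch) }
    }
    $folded = $sb.ToString().ToLowerInvariant()
    # Collapse common ASCII confusables: rnichell -> michell, vvilson -> wilson, c0ntoso -> contoso.
    return $folded -replace 'rn', 'm' -replace 'vv', 'w' -replace '0', 'o' -replace '1', 'l'
}

function Get-EditDistance {
    # Plain Levenshtein distance between two strings.
    param([string]$A, [string]$B)
    $d = New-Object 'int[,]' -ArgumentList ($A.Length + 1), ($B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$A.Length, $B.Length]
}

function Test-Impersonation {
    param(
        [Parameter(Mandatory)][string]$Sender,
        [string[]]$ProtectedUsers,
        [string[]]$ProtectedDomains,
        [int]$MaxDistance = 1     # illustrative threshold; raise it and false positives rise with it
    )
    $findings = @()
    $senderDomain = $Sender.Split('@')[-1].ToLowerInvariant()
    $foldedSender = ConvertTo-FoldedString $Sender
    $foldedDomain = ConvertTo-FoldedString $senderDomain

    # Domain impersonation: a different domain that folds to, or sits one edit away from, a protected one.
    foreach ($pd in $ProtectedDomains) {
        if ($senderDomain -eq $pd.ToLowerInvariant()) { continue }   # the real domain; spoofing it is SPF/DKIM/DMARC's job
        if ((Get-EditDistance $foldedDomain (ConvertTo-FoldedString $pd)) -le $MaxDistance) {
            $findings += "domain impersonation of $pd"
        }
    }
    # User impersonation: a different address that folds close to a protected user's address.
    foreach ($pu in $ProtectedUsers) {
        if ($Sender -eq $pu) { continue }   # string -eq is case-insensitive in PowerShell
        if ((Get-EditDistance $foldedSender (ConvertTo-FoldedString $pu)) -le $MaxDistance) {
            $findings += "user impersonation of $pu"
        }
    }
    return ,$findings
}

# Constructed test data.
$protectedUsers   = @('lila@contoso.com', 'michelle@contoso.com')
$protectedDomains = @('contoso.com', 'fabrikam.com')
$samples = @(
    'lila@ćóntoso.com',          # domain impersonation (homoglyphs)
    'rnichell@contoso.com',      # user impersonation (rn for m)
    'invoices@fabrlkam.com',     # domain impersonation (l for i)
    'michelle@contoso.com',      # the real user: not impersonation
    'news@fabrikam-events.com'   # unrelated domain: too far away to flag
)
foreach ($s in $samples) {
    $hits = Test-Impersonation -Sender $s -ProtectedUsers $protectedUsers -ProtectedDomains $protectedDomains
    if ($hits.Count -gt 0) { "FLAG  $s -> $($hits -join '; ')" } else { "ok    $s" }
}
```

The homoglyph sample trips both checks (its domain is a lookalike and the whole address folds to lila's real address), which is the right outcome: the message is impersonating both the domain and the person. Two practical notes: save the script as UTF-8 with a byte-order mark so Windows PowerShell 5.1 reads the accented literals correctly, and remember that on the wire such domains travel in Punycode (xn--...), so decode them to their Unicode form before folding if you feed real headers into a check like this.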

How do you prepare for Impersonation Protection?

There are three steps to enabling Impersonation Protection, and each one is a list we need from you.

  1. Select the internal or external email addresses of top-level executives, board members, and others in key roles whom attackers are likely to impersonate (Defender allows up to 350 protected users per policy, so focus on the people whose name carries authority).
  2. Identify the domains to protect: the custom domains your organization owns, and the domains of key suppliers and partners, so that lookalikes of those domains are detected when attackers use them.
  3. List the individual senders, and the whole domains, that should be excluded from impersonation checks and never flagged as impersonation. These senders remain subject to every other filter (spam, malware, spoof intelligence); only the impersonation check is bypassed. Typical entries are services such as DocuSign and Adobe Sign that send mail on behalf of your users. Keep this list as short as possible, because every entry is a gap in the protection.
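For customers who manage their own tenant, here is the same three-step configuration expressed in Exchange Online PowerShell. This is an added example written for this newsletter, not a script from Global Micro Solutions or from Microsoft; it uses the documented New-AntiPhishPolicy and New-AntiPhishRule cmdlets from the ExchangeOnlineManagement module, and every name, address and domain in it is a placeholder you would replace with your own.

```powershell
# Added example, not part of the newsletter: builds a custom anti-phishing policy that
# applies the three inputs above with Exchange Online PowerShell (ExchangeOnlineManagement
# module, Defender for Office 365 licence required). Every name, address and domain below
# is a placeholder; replace them with your own.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com    # interactive sign-in (placeholder account)

$policyName = 'Impersonation protection - contoso.com'

# Step 1: people attackers are likely to impersonate, as 'DisplayName;EmailAddress' pairs
# (limit of 350 protected users per policy).
$protectedUsers = @(
    'Lila Kaplan;lila@contoso.com',          # placeholder executive
    'Michelle Nguyen;michelle@contoso.com'   # placeholder executive
)

# Step 2: partner and supplier domains to protect. Your own accepted domains are covered
# separately by EnableOrganizationDomainsProtection below.
$protectedDomains = @('fabrikam.com', 'tailspintoys.com')   # placeholders

# Step 3: legitimate services that send on behalf of your users and must never be
# flagged as impersonation (they are still scanned by every other filter).
$trustedSenders = @('notifications@example-esign.com')        # placeholder
$trustedDomains = @('example-esign.com', 'example-sign.net')  # placeholders

New-AntiPhishPolicy -Name $policyName -Enabled $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $protectedDomains `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -ExcludedSenders $trustedSenders `
    -ExcludedDomains $trustedDomains `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -PhishThresholdLevel 2

# A policy does nothing until a rule scopes it to recipients.
New-AntiPhishRule -Name $policyName -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'contoso.com' -Priority 0

# Check: read the settings back rather than assuming the commands applied what you intended.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, EnableTargetedUserProtection, TargetedUsersToProtect,
                  EnableTargetedDomainsProtection, TargetedDomainsToProtect,
                  ExcludedSenders, ExcludedDomains, PhishThresholdLevel |
    Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats before running something like this. If the Standard or Strict preset security policy already applies to these recipients, it takes priority over any custom policy, so the protected users and domains must be entered in the preset's own impersonation settings instead. And the actions chosen here (Quarantine for user and domain impersonation, junk folder for mailbox intelligence) are a starting point; review the quarantine after a week of live mail before tightening further.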

Is there a cost to enabling this capability?

This capability is part of Microsoft Defender for Office 365 and is included at no additional charge in M365 Security and Compliance Plan 1 and Plan 2.

When will this change be rolled out to your Microsoft Tenant?

The feature is available immediately. Log a support call with support@globalmicro.co.za and include the three lists described above (protected users, protected domains, and trusted senders and domains).

Contact Us

For more information about our products and services, send us your details and one of our agents will reach out to you.