Office 365 Anti-Phishing Policy: How to Configure It
Key Takeaways
- Microsoft 365 includes a default anti-phishing policy that provides basic protection against spoofing and phishing attacks.
- Advanced features like impersonation protection, mailbox intelligence, and customizable detection thresholds require Microsoft Defender for Office 365.
- Microsoft recommends increasing the phishing threshold from Standard (Level 1) to Aggressive (Level 2) for stronger protection.
- Anti-phishing policies secure inbound email, but DMARC is still needed to prevent attackers from spoofing your domain and targeting external recipients.
Microsoft 365 (Office 365) ships with built-in anti-phishing protection, but most organizations run on the default configuration, and the defaults leave significant gaps for attackers to exploit. To secure your tenant effectively, you need to understand exactly what Microsoft’s policy covers, where it falls short, and how to tune the settings.
What Is the Office 365 Anti-Phishing Policy?
The Office 365 anti-phishing policy is a core security control within Exchange Online Protection (EOP) and Microsoft Defender, designed to detect and block inbound phishing emails. A basic default anti-phishing policy exists in every Microsoft 365 tenant and applies automatically to all recipients. Out of the box, you receive baseline security without needing to activate the protection manually.
This default policy covers essential capabilities, including:
- Spoof intelligence: Identifying inbound messages whose From domain fails composite authentication (SPF, DKIM and DMARC results combined with Microsoft’s own sender signals), so that spoofed senders can be reviewed and explicitly allowed or blocked.
- First contact safety tips: Warning users when they receive a message from a sender they do not regularly communicate with.
- Unauthenticated sender indicators: Displaying a question mark (?) in Outlook in place of the sender’s photo or initials when the sender’s identity cannot be verified.
However, advanced detection mechanisms require higher licensing tiers. Features like user impersonation protection, domain impersonation protection, mailbox intelligence, and adjustable phishing thresholds are locked behind advanced plans.
Microsoft 365 Security Licensing Overview
To identify what is available in your tenant, use this summary of the features this article covers and the licenses that include them:
- Exchange Online Protection (EOP), included with every Microsoft 365 subscription that has Exchange Online mailboxes: the default anti-phishing policy with spoof intelligence, first contact safety tips, and unauthenticated sender indicators.
- Microsoft Defender for Office 365 Plan 1 or Plan 2 (Plan 1 is included in Microsoft 365 Business Premium; Plan 2 is included in Microsoft 365 E5 and Office 365 E5; both are available as add-ons to other plans): everything in EOP plus user and domain impersonation protection, mailbox intelligence, and the adjustable phishing threshold.
What Does the Anti-Phishing Policy Protect Against?
Depending on your subscription level, Microsoft’s policy focuses on blocking four core types of email-based identity deception.
1. Anti-Spoofing (All Plans)
This protection catches messages whose From address uses a domain that the sending server is not authorized to use. Spoof intelligence combines the SPF, DKIM and DMARC results with Microsoft’s own sender reputation signals (composite authentication) to decide whether the sending infrastructure is legitimate for that domain. Messages that fail are moved to the recipient’s Junk Email folder by default, or quarantined if you change the action.
2. User Impersonation Protection (Defender Plan 1+)
Attackers frequently target employees by posing as executives or other high-profile people, the core tactic of Business Email Compromise (BEC). This feature protects specific, named accounts (your CEO, CFO, or key IT administrators) by flagging inbound messages whose display name or email address closely resembles a protected sender. That includes lookalike addresses at external domains, which SPF, DKIM and DMARC cannot catch because the attacker legitimately controls the domain the message is sent from.
3. Domain Impersonation Protection (Defender Plan 1+)
Beyond individuals, attackers mimic whole domains. This capability flags messages whose From domain closely resembles a protected domain (a transposed or substituted character, an added word), which exact-match authentication cannot catch because the lookalike is a separate, legitimately registered domain. Use it to guard your own domains as well as the domains of key suppliers and business partners.
4. Mailbox Intelligence (Defender Plan 1+)
Mailbox intelligence builds a per-user sender graph from each mailbox’s communication history. Because it knows who a user normally corresponds with, it can flag a message from an unfamiliar external sender whose name or address closely matches an existing contact, without an administrator having to list that contact explicitly.
Adjustable Phishing Email Threshold (Defender Plan 1+)
Microsoft implements a standard 1-to-4 scale controlling how aggressively its machine learning algorithms classify an email as potential phishing.
- Level 1 (Standard): The default configuration. It provides balanced detection with low false-positive rates.
- Level 2 (Aggressive): The baseline setting recommended by Microsoft and industry security teams for most enterprise environments.
- Level 3 (More Aggressive): Suited to high-risk targets or organizations facing frequent, highly targeted attacks.
- Level 4 (Most Aggressive): Maximizes detection but carries a significant risk of capturing legitimate communications.
How to Configure the Anti-Phishing Policy in Office 365
Before beginning, ensure you are assigned one of the following roles:
- Microsoft Defender XDR Unified RBAC: Core Security settings (manage) or Core Security settings (read).
- Exchange Online Permissions: Organization Management or Security Administrator (for full management); Global Reader, Security Reader, or View-Only Organization Management (for read-only access).
- Microsoft Entra Permissions: Security Administrator, Global Reader, or Security Reader. Global Administrator also works but should be avoided under least privilege.
Note: Allow up to 30 minutes for a new or updated policy to be applied across your tenant.
Step 1: Access the Anti-Phishing Page
- Open your web browser and go to the Microsoft Defender portal
- In the left navigation menu, go to Email & collaboration > Policies & rules > Threat policies.
- Under the Policies section, click Anti-phishing.
- Shortcut: You can bypass the menus and go directly to https://security.microsoft.com/antiphishing.
Step 2: Launch the Policy Creation Wizard
1. On the Anti-phishing page, select + Create to open the new anti-phishing policy wizard.
2. On the Policy name page, configure the following:
- Name: Enter a unique, descriptive name.
- Description: Enter an optional description.
3. Select Next.
Step 3: Identify Recipients (Users, Groups, and Domains)
On the Users, groups, and domains page, define the internal recipients the policy applies to:
- Users: Specify mailboxes or mail users.
- Groups: Select distribution groups, mail-enabled security groups, or Microsoft 365 Groups (Dynamic distribution or dynamic Microsoft Entra ID groups are not supported).
- Domains: Select accepted domains. All recipients with a primary email address in these domains are included (subdomains are automatically included unless explicitly excluded).
- Exclude these users, groups, and domains: Add exceptions if certain internal recipients should skip this policy.
Logic Tip: Multiple values within the same condition use OR logic. Different types of conditions use AND logic (e.g., a policy applied to a specific user and a specific group will only apply if that user belongs to that group).
Select Next when finished.
Step 4: Configure Phishing Threshold & Protection Settings
On the Phishing threshold & protection page, adjust your threat detection boundaries:
Phishing Email Threshold
Use the slider to select one of the following values:
- 1 – Standard (Default)
- 2 – Aggressive
- 3 – More aggressive
- 4 – Most aggressive
Impersonation Settings
- Enable users to protect: Check the box to turn on user impersonation. Select Manage sender(s) to add up to 350 specific internal or external users by their email addresses.
- Note: This protection will not trigger if the sender and recipient have previously communicated via email.
- Enable domains to protect: Check the box and choose to Include the domains I own and/or Include custom domains (by selecting Manage custom domain(s)).
- Add trusted senders and domains: Select Manage trusted sender(s) and domain(s) to specify exceptions (up to 1,024 entries total).
Mailbox Intelligence
- Enable mailbox intelligence: Leave selected (Default and recommended).
- Enable intelligence for impersonation protection: Check this box to allow mailbox intelligence to take action on detected attempts.
- Note: This will not trigger if the sender and recipient have previously communicated via email.
Spoof Section
- Enable spoof intelligence: Leave selected (Default and recommended) to monitor inbound spoofing.
Select Next when finished.
Step 5: Define Policy Actions
On the Actions page, configure how Microsoft 365 reacts when a threat is detected:
Message Actions
- If a message is detected as user impersonation: Select an action from the dropdown (Default: Don’t apply any action). Options include: Don’t apply any action, Redirect, Move to Junk, Quarantine the message, Deliver and Bcc, or Delete before delivery.
- If the message is detected as an impersonated domain: Select an action from the dropdown (Default: Don’t apply any action).
- If mailbox intelligence detects an impersonated user: Select an action from the dropdown (Default: Don’t apply any action).
- Honor DMARC record policy when the message is detected as spoof: (Selected by default) Adjust alignment rules:
- If DMARC is p=quarantine: Choose Quarantine the message (Default) or Move message to Junk.
- If DMARC is p=reject: Choose Reject the message (Default) or Quarantine the message.
- If the message is detected as spoof by spoof intelligence: Select an action from the dropdown (Default: Move the message to the recipients’ Junk Email folders).
Safety Tips & Indicators
Toggle the checkboxes to turn these visual mailbox indicators on or off:
- Show first contact safety tip
- Show user impersonation safety tip
- Show domain impersonation safety tip
- Show user impersonation unusual characters safety tip
- Show (?) for unauthenticated senders for spoof (Selected by default)
- Show “via” tag (Selected by default)
Select Next when finished.
Step 6: Review and Submit
- On the Review page, double-check your custom configurations. You can select Edit in any section to make modifications.
- When satisfied, select Submit.
- On the confirmation page, select Done.
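The six steps above, run end to end from Exchange Online PowerShell instead of the wizard, as an added example that is not part of the original post or of Microsoft’s documentation. It assumes the ExchangeOnlineManagement module is installed and the account holds Security Administrator or Organization Management; the admin account, protected users, group, supplier domain and trusted domain named in the script are placeholders to replace with your own.

```powershell
# Added example: builds the policy from Steps 1-6 with Exchange Online PowerShell.
# Assumes: Install-Module ExchangeOnlineManagement has been run, and that every
# address, group and domain below is a placeholder for your own tenant.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # interactive sign-in

$policyName = 'Executive Anti-Phish (Aggressive)'

# Step 2 (name) and Step 4 (threshold, impersonation, mailbox and spoof intelligence).
# TargetedUsersToProtect entries use the "DisplayName;EmailAddress" format.
$policyParams = @{
    Name                                = $policyName
    AdminDisplayName                    = 'Aggressive threshold, VIP impersonation, honor DMARC'
    PhishThresholdLevel                 = 2            # 1=Standard 2=Aggressive 3=More 4=Most
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @(
        'Jane Doe;jane.doe@contoso.com',               # CEO (placeholder)
        'John Roe;john.roe@contoso.com'                # CFO (placeholder)
    )
    EnableOrganizationDomainsProtection = $true        # "Include the domains I own"
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('fabrikam.com')          # key supplier (placeholder)
    ExcludedDomains                     = @('partner-mail.example')  # trusted domain exception (placeholder)
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    EnableSpoofIntelligence             = $true
    # Step 5: actions
    TargetedUserProtectionAction        = 'Quarantine'
    TargetedDomainProtectionAction      = 'Quarantine'
    MailboxIntelligenceProtectionAction = 'MoveToJmf'
    HonorDmarcPolicy                    = $true
    DmarcQuarantineAction               = 'Quarantine'
    DmarcRejectAction                   = 'Reject'
    AuthenticationFailAction            = 'MoveToJmf'  # spoof intelligence verdict
    # Step 5: safety tips and indicators
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableUnauthenticatedSender         = $true
    EnableViaTag                        = $true
}
New-AntiPhishPolicy @policyParams

# Step 3: the rule binds the policy to recipients. Values inside one parameter are
# ORed; different parameters are ANDed, so this rule matches members of the
# Executives group whose primary address is in contoso.com.
New-AntiPhishRule -Name "$policyName rule" `
    -AntiPhishPolicy $policyName `
    -SentToMemberOf 'executives@contoso.com' `
    -RecipientDomainIs 'contoso.com' `
    -ExceptIfSentTo 'svc-mailer@contoso.com' `
    -Priority 0

# Step 6: verify what was written (the policy can take up to 30 minutes to apply).
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, PhishThresholdLevel, EnableTargetedUserProtection,
        TargetedUsersToProtect, HonorDmarcPolicy, AuthenticationFailAction
Get-AntiPhishRule -Identity "$policyName rule" |
    Format-List Name, Priority, SentToMemberOf, RecipientDomainIs
```

Every parameter maps to one wizard field. The rule is created separately because in PowerShell the policy (settings) and the rule (recipients, exceptions, priority) are distinct objects that the portal hides behind a single policy name; the default policy has no rule because it applies to every recipient not matched by a higher-priority one.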
Modifying Existing Policies
If you need to change settings later instead of creating a new policy:
- Go to the Anti-phishing dashboard page.
- Click anywhere in the row of the target policy (such as the Office 365 AntiPhish Default (Default) policy) other than the checkbox next to the name.
- In the flyout panel that opens on the right, click Edit in the respective section you wish to change. Custom policies can also be enabled, disabled, deleted, or prioritized from this view.
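Before editing policies by hand, it helps to audit what the tenant already has. The following is an added example (not from the original post) that checks each anti-phishing policy against the baseline this article recommends and then hardens the built-in default policy in place. It assumes an existing Connect-ExchangeOnline session with Security Administrator rights; the baseline checks and their wording are this example’s own, not a Microsoft standard.

```powershell
# Added example: audit every anti-phishing policy, then harden the default one.
# Assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline).

function Test-AntiPhishBaseline {
    param([Parameter(Mandatory)] $Policy)   # one object from Get-AntiPhishPolicy

    $findings = @()
    if ($Policy.PhishThresholdLevel -lt 2)      { $findings += 'threshold below 2 (Aggressive)' }
    if (-not $Policy.EnableSpoofIntelligence)    { $findings += 'spoof intelligence off' }
    if (-not $Policy.HonorDmarcPolicy)           { $findings += 'DMARC policy not honored' }
    if (-not $Policy.EnableMailboxIntelligence)  { $findings += 'mailbox intelligence off' }
    # Impersonation settings only take effect with Defender for Office 365 Plan 1/2.
    if (-not $Policy.EnableTargetedUserProtection) {
        $findings += 'user impersonation protection off (no VIP list for BEC)'
    } elseif ($Policy.TargetedUserProtectionAction -eq 'NoAction') {
        $findings += 'user impersonation detected but no action configured'
    }
    if ($Policy.EnableMailboxIntelligenceProtection -and
        $Policy.MailboxIntelligenceProtectionAction -eq 'NoAction') {
        $findings += 'mailbox intelligence impersonation detected but no action configured'
    }

    [pscustomobject]@{
        Name     = $Policy.Name
        Default  = [bool]$Policy.IsDefault
        Level    = $Policy.PhishThresholdLevel
        Findings = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# Report across all policies, default included.
Get-AntiPhishPolicy | ForEach-Object { Test-AntiPhishBaseline -Policy $_ } | Format-Table -AutoSize

# Harden the built-in default policy. It cannot be deleted or scoped to recipients;
# it covers everyone not matched by a higher-priority preset or custom policy.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -PhishThresholdLevel 2 `
    -EnableSpoofIntelligence $true `
    -HonorDmarcPolicy $true `
    -DmarcQuarantineAction Quarantine `
    -DmarcRejectAction Reject `
    -AuthenticationFailAction MoveToJmf

# Re-run the audit to confirm the default policy now reports OK.
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' | ForEach-Object { Test-AntiPhishBaseline -Policy $_ }
```

Run the audit in a read-only session first (Security Reader is enough for Get-AntiPhishPolicy) and only then apply Set-AntiPhishPolicy; raising the threshold on the default policy affects every mailbox that no other policy covers, so expect a short spike in quarantine review after the change.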
What Doesn’t the Office 365 Anti-Phishing Policy Cover?
The idea that you no longer need DMARC is an Office 365 security myth. While Microsoft Defender offers robust inbound filtering, relying on it entirely creates a blind spot: there are attack paths the inbound policy cannot address by design.
Outbound Domain Spoofing to the Public
Microsoft’s anti-phishing policy evaluates mail entering your tenant. It does nothing to stop attackers running mail servers outside Microsoft 365 from sending mail that claims to come from your exact domain to recipients outside your organization.
To block attackers from weaponizing your name against external recipients, you must deploy an outbound authentication technology like Domain-based Message Authentication, Reporting, and Conformance (DMARC).
Check out our comprehensive guide on Why Microsoft 365 Users Still Need DMARC.
External Exploitation of Your Brand Reputation
If an attacker spoofs your exact company domain to target your clients, partners, or consumers, your tenant’s anti-phishing policy never sees the message. Only the receiving mail server can block it, and it will do so only if it looks up your published DMARC record and that record carries an enforcing policy (p=quarantine or p=reject). Relying solely on inbound filters leaves your brand unprotected externally.
Lookalike and Homograph Domain Names
Neither an inbound anti-phishing policy nor DMARC can stop an attacker from registering a visually confusable lookalike domain (for example, micros0ft.com with a zero in place of the letter o). Because the lookalike is a separate domain the attacker legitimately controls, mail from it can pass SPF, DKIM and DMARC for that domain. Domain impersonation protection and the unusual-characters safety tip help for mail arriving in your own tenant, but protecting everyone else requires proactive brand monitoring, takedowns, and defensive domain registration.
Display Name Spoofing via Public Providers
An attacker can create a free account on Gmail or Outlook.com and set the display name to match one of your executives. The message passes SPF, DKIM and DMARC for the provider’s domain, so authentication alone cannot catch it. User impersonation protection catches the names you have listed, but broad display-name spoofing from legitimate providers remains difficult to block with inbound policies alone without disrupting normal business mail.
To better secure your brand, review the technical breakdowns of What Is an Impersonation Attack?
How Do the Anti-Phishing Policy and DMARC Work Together?
Understanding email protection requires seeing how inbound policy and outbound authentication align. They are complementary mechanisms, not competing alternatives.
- Microsoft’s Anti-Phishing Policy (Inbound Defense): Inspects mail entering your employees’ mailboxes and decides whether a message is delivered, moved to Junk, quarantined, or rejected, based on authentication results, impersonation checks and mailbox intelligence.
- DMARC for Office 365 (Outbound and Brand Defense): Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication standard that builds on SPF and DKIM to prevent domain spoofing. Published as a DNS TXT record at _dmarc.yourdomain, it tells Exchange Online Protection (EOP) and every other receiving server how to handle mail claiming to come from your domain. When a message fails alignment, your policy tag (p=none, p=quarantine or p=reject) tells the receiver what to do with it, and the rua= tag tells receivers where to send aggregate reports about who is sending as your domain.
An effective organization requires both components. The anti-phishing policy shields your local staff internally, while DMARC safeguards your company’s domain reputation globally from being weaponized against your client base.
DMARC also shapes inbound filtering. When “Honor DMARC record policy when the message is detected as spoof” is enabled in your anti-phishing policy, EOP applies the published DMARC policy of the sender’s domain to inbound spoofed mail that fails DMARC. Your own domains are included, so a p=reject record you publish is enforced against anyone trying to spoof your domain to your own staff, not only to external recipients.
What Are the Anti-Phishing Best Practices for Office 365?
To optimize your email security posture and better comply with Microsoft Sender Requirements, implement these configurations:
- Deploy Preset Policies: Use the Standard or Strict preset security policies rather than tuning individual settings by hand; Microsoft updates these baselines as threats shift. Note that preset policies take priority over custom policies for the recipients they cover, so scope them deliberately.
- Isolate VIP Identities: Populate your user impersonation defense engine with high-value targets. Ensure all executive leaders, finance department handles, and primary infrastructure administrators are fully enumerated on the list to counter BEC threats.
- Harden Classification Tiers: Raise the phishing threshold from 1 to 2 (Aggressive), which is the level the Standard preset uses. Move to level 3 in environments that see frequent, highly targeted spear-phishing, and pilot the change on a test group first, since each level increases false positives.
- Enforce Inbound DMARC Honor Checks: Ensure the system is configured to honor your published DMARC record policy. This setting ensures your tenant blocks incoming spoofed mail that fails your authentication rules.
- Publish a Strict Outbound DMARC Policy: Create and host an explicit DMARC record for your domains. Work toward upgrading your rule to enforcement levels (p=quarantine or p=reject) so external providers block spoofed mail claiming to be from your domain.
- Audit DMARC Aggregate Reports: Regularly collect and analyze the XML aggregate (rua) reports that receivers send you. They show which sources are sending mail as your domain and whether it passes authentication, exposing shadow IT, misconfigured third-party senders, and attackers before you move to an enforcing policy.
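An added example (not from the original post) that brings together the DMARC points above: it parses a published DMARC record, maps its p= tag to the action EOP takes when “Honor DMARC record policy” is on, and then summarizes a DMARC aggregate report to find sources sending as your domain without passing authentication. The _dmarc.contoso.com lookup, the fallback record and the XML report are constructed sample data with placeholder domains and IP addresses.

```powershell
# Added example: DMARC record parsing, inbound action mapping, and aggregate
# report triage. All domains, IPs and the report body are constructed samples.

function ConvertFrom-DmarcRecord {
    param([Parameter(Mandatory)][string] $Record)
    $tags = @{}
    foreach ($pair in $Record -split ';') {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    if ($tags['v'] -ne 'DMARC1') { throw "Not a DMARC record: $Record" }
    $tags
}

# Action EOP applies to an inbound spoof that fails DMARC, using the default
# mappings of the "Honor DMARC record policy" setting (quarantine -> Quarantine,
# reject -> Reject). With honoring off, the spoof intelligence action applies.
function Get-InboundDmarcAction {
    param([hashtable] $Tags, [bool] $HonorDmarc = $true)
    if (-not $HonorDmarc) { return 'Spoof intelligence action (default: Junk Email folder)' }
    switch ($Tags['p']) {
        'reject'     { 'Reject the message' }
        'quarantine' { 'Quarantine the message' }
        default      { 'p=none: no enforcement, monitoring only' }
    }
}

# Try a live lookup (Resolve-DnsName needs the Windows DnsClient module); fall
# back to a constructed record so the script also runs offline.
$record = $null
try { $record = (Resolve-DnsName -Name '_dmarc.contoso.com' -Type TXT -ErrorAction Stop).Strings -join '' } catch { }
if (-not $record) { $record = 'v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-rua@contoso.com' }  # constructed
$tags = ConvertFrom-DmarcRecord $record
"Published p={0}: inbound action when honored = {1}" -f $tags['p'], (Get-InboundDmarcAction $tags)

# Constructed RUA aggregate report (RFC 7489 schema): one authorized source that
# passes, and one unknown host sending as contoso.com that fails both SPF and DKIM.
[xml]$rua = @'
<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver.net</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>contoso.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>40.92.0.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
  </record>
</feedback>
'@

# DMARC passes when either aligned DKIM or aligned SPF passes; anything else is a
# source to investigate (shadow IT, a misconfigured vendor, or an attacker).
function Get-DmarcSources {
    param([xml] $Report)
    foreach ($r in $Report.feedback.record) {
        $pe = $r.row.policy_evaluated
        [pscustomobject]@{
            SourceIp    = $r.row.source_ip
            Messages    = [int]$r.row.SelectSingleNode('count').InnerText
            HeaderFrom  = $r.identifiers.header_from
            DmarcPass   = ($pe.dkim -eq 'pass') -or ($pe.spf -eq 'pass')
            Disposition = $pe.disposition
        }
    }
}
Get-DmarcSources $rua | Where-Object { -not $_.DmarcPass } | Format-Table -AutoSize
```

On the constructed report the triage prints only 203.0.113.77 (35 messages, quarantined by the receiver). In practice, point the parser at the gzip or zip attachments that arrive at your rua= mailbox, and treat every failing source as either a sender to authorize (add to SPF, sign with DKIM) or an attacker to let your p=reject policy drop.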
Secure Your Entire Email Ecosystem
Microsoft’s anti-phishing measures help protect your inbox. DMARC protects your domain. To eliminate visibility gaps and ensure comprehensive brand protection, you must use both layers together.
PowerDMARC makes it easy to implement, monitor, and enforce DMARC authentication alongside your Office 365 anti-phishing settings on a single centralized platform.
Don’t let attackers exploit your domain reputation. Take full control of your outbound visibility and eliminate spoofing risks today. Start your 15-day PowerDMARC free trial now!
Frequently Asked Questions
What is the anti-phishing policy in Office 365?
It is a built-in security control within Exchange Online Protection (EOP) and Microsoft Defender for Office 365 that helps identify, flag, and mitigate inbound phishing, domain spoofing, and impersonation attempts targeting your mailboxes.
Is anti-phishing protection enabled by default in Microsoft 365?
Yes, every tenant includes a default anti-phishing policy that applies to all users immediately upon setup. However, this basic policy only provides fundamental spoof tracking and user notifications; advanced protection features require explicit administrative configuration and higher tier licensing.
What is the difference between EOP and Microsoft Defender for Office 365 anti-phishing?
EOP is included in all subscription models and covers basic anti-spoofing and foundational safety tips. Microsoft Defender for Office 365 adds advanced detection features, such as user and domain impersonation safeguards, mailbox intelligence behavior graphs, and adjustable detection threshold sliders.
Does Office 365 anti-phishing policy protect against domain spoofing?
It protects your internal staff from inbound domain spoofing attempts. It does not prevent external criminals from spoofing your corporate domain identity when sending emails to outside parties, clients, or partners.
How do I configure anti-phishing policies in Microsoft Defender for Office 365?
Log in to the Microsoft Defender portal (security.microsoft.com) and navigate to Email & Collaboration → Policies & rules → Threat policies → Anti-phishing. From there, you can edit the default policy or construct custom protection rules.
Do I need DMARC if I have Office 365 anti-phishing enabled?
Yes. Microsoft’s native configuration filters inbound email to protect your internal users. DMARC lets every receiving server validate mail that claims to come from your domain, stopping bad actors from abusing your brand to trick external parties.
- Office 365 Anti-Phishing Policy: How to Configure It – June 3, 2026
The post Office 365 Anti-Phishing Policy: How to Configure It appeared first on PowerDMARC.
*** This is a Security Bloggers Network syndicated blog from PowerDMARC authored by Ahona Rudra. Read the original post at: https://powerdmarc.com/anti-phishing-policy-office-365/