Office
Sign in

Set up Office 365 ATP anti-phishing policies

ATP anti-phishing protection, part of Office 365 Advanced Threat Protection, can help protect your organization from malicious impersonation-based phishing attacks and other phishing attacks. If you're an Office 365 Enterprise global or security administrator, you can set up ATP anti-phishing policies. Phishing attacks come in a variety of forms from commodity-based attacks to targeted spear phishing or whaling. With the growing complexity, it's difficult for even a trained eye to identify some of these sophisticated attacks. Fortunately, Office 365 Advanced Threat Protection can help. You can set up an ATP anti-phishing policy to help ensure that your organization is protected against such attacks.

Note: ATP anti-phishing is only available in Advanced Threat Protection, available with Office 365 Enterprise E5. If your organization is using another Office 365 Enterprise subscription, Advanced Threat Protection can be purchased as an add-on. (As a global admin, in the Office 365 admin center, choose Billing > Add subscriptions.) For more information about plan options, see Compare All Office 365 for Business Plans. Make sure your organization is using the latest version of Office 365 ProPlus on Windows to take full advantage of ATP anti-phishing protection.

What to do:

  1. Review the prerequisites

  2. Learn about policy options

  3. Set up an ATP anti-phishing policy

Review the prerequisites

  • Make sure that you are a member of the Company administrators or Security admins role group.

  • Learn about ATP anti-phishing policy options (in this article).

  • You will probably set up multiple ATP anti-phishing policies for your organization. Office 365 enforces these policies in the order they're listed on the ATP anti-phishing page in the Security & Compliance Center. Once you've reviewed the policy options, take some time to determine how many policies you'll need and the priority for each.

  • Plan to spend about 5-15 minutes to set up your first ATP anti-phishing policy.

  • Allow up to 30 minutes for your new or updated policy to spread to all Office 365 datacenters.

Set up an ATP anti-phishing policy

You add, edit, and delete ATP anti-phishing policies in the Office 365 Security & Compliance Center.

  1. Go to https://protection.office.com and sign in with your work or school account.

  2. In the Office 365 Security & Compliance Center, in the left navigation pane, under Threat management, choose Policy.

  3. On the Policy page, choose ATP anti-phishing.

  4. On the Anti-phishing page, do one of the following:

    • To add a new policy select + Create.

    • To edit an existing policy, select the policy name from the list displayed on the Anti-phishing page. On the page that appears, choose Edit policy.

    A wizard launches that steps you through defining your anti-phishing policy.

  5. Specify the name, description, and settings for your policy. See Learn about ATP anti-phishing policy options for more details.

  6. Once you have reviewed your settings, choose Create this policy or Save as appropriate.

Learn about ATP anti-phishing policy options

As you set up or edit your ATP anti-phishing policies, you can choose from several options, as described in the following table:

This setting

Does this

Use when you want to:

Add users to protect

Defines which email addresses will be protected by the policy. You can add up to 60 internal and external addresses that you want to protect from impersonation.

When you want to ensure that mail from outside your organization isn’t an impersonation of one of the users on the list of users you are protecting. Examples of users you might want to protect are high-level executives, business owners, external board members, and so on.

This list of protected users is different from the list of people to which the policy applies, or rather, for which the policy is enforced. You define the applies to list in the Applied to section of the policy options.

For example, if you add Mary Smith <marys@contoso.com> as a user to protect, then apply the policy to the group "All Users". This would ensure that a mail that appeared to impersonate "Mary Smith" sent to a user in the "All Users" group would be acted on by the policy.

Add domains to protect

Allows you to choose which domains you want to protect from impersonation. You can specify that the policy includes all of your custom domains, a comma-separated list of domains, or a combination of the two. If you choose Automatically include domains that I own, and you later add a domain to your Office 365 organization, this anti-phishing policy will be in place for the new domain.

Whenever you want to ensure that mail from outside your organization isn’t an impersonation of one of the domains defined in your list of verified domains or that of a partner domain.

Choose actions

Choose the action to take when Office 365 detects an impersonation attempt against the users and domains you added to the policy. You can choose different actions for users and domains in the same anti-phishing policy. These actions apply to any incoming email that has been identified by Office 365 as impersonating a user account or domain that is under the protection of this anti-phishing policy.

Quarantine message Email will be sent to Office 365 quarantine. When you choose this option, the email is not sent to the original recipient.

Redirect message to another email address Email will be sent to the email address you specify. You can specify multiple email addresses. When you choose this option, the email is not sent to the original recipient.

Move message to the recipients' Junk email folder Email will be sent to the recipients' Junk email folder. When you choose this option, the email is still sent to the original recipient but is not placed in the recipient's inbox.

Deliver the message and add other addresses to the Bcc line Email will be delivered to the original recipient. In addition, the users you identify will be added to the bcc line of the message before it's delivered. When you choose this option, the email is still sent to the original recipient's inbox.

Don't apply any action Email will be delivered to the original recipient's inbox. No other action will be taken on the email message.

Turn on phishing protection tips Enables anti-phishing safety tips in email.

When you want to take an action on messages that Office 365 has determined to be an impersonation of a user or domain as defined in the policy.

Enable mailbox intelligence

Enables or disables mailbox intelligence for this policy. You can only enable mailbox intelligence for cloud-based accounts, that is, accounts whose mailbox is hosted entirely in Office 365.

When you want to enhance impersonation results for users based on each user's individual sender map. Mailbox intelligence is built around the people you send and receive mail from. This intelligence allows Office 365 to customize the impersonation policy at a user-level in order to better handle false positive results.

Add trusted senders and domains

Defines email addresses and domains that will not be considered impersonations by this policy. Messages from the sender email addresses and domains you add as trusted senders and domains won't ever be classified as an impersonation-based attack. As a result, the actions and settings in this policy won't be applied to messages from these senders and domains.

When users interact with domains or users that trigger impersonation but are considered to be safe. For example, if a partner has the same/similar display name or domain name as a user defined on the list.

Applied to

Defines the recipients whose incoming email messages will be subject to the rules of the policy. You can create conditions and exceptions for the recipients associated with the policy.

For example, you can create a global policy for your organization by applying the rule to all recipients in your domain.

You can also create exception rules, such as a rule that does not scan email messages for a specific group of recipients.

Each policy must be associated with a set of users, for example, users in a particular group or domain.

Advanced phishing thresholds

Defines the level of settings for how phishing messages are handled.

Standard Email suspected to be phish is handled in the standard way.

Aggressive Email suspected to be phish with a high or very high degree of confidence are handled by the system in the same way.

More aggressive Email suspected to be phish with a medium, high, or very high degree of confidence are handled by the system in the same way.

Most aggressive Email suspected to be phish with a low, medium, high, or very high degree of confidence are handled by the system in the same way.

When you want to be more aggressive in the treatment of potentially phishing messages within Office 365. For example, messages with a very high probability of being phish will have the most aggressive actions taken on them while messages with a low probability have less aggressive actions taken on them.  This setting also impacts other parts of the filtering system that combine signals together. The chance of moving good messages increases as the level of settings increases.

After your organization has set up ATP anti-phishing policies, you can see how the service is working by viewing reports for Advanced Threat Protection.

Example: Anti-phishing policy to protect a user and a domain

This example sets up a policy called "Domain and CEO" that provides both user and domain protection from impersonation and then applies the policy to all email received by users within the domain contoso.com. The security administrator has determined that the policy must meet these business requirements:

  • The policy needs to provide protection for the CEO's email account and the entire domain.

  • Messages that are determined to be impersonation attempts against the CEO's user account need to be redirected to the security administrator's email address.

  • Messages that are determined to be impersonation attempts against the domain are less urgent and should be quarantined for later review.

The security administrator at Contoso might use values like the following in order to create an anti-phishing policy that meets these needs.

Setting or option

Example

Name

Domain and CEO

Description

Ensure that the CEO and our domain are not being impersonated.

Add users to protect

The CEO's email address at a minimum.

Add domains to protect

The organizational domain that includes the office of the CEO.

Choose actions

If email is sent by an impersonated user: Choose Redirect message to another email address and then type the email address of the security administrator, for example, securityadmin@contoso.com.

If email is sent by an impersonated domain: Choose Quarantine message.

Mailbox intelligence

By default, mailbox intelligence is selected when you create a new anti-phishing policy. Leave this setting On for best results.

Add trusted senders and domains

For this example, don't define any overrides.

Applied to

Select The recipient domain is. Under Any of these, select Choose. Select + Add. Select the checkbox next to the name of the domain, for example, contoso.com, in the list and then select Add. Select Done.

Delete an ATP anti-phishing policy

You can add and edit policies in the Security & Compliance Center. We recommend using the Security & Compliance Center to review or edit any of your ATP policies.

  1. Go to https://protection.office.com and sign in with your work or school account.

  2. In the left navigation, under Threat management, choose Policy.

  3. On the Policy page, choose ATP anti-phishing.

  4. On the Anti-phishing page, select the policy name from the list displayed on the Anti-phishing page. On the page that appears, choose Delete policy. Allow up to 30 minutes for your changes to spread to all Office 365 datacenters.

Related topics

Office 365 Advanced Threat Protection
Anti-phishing protection in Office 365
ATP anti-phishing capabilities in Office 365
Set up ATP safe links policies in Office 365
Set up ATP safe attachments policies in Office 365
View the reports for Advanced Threat Protection

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×