CISA.MS.EXO.11.1 - Impersonation protection checks SHOULD be used.
Overview
Impersonation protection checks SHOULD be used.
Rationale: Users might not be able to reliably identify phishing emails, especially if the FROM address is nearly indistinguishable from that of a known entity. By automatically identifying senders who appear to be impersonating known senders, the risk of a successful phishing attempt can be reduced.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
- Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click Manage protection settings instead and configure the policy settings as described in the Microsoft Learn article "Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users".
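The portal steps above can be verified from Exchange Online PowerShell. The following is an added example, not the Maester test's own code: it assumes the ExchangeOnlineManagement module is installed and that the signed-in account can read policies (for example Security Reader or View-Only Organization Management). It lists the state of the Standard and Strict preset policy rules, then inspects every anti-phishing policy for the impersonation settings (user, domain, organization-domain and mailbox-intelligence protection) and flags enabled policies that have none of them turned on.

```powershell
# Added example (not the Maester test or Microsoft's own code).
# Assumes: ExchangeOnlineManagement module installed; a read-only admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Preset security policies: the EOP rule objects carry the on/off State
#    that the portal toggles in the remediation steps set.
$presets = Get-EOPProtectionPolicyRule |
    Where-Object { $_.Identity -like '*Preset Security Policy' } |
    Select-Object Identity, State, Priority
$presets | Format-Table -AutoSize

# 2. Impersonation settings on every anti-phishing policy. These properties
#    are only enforced in tenants licensed for Defender for Office 365.
$policies = Get-AntiPhishPolicy | Select-Object Identity, Enabled, IsDefault,
    EnableTargetedUserProtection, EnableTargetedDomainsProtection,
    EnableOrganizationDomainsProtection, EnableMailboxIntelligence,
    EnableMailboxIntelligenceProtection
$policies | Format-Table -AutoSize

# 3. Flag enabled policies with no impersonation check at all.
$weak = $policies | Where-Object {
    $_.Enabled -and -not (
        $_.EnableTargetedUserProtection -or
        $_.EnableTargetedDomainsProtection -or
        $_.EnableOrganizationDomainsProtection -or
        $_.EnableMailboxIntelligenceProtection
    )
}
if ($weak) {
    Write-Warning ("Anti-phishing policies without impersonation protection: " +
        ($weak.Identity -join ', '))
} else {
    Write-Host "All enabled anti-phishing policies have at least one impersonation check on."
}

Disconnect-ExchangeOnline -Confirm:$false
```

A tenant with only Exchange Online Protection (no Defender for Office 365 license) still returns these properties, but the impersonation features are not applied there, so an all-false result in such a tenant reflects licensing rather than a misconfigured policy.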
Related links
- Defender admin center - Preset security policies
- CISA 11 Phishing Protections - MS.EXO.11.1v1
- CISA ScubaGear Rego Reference
- Microsoft Learn - Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.11.1 |
| Severity | High |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaImpersonation |
| Tags | CISA, CISA.MS.EXO.11.1, MS.EXO, MS.EXO.11.1 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaImpersonation.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaImpersonation.ps1