
How to Configure Anti-Phishing Policies in Microsoft 365

Published 11 December 2025 · 7 min read

Anti-phishing policies protect against impersonation attacks, spoofed senders, and social engineering emails. Properly configured anti-phishing is one of the most effective controls against business email compromise (BEC) attacks.

Harden the default policy

Defender → Policies & rules → Threat policies → Anti-phishing → Office 365 AntiPhish Default

Phishing threshold: 2 - Aggressive
Enable spoof intelligence: Yes
Enable mailbox intelligence: Yes
If message detected as spoof: Move to Junk

Create a strict policy for executives

Create a separate, stricter policy for executives, Finance, and IT admins, who are disproportionately targeted by spear phishing.

Anti-phishing → + Create

Name: Anti-Phishing - Executive Protection
Priority: 1 (highest)
Phishing threshold: 3 - More aggressive
Enable user impersonation protection: Yes - add CEO, CFO, Finance Director
Enable domain impersonation: Yes - add your domain and key suppliers
Action on impersonation: Quarantine the message

Tip: Add supplier domains. Attackers create look-alike domains to trick Finance. Add the domains of suppliers you regularly receive invoices from.

Spoof intelligence

Defender → Anti-phishing → Spoof intelligence insight

Review senders being flagged and decide whether to allow or block each one.

Testing

Send a test email from Gmail to a test user, with your CEO's display name in the From field. If anti-phishing is working, the message should be flagged or quarantined and a safety tip should appear.
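
To complement the send test, the following added example (not part of the original guide) compares policy settings against the values listed above and reports any drift, including impersonation protection that is enabled but has an empty protected list. It assumes the Exchange Online PowerShell property names for these settings ("Move to Junk" is MoveToJmf); Get-AntiPhishDrift is a hypothetical helper, and the policy objects and supplier.example are constructed sample data.

```powershell
# Expected values, taken from the settings listed on this page.
$DefaultBaseline = [ordered]@{
    PhishThresholdLevel = 2                                     # "2 - Aggressive"
    EnableSpoofIntelligence = $true; EnableMailboxIntelligence = $true
    AuthenticationFailAction = 'MoveToJmf'                      # "Move to Junk"
}
$ExecutiveBaseline = [ordered]@{
    PhishThresholdLevel = 3                                     # "3 - More aggressive"
    EnableTargetedUserProtection = $true; EnableTargetedDomainsProtection = $true
    TargetedUserProtectionAction = 'Quarantine'; TargetedDomainProtectionAction = 'Quarantine'
}

# Hypothetical helper: emits one row per setting that differs from the baseline.
function Get-AntiPhishDrift {
    param([Parameter(Mandatory)] $Policy,
          [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline,
          [string[]] $MustNotBeEmpty = @())
    foreach ($name in $Baseline.Keys) {
        if ("$($Policy.$name)" -ne "$($Baseline[$name])") {
            [pscustomobject]@{ Policy = $Policy.Name; Setting = $name
                               Expected = $Baseline[$name]; Actual = $Policy.$name }
        }
    }
    # Impersonation protection enabled with an empty list protects nobody.
    foreach ($name in $MustNotBeEmpty) {
        if (@($Policy.$name | Where-Object { $_ }).Count -eq 0) {
            [pscustomobject]@{ Policy = $Policy.Name; Setting = $name
                               Expected = 'at least one entry'; Actual = '(empty)' }
        }
    }
}

# Constructed objects shaped like Get-AntiPhishPolicy output, so this runs offline.
# Live tenant: Connect-ExchangeOnline; $policies = Get-AntiPhishPolicy
$policies = @(
    [pscustomobject]@{ Name = 'Default (constructed)'; IsDefault = $true
        PhishThresholdLevel = 1; EnableSpoofIntelligence = $true
        EnableMailboxIntelligence = $true; AuthenticationFailAction = 'MoveToJmf' }
    [pscustomobject]@{ Name = 'Anti-Phishing - Executive Protection'; IsDefault = $false
        PhishThresholdLevel = 3; EnableTargetedUserProtection = $true
        EnableTargetedDomainsProtection = $true; TargetedUsersToProtect = @()
        TargetedDomainsToProtect = @('supplier.example')
        TargetedUserProtectionAction = 'Quarantine'; TargetedDomainProtectionAction = 'MoveToJmf' }
)
foreach ($p in $policies) {
    if ($p.IsDefault) { Get-AntiPhishDrift -Policy $p -Baseline $DefaultBaseline }
    elseif ($p.Name -eq 'Anti-Phishing - Executive Protection') {
        Get-AntiPhishDrift -Policy $p -Baseline $ExecutiveBaseline -MustNotBeEmpty TargetedUsersToProtect, TargetedDomainsToProtect
    }
}
```

On the constructed sample this reports three rows: the default policy's threshold, the executive policy's domain impersonation action, and its empty protected-users list.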

Frequently Asked Questions

Q: What is the difference between anti-phishing and anti-spam?

Anti-spam filters bulk unsolicited email. Anti-phishing targets social engineering that impersonates trusted senders. Both run simultaneously.

Q: Will impersonation protection block legitimate newsletters?

Legitimate internal email from your CEO will pass. Newsletters from external platforms may trigger it - review the quarantine regularly.

Q: Can I see what emails are being quarantined?

Yes. Defender → Email & collaboration → Review → Quarantine. Users can also access their own quarantine at security.microsoft.com/quarantine.
