Defender anti-phishing policy active, quarantines spoofed senders and DMARC reject/quarantine failures, honors DMARC policy, safety tips enabled

defender_antiphishing_policy_configured

Severity: low
Service: defender
by Prowler

Microsoft Defender for Office 365 anti-phishing policies are evaluated for custom scoping to users, groups, or domains and precedence over the default, plus key settings: spoof intelligence, DMARC honoring, quarantine actions for spoof/DMARC, safety tips, unauthenticated sender indicators, and policy enablement.

Risk

Missing or lax configuration lets spoofed and impersonated emails reach inboxes. Ignoring DMARC or not using quarantine enables delivery of fraudulent messages, driving credential theft, BEC, and account takeover, compromising data confidentiality and integrity and enabling lateral movement via mailbox rule abuse.

Run this check with Prowler CLI

prowler m365 --checks defender_antiphishing_policy_configured

Recommendation

Apply defense in depth for email:

  • Create high-priority custom policies for sensitive users/groups/domains
  • Enable spoof intelligence; honor DMARC (p=quarantine, p=reject) with quarantine actions
  • Turn on safety tips and unauthenticated sender tags
  • Review policy precedence, scope, and thresholds regularly to minimize false positives

Remediation

Other
  1. Go to Microsoft 365 Defender: https://security.microsoft.com > Email & collaboration > Policies & rules > Threat policies > Anti-phishing
  2. Open the Default anti-phishing policy and click Edit
  3. Spoof settings: ensure Enable spoof intelligence is On and set If the message is detected as spoof by spoof intelligence to Quarantine
  4. DMARC: turn On Honor DMARC record policy and set both actions to Quarantine:
    • If DMARC policy is p=quarantine: Quarantine
    • If DMARC policy is p=reject: Quarantine
  5. Safety tips & indicators: turn On Show first contact safety tip, Show (?) for unauthenticated senders for spoof, and Show "via" tag
  6. Save changes
  7. If using custom anti-phishing policies, ensure their rule Status is On
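The same settings can be audited from Exchange Online PowerShell. The script below is an added example, not Prowler's own code: it maps steps 3-5 onto the properties returned by Get-AntiPhishPolicy and reports every setting that deviates. The sample policy object is constructed so the audit function runs offline; Test-AntiPhishPolicy and $Expected are names chosen for this example.

```powershell
# Expected values from remediation steps 3-5, keyed by Get-AntiPhishPolicy property.
$Expected = [ordered]@{
    EnableSpoofIntelligence      = $true
    AuthenticationFailAction     = 'Quarantine'   # action when spoof intelligence detects spoof
    HonorDmarcPolicy             = $true
    DmarcQuarantineAction        = 'Quarantine'   # sender publishes p=quarantine
    DmarcRejectAction            = 'Quarantine'   # sender publishes p=reject
    EnableFirstContactSafetyTips = $true
    EnableUnauthenticatedSender  = $true          # the (?) indicator
    EnableViaTag                 = $true
}

function Test-AntiPhishPolicy {
    param([Parameter(Mandatory)] $Policy)
    # Emit one finding per setting that differs from $Expected (string compare
    # so booleans and enum values from live objects or JSON exports both work).
    foreach ($name in $Expected.Keys) {
        $actual = $Policy.$name
        if ("$actual" -ne "$($Expected[$name])") {
            [pscustomobject]@{
                Policy = $Policy.Name; Setting = $name
                Actual = $actual;      Expected = $Expected[$name]
            }
        }
    }
}

# Constructed sample: a default policy left with lax spoof and DMARC handling.
$sample = [pscustomobject]@{
    Name = 'Office365 AntiPhish Default'; IsDefault = $true
    EnableSpoofIntelligence = $true;  AuthenticationFailAction = 'MoveToJmf'
    HonorDmarcPolicy = $false;        DmarcQuarantineAction = 'Quarantine'
    DmarcRejectAction = 'Reject';     EnableFirstContactSafetyTips = $false
    EnableUnauthenticatedSender = $true; EnableViaTag = $true
}
Test-AntiPhishPolicy -Policy $sample | Format-Table -AutoSize

# Against a live tenant (ExchangeOnlineManagement module, after Connect-ExchangeOnline):
#   Get-AntiPhishPolicy | ForEach-Object { Test-AntiPhishPolicy -Policy $_ }
#   # Step 7: custom policy rules that are switched off
#   Get-AntiPhishRule | Where-Object State -ne 'Enabled' | Select-Object Name, Priority, State
# Applying steps 3-5 to the default policy:
#   $default = Get-AntiPhishPolicy | Where-Object IsDefault
#   Set-AntiPhishPolicy -Identity $default.Identity -EnableSpoofIntelligence $true `
#       -AuthenticationFailAction Quarantine -HonorDmarcPolicy $true `
#       -DmarcQuarantineAction Quarantine -DmarcRejectAction Quarantine `
#       -EnableFirstContactSafetyTips $true -EnableUnauthenticatedSender $true -EnableViaTag $true
```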

Resource Type

NotDefined