Updated March 15, 2024: Due to technical issues, we have to roll back the changes and remove the UX and cmdlets. We will update you with a new MCpost when the feature is ready again. Meanwhile, we recommend using impersonation protection capabilities to safeguard your users from any impersonation attack.
- Customers currently in automatic state, will be returned to their previous state.
- For customers who have made changes and have moved to Manual state, those changes will be retained.
To enhance protection against Domain impersonation using Microsoft Defender for Office 365, the system will enable Domain impersonation protection by default. Additionally, existing customers who unintentionally kept Domain impersonation protection OFF in their tenant environment will start receiving the benefits of this protection for their company/organization’s owned domains.
[When this will happen:]
We will communicate via Message center when we are ready to proceed.
[How this will affect your organization:]
The upcoming change will provide security administrators the capability to manage Domain impersonation protection automatically enabled by default within AntiPhish Default and Custom Policies. This state will only be enabled by default for tenants who have the Domain impersonation setting turned OFF. (Specifically, when AntiPhish policy -> Impersonation settings -> Custom Domains; EnableOrganizationDomainsProtection:False within PowerShell).
Additionally, there will also be an option for admins to choose not to enable these protections by default. They can set ImpersonationProtectionState: Manual in order to opt-out of Automatic state of domain impersonation protection.
When the policy is effective (approx. 30 days after the opt-out period), users will see that domain impersonated emails are handled according to the policy settings chosen by MDO controlled settings as per Automatic state of the protection set by Security admins. (Or by settings configured by the Security admins per Manual state). The configured policies will determine the actions taken for such emails, ensuring that appropriate measures are in place to mitigate the risks associated with Domain impersonation attacks. This provides end users with increased confidence and assurance that impersonated emails will be managed effectively based on the guidelines established by their organization’s security administrators.
Note: This change is only applicable to accepted domains and not applicable to custom domains (i.e. targeted domains) and it does not apply to Preset policies. The following settings will be enabled in Automatic state for Organization Domain Impersonation protection:
- ImpersonationProtectionState – Automatic
- EnableOrganizationDomainsProtection – True
- EnableSimilarDomainsSafetyTips – True
- TargetedDomainProtectionAction – MoveToJmf
[What you need to do to prepare:]
During rollout, only the user experience and cmdlets related to the Domain impersonation protection change will be made available to customers. However, no immediate actions will be taken on domain impersonated messages based on these changes.
Customers have the option to opt out of Automatic state of protection controlled by Microsoft and adjust their settings manually according to their preferences before the effective date. From that date onwards, the chosen setting will be honored, and the Domain impersonation protection will take action accordingly on the messages detected as such. (For example, send to junk or quarantine).
With the upcoming automatic state rollout for Domain impersonation protection, other forms of impersonation protection will be turned OFF, as per the previous policy setting. If you want to activate impersonation protection for all other types of impersonations, you will need to disable the automatic state and manually enable protection settings for each of them.
We are actively planning to introduce automatic state functionality for other impersonation protections in the future such as custom domain and user impersonation protection, mailbox intelligence-based impersonation protection.
For more detailed information about Domain impersonation protection and its configuration in MDO, you can refer to the following public documentation: Anti-phishing policies and Impersonation insight.
