Ok, guilty as charged. I thought for sure it was on by default but, nope, it’s not.

ATP is an awesome tool but there are settings that one may not realize have to be configured and Anti-Phishing is just one of those setting that desperately needs to be configured. Found buried under Admin centers\ Security & Compliance\Threat management\ Policy\ ATP anti-phishing in the Admin portal of o365 is where this policy needs to set.

To configure the policy you have to create a new one by choosing Create. Give the policy a name and choose next.

On the Applied to screen, add a condition “The recipient domain is…” and click choose.

Click on add and select all applicable domains for your client. Click on Done. Now “Create this policy.

Now you have to edit the policy. The screen appears automaticly and starting with Impersonation, choose edit and then turn it on.

Add the users you would like to apply this to and click Save. Now click on Add domains and turn on Automatically include the domains I own

            NOTE: If the client has any custom domain be sure to include them here as well.

Once you have included the domains click on save and choose Actions. Most popular choice of action is to quarentine the message. Here you will also want to Turn on impersonation safety tips as well. Once set, click on save.

Mailbox intelligence is on by default.

To begin with, the rest of the choices can be left at default unless needed by the client.

Now, great job, you have successfully implemented a very important policy. Huge win for you and Prescient in the eyes of the client.

I know I learned an important lesson, don’t think that it’s on or off by default. Double check and cya. 20 minutes of going through the process is a pittance compared to a CEO or CFO in your face after being subjected to a spoofing or phishing attach.