MS.DEFENDER.2.2v1 - Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies.

Information

Configuring domain impersonation protection for all agency domains reduces the risk of a user being deceived by a look-alike domain. By configuring impersonation protection in both preset policies, administrators can help protect email recipients from impersonated emails, regardless of whether they are added to the standard or strict policy.

Solution

1. Sign in to Microsoft 365 Defender.
2. In the left-hand menu, go to Email & Collaboration > Policies & Rules.
3. Select Threat Policies.
4. From the Templated policies section, select Preset Security Policies.
5. Under either Standard protection or Strict protection, select Manage protection settings.
6. Select Next until you reach the Impersonation Protection page, then select Next once more.
7. On the Protected custom domains page, add each agency domain and click Add after each.
8. Select Next until you reach the Trusted senders and domains page.
9. (Optional) Add specific domains here to not flag as impersonation when sending messages and prevent false positives. Click Add after each.
10. Select Next on each page until the Review and confirm your changes page.
11. On the Review and confirm your changes page, select Confirm.

See Also

https://github.com/cisagov/ScubaGear/tree/v1.5.0/

Item Details

Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-4, 800-53|CA-7, 800-53|CM-2, 800-53|CM-6, 800-53|IA-9, 800-53|SC-7, 800-53|SC-20, 800-53|SC-44, 800-53|SI-3, 800-53|SI-4, 800-53|SI-8

Plugin: microsoft_azure

Control ID: 64352b1f56d0864dc7472a439c3f744a770f7014cc178d40086017a30c07314d