2.1.7 Ensure that an anti-phishing policy has been created

Information

By default, Office 365 includes built-in features that help protect users from phishing attacks. Set up anti-phishing polices to increase this protection, for example by refining settings to better detect and prevent impersonation and spoofing attacks. The default policy applies to all users within the organization and is a single view to fine-tune anti-phishing protection. Custom policies can be created and configured for specific users, groups or domains within the organization and will take precedence over the default policy for the scoped users.

Rationale:

Protects users from phishing attacks (like impersonation and spoofing), and uses safety tips to warn users about potentially harmful messages.

Impact:

Turning on Anti-Phishing should not cause an impact; messages will be displayed when applicable.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Note: Audit and Remediation guidance may focus on the Default policy however, if a Custom Policy exists in the organization's tenant then ensure the setting is set as outlined in the highest priority policy listed.
To set the anti-phishing policy

Navigate to Microsoft 365 Defender https://security.microsoft.com.

Click to expand Email & collaboration select Policies & rules

Select Threat policies.

Under Policies select Anti-phishing.

Select the Office365 AntiPhish Default (Default) policy and click Edit protection settings.

Set the Phishing email threshold to at least 2 - Aggressive.

Under Impersonation

Check Enable mailbox intelligence (Recommended)

Check Enable Intelligence for impersonation protection (Recommended).

Under Spoof

Check Enable spoof intelligence (Recommended).

Click Save.

To create an anti-phishing policy using PowerShell:

Connect to Exchange Online service using Connect-ExchangeOnline.

Run the following Exchange Online PowerShell command:

New-AntiPhishPolicy -Name 'Office365 AntiPhish Policy'

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-3, 800-53|SI-8, 800-53|SI-16, CSCv7|7

Plugin: microsoft_azure

Control ID: 2905acb57fbff60713485f3ee258af1a556c0c545b739f7b53649bdb68385098