
How to Prevent Phishing Attacks in Microsoft 365

Imagine an employee receiving an email from the company's IT department requesting a security check. They follow a link and unknowingly enter their credentials into a convincing phishing site, giving hackers access to the company's network. Credential phishing is just one of many attacks, including spear phishing, whaling, and malware phishing. That's why monitoring phishing reports in Microsoft 365 is crucial, and this guide will show you how to do it effectively.

Native Solution

Microsoft 365 Permission Required

High

Global Admin, Security Admin, Security Reader, or Global Reader.

Option 1 Using Microsoft 365 Defender Portal

  • Log in to the Microsoft 365 Defender portal.
  • Go to the Threat protection status report under Reports»Email & collaboration reports.
  • Select "View details" in the Threat protection status report to view the data.
  • Change the report view from 'View data by Overview' to "View data by Email > Phish" to monitor phishing related reports.

Option 2 Using Windows PowerShell

  • Connect to the Exchange Online PowerShell.
     Connect-ExchangeOnline
  • Run the PowerShell cmdlet below to obtain a report on Microsoft 365 phishing emails.
     Get-MailDetailATPReport | Where-Object {$_.VerdictSource -eq 'Phish'} | Select-Object Date, Subject, SenderAddress, RecipientAddress, MessageId | Format-Table -AutoSize
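
The rows returned by the cmdlet above can be grouped to show daily phishing volume and the most targeted recipients and most active senders. The following is an added example, not part of the original guide or of MailProtectionReport.ps1; the helper name Get-PhishSummary and the sample rows are constructed for illustration, and the rows must be captured before Format-Table, which emits formatting objects rather than data.

```powershell
# Added example (not from the original guide). Get-PhishSummary is a hypothetical helper.
function Get-PhishSummary {
    [CmdletBinding()]
    param(
        # Objects carrying the properties the guide selects:
        # Date, SenderAddress, RecipientAddress, MessageId
        [Parameter(Mandatory)] [object[]] $Rows,
        [int] $Top = 3
    )

    # A message sent to several recipients produces one row per recipient,
    # so report both the row count and the unique MessageId count per day.
    $daily = $Rows |
        Group-Object { ([datetime]$_.Date).ToString('yyyy-MM-dd') } |
        ForEach-Object {
            [pscustomobject]@{
                Day      = $_.Name
                Rows     = $_.Count
                Messages = @($_.Group.MessageId | Sort-Object -Unique).Count
            }
        } | Sort-Object Day

    # Group-Object compares strings case-insensitively, which suits mail addresses.
    $topRecipients = $Rows | Group-Object RecipientAddress -NoElement |
        Sort-Object Count -Descending |
        Select-Object -Property Name, Count -First $Top
    $topSenders = $Rows | Group-Object SenderAddress -NoElement |
        Sort-Object Count -Descending |
        Select-Object -Property Name, Count -First $Top

    [pscustomobject]@{
        Daily         = $daily
        TopRecipients = $topRecipients
        TopSenders    = $topSenders
    }
}

# Constructed sample rows so the example runs without a tenant connection.
$sample = @(
    [pscustomobject]@{ Date = [datetime]'2024-05-06 08:15'; Subject = 'Password expiry notice'; SenderAddress = 'it-support@example.net'; RecipientAddress = 'alice@example.com'; MessageId = '<m1@example.net>' }
    [pscustomobject]@{ Date = [datetime]'2024-05-06 08:15'; Subject = 'Password expiry notice'; SenderAddress = 'it-support@example.net'; RecipientAddress = 'bob@example.com';   MessageId = '<m1@example.net>' }
    [pscustomobject]@{ Date = [datetime]'2024-05-06 14:40'; Subject = 'Invoice overdue';        SenderAddress = 'billing@example.org';    RecipientAddress = 'alice@example.com'; MessageId = '<m2@example.org>' }
    [pscustomobject]@{ Date = [datetime]'2024-05-07 09:05'; Subject = 'Shared document';        SenderAddress = 'it-support@example.net'; RecipientAddress = 'Alice@example.com'; MessageId = '<m3@example.net>' }
)

# Against a live tenant (after Connect-ExchangeOnline), use the guide's filter without Format-Table:
# $rows = Get-MailDetailATPReport | Where-Object { $_.VerdictSource -eq 'Phish' }
# $summary = Get-PhishSummary -Rows $rows

$summary = Get-PhishSummary -Rows $sample
$summary.Daily         | Format-Table -AutoSize
$summary.TopRecipients | Format-Table -AutoSize
$summary.TopSenders    | Format-Table -AutoSize
```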

Option 3 Using PowerShell Script

  • The above cmdlet is useful for retrieving phishing emails in Microsoft 365. However, obtaining the desired reports requires additional processing, which can be tedious and time-consuming.
  • Thus, we’ve developed a PowerShell script to easily export phishing reports in Microsoft 365.
  • Please note that the script is designed to generate 9 different email protection reports. For phish-related reports, use the script by providing a specific parameter, such as PhishEmailsReceived, PhishEmailsSent, and IntraOrgPhishMails in the below format.

    ./MailProtectionReport.ps1 -parameter
AdminDroid Solution
More than 150 reports are under the free edition.

Microsoft 365 Permission Required

Any user with report access assigned by the Super Admin.

Steps Using AdminDroid

  • Open the AdminDroid Office 365 Reporter.
  • Navigate to the All Phish Mails report under Audit»Email»Phish Mails.

AdminDroid's Microsoft 365 phishing reports offer detailed insights into phishing emails, including incoming and outgoing messages, detection statistics, etc.

  • The above chart helps to track daily phishing email volumes and identify peak periods of phishing attacks, enhancing security against evolving threats.

Effortlessly Monitor Phishing Activity with AdminDroid Reports!

Monitor AdminDroid's Microsoft 365 phishing reports that help to protect your network from cyber threats and unauthorized access.

Witness the report in action using the

Important Tips

Configure Microsoft 365 company branding to help users spot phishing pages and protect your organization from malicious credential phishing attacks.

Use safe attachments in Microsoft 365 to automatically scan malicious attachments in emails and text messages, protecting against phishing attacks.

Implement zero-hour auto purge in Exchange Online to detect and eliminate spam & phishing messages, even if they become harmful after delivery.

Exchange Online: Block Phishing Messages to Defend Your Microsoft 365


How to recognize and avoid phishing scams in Microsoft 365?

Recognizing and avoiding phishing scams in Microsoft 365 is crucial for maintaining security. As an admin, it's essential to train users effectively to identify phishing emails.

Identify Phishing Emails in Microsoft 365

Here are steps to identify phishing emails in Microsoft 365:

  • Urgent messages: Phishing messages often convey a sense of urgency, prompting you to take immediate action without considering the consequences.
  • Spelling and grammar: Legitimate companies typically hire professionals for their advertisements and email communications to maintain a good reputation. Attackers, however, often make spelling and grammar mistakes, especially when they are not writing in their native language.
  • Caution against generic greetings: Be cautious when you receive emails with generic greetings like "Dear Sir/Madam," as attackers often use these in phishing attempts. They may not have your specific information and could be trying to deceive you into revealing sensitive information.

Avoid Phishing Scams in Microsoft 365

Here are some best practices to stay protected from phishing emails and safeguard yourself and your organization against such attacks.

  • Do not open or download any file attached to a suspicious email.
  • Never reply to an email that asks you to send personal or account information.
  • Avoid clicking links in suspicious emails that direct you to a company site.
  • Ensure emails are legitimate by contacting the company through their official channels like phone or website.
  • Search the web for the email subject line followed by "hoax" to check if others have reported it as a scam.
  • Use Advanced Threat Protection provided by Microsoft for an additional layer of security against phishing attacks.

Microsoft 365's Advanced Threat Protection (ATP) offers strong defense mechanisms against phishing, but maintaining its effectiveness requires careful oversight. Unauthorized changes to ATP settings can weaken your defenses, increasing the risk of phishing attacks.

AdminDroid enhances your security efforts by providing detailed oversight of ATP configurations!

  • With AdminDroid's Advanced Threat Protection (ATP) Activities report, you can prevent unauthorized access and modifications in ATP settings.
  • This report provides various details, including username, protection policy, event time, modified parameters, etc., to aid in maintaining high protection against evolving phishing threats.

How to report a phishing message in Microsoft 365?

In addition to the mentioned practices, users can report any phishing messages to Microsoft if they seem like an attempt to trick you into sharing sensitive information. Reporting these messages not only safeguards users but also enhances Microsoft's ability to identify and prevent phishing attempts.

How to report an email as phishing in Outlook?

Reporting a phishing email in Outlook is a straightforward process that helps protect your account and organization from potential threats.

  • Log in to the Microsoft Outlook account.
  • Select the phishing message in your inbox.
  • Under the ‘Report’ drop-down, select the 'Report phishing' option.


How to report a phishing message in Microsoft Teams?

Phishing attacks are now targeting popular communication tools like Microsoft Teams. To help users, Microsoft introduced a feature for reporting suspicious messages. Here’s how to do it:

  • To report a suspicious message in Teams, select the message and click 'More options' (ellipses).
  • Next, select 'More actions' and choose the 'Report this message' option.


Before users can report suspicious messages in Teams, an admin must enable this feature in the Teams admin center. Here’s how:

  • Go to the Messaging policies in the Teams admin center.
  • Under 'Manage policies' choose the 'Global (Org-wide default)' policy.
  • Toggle the switches for 'Report inappropriate content' and 'Report a security concern' to On and click 'Save'.

With these settings enabled, users can now easily report suspicious messages in Microsoft Teams, ensuring enhanced security and prompt action against phishing threats.

What happens when you report a message as phishing in Microsoft 365?

When you report a message as phishing in Microsoft 365, the process differs slightly depending on whether the messages are reported from Outlook or Teams.

Reporting Phishing Messages in Microsoft Outlook

  • The reported message is sent to the configured reporting mailbox, to Microsoft, or both, depending on your organization's settings.
  • The message is then deleted from the user's inbox.

Reporting Suspicious Phishing Messages in Microsoft Teams

  • The reported messages are not deleted in MS Teams, allowing users to report a message multiple times.
  • An email notification is sent to the user who reported the message, stating, "You have successfully reported a Teams message as a security risk."
  • The reported message is sent to the configured reporting mailbox, to Microsoft, or both, based on your organization's settings.

Admins can view user-reported messages under the ‘User reported’ tab on the Submissions page in Microsoft 365 Defender. Monitoring these messages is essential for identifying legitimate senders and potential phishing attempts. If admins have not configured direct submission to Microsoft, they can submit these identified phishing attempts for analysis through this page.

What is anti-phishing in Microsoft 365?

Anti-phishing protection in Microsoft 365 involves several key components and practices to protect users and organizations from phishing attacks. Here's a breakdown of some of the key elements:

  • Spoof Intelligence: Microsoft 365 uses spoof intelligence to detect spoofed senders, both from external and internal domains. This feature allows admins to manually allow or block these spoofed senders, enhancing protection against spoofing attacks.

  • Anti-phishing Policies in Exchange Online Protection (EOP): These policies allow admins to fine-tune control over phishing protection mechanisms. Admins can enable spoof intelligence, enable first contact safety tip, and manage messages that fail explicit DMARC checks, etc., using these policies.

  • Tenant Allow/Block List: Administrators can manage spoofed senders by manually allowing or blocking them through the Tenant Allow/Block List. This list contains entries for spoofed senders that have been overridden in the spoof intelligence settings.

  • Implicit Email Authentication: Microsoft 365 includes implicit email authentication mechanisms like SPF, DKIM, and DMARC to verify the authenticity of incoming emails and prevent phishing.

  • Anti-phishing Policies in Microsoft Defender for Office 365: These policies provide additional layers of protection against phishing attacks. They include features such as Safe Links, which checks and prevents malicious URLs in emails, and Safe Attachments, which scans for malware attachments in emails.

  • Campaign Views: Microsoft 365 provides campaign views that allow admins to see detailed information about phishing campaigns targeting their organization. This visibility helps to understand attacks and take appropriate action.

  • Attack Simulation Training: Microsoft 365 offers attack simulation training to educate users about phishing threats.

Overall, Microsoft 365 uses a combination of technology, policies, and training to provide robust protection against phishing attacks. Admins should use these key features as part of their Office 365 security best practices.

How to configure anti-phishing policies in Microsoft 365?

Microsoft 365 Defender allows you to customize anti-phishing policies to match your organization's needs. This flexibility ensures security without compromising productivity. Let's see how to create these anti-phishing policies.

  • Log in to your Microsoft 365 Defender portal.
  • Navigate to 'Policies & Rules' under 'Email and collaboration'.
  • Select Threat policies»Anti-phishing policies available under 'Policies' section.
  • Click the ‘+Create’ button.
  • Policy Name:
    • Enter a name and description for your policy.
    • Click ‘Next’.
  • Users, Groups, and Domains:
    • Specify the users, groups, and domains to include or exclude from the policy.
    • Then, select ‘Next’.
  • Phishing Threshold & Protection:
    • Define phishing thresholds for identifying phishing emails.
    • Configure desired protection settings against impersonation and spoofing.
    • Then, choose ‘Next’.
  • Actions:
    • Specify the actions the policy should take on emails and messages that meet the policy criteria.
    • Click ‘Next’.
  • Review the configured settings and click 'Submit' to create the anti-phishing policy.

Managing multiple anti-phishing policies in Microsoft 365 can be time-consuming as you need to check each policy individually to view its configurations. While creating policies is straightforward with the Microsoft 365 Defender portal, there is no direct way to explicitly see changes made to an anti-phishing policy.

Tired of searching for anti-phishing policy changes in Microsoft 365? AdminDroid has you covered!

AdminDroid provides detailed tracking of any changes to anti-phishing policies and rules, documenting every event in the Anti-Phish Policy/Rule Changes report.

  • To access this report, navigate to Audit»Exchange»Advanced Threat Protection»Anti-Phishing.
  • With this report, Microsoft 365 admins can access details, such as configured time, UPN, respective anti-phish policy, involved tenant, operation, modified properties, and more. This proactive approach ensures that your organization's defenses against phishing attacks remain strong and adaptive.

Quick tip: Easily email the report directly from AdminDroid by clicking the Email 📧 button located in the top right corner.

How to set the phishing email threshold in Microsoft 365?

The phishing email threshold in Microsoft 365 Defender is a setting that determines the sensitivity level at which emails are classified as phishing attempts. By setting this threshold, you can control how aggressively Microsoft 365 Defender filters out potential phishing emails.

Phishing Threshold Values

  • 1 - Standard: This is the default setting. It means the severity of the action taken on a suspicious email depends on the confidence level (low, medium, or high) in identifying it as a phishing attempt. For example, if it's very high, it takes strong action, but if it's low, the action is less severe.
  • 2 - Aggressive: With this setting, if an email is flagged as phishing with a high level of confidence, it's treated as a very clear phishing attempt, and strong measures are taken.
  • 3 - More aggressive: If an email is flagged as phishing with medium or high confidence, it's treated as a very clear phishing attempt, and strong action is taken.
  • 4 - Most aggressive: All emails flagged with low, medium, or high confidence are treated as clear phishing attempts, and strong action is taken with this setting.

Here's how to set the phishing email threshold in Office 365:

  • Sign in to the Microsoft 365 Defender portal.
  • Go to Email & collaboration > Policies & rules > Threat policies > Policies > Anti-phishing.
  • Select the 'Office365 AntiPhish Default (Default)' policy.
  • Under 'Phishing & threshold protection', choose 'Edit protection settings'.
  • Adjust the 'Phishing email threshold' slider to set the value.


Set Phishing Threshold Value using PowerShell

To set the phishing threshold value using PowerShell, you can use the following cmdlet. This approach can help avoid the manual navigation of multiple admin portals.

Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" -PhishThresholdLevel "ThresholdValue" 

Replace ThresholdValue with your desired threshold value between 1 and 4. This command will update the phishing threshold level of the default anti-phishing policy.

IMPORTANT: The threshold value is 1 for the default policy, 3 for the standard policy, and 4 for the strict preset security policy. Keep in mind that increasing this value raises the chances of false positives (good mail marked as phishing). Set the phishing email level threshold at 2 or higher based on your organization's requirements.
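
To check every anti-phishing policy against the recommended minimum in one pass, the threshold can be audited from policy objects. The following is an added example, not part of the original guide; the helper name Test-PhishThresholdBaseline and the sample policies are constructed, and it assumes policy objects expose Name, Enabled and PhishThresholdLevel as Get-AntiPhishPolicy returns them.

```powershell
# Added example (not from the original guide). Test-PhishThresholdBaseline is a hypothetical helper.
function Test-PhishThresholdBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        # The guide recommends 2 or higher; valid levels are 1 to 4.
        [ValidateRange(1, 4)] [int] $MinimumLevel = 2
    )

    # Confidence levels treated as clear phishing at each threshold, as described above.
    # At level 1 nothing is escalated: the action follows the detected confidence.
    $escalated = @{
        1 = @()
        2 = @('High')
        3 = @('Medium', 'High')
        4 = @('Low', 'Medium', 'High')
    }

    foreach ($policy in $Policies) {
        $level = [int]$policy.PhishThresholdLevel
        if ($level -lt 1 -or $level -gt 4) {
            Write-Warning "Policy '$($policy.Name)' reports out-of-range level $level"
            continue
        }
        [pscustomobject]@{
            Policy              = $policy.Name
            Enabled             = [bool]$policy.Enabled
            Level               = $level
            EscalatedConfidence = $escalated[$level] -join ', '
            # A disabled policy protects nobody, whatever its threshold says.
            MeetsBaseline       = ([bool]$policy.Enabled -and $level -ge $MinimumLevel)
        }
    }
}

# Constructed sample policies so the example runs without a tenant connection.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Office365 AntiPhish Default'; Enabled = $true;  PhishThresholdLevel = 1 }
    [pscustomobject]@{ Name = 'Finance impersonation';       Enabled = $true;  PhishThresholdLevel = 3 }
    [pscustomobject]@{ Name = 'Pilot group';                 Enabled = $false; PhishThresholdLevel = 2 }
)

# Against a live tenant (after Connect-ExchangeOnline):
# $policies = Get-AntiPhishPolicy | Select-Object Name, Enabled, PhishThresholdLevel
# $report   = Test-PhishThresholdBaseline -Policies $policies -MinimumLevel 2

$report = Test-PhishThresholdBaseline -Policies $samplePolicies -MinimumLevel 2
$report | Format-Table -AutoSize

# Policies that need attention; raise each one with the guide's cmdlet, for example:
# Set-AntiPhishPolicy -Identity "<policy name>" -PhishThresholdLevel 2
$report | Where-Object { -not $_.MeetsBaseline } | Select-Object Policy, Enabled, Level
```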

What is attack simulation training in Microsoft 365?

Attack simulation training is a cybersecurity training method used within Microsoft 365 organizations to improve security awareness and readiness among employees. It involves creating controlled, realistic cyber-attack scenarios that mimic various tactics used by attackers. These simulations train staff to recognize, respond to, and report potential security threats, such as phishing emails, malware attacks, or suspicious activities.

Here are key aspects of attack simulation training in Office 365:

  • Realism: Hackers often raise the trust level of a phishing message in Microsoft 365. Therefore, simulations are designed to be as realistic as possible, challenging participants to distinguish them from real attacks. This includes techniques like spoofed emails, creating fake web pages, and even social engineering calls.
  • Training and Awareness: The primary goal is to train employees on how to react properly to different types of cyber threats. This increases their level of security awareness and teaches them the best practices to minimize risks.
  • Evaluation and Feedback: After each simulation, Microsoft 365 users receive feedback on their actions. This helps them to learn from their mistakes and improve their response strategies. Organizations also gain insights into the overall security awareness of their workforce.
  • Continuous Improvement: Microsoft 365 attack simulation training is typically not a one-time event. It is conducted regularly to cover different types of cyber threats and to keep security on top of mind as part of an ongoing security education program.

This proactive approach is effective in reducing the risk of security breaches by ensuring that employees are better equipped to handle real-life phishing incidents.

AdminDroid Exchange Online Reporter: Effortless Monitoring of Microsoft 365 Phishing Reports

AdminDroid's Exchange Online auditing tool delivers granular details into phishing emails, making it easy to monitor and audit sent & received emails, and all phishing-related activities. This powerful tracking capability is essential for admins to enforce organizational policies, identify unauthorized access, and prevent data breaches.

Explore AdminDroid's Advanced Features for Combatting Phishing Attacks!

Going beyond the 'All Phish Emails' report, AdminDroid offers in-depth insights into phishing filter settings, policy changes, and mail flow. Microsoft 365 admins can swiftly detect unusual patterns and enhance security with AdminDroid, protecting your organization from advanced phishing attacks.

A Quick Summary

Discover Phish Filter Configurations to Maximize Protection

Optimize email security settings for effective phishing detection and prevention with AdminDroid's Phish Filter Configuration Changes report.

Keep Tabs on Highly Active Phishing Senders and Receivers

Identify the top phishing senders and receivers to pinpoint the users damaging your domain's reputation and the victims who have fallen for spear phishing.

Identify Incoming and Outgoing Phishing Emails

Keep a close watch on incoming and outgoing phishing emails to understand their impact on your email flow and to block suspicious users sending phishing emails.

Gain Insights into Phishing Detection Statistics

Watch phishing detection stats in Microsoft 365 for insights on failed DMARC, spoofed domains, and more. This helps to identify root causes and implement solutions to stop phishing.

Stay Alert to Phishing Policy Changes

Get instant alerts for anti-phishing policy changes or creations, along with default alert phishing policy, using AdminDroid's real-time alerting feature.

Ensure Compliance through Phishing Report Monitoring

Monitor Microsoft 365 compliance reports related to phishing to find vulnerable users, provide targeted training, and strengthen your overall security.

In conclusion, AdminDroid provides a sophisticated solution for monitoring phishing in your organization. With real-time insights, customizable reports, and engaging dashboards, it boosts your security by effectively identifying and tackling phishing threats in Microsoft 365 emails.

Kickstart Your Journey with AdminDroid

Your Microsoft 365 Companion with Enormous Reporting Capabilities!

Common Errors and Resolution Steps in Monitoring Phishing Reports in Microsoft 365

The following are possible errors and troubleshooting hints while exporting Microsoft 365 phishing reports.

Error: Exiting. Choose one report to generate. Please try again.

This error occurs when you don't specify the report to be generated when running the PowerShell script.

Troubleshooting hint: Specify the report you want to generate when executing the script to avoid this error, as shown below.

./MailProtectionReport.ps1 -PhishEmailsReceived

Error: Couldn't find object "Research Department".

This error occurs when the ‘SentToMemberOf’ parameter of the new anti-phish rule is not correctly mentioned.

Troubleshooting hint: Please make sure that it was spelled correctly or specify a different object.

Error: The operation couldn't be performed because object 'Monitor Policy' couldn't be found on 'MA0P287A04DC003.INDP287A004.PROD.OUTLOOK.COM'.

This error occurs when you specify an incorrect anti-phish rule name or a rule name that doesn't exist.

Troubleshooting hint: Verify the existence of the specified anti-phish rule using the following cmdlet.

Get-AntiPhishRule

Error: The specified rule priority is invalid. Use a value between '0' (highest priority), and '1' (lowest priority).

This error occurs when the priority value is not properly set up while configuring the anti-phish rule in Microsoft 365.

Troubleshooting hint: When setting the priority value for an anti-phish rule, remember that the highest priority value is 0. The lowest value depends on the number of rules you have. For example, if you have five rules, set their priorities from 0 to 4. Changing a rule's priority affects others. For instance, if you change a rule to priority 2, the current rule with priority 2 shifts to 3, and so on.

Error: Cannot bind parameter 'PhishThresholdLevel' to the target. Exception setting "PhishThresholdLevel": The property (PhishThresholdLevel (System.Int32)) is out of range.

This error occurs when you mention the threshold value incorrectly while setting it in Exchange Online PowerShell.

Troubleshooting hint: Make sure to input the correct threshold value between 1 and 4.