Microsoft 365 Has an Impersonation Problem

No, It’s Not You. It’s Microsoft. Microsoft 365’s impersonation and spoofing controls are frustratingly bad. But you’re not alone in this struggle.

[Screenshot: Reddit post describing the M365 impersonation issue]

If you can relate to that Reddit post, and have at some point found yourself saying, “There has to be a better way,” you’re not alone.

Let’s break down the most common ways Microsoft Defender for Office 365 (MDO) falls short:

  1. Communication History Weakness
    Microsoft 365’s biggest blind spot is its reliance on past communication as a signal of trust. If your employees or VIPs have ever replied to an attacker (intentionally or not), Microsoft’s impersonation protection will stop applying to emails from that sender.

    This flaw is easy for attackers to exploit. A simple “wrong address” email or a harmless request for clarification could prompt a user to reply with “Not today” or “Go away,” giving attackers the green light to bypass impersonation rules in future attempts. It’s a silent backdoor, and your defenses won’t see it coming.
  2. The 350-User and 50-Domain Limit
    Microsoft Defender’s impersonation protection caps out at 350 users and 50 domains per policy. For small organizations, this might work. But if you’re managing a mid-sized business or a growing enterprise, you’ll quickly hit this ceiling.

    And when every VIP and external partner can’t fit into a single policy, you’re forced to make tough (and risky) decisions about who gets covered.

  3. Manual Discovery of Domains and Users
    Here’s the kicker: Microsoft doesn’t proactively suggest domains or users to add to your protection policies. It’s on you to manually identify and include them. Have a new vendor? You’d better remember to update your list.

    Did a phishing attempt slip through because you didn’t know to add a specific partner domain? That’s on you too. This creates a game of constant catch-up that most admins don’t have time to play.
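Since MDO won’t suggest domains for you, the discovery step can at least be scripted. The following is an added example (not from the original post and not Microsoft’s tooling) that ranks external sender domains from the last seven days of message trace so you have a candidate list to review for the domain-impersonation list. It assumes an Exchange Online session opened with Connect-ExchangeOnline, that Get-MessageTrace is available in your tenant, and that the internal domain list is replaced with your own accepted domains.

```powershell
# Added example (not from the original post): rank external sender domains seen
# in the last 7 days of message trace as candidates for TargetedDomainsToProtect.
# Assumes Connect-ExchangeOnline has already been run. Internal domains below
# are a placeholder for your tenant's accepted domains.

$InternalDomains = @('contoso.example')        # assumption: replace with your domains
$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$pageSize = 5000                               # Get-MessageTrace's maximum page size

# Message trace is paged; keep pulling until a short (or empty) page comes back.
$messages = @()
$page = 1
do {
    $batch = @(Get-MessageTrace -StartDate $start -EndDate $end -PageSize $pageSize -Page $page)
    $messages += $batch
    $page++
} while ($batch.Count -eq $pageSize)

# Reduce each message to (sender domain, recipient) and drop internal senders.
$byDomain = $messages |
    Where-Object { $_.SenderAddress -match '@' } |
    Select-Object @{ n = 'Domain'; e = { (($_.SenderAddress -split '@')[-1]).ToLowerInvariant() } },
                  RecipientAddress |
    Where-Object { $InternalDomains -notcontains $_.Domain } |
    Group-Object Domain

# Message volume plus the number of distinct internal recipients: a domain that
# reaches many different mailboxes is a stronger candidate than a noisy one that
# only hits a shared inbox.
$candidates = $byDomain | ForEach-Object {
    [pscustomobject]@{
        Domain     = $_.Name
        Messages   = $_.Count
        Recipients = @($_.Group.RecipientAddress | Sort-Object -Unique).Count
    }
} | Sort-Object Recipients, Messages -Descending | Select-Object -First 50

$candidates | Format-Table -AutoSize
# Keep a copy for the monthly policy review.
$candidates | Export-Csv -NoTypeInformation -Path .\domain-candidates.csv
```

The output is a starting point, not a decision: bulk senders (newsletters, SaaS notification domains) will rank high and usually belong in a separate allow or block decision, while the vendors and partners that appear with a broad recipient spread are the ones worth one of the 50 domain slots.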

  4. Persistent Display Name Spoofing
    Even with everything configured “correctly,” attackers can still slip through by mimicking display names. For example, an email might appear to come from your CEO, even though the actual email address is a random Gmail account. This basic (and maddening) loophole remains one of the most exploited vulnerabilities.
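One compensating control that doesn’t depend on the impersonation policy is a mail flow (transport) rule that looks at the From header directly. The block below is an added example (not from the original post) that tags external mail whose From display name exactly matches a protected executive’s name, prepends a subject warning, and stamps a header your reporting can filter on. It assumes an Exchange Online session with rights to create transport rules; the names, rule name and header name are placeholders.

```powershell
# Added example (not from the original post): flag external mail whose From
# header display name matches a protected executive's name. Assumes
# Connect-ExchangeOnline has been run by an admin who can create transport rules.

# Constructed list of display names to watch. Replace with your own VIPs.
$VipDisplayNames = @('Jane Example', 'Sam Finance')

# HeaderMatchesPatterns takes regular expressions. Escape each name so that
# punctuation is matched literally, allow an optional quoted form, and require
# the '<' that starts the address so 'Jane Example-Smith' is not a match.
$patterns = $VipDisplayNames | ForEach-Object {
    '^\s*"?' + [regex]::Escape($_) + '"?\s*<'
}

$ruleName = 'Flag external mail using a VIP display name'

# Idempotent: create the rule only if it does not already exist.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -HeaderMatchesMessageHeader 'From' `
        -HeaderMatchesPatterns $patterns `
        -PrependSubject '[External sender using an executive name] ' `
        -SetHeaderName 'X-VIP-DisplayName-Match' `
        -SetHeaderValue 'true' `
        -Comments 'Display-name impersonation heuristic; address-based protection stays in the anti-phishing policy.' `
        -Mode Enforce      # use -Mode Audit first to see what would have matched
}
```

This is a blunt instrument by design: it catches the common case the post describes (your CEO’s exact name on a consumer mailbox) but not look-alike spellings or Unicode homoglyphs, and it will also tag legitimate external mail from an executive’s personal account, which is usually the behaviour you want. Keep the list short and aligned with the users you put in the impersonation policy, and review matches via the custom header before moving from audit to enforce.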

With these limitations in mind, let’s focus on how to make the most of what Microsoft offers, because if you’re stuck with these tools, giving up isn’t an option.

How to Make the Most of Microsoft 365’s Built-In Tools

If you’ve ever found yourself scrolling through Microsoft’s endless help documentation on configuring anti-phishing policies (this one is a 20-minute read—if you don’t get distracted), you already know what you’re up against.

I can’t imagine doing some of these steps regularly—just to keep up with evolving threats.

For example:

  1. Configuring user and domain impersonation protection requires toggling through layers of menus, manually adding users and domains, and running PowerShell scripts to handle common errors (like “The email address already exists” when trying to add users).
  2. Troubleshooting why a phishing email got through? That might mean running another PowerShell command or checking four different reporting tools, none of which give you the full picture.

[Wait. It’s 2024. Are we seriously running PowerShell scripts just to stop spoofed emails landing in our executives’ inboxes?]

Okay, if you’re stuck with Microsoft’s tools, here’s how to make them slightly less frustrating.

  1. Be Ruthless with Policy Prioritization
    With a 350-user limit, you need to prioritize. Start with your high-risk users: C-suite executives, finance teams, and anyone who routinely handles sensitive information.

    For domains, focus on critical vendors, partners, and external services you use frequently.

    Microsoft’s anti-phishing policies limit protection to 350 users and 50 domains per policy, forcing admins to constantly update and manage these lists manually, a tedious task for even mid-sized organizations.
  2. Create a Regular Update Process
    Schedule time every month (or week, if possible) to review and update your policies. Check for new vendors, recently added team members, or shifts in communication patterns. Use your email logs to identify domains or addresses that might warrant protection.
  3. Leverage Quarantine Reports
    Microsoft’s quarantine feature can help identify missed threats and false positives. Train your users to review these reports and escalate anything suspicious. Their feedback can guide you in refining your anti-phishing policies.
  4. User Education is Your Secret Weapon
    Impersonation protection isn’t foolproof, so your users need to be your first line of defense. Train them to spot red flags, like display name mismatches or requests for sensitive information. Equip them with a clear escalation process for reporting suspicious emails.
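Tips 1 and 2 above (prioritize within the caps, then update on a schedule) come down to the same chore: adding users and domains to a policy without hitting the 350/50 ceiling and without the “already exists” error that appears when an entry is re-added. The following is an added example (not from the original post or from Microsoft) of a script for that monthly review. It assumes an Exchange Online session from the ExchangeOnlineManagement module, the policy name shown is a placeholder for the policy you maintain, and the candidate lists are constructed.

```powershell
# Added example (not from the original post): add protected users and domains to
# an MDO anti-phishing policy, skipping entries already present and refusing to
# exceed the 350-user / 50-domain caps. Assumes Connect-ExchangeOnline has run.

$PolicyName = 'Office365 AntiPhish Default'   # assumption: the policy you maintain
$MaxUsers   = 350
$MaxDomains = 50

# Constructed candidates. Protected users use the "Display Name;email" format
# that TargetedUsersToProtect expects.
$CandidateUsers = @(
    'Jane Example;jane.example@contoso.example',
    'Sam Finance;sam.finance@contoso.example'
)
$CandidateDomains = @('vendor-one.example', 'partner-two.example')

function Get-ProtectedEmail([string]$Entry) {
    # Address half of a "Display Name;email" entry, normalised for comparison.
    (($Entry -split ';')[-1]).Trim().ToLowerInvariant()
}

$policy = Get-AntiPhishPolicy -Identity $PolicyName

# Where-Object { $_ } drops a null so an empty list counts as 0, not 1.
$existingUsers     = @($policy.TargetedUsersToProtect   | Where-Object { $_ })
$existingDomains   = @($policy.TargetedDomainsToProtect | Where-Object { $_ })
$existingEmails    = @($existingUsers   | ForEach-Object { Get-ProtectedEmail $_ })
$existingDomainsLc = @($existingDomains | ForEach-Object { $_.ToLowerInvariant() })

# Drop anything already protected so Set-AntiPhishPolicy never sees a duplicate.
$newUsers   = @($CandidateUsers   | Where-Object { $existingEmails    -notcontains (Get-ProtectedEmail $_) })
$newDomains = @($CandidateDomains | Where-Object { $existingDomainsLc -notcontains $_.ToLowerInvariant() })

# Check headroom before touching the policy, so the change applies in full or not at all.
$userRoom   = $MaxUsers   - $existingUsers.Count
$domainRoom = $MaxDomains - $existingDomains.Count
if ($newUsers.Count -gt $userRoom) {
    throw "'$PolicyName' has $userRoom free user slots but $($newUsers.Count) are needed; trim the list or use a second policy."
}
if ($newDomains.Count -gt $domainRoom) {
    throw "'$PolicyName' has $domainRoom free domain slots but $($newDomains.Count) are needed; trim the list or use a second policy."
}

# Build the call with only the parameters that have something to add. The
# @{ Add = ... } form appends without disturbing existing entries.
$change = @{ Identity = $PolicyName }
if ($newUsers.Count -gt 0) {
    $change.TargetedUsersToProtect       = @{ Add = $newUsers }
    $change.EnableTargetedUserProtection = $true
}
if ($newDomains.Count -gt 0) {
    $change.TargetedDomainsToProtect        = @{ Add = $newDomains }
    $change.EnableTargetedDomainsProtection = $true
}

if ($change.Count -gt 1) {
    Set-AntiPhishPolicy @change
    Write-Host ("Added {0} user(s) and {1} domain(s) to '{2}'." -f $newUsers.Count, $newDomains.Count, $PolicyName)
} else {
    Write-Host "Nothing to add; every candidate is already protected."
}

# Report remaining headroom so the review knows when a second policy is due.
$after = Get-AntiPhishPolicy -Identity $PolicyName
$usersNow   = @($after.TargetedUsersToProtect   | Where-Object { $_ }).Count
$domainsNow = @($after.TargetedDomainsToProtect | Where-Object { $_ }).Count
Write-Host ("Users: {0}/{1}  Domains: {2}/{3}" -f $usersNow, $MaxUsers, $domainsNow, $MaxDomains)
```

Feed the candidate lists from whatever your monthly review produces (HR joiners for users, vendor onboarding or a sender-domain report for domains), and let the headroom report decide when it is time to create an additional policy scoped to a second group of recipients rather than silently dropping someone from the first.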

When You’ve Done All You Can

Even with perfect configuration, MDO impersonation controls leave gaps. If you’re spending more time managing policies than protecting users, it’s time to look beyond built-in tools.

Third-party solutions (ahem, like IRONSCALES) don’t just fill the gaps; they remove the hassle entirely:

  • AI-Driven Detection: Continuously learns and continuously stops advanced and new threats that Microsoft’s static rules miss
  • Continuous Updates: Automatically adapts to new domains, users, and attack vectors without manual input
  • Comprehensive Coverage: No user or domain limits, ever

Microsoft 365’s impersonation protection isn’t perfect (it’s actually really…bad), but it’s what you’ve got. With the right strategies, you can make it work better and minimize your risk.

That said, if you’re ready to eliminate the headaches entirely, it’s worth exploring solutions that let you focus on what matters: protecting your users, not managing your tools.

Stay alert. Stay informed. Keep your inbox clean.
