Intermediate ⏱ 100 min 📋 14 Steps

Configure Anti-Phishing & Zero-Hour Auto Purge

Deploy advanced anti-phishing policies with user and domain impersonation protection, configure mailbox intelligence, set up spoof intelligence, enable Zero-Hour Auto Purge (ZAP), configure priority account protection, and fine-tune phishing detection thresholds.

📋 Overview

About This Lab

Microsoft Defender for Office 365 provides three layers of anti-phishing protection: spoof intelligence (built into Exchange Online Protection), standard anti-phishing (EOP), and advanced anti-phishing (Defender for Office 365 Plan 1 and Plan 2: impersonation protection, mailbox intelligence, and adjustable phishing thresholds). Impersonation protection detects emails that impersonate specific VIP users (CEO, CFO) or your organisation’s domains using lookalike display names and addresses.

Mailbox intelligence uses machine learning to learn who each user normally corresponds with and flags senders that resemble, but are not, an established contact; that is how a lookalike of a known correspondent is caught even when the address has never been seen before. Zero-Hour Auto Purge (ZAP) retroactively removes malicious emails from user mailboxes after delivery, when updated threat intelligence reclassifies a message that was judged clean at delivery time. This lab covers end-to-end configuration of the three layers plus ZAP, testing each one, and establishing operational monitoring procedures.

🏢 Enterprise Use Case

Woodgrove Bank, a financial services company with 8,000 employees, has experienced three successful CEO impersonation attacks in the past year, resulting in $1.2M in fraudulent wire transfers. Attackers register lookalike domains and send emails appearing to be from the CEO requesting urgent wire transfers to the finance team. Existing EOP anti-spam filters do not catch these attacks because the emails are well-crafted and pass SPF/DKIM for the attacker’s own domain.

The CISO requires impersonation protection for all executives, domain protection for primary and partner domains, mailbox intelligence for all users, and ZAP for retroactive threat removal. Success criteria: zero successful impersonation attacks, all phishing quarantined within 30 minutes, priority account monitoring for C-suite.

🎯 What You Will Learn

  1. Understand the three layers of anti-phishing protection and when each applies
  2. Create anti-phishing policies with user impersonation protection
  3. Add domain impersonation protection for your organisation and partner domains
  4. Enable mailbox intelligence for anomaly-based detection
  5. Set advanced phishing thresholds appropriate for your risk profile
  6. Configure spoof intelligence and the Tenant Allow/Block List
  7. Verify and configure Zero-Hour Auto Purge across all policy types
  8. Set up priority account protection for VIP users
  9. Test and validate anti-phishing detections
  10. Establish ongoing monitoring, false positive management, and documentation

🔑 Why This Matters

The FBI’s Internet Crime Complaint Center reported $2.9 billion in BEC losses in its 2023 Internet Crime Report. Spoofed display names and lookalike domains pass SPF, DKIM and DMARC because attackers authenticate for infrastructure they own; only identity and content analysis can catch them. ZAP addresses the gap between delivery and threat identification by retroactively removing threats.

Verizon’s 2019 Data Breach Investigations Report found C-level executives were 12 times more likely to be the target of social engineering incidents than other staff, making executive protection a critical priority for any organisation.

⚙️ Prerequisites

  • Completed Labs 01 and 02
  • Microsoft Defender for Office 365 Plan 2
  • Exchange Online Administrator or Security Administrator role
  • A list of VIP users for impersonation protection (CEO, CFO, CTO, etc.)
  • Your organisation’s primary and accepted domains
  • Top partner/vendor domains for domain impersonation protection
  • Test mailboxes for policy validation

Step 1 · Review Anti-Phishing Protection Layers

Navigate to security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Anti-phishing. Review the three protection layers:

  • Layer 1 · Spoof Intelligence (EOP): Detects mismatched From address domains and sending infrastructure using SPF, DKIM, DMARC, and composite authentication
  • Layer 2 · Standard Anti-Phishing (EOP): Machine learning evaluating content, reputation, URLs, and attachments
  • Layer 3 · Advanced Anti-Phishing (Defender for Office 365): User impersonation, domain impersonation, mailbox intelligence, and configurable thresholds
# Connect and review existing anti-phishing policies
Connect-ExchangeOnline

Get-AntiPhishPolicy | Select-Object Name, Enabled, IsDefault,
    EnableMailboxIntelligence, EnableMailboxIntelligenceProtection,
    EnableOrganizationDomainsProtection, EnableTargetedDomainsProtection,
    EnableTargetedUserProtection, PhishThresholdLevel |
    Format-List

Get-AntiPhishRule | Select-Object Name, Priority, State,
    SentTo, SentToMemberOf, RecipientDomainIs | Format-List

Step 2 · Configure User Impersonation Protection

Create a custom anti-phishing policy for VIP protection. Add C-suite executives, finance leaders, and anyone with financial signing authority:

# WHAT: Create an anti-phishing policy with user impersonation protection for VIP accounts
# WHY:  BEC (Business Email Compromise) attacks impersonate executives using lookalike display names.
#       User impersonation protection detects when an inbound email’s sender name closely matches
#       a protected user (e.g., "CEO Display Name" vs "CE0 Display Name") and quarantines it.
# OUTPUT: Anti-phishing policy with 5 protected VIP users, mailbox intelligence enabled,
#         and quarantine action for all impersonation detections
# KEY PARAMETERS:
#   - TargetedUsersToProtect: Format is "Display Name;email@domain.com" (up to 350 users per policy)
#   - TargetedUserProtectionAction Quarantine: Impersonating emails go to quarantine (not junk)
#   - PhishThresholdLevel 2: Aggressive filtering (Level 1=Standard, 2=Aggressive, 3=More, 4=Most)
#   - EnableMailboxIntelligence: ML learns each user’s communication patterns over 30 days
#   - MailboxIntelligenceProtectionAction: Takes action on ML-detected anomalies
#   - EnableSimilarUsersSafetyTips: Shows a yellow banner warning when sender name is similar to a VIP

$vipUsers = @(
    "CEO Display Name;ceo@contoso.com",
    "CFO Display Name;cfo@contoso.com",
    "CTO Display Name;cto@contoso.com",
    "CISO Display Name;ciso@contoso.com",
    "VP Finance;vpfinance@contoso.com"
)

New-AntiPhishPolicy -Name "VIP Impersonation Protection" `
    -Enabled $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $vipUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true `
    -PhishThresholdLevel 2 `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine

# Create the rule that scopes this policy to all recipients in contoso.com
New-AntiPhishRule -Name "VIP Impersonation Protection Rule" `
    -AntiPhishPolicy "VIP Impersonation Protection" `
    -RecipientDomainIs "contoso.com" `
    -Priority 0

Write-Host "VIP anti-phishing policy created" -ForegroundColor Green

Pro Tip: You can protect up to 350 users per policy. Prioritise executives, finance leads, and anyone with financial signing authority. Detection compares the sender’s display name and address against each protected entry, so use the exact display names recipients see in Outlook, not internal aliases.

Step 3 · Set Up Domain Impersonation Protection

Domain impersonation detects emails from lookalike domains (e.g., cont0so.com). Organisation domain protection covers every accepted domain in the tenant automatically; targeted domain protection is for partners and vendors you exchange payment or contract mail with (up to 50 custom domains per policy). Enable both:

# Add domain impersonation protection
$partnerDomains = @(
    "fabrikam.com", "northwindtraders.com",
    "adatum.com", "tailspintoys.com", "wingtiptoys.com"
)

Set-AntiPhishPolicy -Identity "VIP Impersonation Protection" `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $partnerDomains `
    -TargetedDomainProtectionAction Quarantine `
    -EnableSimilarDomainsSafetyTips $true

Write-Host "Domain impersonation protection configured" -ForegroundColor Green

Step 4 · Enable Mailbox Intelligence

Mailbox intelligence builds a per-user sender graph using ML. It learns who each user normally corresponds with and flags messages from senders that resemble an established contact but do not match it, the typical signature of a BEC lookalike:

  • Mailbox Intelligence: Must be enabled as prerequisite (on by default); on its own it only gathers the signal and takes no action
  • Mailbox Intelligence Protection: Takes action on detections; must be explicitly enabled
  • Requires roughly 30 days of email data to build accurate profiles; expect more false positives before then
# Enable mailbox intelligence with protection action
Set-AntiPhishPolicy -Identity "VIP Impersonation Protection" `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf

Get-AntiPhishPolicy -Identity "VIP Impersonation Protection" |
    Select-Object EnableMailboxIntelligence,
        EnableMailboxIntelligenceProtection,
        MailboxIntelligenceProtectionAction | Format-List

Pro Tip: Start with Move to Junk during the 30-day learning period, then escalate to Quarantine once profiles stabilise. This command overrides the Quarantine action set in Step 2 for this policy; the quarantine tag assigned in Step 9 only takes effect once the action is Quarantine again.

Step 5 · Configure Advanced Phishing Thresholds

Set differentiated thresholds: stricter for executives, standard for general users. A recipient is matched by at most one custom anti-phishing policy (the highest-priority rule whose conditions match), so an executive-only policy must carry every protection the broader VIP policy has, otherwise executives lose it:

  • Level 1 · Standard: Default. Minimal false positives but may miss sophisticated phishing
  • Level 2 · Aggressive: Recommended for most organisations
  • Level 3 · More Aggressive: For high-risk industries (finance, government)
  • Level 4 · Most Aggressive: Maximum sensitivity. Only for dedicated executive groups
# Create a strict executive-only policy. Policies do not stack, so repeat the user and
# domain protections from Steps 2-3 here ($vipUsers and $partnerDomains are defined there).
New-AntiPhishPolicy -Name "Executive Maximum Protection" `
    -Enabled $true -PhishThresholdLevel 4 `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $vipUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $partnerDomains `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine

# Priority 0 places this rule ahead of the VIP rule (which shifts to priority 1), so members
# of the group receive this policy and only this policy
New-AntiPhishRule -Name "Executive Protection Rule" `
    -AntiPhishPolicy "Executive Maximum Protection" `
    -SentToMemberOf "C-Suite-Executives" -Priority 0
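Because rules are evaluated in priority order and only the first match counts, the two custom policies built in Steps 2 to 5 can interact in ways the portal does not make obvious: a C-suite member matched by the executive rule gets that policy’s settings and nothing from the VIP policy. The function below is an added example, not part of the original lab, that resolves the effective policy for a recipient by replaying that evaluation order. It assumes the rule’s SentTo and ExceptIfSentTo values are SMTP addresses, and that SentToMemberOf groups are distribution or mail-enabled security groups readable with Get-DistributionGroupMember (Microsoft 365 Groups would need Get-UnifiedGroupLinks instead). The MatchedRule property it attaches is this example’s own, not a cmdlet output.

```powershell
# Added example: resolve which anti-phishing policy actually applies to one recipient.
# Rules are evaluated from priority 0 upward; the first rule whose conditions match (and whose
# exceptions do not) decides. Policies never stack.
function Get-EffectiveAntiPhishPolicy {
    param([Parameter(Mandatory)][string]$Recipient)

    $domain = ($Recipient -split '@')[1]

    # Membership test for SentToMemberOf / ExceptIfSentToMemberOf (assumption: distribution or
    # mail-enabled security groups; Microsoft 365 Groups need Get-UnifiedGroupLinks instead)
    $isMember = {
        param($groups)
        foreach ($g in @($groups)) {
            if (-not $g) { continue }
            $members = Get-DistributionGroupMember -Identity "$g" -ResultSize Unlimited -ErrorAction SilentlyContinue
            $addrs   = @($members | ForEach-Object { "$($_.PrimarySmtpAddress)" })
            if ($addrs -contains $Recipient) { return $true }
        }
        return $false
    }

    $rules = Get-AntiPhishRule | Where-Object { $_.State -eq 'Enabled' } | Sort-Object Priority
    foreach ($rule in $rules) {
        $sentTo       = @($rule.SentTo | ForEach-Object { "$_" })
        $exceptSentTo = @($rule.ExceptIfSentTo | ForEach-Object { "$_" })

        # A rule applies when ANY of its conditions matches ...
        $isMatch = ($sentTo -contains $Recipient) -or
                   (@($rule.RecipientDomainIs) -contains $domain) -or
                   (& $isMember $rule.SentToMemberOf)
        # ... and NONE of its exceptions matches
        $excepted = ($exceptSentTo -contains $Recipient) -or
                    (@($rule.ExceptIfRecipientDomainIs) -contains $domain) -or
                    (& $isMember $rule.ExceptIfSentToMemberOf)

        if ($isMatch -and -not $excepted) {
            $policy = Get-AntiPhishPolicy -Identity $rule.AntiPhishPolicy
            return $policy | Add-Member -NotePropertyName MatchedRule -NotePropertyValue $rule.Name -PassThru
        }
    }

    # No custom rule matched: the default policy applies
    Get-AntiPhishPolicy | Where-Object { $_.IsDefault } |
        Add-Member -NotePropertyName MatchedRule -NotePropertyValue '(default)' -PassThru
}

# Compare what an executive and a regular user actually receive (addresses are placeholders)
foreach ($user in 'cfo@contoso.com', 'analyst@contoso.com') {
    Write-Host "Effective policy for $user" -ForegroundColor Cyan
    Get-EffectiveAntiPhishPolicy -Recipient $user |
        Format-List MatchedRule, Name, PhishThresholdLevel, EnableTargetedUserProtection,
            EnableOrganizationDomainsProtection, EnableTargetedDomainsProtection,
            EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction
}
```

Run this for every protected user after any rule or priority change; if an executive resolves to a policy that lacks domain or mailbox intelligence protection, fix the policy rather than adding another rule.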

Step 6 · Configure Spoof Intelligence

Navigate to Email & collaboration → Policies & rules → Threat policies → Tenant Allow/Block Lists → Spoofed senders (or open the Spoof intelligence insight). Review automatically detected spoofed senders and allow only pairs you can tie to a known service. For a third party that sends as your own domain, the right fix is to authorise it in SPF and set up DKIM signing for it; a spoof allow entry is the fallback when that is not possible, and it bypasses only the spoof verdict, not anti-spam, anti-malware or impersonation checks:

# Review spoof intelligence detections
Get-SpoofIntelligenceInsight |
    Select-Object SpoofedUser, SendingInfrastructure,
        SpoofType, Action, LastSeen, MessageCount |
    Sort-Object MessageCount -Descending | Format-Table -AutoSize

# Allow legitimate marketing/notification spoofing. The spoofed user is one of our own
# accepted domains, so SpoofType is Internal (External is for spoofed third-party domains).
# SendingInfrastructure is the PTR domain shown in the insight, or the /24 range when none.
New-TenantAllowBlockListSpoofItems -Identity Default `
    -SpoofedUser "contoso.com" `
    -SendingInfrastructure "mailchimp.com" `
    -SpoofType Internal -Action Allow

New-TenantAllowBlockListSpoofItems -Identity Default `
    -SpoofedUser "contoso.com" `
    -SendingInfrastructure "sendgrid.net" `
    -SpoofType Internal -Action Allow

Step 7 · Verify and Configure Zero-Hour Auto Purge (ZAP)

ZAP retroactively detects and removes malicious emails delivered before threat identification. Its switches live in two policy types (there is no ZAP setting in the anti-phishing policy itself). Verify it is enabled everywhere:

  • Malware ZAP (anti-malware policy, ZapEnabled): Quarantines messages with newly identified malware attachments
  • Spam ZAP (anti-spam policy, SpamZapEnabled): Acts on unread messages reclassified as spam or high-confidence spam, following the action configured for that verdict
  • Phishing ZAP (anti-spam policy, PhishZapEnabled): Acts on messages reclassified as phishing or high-confidence phishing, following the action configured for that verdict
# WHAT: Verify and enable Zero-Hour Auto Purge (ZAP) across anti-malware and anti-spam policies
# WHY:  ZAP retroactively removes malicious emails from user mailboxes AFTER delivery when updated
#       threat intelligence reclassifies a previously-delivered message as malicious. This addresses
#       the gap between email delivery and threat identification (e.g., a URL that was benign at
#       delivery but weaponized 30 minutes later). ZAP must be enabled on BOTH policy types.
# OUTPUT: Tables showing ZAP status per policy. All values should be True.
#   - ZapEnabled (anti-malware): Removes messages with newly-identified malware attachments
#   - SpamZapEnabled (anti-spam): Removes messages reclassified as spam / high-confidence spam
#   - PhishZapEnabled (anti-spam): Removes messages reclassified as phishing (highest priority)
# NOTE: ZAP only works for Exchange Online mailboxes. On-prem hybrid mailboxes are NOT covered.
#       ZAP does NOT act on messages in Deleted Items or messages the user has already moved.
#       Spam and phishing ZAP follow the verdict's configured action: with Add X-header,
#       Prepend subject, Redirect or Delete there is nothing for ZAP to move.

Write-Host "=== Anti-Malware ZAP ===" -ForegroundColor Cyan
Get-MalwareFilterPolicy | Select-Object Name, ZapEnabled | Format-Table -AutoSize

Write-Host "=== Anti-Spam ZAP ===" -ForegroundColor Cyan
Get-HostedContentFilterPolicy |
    Select-Object Name, SpamZapEnabled, PhishZapEnabled | Format-Table -AutoSize

# Auto-fix: Enable ZAP on any policy where it's disabled
Get-HostedContentFilterPolicy | Where-Object {
    $_.SpamZapEnabled -eq $false -or $_.PhishZapEnabled -eq $false
} | ForEach-Object {
    Set-HostedContentFilterPolicy -Identity $_.Name `
        -SpamZapEnabled $true -PhishZapEnabled $true
    Write-Host "ZAP enabled on: $($_.Name)" -ForegroundColor Yellow
}

Get-MalwareFilterPolicy | Where-Object { $_.ZapEnabled -eq $false } |
    ForEach-Object {
    Set-MalwareFilterPolicy -Identity $_.Name -ZapEnabled $true
    Write-Host "Malware ZAP enabled on: $($_.Name)" -ForegroundColor Yellow
}

Write-Host "`nAll ZAP settings verified" -ForegroundColor Green
Pro Tip: ZAP is on by default in new policies, but it can only do what the verdict action allows. Re-run this check after any anti-spam policy change, and confirm the quarantine policy assigned to the phishing verdict so users are notified when ZAP pulls a message they have already read.
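A ZAP flag that is True is not the same as ZAP that can act: for spam, high-confidence spam and phishing, ZAP follows the action configured for that verdict in the anti-spam policy, and with Add X-header, Prepend subject, Redirect or Delete it silently does nothing. The check below is an added example, not part of the original lab, that compares each anti-spam policy’s ZAP flags against its verdict actions. The property names (SpamAction, HighConfidenceSpamAction, PhishSpamAction, HighConfidencePhishAction) are those returned by Get-HostedContentFilterPolicy; the Status labels are this example’s own.

```powershell
# Added example: report where a ZAP flag is on but the verdict action leaves ZAP nothing to do.
function Test-ZapEffectiveness {
    # Only these two actions give ZAP a destination for the message
    $zapCapable = @('MoveToJmf', 'Quarantine')

    foreach ($p in Get-HostedContentFilterPolicy) {
        # Each verdict is governed by one ZAP flag and one action on the anti-spam policy
        $checks = @(
            @{ Flag = 'SpamZapEnabled';  Verdict = 'Spam';                Action = $p.SpamAction }
            @{ Flag = 'SpamZapEnabled';  Verdict = 'HighConfidenceSpam';  Action = $p.HighConfidenceSpamAction }
            @{ Flag = 'PhishZapEnabled'; Verdict = 'Phish';               Action = $p.PhishSpamAction }
            @{ Flag = 'PhishZapEnabled'; Verdict = 'HighConfidencePhish'; Action = $p.HighConfidencePhishAction }
        )

        foreach ($c in $checks) {
            $flagOn = [bool]$p.($c.Flag)
            $action = "$($c.Action)"
            $status = if (-not $flagOn)                     { 'ZAP DISABLED' }
                      elseif ($zapCapable -notcontains $action) { 'ZAP INEFFECTIVE (verdict action)' }
                      else                                   { 'OK' }

            [pscustomobject]@{
                Policy  = $p.Name
                Verdict = $c.Verdict
                Action  = $action
                ZapFlag = $flagOn
                Status  = $status
            }
        }
    }
}

# Anything other than OK needs either the flag turned on (Step 7 auto-fix) or the verdict
# action changed to MoveToJmf / Quarantine before ZAP can remove anything
Test-ZapEffectiveness | Sort-Object Status, Policy | Format-Table -AutoSize
```

Treat an INEFFECTIVE row on the phishing verdicts as equivalent to ZAP being off: a message reclassified as phishing will stay in the user’s inbox.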

Step 8 · Set Up Priority Account Protection

Navigate to Settings → Email & collaboration → User tags. Add VIP users to the built-in Priority account tag for enhanced monitoring, dedicated alerts, and separate reporting filters.

# List priority users that should be tagged in the portal
$priorityUsers = @(
    "ceo@contoso.com", "cfo@contoso.com",
    "cto@contoso.com", "ciso@contoso.com",
    "vpfinance@contoso.com", "generalcounsel@contoso.com"
)
Write-Host "Add these to Priority Account tag in Defender portal:" -ForegroundColor Yellow
$priorityUsers | ForEach-Object { Write-Host "  $_" }

Step 9 · Configure Quarantine Policies

Configure quarantine access levels for different threat types:

  • Phishing: AdminOnlyAccessPolicy, so users cannot self-release phishing
  • Spam: DefaultFullAccessPolicy or a custom policy allowing user release
  • Impersonation: Custom policy allowing request release (admin approval required); a quarantine tag only takes effect for detections whose action is Quarantine
# Create quarantine policy for impersonation detections.
# EndUserQuarantinePermissionsValue 27 is the built-in "Limited access" preset:
# BlockSender (16) + RequestRelease (8) + Preview (2) + Delete (1). Release (4) is
# deliberately absent, so users can ask for release but not release themselves.
New-QuarantinePolicy -Name "Impersonation - Request Release" `
    -EndUserQuarantinePermissionsValue 27 -EsnEnabled $true

# Apply to the anti-phishing policy (each tag matters only where that detection's action is Quarantine)
Set-AntiPhishPolicy -Identity "VIP Impersonation Protection" `
    -TargetedUserQuarantineTag "Impersonation - Request Release" `
    -TargetedDomainQuarantineTag "Impersonation - Request Release" `
    -MailboxIntelligenceQuarantineTag "Impersonation - Request Release"

Write-Host "Quarantine policies configured" -ForegroundColor Green

Step 10 · Test Anti-Phishing Detections

Validate each protection layer with realistic test scenarios:

  1. Test user impersonation: Send from an external account you control using a VIP’s display name. Verify quarantine and the safety tip
  2. Test domain impersonation: Send from a lookalike domain you have registered for testing. Verify domain impersonation detection triggers
  3. Test spoof intelligence: Send a spoofed email with a mismatched From header. Verify composite authentication failure (compauth=fail in the Authentication-Results header)
  4. Verify in Threat Explorer: Filter by detection technology to confirm the correct layer identified each threat
  5. Cross-check the message header: X-Forefront-Antispam-Report carries the category that fired, CAT:UIMP (user impersonation), CAT:DIMP (domain impersonation), CAT:GIMP (mailbox intelligence), CAT:SPOOF (spoof intelligence) or CAT:PHSH/HPHSH (phishing), and is the authoritative record of which layer caught the message
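The quarantine reason tells you a message was caught, not by which layer. The X-Forefront-Antispam-Report header does, through its CAT field, alongside the SCL and the composite authentication result in Authentication-Results. The PowerShell below is an added example, not part of the original lab, that unfolds raw headers and reports the layer that fired; the embedded headers are a constructed sample for a lookalike-domain test, not a captured message. Paste the headers of your own quarantined test messages (Quarantine → message → View message headers) into $sampleHeaders to use it.

```powershell
# Added example: map the CAT value in X-Forefront-Antispam-Report to the protection layer.
# The headers below are a CONSTRUCTED sample for a domain-impersonation test, not real mail.
$sampleHeaders = @'
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=cont0so.com;
 dkim=pass header.d=cont0so.com; dmarc=pass action=none header.from=cont0so.com;
 compauth=pass reason=100
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;
 H:mail.cont0so.com;PTR:mail.cont0so.com;CAT:DIMP;SFTY:9.19;DIR:INB;
'@

function Get-PhishVerdict {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold RFC 5322 continuation lines (line break followed by whitespace) so each header is one line
    $lines  = ($RawHeaders -replace "\r?\n[ \t]+", ' ') -split "\r?\n"
    $report = ($lines | Where-Object { $_ -like 'X-Forefront-Antispam-Report:*' } | Select-Object -First 1) `
              -replace '^X-Forefront-Antispam-Report:\s*', ''
    $auth   =  $lines | Where-Object { $_ -like 'Authentication-Results:*' } | Select-Object -First 1

    # The report is a ;-separated list of KEY:VALUE fields
    $fields = @{}
    foreach ($kv in ($report -split ';')) {
        if ($kv -match '^\s*([A-Z]+):(.*)$') { $fields[$matches[1]] = $matches[2] }
    }

    $cat   = if ($fields.ContainsKey('CAT') -and $fields['CAT']) { $fields['CAT'] } else { 'NONE' }
    $layer = switch ($cat) {
        'UIMP'  { 'Layer 3: user impersonation' }
        'DIMP'  { 'Layer 3: domain impersonation' }
        'GIMP'  { 'Layer 3: mailbox intelligence' }
        'SPOOF' { 'Layer 1: spoof intelligence' }
        'PHSH'  { 'Layer 2: phishing' }
        'HPHSH' { 'Layer 2: high-confidence phishing' }
        default { "Not a phishing verdict (CAT=$cat)" }
    }

    # Composite authentication: pass means SPF/DKIM/DMARC aligned, which is expected for a
    # lookalike domain the attacker owns; the catch then has to come from layer 2 or 3
    $compauth = if ("$auth" -match 'compauth=(\w+)\s+reason=(\d+)') { "$($matches[1]) (reason $($matches[2]))" } else { 'n/a' }

    [pscustomobject]@{
        Category = $cat
        Layer    = $layer
        SCL      = $fields['SCL']
        SenderIP = $fields['CIP']
        CompAuth = $compauth
    }
}

Get-PhishVerdict -RawHeaders $sampleHeaders | Format-List
```

For the sample above the function reports DIMP, layer 3 domain impersonation, with compauth=pass, which is exactly the Woodgrove scenario: authentication is clean because the attacker owns cont0so.com, and only impersonation protection stops the message.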

Step 11 · Configure Advanced Delivery for SecOps

Set up the SecOps mailbox to receive unfiltered phishing samples for security team analysis. Messages to this mailbox skip most of the filtering stack, so use a dedicated mailbox that is never opened in a standard mail client, not an analyst’s own inbox:

# Configure the SecOps mailbox for Advanced Delivery. One SecOps override policy is allowed
# per tenant; the destination mailbox is set on the policy and the rule activates it.
New-SecOpsOverridePolicy -Name "SecOpsOverridePolicy" -SentTo "secops@contoso.com"
New-ExoSecOpsOverrideRule -Name "SecOpsOverrideRule" -Policy "SecOpsOverridePolicy"

Get-SecOpsOverridePolicy | Format-List Name, SentTo
Get-ExoSecOpsOverrideRule | Format-List Name, State

Step 12 · Monitor Threat Protection Metrics

Navigate to Reports → Threat protection status. Establish a weekly monitoring routine:

  • Filter by detection technology: anti-phishing, anti-spoofing, impersonation, ZAP
  • Filter by Priority Accounts to track executive threat volumes separately
  • Review the Impersonation Insight page for most-impersonated users/domains
  • Check ZAP removal counts for retroactive threat remediation
# Weekly anti-phishing monitoring report
# NOTE: Get-QuarantineMessage is paged (default 100, maximum 1000 per call). On a tenant that
#       quarantines more than 1000 items of one type per week these counts are a floor, not a total.
$startDate = (Get-Date).AddDays(-7); $endDate = Get-Date

$phish = @(Get-QuarantineMessage -StartReceivedDate $startDate `
    -EndReceivedDate $endDate -Type Phish -PageSize 1000)
$spoof = @(Get-QuarantineMessage -StartReceivedDate $startDate `
    -EndReceivedDate $endDate -Type Spoof -PageSize 1000)

Write-Host "=== Weekly Anti-Phishing Report ===" -ForegroundColor Cyan
Write-Host "Period: $($startDate.ToString('yyyy-MM-dd')) to $($endDate.ToString('yyyy-MM-dd'))"
Write-Host "Phishing quarantined : $($phish.Count)"
Write-Host "Spoofed quarantined  : $($spoof.Count)"

$releases = $phish | Where-Object { $_.ReleaseStatus -eq "Requested" }
Write-Host "Release requests     : $($releases.Count)" -ForegroundColor Yellow
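Counting two quarantine types from one page each is a quick spot check, not a report. The function below is an added example, not part of the original lab, that pages through the whole window, then breaks the results down by quarantine reason and by the policy that quarantined the message, and lists hits on the priority accounts from Step 8. It relies on the Type, PolicyName, RecipientAddress and ReleaseStatus properties of Get-QuarantineMessage output; the priority address list is a placeholder to replace with your tagged accounts.

```powershell
# Added example: complete weekly quarantine summary with paging, grouping and priority-account hits.
function Get-QuarantineSummary {
    param(
        [datetime]$Start = (Get-Date).AddDays(-7),
        [datetime]$End   = (Get-Date),
        # Addresses tagged as Priority accounts in Step 8 (placeholder list, adjust to your tenant)
        [string[]]$PriorityRecipients = @('ceo@contoso.com', 'cfo@contoso.com', 'vpfinance@contoso.com')
    )

    # Page through the whole window; a page shorter than PageSize means nothing is left
    $all  = @()
    $page = 1
    do {
        $batch = @(Get-QuarantineMessage -StartReceivedDate $Start -EndReceivedDate $End `
                       -PageSize 1000 -Page $page)
        $all  += $batch
        $page++
    } while ($batch.Count -eq 1000)

    # RecipientAddress is an array (one message, several recipients); flag any priority hit
    $priorityHits = $all | Where-Object {
        $rcpts = @($_.RecipientAddress | ForEach-Object { "$_" })
        @($rcpts | Where-Object { $PriorityRecipients -contains $_ }).Count -gt 0
    }

    [pscustomobject]@{
        Window          = "{0:yyyy-MM-dd} to {1:yyyy-MM-dd}" -f $Start, $End
        Total           = $all.Count
        ByReason        = $all | Group-Object Type       | Sort-Object Count -Descending | Select-Object Name, Count
        ByPolicy        = $all | Group-Object PolicyName | Sort-Object Count -Descending | Select-Object Name, Count
        ReleaseRequests = @($all | Where-Object { $_.ReleaseStatus -eq 'REQUESTED' }).Count
        PriorityHits    = $priorityHits | Select-Object ReceivedTime, SenderAddress, RecipientAddress, Subject, Type
    }
}

$summary = Get-QuarantineSummary
Write-Host "=== Weekly Quarantine Summary ($($summary.Window)) ===" -ForegroundColor Cyan
Write-Host "Total quarantined : $($summary.Total)"
Write-Host "Release requests  : $($summary.ReleaseRequests)"
$summary.ByReason | Format-Table -AutoSize
$summary.ByPolicy | Format-Table -AutoSize
Write-Host "Hits on priority accounts:" -ForegroundColor Yellow
$summary.PriorityHits | Format-Table -AutoSize
```

The ByPolicy breakdown is the fastest way to see whether the VIP and executive policies are doing the work or whether detections are all landing in the default policy, which usually means the rules in Steps 2 and 5 are not scoped the way you think.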

Step 13 · Manage False Positives and Fine-Tune

Fine-tune policies based on false positive patterns without reducing overall protection:

  • Recurring partner FPs: Add the sender or domain to the policy’s trusted senders and domains (ExcludedSenders / ExcludedDomains). This exempts them from impersonation checks only, not from spoof or spam filtering, and a compromised trusted partner becomes a blind spot, so keep the list short and reviewed
  • Legitimate spoofing: Add allowed spoof pairs in the Tenant Allow/Block List, but only when the sending service cannot be authorised through SPF and DKIM
  • Mailbox intelligence FPs: Submit via Actions & submissions → Submissions; the verdict feeds back into the model, which self-corrects over time
  • Track FP rates: Rates above 5% indicate overly aggressive settings
# Add trusted sender exceptions for impersonation FPs
Set-AntiPhishPolicy -Identity "VIP Impersonation Protection" `
    -ExcludedSenders @{Add="trustedpartner@fabrikam.com"} `
    -ExcludedDomains @{Add="trustedpartner.com"}

Write-Host "Trusted sender exceptions updated" -ForegroundColor Green

Step 14 · Document and Operationalise

Create comprehensive operational documentation:

  • Policy inventory: All anti-phishing policies, priority order, threshold levels, and actions
  • Protected users list: All users in impersonation protection with review dates
  • Partner domain list: Domains in impersonation protection with justification
  • Spoof allow list: Allowed spoof pairs with business justification and the reason SPF/DKIM could not be used instead
  • Change management: Pilot on test mailboxes, validate with the Step 10 tests, and monitor 48 hours post-change
  • Quarterly review: Update VIP lists, adjust thresholds based on FP data
# Export complete anti-phishing configuration audit
Write-Host "=== ANTI-PHISHING CONFIG AUDIT ===" -ForegroundColor Cyan
Write-Host "Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm')`n"

Get-AntiPhishPolicy | ForEach-Object {
    Write-Host "Policy: $($_.Name)" -ForegroundColor Yellow
    Write-Host "  Enabled            : $($_.Enabled)"
    Write-Host "  Threshold          : $($_.PhishThresholdLevel)"
    Write-Host "  User Impersonation : $($_.EnableTargetedUserProtection)"
    Write-Host "  Org Domains        : $($_.EnableOrganizationDomainsProtection)"
    Write-Host "  Mailbox Intel      : $($_.EnableMailboxIntelligence)"
    Write-Host ""
}

Write-Host "=== ZAP STATUS ===" -ForegroundColor Cyan
Get-HostedContentFilterPolicy |
    Select-Object Name, SpamZapEnabled, PhishZapEnabled | Format-Table -AutoSize

Summary

What You Accomplished

  • Reviewed the three layers of anti-phishing protection and their capabilities
  • Configured user impersonation protection for VIP users with quarantine actions
  • Added domain impersonation protection for organisation and partner domains
  • Enabled mailbox intelligence with protection actions
  • Set differentiated phishing thresholds for executives vs general users
  • Verified and configured ZAP across all protection policy types
  • Set up priority account protection and SecOps advanced delivery
  • Established monitoring, false positive management, and documentation

Next Steps

📚 Documentation Resources

Resource · Description

  • Anti-phishing policies in Microsoft 365 · Overview of anti-phishing protection capabilities
  • Configure anti-phishing policies in MDO · Set up impersonation and advanced protection
  • Zero-hour auto purge (ZAP) · Retroactive threat detection and remediation
  • Spoof intelligence insight · Manage and configure spoof detection
  • Impersonation insight · Review and manage impersonation detections
  • Tenant Allow/Block List · Manage allowed and blocked senders, URLs, files
  • Quarantine policies · Configure end-user quarantine access
  • Priority account recommendations · Enhanced protection for VIP users