Effectiveness of “Impersonation Protection” within the Standard Protection security policy
Recently we began trying to improve the overall posture of our O365 Exchange. One step of that was enabling both the Preset Security Policies.
These have been enabled and I’ve set up Impersonation Protection on both with pretty much the same list of internal stakeholders to protect. What we appear to be seeing is that impersonation protection doesn’t work for those users on Standard Protection. Support is telling me that’s how it works and that I should move all of our users to Strict Protection if we want to take advantage of the Impersonation Protection.
My limited tests seem to back this up, but the fact that Impersonation Protection is an available option in the Standard preset policy is baffling if it’s as ineffective as it seems to be.
As a test I setup a new outlook.com account with the name of the a protected user. I then sent an email to my personal Gmail account and two internal employees. The email was delivered to the Gmail account (expected) and to the ‘Standard’ employee. The email to the ‘Strict’ employee was quarantined with a note about impersonation. For the ‘Standard’ employee it was allowed with the note “Allowed by user policy : Trusted recipient address list”. I verified the external address is not in the ‘Standard’ user’s Safe Sender list.
Are others seeing this behavior as well?
Recently we began trying to improve the overall posture of our O365 Exchange. One step of that was enabling both the Preset Security Policies. These have been enabled and I’ve set up Impersonation Protection on both with pretty much the same list of internal stakeholders to protect. What we appear to be seeing is that impersonation protection doesn’t work for those users on Standard Protection. Support is telling me that’s how it works and that I should move all of our users to Strict Protection if we want to take advantage of the Impersonation Protection. My limited tests seem to back this up, but the fact that Impersonation Protection is an available option in the Standard preset policy is baffling if it’s as ineffective as it seems to be. As a test I setup a new outlook.com account with the name of the a protected user. I then sent an email to my personal Gmail account and two internal employees. The email was delivered to the Gmail account (expected) and to the ‘Standard’ employee. The email to the ‘Strict’ employee was quarantined with a note about impersonation. For the ‘Standard’ employee it was allowed with the note “Allowed by user policy : Trusted recipient address list”. I verified the external address is not in the ‘Standard’ user’s Safe Sender list. Are others seeing this behavior as well? Read More
