Anti-Phishing for Microsoft 365: Practical Configuration Best Practices

Microsoft 365 is the most widely used business productivity platform in the UK, and that makes it one of the most actively targeted. Attackers don’t go where defences are strongest — they go where the largest concentration of targets is. For phishing specifically, Microsoft 365 environments are the primary focus of a significant proportion of credential theft campaigns, business email compromise attacks, and account takeover attempts.

The good news is that Microsoft 365 includes a substantial set of anti-phishing tools within its security stack. The less good news is that many businesses have these tools available but not properly configured — leaving significant protection on the table while assuming their Microsoft 365 environment is adequately defended simply because they’re paying for it.

This article covers the practical configuration steps that make the most difference, what the common gaps are, and how to think about Microsoft 365 anti-phishing as part of a broader protection framework.

Why Default Microsoft 365 Settings Aren’t Enough

When you set up a Microsoft 365 tenant, you get a baseline level of security configuration. For many of the most impactful protections, however, the defaults are either not enabled at all or set to a level that’s less protective than it could be.

Microsoft structures its security features across different licence tiers — with Microsoft Defender for Office 365 Plan 1 and Plan 2 providing more advanced capabilities than are available in basic Microsoft 365 Business Basic or Business Standard licences. Understanding which features you have access to and which require a licence upgrade is the first step in any configuration review.

Even within the features available to you, the default settings often represent a conservative baseline rather than a recommended configuration. Microsoft’s own documentation frequently recommends moving beyond defaults for businesses that want meaningful protection. If you’d like a grounding in the fundamentals before getting into configuration specifics, our article on anti-phishing basics covers the core concepts clearly.

Key Configuration Areas to Review

Anti-Phishing Policies in Microsoft Defender

Microsoft 365 includes dedicated anti-phishing policies within Microsoft Defender for Office 365. These policies control how the platform handles suspected phishing attempts, impersonation attacks, and spoofing.

The key settings worth reviewing and tightening within your anti-phishing policy include:

Impersonation protection — this protects against emails that impersonate specific users (such as your CEO or finance director) or specific domains (such as your own company domain or those of key partners). You can add specific users and domains to your impersonation protection list, and set the action taken when impersonation is detected, ranging from moving the message to junk, to quarantining it, to outright rejection.

For many businesses, the impersonation protection list isn’t populated at all, which means the feature is technically enabled but doing nothing useful. At minimum, add your senior leadership, finance team, and any external parties who regularly send authoritative communications to your organisation.

Mailbox intelligence — when enabled, this uses machine learning to build a model of each user’s normal communication patterns. Emails that deviate significantly from those patterns — particularly those impersonating known contacts — are flagged. This is one of the more sophisticated protections available and is worth enabling if your licence supports it.

Spoof intelligence — this identifies emails where the sender’s domain has been forged to appear as a trusted source. The spoof intelligence dashboard in the Defender portal shows you which senders have been identified as potentially spoofing, letting you make explicit allow or block decisions rather than relying entirely on automated detection.
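The settings above map directly onto the Exchange Online PowerShell cmdlets for anti-phishing policies. The following is an added example, not code from the original article or from Northern Star: it creates (or updates) a custom anti-phishing policy that populates the impersonation list, turns on mailbox intelligence and spoof intelligence, and binds the policy to a recipient domain. The policy name, protected users, partner domain and recipient domain are all placeholders; it assumes the ExchangeOnlineManagement module and a Microsoft Defender for Office 365 licence.

```powershell
# Added example (not from the original article): build a Defender for Office 365
# anti-phishing policy with populated impersonation protection, mailbox
# intelligence and spoof intelligence. All names, addresses and domains are
# placeholders; requires the ExchangeOnlineManagement module.

Connect-ExchangeOnline

$policyName      = 'AntiPhish-Standard'   # assumed policy name
$protectedDomain = 'contoso.example'      # placeholder for your own accepted domain

# Users to protect from display-name impersonation, in "Display Name;address" form.
# Placeholders: replace with senior leadership and finance contacts.
$protectedUsers = @(
    'Jane Smith;jane.smith@contoso.example',
    'Finance Director;fd@contoso.example'
)

# External partner domains whose mail users treat as authoritative (placeholder).
$partnerDomains = @('trustedpartner.example')

$params = @{
    Name                                = $policyName
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $protectedUsers
    TargetedUserProtectionAction        = 'Quarantine'
    EnableOrganizationDomainsProtection = $true        # cover every accepted domain in the tenant
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = $partnerDomains
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableMailboxIntelligence           = $true        # learn each user's normal contacts
    EnableMailboxIntelligenceProtection = $true        # act on contact impersonation rather than only flag it
    MailboxIntelligenceProtectionAction = 'MoveToJmf'  # start gently; raise to Quarantine once tuned
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine' # what happens when composite authentication fails
    EnableSimilarUsersSafetyTips        = $true
    EnableSimilarDomainsSafetyTips      = $true
    EnableUnusualCharactersSafetyTips   = $true
    EnableFirstContactSafetyTips        = $true
    PhishThresholdLevel                 = 2            # 1 = Standard, 2 = Aggressive, 4 = Most aggressive
}

if (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    $params.Remove('Name')
    Set-AntiPhishPolicy -Identity $policyName @params
} else {
    New-AntiPhishPolicy @params | Out-Null
    # A rule binds the policy to recipients; without one the policy applies to nobody.
    New-AntiPhishRule -Name "$policyName-Rule" -AntiPhishPolicy $policyName -RecipientDomainIs $protectedDomain
}

# Audit: policies with impersonation protection switched on but an empty user list,
# which is the "enabled but doing nothing useful" gap described above.
Get-AntiPhishPolicy |
    Where-Object { $_.EnableTargetedUserProtection -and -not $_.TargetedUsersToProtect } |
    Select-Object Name, Enabled, TargetedUsersToProtect
```

The audit query at the end is worth running on its own before changing anything: it shows whether the tenant's existing policies, including the default, have impersonation lists that were never populated.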

Safe Links and Safe Attachments

These two features — both part of Microsoft Defender for Office 365 — address two of the most common phishing delivery mechanisms: malicious links and malicious attachments.

Safe Links rewrites URLs in emails and documents so that when a user clicks them, the link is checked in real time against Microsoft’s threat intelligence before the user is allowed through. If the destination has been identified as malicious, the user is blocked and shown a warning. The key configuration point here is making sure Safe Links is applied to both email and Office documents, and that users cannot bypass the protection by clicking through warnings.

Safe Attachments detonates attachments in a sandboxed environment before delivering them to the user, checking for malicious behaviour before the file ever reaches the recipient’s inbox. The delay this introduces is typically small, but it can be set to Dynamic Delivery — which delivers the email body immediately and holds the attachment while it’s being scanned, reducing the perceived latency for users.

Both features need to be explicitly configured through policies — they’re not active by default for most licence configurations. Our article on anti-phishing controls goes into more depth on the technical layer of defence and how these tools sit within a broader framework.
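Because both features only take effect once a policy and a matching rule exist, the following added example (not from the original article or from Northern Star) creates a Safe Links policy covering email, Office documents and Teams with click-through disabled, and a Safe Attachments policy using Dynamic Delivery, then binds each to a recipient domain. Policy names and the domain are placeholders; it assumes the ExchangeOnlineManagement module and a Microsoft Defender for Office 365 licence.

```powershell
# Added example (not from the original article): Safe Links and Safe Attachments
# policies with the settings discussed above. Names and domain are placeholders.

Connect-ExchangeOnline

$domain = 'contoso.example'   # placeholder recipient domain

# --- Safe Links ---
$safeLinks = @{
    Name                     = 'SafeLinks-Standard'
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForOffice = $true   # also rewrite and check links inside Office documents
    EnableSafeLinksForTeams  = $true
    ScanUrls                 = $true   # real-time URL check at click time
    DeliverMessageAfterScan  = $true   # hold delivery until URL scanning completes
    EnableForInternalSenders = $true   # a compromised internal account can send phishing too
    AllowClickThrough        = $false  # users cannot proceed past the warning page
    TrackClicks              = $true   # keep click data for investigations
    DisableUrlRewrite        = $false
}
if (-not (Get-SafeLinksPolicy -Identity $safeLinks.Name -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy @safeLinks | Out-Null
    New-SafeLinksRule -Name "$($safeLinks.Name)-Rule" -SafeLinksPolicy $safeLinks.Name `
        -RecipientDomainIs $domain | Out-Null
}

# --- Safe Attachments ---
$safeAttach = @{
    Name   = 'SafeAttachments-Standard'
    Enable = $true
    Action = 'DynamicDelivery'   # deliver the body now, release the attachment after detonation
    # Alternatives: 'Block' holds the whole message; 'Replace' strips the attachment and delivers the body
}
if (-not (Get-SafeAttachmentPolicy -Identity $safeAttach.Name -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy @safeAttach | Out-Null
    New-SafeAttachmentRule -Name "$($safeAttach.Name)-Rule" -SafeAttachmentPolicy $safeAttach.Name `
        -RecipientDomainIs $domain | Out-Null
}

# Verification: a policy that is disabled, skips Office documents, or still allows
# click-through is a gap regardless of what the licence includes.
Get-SafeLinksPolicy | Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForOffice, AllowClickThrough
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
```

Dynamic Delivery only applies to mailboxes hosted in Exchange Online; for mailboxes elsewhere the attachment is handled under the Block or Replace behaviour instead, so check where each covered mailbox lives before relying on it.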

SPF, DKIM, and DMARC — The Authentication Foundation

Before any of the more sophisticated detection capabilities can function properly, your email authentication foundations need to be solid. SPF, DKIM, and DMARC are the three standards that together verify whether email claiming to come from your domain is genuinely sent from an authorised source.

SPF (Sender Policy Framework) specifies which mail servers are authorised to send email on behalf of your domain. If an email arrives claiming to be from your domain but originates from a server not listed in your SPF record, receiving mail servers know something is wrong.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails that allows receiving servers to verify the email hasn’t been tampered with in transit and genuinely came from your domain.

DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM to give you control over what happens when authentication fails — and critically, it provides reporting on authentication failures so you can see attempts to spoof your domain even when they’re being blocked.

Many Microsoft 365 tenants have SPF configured but DKIM and DMARC either missing or set to a policy of “none” — meaning authentication failures are reported but no action is taken. Moving DMARC from “none” to “quarantine” or “reject” is a meaningful protective step, but it should be done carefully and incrementally to avoid blocking legitimate email that isn’t yet covered by your authentication records.
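A quick way to see which of the three records a domain actually has, and whether DMARC is still at “none”, is to query DNS directly. The following is an added example, not code from the original article or from Northern Star: it reads the SPF, DKIM and DMARC records for a domain with Resolve-DnsName, lists the gaps described above, and shows how DKIM signing is enabled in Exchange Online. It uses the selector1/selector2 names Microsoft 365 publishes its DKIM keys under; the domain is a placeholder, and the DKIM step assumes an existing Connect-ExchangeOnline session.

```powershell
# Added example (not from the original article): audit SPF, DKIM and DMARC for a
# domain and enable DKIM signing in Exchange Online. Domain is a placeholder.

function Get-TxtRecords([string]$Name) {
    # Each TXT record arrives as a list of string chunks; join the chunks per record.
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }
    } catch { @() }
}

function Get-EmailAuthStatus([string]$Domain) {
    $spf   = @(Get-TxtRecords $Domain | Where-Object { $_ -like 'v=spf1*' })
    $dmarc = @(Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })

    # Microsoft 365 DKIM: selector1/selector2._domainkey.<domain> are CNAMEs to the tenant's keys.
    $dkim = foreach ($sel in 'selector1', 'selector2') {
        try {
            Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction Stop |
                Where-Object { $_.Type -eq 'CNAME' } |
                ForEach-Object { "$sel -> $($_.NameHost)" }
        } catch { }
    }

    # DMARC tags are ';'-separated key=value pairs; extract the p= (policy) tag.
    $dmarcPolicy = if ($dmarc) {
        ($dmarc[0] -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'p=*' }) -replace '^p=', ''
    }

    $findings = @()
    if ($spf.Count -eq 0)                 { $findings += 'SPF: no v=spf1 record' }
    elseif ($spf.Count -gt 1)             { $findings += 'SPF: multiple v=spf1 records (receivers treat this as a permanent error)' }
    elseif ($spf[0] -notmatch '[-~]all$') { $findings += 'SPF: record does not end in -all or ~all' }
    if (-not $dkim)                       { $findings += 'DKIM: no selector1/selector2 CNAMEs published' }
    if ($dmarc.Count -eq 0)               { $findings += 'DMARC: no record at _dmarc' }
    elseif ($dmarcPolicy -eq 'none')      { $findings += 'DMARC: p=none reports only; tighten to quarantine/reject once legitimate senders pass' }
    if ($dmarc -and $dmarc[0] -notmatch 'rua=') { $findings += 'DMARC: no rua= address, so no aggregate reports are received' }

    [pscustomobject]@{
        Domain      = $Domain
        SPF         = $spf -join ' | '
        DKIM        = $dkim -join '; '
        DMARCPolicy = $dmarcPolicy
        Findings    = $findings
    }
}

function Enable-TenantDkim([string]$Domain) {
    # Requires Connect-ExchangeOnline. Creating the config disabled reveals the two
    # CNAME targets to publish; enabling fails until both CNAMEs resolve, which is
    # the safe behaviour (no signing with keys the world cannot verify).
    $cfg = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
    if (-not $cfg) { $cfg = New-DkimSigningConfig -DomainName $Domain -Enabled $false }
    if (-not $cfg.Enabled) {
        try { Set-DkimSigningConfig -Identity $Domain -Enabled $true -ErrorAction Stop }
        catch { Write-Warning "DKIM not enabled for ${Domain}: $($_.Exception.Message)" }
    }
    Get-DkimSigningConfig -Identity $Domain | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME
}

# Usage with a placeholder domain:
Get-EmailAuthStatus -Domain 'contoso.example' | Format-List
# Enable-TenantDkim -Domain 'contoso.example'   # after Connect-ExchangeOnline
```

Run the status check before and after each DMARC step (for example “p=none” with a rua= address, then “p=quarantine” with a low pct=, then full quarantine, then reject) and compare the findings with the aggregate reports, so that a sending system missing from SPF or DKIM is found while the policy is still only reporting.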

This is an area where getting specialist help from a London-based Microsoft 365 support services provider makes a real difference — misconfigured email authentication can cause significant delivery problems, and the incremental approach to DMARC tightening benefits from experience.

Multi-Factor Authentication: The Non-Negotiable Layer

No anti-phishing configuration review is complete without addressing multi-factor authentication. Even if an attacker successfully harvests a user’s credentials through a phishing attack, MFA means those credentials alone aren’t enough to gain access.

Microsoft 365 supports several forms of MFA, with the Microsoft Authenticator app providing a strong combination of security and usability. Number matching — where users must confirm a number displayed on screen rather than simply approving a push notification — significantly reduces the effectiveness of MFA fatigue attacks, where attackers bombard users with approval requests hoping one will be accepted inadvertently.

Conditional Access policies, available with Azure AD Premium licences, allow you to enforce MFA based on context — requiring it for all sign-ins, or applying stricter requirements when users are signing in from unfamiliar locations or devices. This contextual enforcement is more effective than blanket MFA prompts alone.

Enforcing MFA consistently across your entire organisation — not just for administrators, but for all users — should be treated as a foundational requirement rather than an optional enhancement. Our post on how to spot a phishing email is also worth sharing with your wider team alongside any MFA rollout, as user awareness remains an important layer even with strong technical controls in place.
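Conditional Access policies can be created from PowerShell as well as the portal. The following is an added example, not code from the original article or from Northern Star: it uses the Microsoft Graph PowerShell SDK to create a policy requiring MFA for all users on all cloud apps, starts it in report-only mode so sign-in logs show who would be affected before anything is enforced, and excludes an emergency-access account so a mistake cannot lock out every administrator. It assumes an Entra ID P1 licence (the tier the article refers to as Azure AD Premium) and the Microsoft.Graph.Identity.SignIns module; the break-glass object ID is a placeholder.

```powershell
# Added example (not from the original article): tenant-wide MFA Conditional
# Access policy in report-only mode via Microsoft Graph PowerShell.
# The break-glass account ID is a placeholder.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Object ID of the emergency-access account that must never be caught by this policy.
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder

$policy = @{
    displayName = 'CA001 - Require MFA for all users (report-only)'
    # Report-only records the outcome in sign-in logs without enforcing it;
    # change to 'enabled' once the report-only results have been reviewed.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @('All')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Audit: list every policy with its state, whether it requires MFA, and who it
# includes, so that an "administrators only" policy is not mistaken for
# tenant-wide coverage.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = 'RequiresMfa';  e = { 'mfa' -in $_.GrantControls.BuiltInControls } },
        @{ n = 'IncludeUsers'; e = { $_.Conditions.Users.IncludeUsers -join ',' } }
```

The audit at the end is the check that matters for the “all users, not just administrators” point: a tenant often has an MFA policy, but scoped to a group or a role rather than to All. Number matching for Authenticator push notifications is configured separately under authentication methods, not in the Conditional Access policy itself.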

Attack Simulation Training in Microsoft 365

Microsoft 365 includes an Attack Simulation Training capability within Microsoft Defender for Office 365 Plan 2. This allows you to run controlled phishing simulations against your own users, measure click rates and credential submission, and automatically assign targeted training to users who fall for the simulated attack.

Simulation programmes are one of the most effective ways to change user behaviour over time — not because a single simulation teaches people to be more careful, but because repeated exposure to realistic scenarios, combined with immediate feedback and training, builds genuine awareness rather than theoretical knowledge.

The configuration decisions that matter most in running a good simulation programme are:

  • Variety of techniques — using different phishing techniques across simulations (credential harvesting, malware links, voice phishing) rather than the same template repeatedly
  • Realistic but fair difficulty — simulations that are too obvious don’t measure real-world susceptibility; simulations that are deliberately deceptive in ways real attackers wouldn’t use skew the results
  • Proportionate follow-up training — targeted training for users who click, rather than blanket training for everyone, keeps the programme proportionate and the training relevant

Our article on how to run phishing simulations covers the design and execution of effective simulation programmes in detail and is a useful companion to this configuration guide.

Business Email Compromise: A Configuration Priority

Business email compromise — where attackers use compromised or spoofed accounts to conduct fraud, typically targeting finance teams with payment diversion requests — is one of the most financially damaging forms of phishing for UK businesses. Losses can run to tens or hundreds of thousands of pounds in a single incident.

Several of the configuration steps above directly reduce BEC risk — impersonation protection, DMARC enforcement, and MFA all address the techniques most commonly used in BEC attacks. But there are additional configuration steps worth taking specifically in this context:

  • Ensuring that external email is visually flagged in the Outlook client, so users are reminded when an email has come from outside the organisation even when the display name looks familiar
  • Reviewing and restricting mail forwarding rules, which attackers frequently configure after compromising an account to silently copy correspondence
  • Enabling alerts for unusual sign-in activity and account changes within the Microsoft 365 security centre
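The three items above are all configurable from Exchange Online PowerShell. The following is an added example, not code from the original article or from Northern Star: it turns on external-sender tagging in Outlook, produces a report of every mailbox-level forward and every inbox rule that forwards or redirects mail, and disables automatic forwarding to external recipients at the tenant level. It assumes the ExchangeOnlineManagement module; the function and object names are the example’s own.

```powershell
# Added example (not from the original article): BEC-focused controls in
# Exchange Online. Requires the ExchangeOnlineManagement module.

Connect-ExchangeOnline

# 1. Tag external mail in Outlook so a familiar display name does not pass unnoticed.
#    AllowList holds external domains you deliberately do not want tagged (empty here).
Set-ExternalInOutlook -Enabled $true -AllowList @()

# 2. Audit forwarding at both the mailbox level and the inbox-rule level.
function Get-ForwardingReport {
    $report    = [System.Collections.Generic.List[object]]::new()
    $mailboxes = Get-Mailbox -ResultSize Unlimited

    # Mailbox-level forwarding (set by an admin, or by the user in Outlook settings)
    $mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } | ForEach-Object {
        $report.Add([pscustomobject]@{
            Mailbox    = $_.PrimarySmtpAddress
            Source     = 'MailboxSetting'
            Target     = "$($_.ForwardingSmtpAddress)$($_.ForwardingAddress)"
            KeepsCopy  = $_.DeliverToMailboxAndForward
        })
    }

    # Inbox rules that forward, forward as attachment, or redirect
    foreach ($mbx in $mailboxes) {
        Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            ForEach-Object {
                $report.Add([pscustomobject]@{
                    Mailbox    = $mbx.PrimarySmtpAddress
                    Source     = "InboxRule:$($_.Name)"
                    Target     = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ';'
                    KeepsCopy  = [bool]($_.ForwardTo -or $_.ForwardAsAttachmentTo)   # redirect leaves no copy
                })
            }
    }
    return $report
}

Get-ForwardingReport | Format-Table -AutoSize

# 3. Block automatic forwarding to external recipients tenant-wide.
#    'Off' blocks it, 'On' allows it, 'Automatic' leaves the decision to Microsoft.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# Belt and braces: also disable auto-forward on the default remote domain.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Review the forwarding report with the mailbox owners before removing anything, since some forwards are legitimate (shared mailboxes, leavers whose mail is routed to a manager). The alerting item on the list is handled by the alert policies in the Microsoft Defender portal, where the built-in “suspicious email forwarding activity” policy should be confirmed as enabled and routed to someone who reads it.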

Our article on business email compromise explained covers the tactics attackers use and how they connect to the technical controls described here.

Configuration Across International Teams

For businesses with offices in multiple countries, applying anti-phishing configuration consistently across your entire Microsoft 365 tenant is important — and not always as straightforward as it sounds.

Users in different offices may be covered by different policies if your tenant configuration isn’t properly structured. Regional IT teams may have made local changes that override or conflict with central policy. And users in some locations may be subject to specific compliance requirements that affect how certain controls can be applied.

If you have European offices, working with a provider of European support services with experience managing Microsoft 365 security configuration across multi-region tenants will help you ensure that your protection is genuinely consistent rather than patchy.

For businesses managing Microsoft 365 across a wider international footprint, global IT support services that include ongoing security configuration management — not just initial setup — are worth prioritising. Configuration drift over time, as user needs change and new features are released, means a one-time setup review isn’t sufficient. Your anti-phishing configuration needs to be actively maintained.

Connecting Anti-Phishing to Your Wider Security Posture

Microsoft 365 anti-phishing configuration is one layer of a broader security framework, and it works best when the surrounding layers are also functioning well.

Dark web monitoring addresses the credential side of the equation. If a user’s Microsoft 365 password has been exposed in a third-party breach and is circulating on the dark web, your anti-phishing controls protect against one attack vector — but a dark web monitoring service alerts you to the credential exposure so you can force a reset before the credential is used.

Endpoint security matters because phishing attacks increasingly target devices directly — malware delivered through a phishing email can harvest credentials even when the email itself doesn’t contain a link. Our article on endpoint security for remote teams covers how endpoint protection connects to email security in environments where users are working from multiple locations and devices.

Backup matters because even with good anti-phishing controls, some attacks get through. Having reliable Microsoft 365 backup means that if an account is compromised and data is modified or deleted, you have a recovery path. Our Microsoft 365 backup article is worth reading alongside this one for that reason.

For businesses considering formal anti-phishing support beyond configuration — including testing, training programme design, and ongoing management — working with a London anti-phishing company that can handle both the technical and human-side elements gives you a more complete picture of your exposure and a structured approach to reducing it.

And if your business is in the process of moving between platforms or consolidating your Microsoft 365 environment across merged entities, make sure your platform migration services provider addresses anti-phishing configuration as part of the migration scope — not as an afterthought once the technical cutover is complete.

For businesses looking at London-based global IT support providers to manage their Microsoft 365 environment across UK and international operations, the right question to ask is whether ongoing security configuration management — including anti-phishing policy reviews — is included in scope or treated as a separate engagement every time a review is needed.

Creating a Written Anti-Phishing Policy

Technical configuration is only part of the picture. A written anti-phishing policy — setting out what your controls are, what users are expected to do when they suspect a phishing attempt, and how incidents are reported and handled — is the governance layer that holds everything together.

Our article on how to create an anti-phishing policy walks through what a well-structured policy should include and how to make it practical rather than something that sits in a compliance folder and gets ignored.

Frequently Asked Questions

Does Microsoft 365 include anti-phishing tools in all licence tiers?

Some anti-phishing capability is included across most Microsoft 365 business licences, but the most advanced features — including Safe Links, Safe Attachments, impersonation protection, and Attack Simulation Training — require Microsoft Defender for Office 365, which is included in Business Premium and higher tiers, or can be added to lower tiers as an add-on. Understanding which features your current licence includes is the first step in any configuration review.

What’s the most important anti-phishing configuration step for Microsoft 365?

Enforcing multi-factor authentication across all accounts is arguably the single highest-impact step, because it limits the damage even when a phishing attack successfully harvests credentials. Among the Defender-specific configurations, enabling and properly populating impersonation protection and configuring DMARC to enforce rather than just report are the two steps that make the most practical difference.

How often should anti-phishing configuration be reviewed?

At minimum, annually — but ideally every six months, or whenever there’s a significant change to your environment such as a new domain, an acquisition, or a change in your licence tier that unlocks new features. Microsoft regularly updates its security tools, and configuration that was current 18 months ago may no longer represent best practice.

Can phishing attacks succeed even with good Microsoft 365 configuration?

Yes. No technical control provides complete protection. Sophisticated attacks — particularly those involving real-time phishing proxies that bypass MFA, or highly targeted spear phishing that isn’t caught by automated detection — can still reach users. This is why the human awareness layer, delivered through training and simulations, remains important alongside technical controls.

What should a user do if they suspect they’ve clicked a phishing link?

Report it immediately to your IT team or helpdesk, disconnect from the network if the risk appears significant, and don’t attempt to undo actions yourself in a way that might complicate the investigation. Your incident response process should define exactly what users do in this situation — and that process should be communicated clearly, not buried in a policy document nobody has read.

Is DMARC difficult to configure correctly?

The initial setup of DMARC is straightforward, but moving from a policy of “none” to “quarantine” or “reject” needs to be done incrementally and carefully. Legitimate email that isn’t properly authenticated will be quarantined or rejected once you tighten the policy, so you need to identify and fix any authentication gaps before enforcing. Working with a specialist provider makes this process significantly smoother and reduces the risk of inadvertently blocking legitimate mail.

Ready to Strengthen Your Microsoft 365 Anti-Phishing Configuration?

If you haven’t reviewed your Microsoft 365 anti-phishing configuration recently — or if you’re not sure which protections are currently active and whether they’re set up correctly — it’s worth getting a proper assessment done before an attack makes the gaps visible.

Northern Star works with businesses across the UK and internationally to configure, maintain, and continuously improve Microsoft 365 security environments as part of a fully managed IT service.

Get in touch with our team today and let’s have a practical conversation about where your current Microsoft 365 security configuration stands and what would make it stronger.