-2. Select **Recipients** \> **Shared**.

-> [!TIP]

-> If you're new to cybersecurity, or if a term is unclear, see the [glossary of terms](m365bp-glossary.yml).

-> [!TIP]

-> To learn more security concepts, see our [Glossary of terms](m365bp-glossary.yml).

-If you don't have an existing Office 365 Enterprise E5 plan and want to try communication compliance, you can [add Microsoft 365](/office365/admin/try-or-buy-microsoft-365) to your existing subscription or [sign up for a trial](https://www.microsoft.com/microsoft-365/enterprise) of Office 365 Enterprise E5.

-eDiscovery of messages and files in [private channels](/microsoftteams/private-channels.md) works differently than in standard channels. To learn more, see [eDiscovery of private channels](#ediscovery-of-private-and-shared-channels).

-Before you perform these steps, make sure you have the [latest version of the Teams PowerShell module](/microsoftteams/teams-powershell-overview.md) installed.

-Microsoft Endpoint DLP allows you to monitor [onboarded Windows 10, and Windows 11](device-onboarding-overview.md) and [onboarded macOS devices](device-onboarding-macos-overview.md) running three latest released versions. Once a device is onboarded, DLP will detect when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they're used and protected properly, and to help prevent risky behavior that might compromise them.

-You can onboard virtual machines as monitored devices in Microsoft Purview compliance portal. There is no change to the onboarding procedures listed above.

-|Virtualization </br> platform|Windows 10|Windows 11|

-||||

-|Azure virtual desktop (AVD)|<ul><li>Single session supported for 20H2, 21H1, 21H2</li><li>Multi session supported for 20H2, 21H1, 21H2</li></ul>|<ul><li>Single session supported for 22H2</li><li>Multi session supported for 22H2</li></ul>|

-|Citrix Virtual Apps and Desktops 7 (2209)|<ul><li>Single session supported for 20H2, 21H1, 21H2</li><li>Multi session supported for 20H2, 21H1, 21H2|<ul><li>Single session supported for 21H2 (Gen2)</li><li>Multi session supported for 21H2 (Gen 2)</li></ul>|

-|Hyper-V|<ul><li>Single session supported for 20H2, 21H1, 21H2</li><li>Multi session with Hybrid AD join supported for 20H2, 21H1, 21H2</li></ul>|<ul><li>Single session supported for 22H2</li><li>Multi session with Hybrid AD join supported for 22H2</li></ul>|

-<!--|Amazon workspaces|<ul><li>Single session supported for 20H2, 21H1, 21H2|N/A|-->

-1. You cannot monitor Copy to Clipboard and Enforcing Endpoint DLP on Azure Virtual Desktop environments via browsers. However the same egress operation will be monitored by Endpoint DLP for actions via Remote Desktop Session (RDP) today.

-1. Handling of USBs in virtualized environments: USB storage devices are treated as network shares. You need to include the **Copy to network share** activity to monitor **Copy to a USB device**. All activity explorer events for virtual devices and incident alerts will show the **Copy to a network share** activity for all copy to USB events.

-If you don't have an existing Microsoft 365 Enterprise E5 plan and want to try insider risk management, you can [add Microsoft 365](/office365/admin/try-or-buy-microsoft-365) to your existing subscription or [sign up for a trial](https://www.microsoft.com/microsoft-365/enterprise) of Microsoft 365 Enterprise E5.

-If you don't have an existing Microsoft 365 Enterprise E5 plan and want to try insider risk management, you can [add Microsoft 365](/office365/admin/try-or-buy-microsoft-365) to your existing subscription or [sign up for a trial](https://www.microsoft.com/microsoft-365/enterprise) of Microsoft 365 Enterprise E5.

-Alert information contains information from the Security and Compliance Alerts schema and the [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-schema.md#security-and-compliance-alerts-schema) common schema.

-52.120.0.0/14

-keywords: advanced features, settings, block file, automated investigation, auto resolve, skype, microsoft defender for identity, office 365, azure information protection, intune

-ms.sitesec: library

-ms.pagetype: security

-## Automated investigation

-Turn on this feature to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigation](automated-investigations.md).

-## Microsoft Defender for Identity integration

-The integration with Microsoft Defender for Identity allows you to pivot directly into another Microsoft Identity security product. Microsoft Defender for Identity augments an investigation with more insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view.

-> [!NOTE]

-> You'll need to have the appropriate license to enable this feature.

-keywords: antivirus, troubleshoot, troubleshooting mode, tamper protection, compatibility

-ms.sitesec: library

-ms.pagetype: security

- Devices must be running one of the following versions of Windows

-keywords: Microsoft Defender performance analyzer, defender performance analyzer, Get-MpPerformanceRepor, New-MpPerformanceRecording, windows defender, microsoft defender, microsoft windows 10, microsoft defender antivirus, micro soft windows 11, windows antivirus, microsoft antivirus, windows defender antivirus, Windows 10 antivirus, microsoft windows defender, performance windows, ms defender, microsoft scan, windows performance

-ms.sitesec: library

-ms.pagetype: security

-## Requirements

-Microsoft Defender Antivirus performance analyzer has the following prerequisites:

-**Supported OS versions**:

-Windows Version 10 and later.

-> [!NOTE]

-> This feature is available starting with platform version 4.18.2108.X and later.

- - m365-security

- - m365solution-m365dsecops

- - tier2

- - m365-security

- - m365solution-m365dsecops

-

- - m365-security

- - m365solution-m365dsecops

- - tier2

- - m365-security

- - m365solution-m365dsecops

- - tier2

- - m365-security

- - m365solution-m365dsecops

- - tier2

- - m365-security

- - m365solution-m365dsecops

- - tier2

- - m365-security

- - m365solution-m365dsecops

- - m365solution-overview

- - tier2

-| Turn automated investigation on or off | *We recommend keeping automated investigation turned on. If you want to turn it off for some devices, we recommend [reviewing or changing the automation level for device groups](#review-or-change-the-automation-level-for-device-groups) instead of turning off automated investigation for your organization.* <ol><li>In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Settings** > **Endpoints** > **Advanced features**. </li><li>Turn the **Automated Investigation** toggle to **On** (or **Off**). <br/>Keep in mind that if you turn off automated investigation here, it will affect automated investigation and response actions for all devices. It will also affect [manual response actions for emails](../office-365-security/air-remediation-actions.md) (such as deleting email messages manually after they have arrived on devices). Rather than turning automated investigation off, try [changing the automation level for device groups](#review-or-change-the-automation-level-for-device-groups).</li><li>Go to **Auto remediation** and review your automated remediation levels for your devices. See [Automation levels in automated investigation and remediation capabilities](../defender-endpoint/automation-levels.md). |

-By default, Windows uses [User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview.md) to provide automatic, granular control of privilegesΓÇöit temporarily restricts privileges and prompts the active user every time an application attempts to make potentially consequential changes to the system. Although UAC helps limit the privileges of admin users, users can override this restriction when prompted. As a result, it's quite easy for an admin user to inadvertently allow malware to run.

-In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).

-Admins can view, edit, and configure (but not delete) the default anti-malware policy to meet the needs of their organizations. For greater granularity, you can also create custom anti-malware policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.

-> The default anti-malware policy applies to both outbound and inbound email. Custom anti-malware policies apply only to inbound email.

-Creating a custom anti-malware policy in the Microsoft 365 Defender portal creates the malware filter rule and the associated malware filter policy at the same time using the same name for both.

-2. On the **Anti-malware** page, click  **Create**.

-3. The policy wizard opens. On the **Name your policy** page, configure these settings:

- When you're finished, click **Next**.

- - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).

- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove  next to the value.

- For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.

- When you're finished, click **Next**.

- - **Enable the common attachments filter**: If you select this option, messages with the specified attachments are treated as malware and are automatically quarantined. You can modify the list by clicking **Customize file types** and selecting or deselecting values in the list.

- For the default and available values, see [Anti-malware policies](anti-malware-protection-about.md#anti-malware-policies).

- **When these types are found**: Select one of the following values:

- - **Reject the message with a non-delivery report (NDR)** (this is the default value)

- - **Quarantine the message**

- - **Enable zero-hour auto purge for malware**: If you select this option, ZAP quarantines malware messages that have already been delivered. For more information, see [Zero-hour auto purge (ZAP) in Exchange Online](zero-hour-auto-purge.md).

- - **Quarantine policy**: Select the quarantine policy that applies to messages that are quarantined as malware. By default, the quarantine policy named AdminOnlyAccessPolicy is used for malware detections. For more information about this quarantine policy, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).

- > [!NOTE]

- > Quarantine notifications are disabled in the policy named AdminOnlyAccessPolicy. To notify recipients that have messages quarantined as malware, create or use an existing quarantine policy where quarantine notifications are turned on. For instructions, see [Create quarantine policies in the Microsoft 365 Defender portal](quarantine-policies.md#step-1-create-quarantine-policies-in-the-microsoft-365-defender-portal).

- >

- > Users can't release their own messages that were quarantined as malware by anti-malware policies, regardless of how the quarantine policy is configured. If the policy allows users to release their own quarantined messages, users are instead allowed to _request_ the release of their quarantined malware messages.

- - **Admin notifications**: Select none, one, or both of the following options:

- - **Notify an admin about undelivered messages from internal senders**: If you select this option, enter a recipient email address in the **Admin email address** box that appears.

- > [!NOTE]

- > Admin notifications are sent only for _attachments_ that are classified as malware.

- - **Customize notifications**: Use the settings in this section to customize the message properties that are used for admin notifications.

- - **Use customized notification text**: If you select this option, use the **From name** and **From address** boxes to specify the sender's name and email address for admin notification messages.

- - **Customize notifications for messages from internal senders**: If you previously selected **Notify an admin about undelivered messages from internal senders**, use the **Subject** and **Message** boxes to specify the subject and message body of admin notification messages.

- - **Customize notifications for messages from external senders**: If you previously selected **Notify an admin about undelivered messages from external senders**, you need to use the **Subject** and **Message** boxes to specify the subject and message body of admin notification messages.

- When you're finished, click **Next**.

- When you're finished, click **Submit**.

-7. On the confirmation page that appears, click **Done**.

-## Use the Microsoft 365 Defender portal to view anti-malware policies

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section. To go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.

-2. On the **Anti-malware** page, the following properties are displayed in the list of anti-malware policies:

- - **Name**

- - **Status**

- - **Priority**

-3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.

-## Use the Microsoft 365 Defender portal to modify anti-malware policies

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section. To go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.

-2. On the **Anti-malware** page, select a policy from the list by clicking on the name.

-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the previous [Use the Microsoft 365 Defender portal to create anti-malware policies](#use-the-microsoft-365-defender-portal-to-create-anti-malware-policies) section in this article.

- For the default anti-malware policy, the **Users, groups, and domains** section isn't available (the policy applies to everyone), and you can't rename the policy.

-To enable or disable a policy or set the policy priority order, see the following sections.

-### Enable or disable custom anti-malware policies

-You can't disable the default anti-malware policy.

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section. To go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.

-2. On the **Anti-malware** page, select a custom policy from the list by clicking on the name.

-3. At the top of the policy details flyout that appears, you'll see one of the following values:

- - **Policy off**: To turn on the policy, click  **Turn on** .

- - **Policy on**: To turn off the policy, click  **Turn off**.

-4. In the confirmation dialog that appears, click **Turn on** or **Turn off**.

-5. Click **Close** in the policy details flyout.

-Back on the main policy page, the **Status** value of the policy will be **On** or **Off**.

-### Set the priority of custom anti-malware policies

-By default, anti-malware policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.

-To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.

- **Notes**:

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section. To go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.

-2. On the **Anti-malware** page, select a custom policy from the list by clicking on the name.

-3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:

- - The policy with the **Priority** value **0** has only the **Decrease priority** option available.

- - The policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.

- - If you have three or more policies, the policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.

- Click  **Increase priority** or  **Decrease priority** to change the **Priority** value.

-4. When you're finished, click **Close** in the policy details flyout.

-## Use the Microsoft 365 Defender portal to remove custom anti-malware policies

-When you use the Microsoft 365 Defender portal to remove a custom anti-malware policy, the malware filter rule and the corresponding malware filter policy are both deleted. You can't remove the default anti-malware policy.

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-Malware** in the **Policies** section. To go directly to the **Anti-malware** page, use <https://security.microsoft.com/antimalwarev2>.

-2. On the **Anti-malware page**, select a custom policy from the list by clicking on the name.

-3. At the top of the policy details flyout that appears, click  **More actions** \>  **Delete policy**.

-4. In the confirmation dialog that appears, click **Yes**.

- Be sure that these are the only text characters in the file. The file size should be 68 bytes.

-In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, there's a default anti-phishing policy that contains a limited number of anti-spoofing features that are enabled by default. For more information, see [Spoof settings in anti-phishing policies](anti-phishing-policies-about.md#spoof-settings).

-Admins can view, edit, and configure (but not delete) the default anti-phishing policy. For greater granularity, you can also create custom anti-phishing policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.

-Organizations with Exchange Online mailboxes can configure anti-phishing policies in the Microsoft 365 Defender portal or in Exchange Online PowerShell. Standalone EOP organizations can only use the Microsoft 365 Defender portal.

-For information about creating and modifying the more advanced anti-phishing policies that are available in Microsoft Defender for Office 365, see [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md).

-The basic elements of an anti-phishing policy are:

-The difference between these two elements isn't obvious when you manage anti-phishing policies in the Microsoft 365 Defender portal:

-In Exchange Online PowerShell, you manage the policy and the rule separately. For more information, see the [Use Exchange Online PowerShell to configure anti-phishing policies](#use-exchange-online-powershell-to-configure-anti-phishing-policies) section later in this article.

-Every organization has a built-in anti-phishing policy named Office365 AntiPhish Default that has these properties:

-To increase the effectiveness of anti-phishing protection, you can create custom anti-phishing policies with stricter settings that are applied to specific users or groups of users.

- You can't manage anti-phishing policies in standalone EOP PowerShell.

-Creating a custom anti-phishing policy in the Microsoft 365 Defender portal creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.

-2. On the **Anti-phishing** page, click  **Create**.

-3. The policy wizard opens. On the **Policy name** page, configure these settings:

- When you're finished, click **Next**.

-4. On the **Users, groups, and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):

- - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).

- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove  next to the value.

- For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.

- When you're finished, click **Next**.

-5. On the **Phishing threshold & protection** page that appears, use the **Enable spoof intelligence** check box to turn spoof intelligence on or off. The default value is on (selected), and we recommend that you leave it on. You configure the action to take on blocked spoofed messages on the next page.

- > You don't need to turn off anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).

- When you're finished, click **Next**.

-6. On the **Actions** page that appears, configure the following settings:

- - **If message is detected as spoof**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Select one of the following actions in the drop down list for messages from blocked spoofed senders:

- - **Move message to the recipients' Junk Email folders**

- - **Quarantine the message**: If you select this action, an **Apply quarantine policy** box appears where you select the quarantine policy that applies to messages that are quarantined by spoof intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).

- If you don't select a quarantine policy, the default quarantine policy for spoof intelligence detections is used (DefaultFullAccessPolicy). When you later view or edit the anti-phishing policy settings, the quarantine policy name is shown. For more information about default quarantine policies that are used for spoof intelligence detections, see [EOP anti-phishing policy settings](recommended-settings-for-eop-and-office365.md#eop-anti-phishing-policy-settings).

- - **Safety tips & indicators**:

- - **Show (?) for unauthenticated senders for spoof**^\*: Adds a question mark (?) to the sender's photo in the From box in Outlook if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-authentication-about.md#composite-authentication).

- - **Show "via" tag**^\*: Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address.

- ^\* This setting is available only if you selected **Enable spoof intelligence** on the previous page. For more information, see [Unauthenticated sender indicators](anti-phishing-policies-about.md#unauthenticated-sender-indicators).

- When you're finished, click **Next**.

-7. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.

- When you're finished, click **Submit**.

-8. On the confirmation page that appears, click **Done**.

-## Use the Microsoft 365 Defender portal to view anti-phishing policies

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.

-2. On the **Anti-phishing** page, the following properties are displayed in the list of policies:

- - **Name**

- - **Status**

- - **Priority**

- - **Last modified**

-3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.

-## Use the Microsoft 365 Defender portal to modify anti-phishing policies

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.

-2. On the **Anti-phishing** page, select a policy from the list by clicking on the name.

-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the Microsoft 365 Defender portal to create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.

- For the default anti-phishing policy, the **Users, groups, and domains** section isn't available (the policy applies to everyone), and you can't rename the policy.

-To enable or disable a policy or set the policy priority order, see the following sections.

-You can't disable the default anti-phishing policy.

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.

-2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.

-3. At the top of the policy details flyout that appears, you'll see one of the following values:

- - **Policy off**: To turn on the policy, click  **Turn on** .

- - **Policy on**: To turn off the policy, click  **Turn off**.

-4. In the confirmation dialog that appears, click **Turn on** or **Turn off**.

-5. Click **Close** in the policy details flyout.

-Back on the main policy page, the **Status** value of the policy will be **On** or **Off**.

-By default, anti-phishing policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.

-To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.

- **Notes**:

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.

-2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.

-3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:

- - The policy with the **Priority** value **0** has only the **Decrease priority** option available.

- - The policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.

- - If you have three or more policies, the policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.

- Click  **Increase priority** or  **Decrease priority** to change the **Priority** value.

-4. When you're finished, click **Close** in the policy details flyout.

-## Use the Microsoft 365 Defender portal to remove custom anti-phishing policies

-When you use the Microsoft 365 Defender portal to remove a custom anti-phishing policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You can't remove the default anti-phishing policy.

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.

-2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.

-3. At the top of the policy details flyout that appears, click  **More actions** \>  **Delete policy**.

-4. In the confirmation dialog that appears, click **Yes**.

-## Use Exchange Online PowerShell to configure anti-phishing policies

-As previously described, an anti-phishing policy consists of an anti-phish policy and an anti-phish rule.

-> [!NOTE]

-> The following PowerShell procedures aren't available in standalone EOP organizations using Exchange Online Protection PowerShell.

-Anti-phishing policies in [Microsoft Defender for Office 365](defender-for-office-365.md) can help protect your organization from malicious impersonation-based phishing attacks and other types of phishing attacks. For more information about the differences between anti-phishing policies in Exchange Online Protection (EOP) and anti-phishing policies in Microsoft Defender for Office 365, see [Anti-phishing protection](anti-phishing-protection-about.md).

-Admins can view, edit, and configure (but not delete) the default anti-phishing policy. For greater granularity, you can also create custom anti-phishing policies that apply to specific users, groups, or domains in your organization. Custom policies always take precedence over the default policy, but you can change the priority (running order) of your custom policies.

-You can configure anti-phishing policies in Defender for Office 365 in the Microsoft 365 Defender portal or in Exchange Online PowerShell.

-For information about configuring the more limited in anti-phishing policies that are available in Exchange Online Protection (that is, organizations without Defender for Office 365), see [Configure anti-phishing policies in EOP](anti-phishing-policies-eop-configure.md).

-The basic elements of an anti-phishing policy are:

-The difference between these two elements isn't obvious when you manage anti-phishing policies in the Microsoft 365 Defender portal:

-In Exchange Online PowerShell, you manage the policy and the rule separately. For more information, see the [Use Exchange Online PowerShell to configure anti-phishing policies](#use-exchange-online-powershell-to-configure-anti-phishing-policies) section later in this article.

-Every Defender for Office 365 organization has a built-in anti-phishing policy named Office 365 AntiPhish Default that has these properties:

-To increase the effectiveness of anti-phishing protection in Defender for Office 365, you can create custom anti-phishing policies with stricter settings that are applied to specific users or groups of users.

-Creating a custom anti-phishing policy in the Microsoft 365 Defender portal creates the anti-phish rule and the associated anti-phish policy at the same time using the same name for both.

-2. On the **Anti-phishing** page, click  **Create**.

-3. The policy wizard opens. On the **Policy name** page, configure these settings:

- When you're finished, click **Next**.

-4. On the **Users, groups, and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):

- - Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups are not supported).

- Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove  next to the value.

- For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.

- When you're finished, click **Next**.

-5. On the **Phishing threshold & protection** page that appears, configure the following settings:

- For more information, see [Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-about.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365).

- - **Impersonation**: These settings are a condition for the policy that identifies specific senders to look for (individually or by domain) in the From address of inbound messages. For more information, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).

- - **Enable users to protect**: The default value is off (not selected). To turn it on, select the check box, and then click the **Manage (nn) sender(s)** link that appears.

- In the **Manage senders for impersonation protection** flyout that appears, do the following steps:

- - **Internal senders**: Click  **Select internal**. In the **Add internal senders** flyout that appears, click in the box and select an internal user from the list. You can filter the list by typing the user, and then selecting the user from the results. You can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results.

- Repeat this step as many times as necessary. To remove an existing value, click remove  next to the value.

- When you're finished, click **Add**

- - **External senders**: Click  **Select external**. In the **Add external senders** flyout that appears, enter a display name in the **Add a name** box and an email address in the **Add a vaild email** box, and then click **Add**.

- Repeat this step as many times as necessary. To remove an existing value, click remove  next to the value.

- When you're finished, click **Add**

- Back on the **Manage senders for impersonation** flyout, you can remove entries by selecting one or more entries from the list. You can search for entries using the  **Search** box.

- After you select at least one entry, the  **Remove selected users** icon appears, which you can use to remove the selected entries.

- When you're finished, click **Done**.

- - **Enable domains to protect**: The default value is off (not selected). To turn it on, select the check box, and then configure one or both of the following settings that appear:

- - **Include the domains I own**: To turn this setting on, select the check box. To view the domains that you own, click **View my domains**.

- - **Include custom domains**: To turn this setting on, select the check box, and then click the **Manage (nn) custom domain(s)** link that appears. In the **Manage custom domains for impersonation protection** flyout that appears, click  **Add domains**.

- In the **Add custom domains** flyout that appears, click in the **Domain** box, enter a value, and then press Enter or select the value that's displayed below the box. Repeat this step as many times as necessary. To remove an existing value, click remove  next to the value.

- When you're finished, click **Add domains**

- > [!NOTE]

- > You can specify a maximum of 50 custom domains for domain impersonation protection in each anti-phishing policy.

- Back on the **Manage custom domains for impersonation** flyout, you can remove entries by selecting one or more entries from the list. You can search for entries using the  **Search** box.

- After you select at least one entry, the  **Delete** icon appears, which you can use to remove the selected entries.

- - **Add trusted senders and domains**: Specify impersonation protection exceptions for the policy by clicking on **Manage (nn) trusted sender(s) and domain(s)**. In the **Manage custom domains for impersonation protection** flyout that appears, configure the following settings:

- - **Senders**: Verify the **Sender** tab is selected and click . In the **Add trusted senders** flyout that appears, enter an email address in the box and then click **Add**. Repeat this step as many times as necessary. To remove an existing entry, click  for the entry.

- When you're finished, click **Add**.

- - **Domains**: Select the **Domain** tab and click .

- In the **Add trusted domains** flyout that appears, click in the **Domain** box, enter a value, and then press Enter or select the value that's displayed below the box. Repeat this step as many times as necessary. To remove an existing value, click remove  next to the value.

- When you're finished, click **Add**.

- > [!NOTE]

- > Trusted domain entries don't include subdomains of the specified domain. You need to add an entry for each subdomain.

- >

- > If Microsoft 365 system messages from the following senders are identified as impersonation attempts, you can add the senders to the trusted senders list:

- >

- > - `noreply@email.teams.microsoft.com`

- > - `noreply@emeaemail.teams.microsoft.com`

- > - `no-reply@sharepointonline.com`

- Back on the **Manage custom domains for impersonation** flyout, you can remove entries from the **Sender** and **Domain** tabs by selecting one or more entries from the list. You can search for entries using the  **Search** box.

- After you select at least one entry, the **Delete** icon appears, which you can use to remove the selected entries.

- When you're finished, click **Done**.

- > [!NOTE]

- > The maximum number of sender and domain entries is 1024.

- - **Enable mailbox intelligence**: The default value is on (selected), and we recommend that you leave it on. To turn it off, clear the check box.

- - **Enable intelligence based impersonation protection**: This setting is available only if **Enable mailbox intelligence** is on (selected). This setting allows mailbox intelligence to take action on messages that are identified as impersonation attempts. You specify the action to take in the **If mailbox intelligence detects an impersonated user** setting on the next page.

- We recommend that you turn this setting on by selecting the check box. To turn this setting off, clear the check box.

- > Mailbox intelligence protection does not work if the sender and recipient have previously communicated via email. If the sender and recipient have never communicated via email, the message will be identified as an impersonation attempt by mailbox intelligence.

- - **Spoof**: In this section, use the **Enable spoof intelligence** check box to turn spoof intelligence on or off. The default value is on (selected), and we recommend that you leave it on. You specify the action to take on messages from blocked spoofed senders in the **If message is detected as spoof** setting on the next page.

- > You don't need to turn off anti-spoofing protection if your MX record doesn't point to Microsoft 365; you enable Enhanced Filtering for Connectors instead. For instructions, see [Enhanced Filtering for Connectors in Exchange Online](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors).

- When you're finished, click **Next**.

-6. On the **Actions** page that appears, configure the following settings:

- - **Message actions**: Configure the following actions in this section:

- - **If message is detected as an impersonated user**: This setting is available only if you selected **Enable users to protect** on the previous page. Select one of the following actions in the drop down list for messages where the sender is one of the protected users that you specified on the previous page:

- - **Don't apply any action**

- - **Redirect message to other email addresses**

- - **Move message to the recipients' Junk Email folders**

- - **If the message is detected as an impersonated domain**: This setting is available only if you selected **Enable domains to protect** on the previous page. Select one of the following actions in the drop down list for messages where the sender's email address is in one of the protected domains that you specified on the previous page:

- - **Don't apply any action**

- - **Redirect message to other email addresses**

- - **Move message to the recipients' Junk Email folders**

- - **If mailbox intelligence detects an impersonated user**: This setting is available only if you selected **Enable intelligence for impersonation protection** on the previous page. Select one of the following actions in the drop down list for messages that were identified as impersonation attempts by mailbox intelligence:

- - **Don't apply any action**

- - **Redirect message to other email addresses**

- - **Move message to the recipients' Junk Email folders**

- - **Quarantine the message**: If you select this action, an **Apply quarantine policy** box appears where you select the quarantine policy that applies to messages that are quarantined by mailbox intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information about quarantine policies, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).

- - **If message is detected as spoof**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Select one of the following actions in the drop down list for messages from blocked spoofed senders:

- - **Move message to the recipients' Junk Email folders**

- - **Quarantine the message**: If you select this action, an **Apply quarantine policy** box appears where you select the quarantine policy that applies to messages that are quarantined by spoof intelligence protection. Quarantine policies define what users are able to do to quarantined messages, and whether users receive quarantine notifications. For more information about quarantine policies, see [Anatomy of a quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy).

- - **Safety tips & indicators**: Configure the following settings:

- - **Show (?) for unauthenticated senders for spoof**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Adds a question mark (?) to the sender's photo in the From box in Outlook if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-authentication-about.md#composite-authentication).

- - **Show "via" tag**: This setting is available only if you selected **Enable spoof intelligence** on the previous page. Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address. The default value is on (selected). To turn it off, clear the check box.

- When you're finished, click **Next**.

-7. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.

- When you're finished, click **Submit**.

-8. On the confirmation page that appears, click **Done**.

-## Use the Microsoft 365 Defender portal to view anti-phishing policies

-1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section.

-2. On the **Anti-phishing** page, the following properties are displayed in the list of anti-phishing policies:

- - **Name**

- - **Status**

- - **Priority**

- - **Last modified**

-3. When you select a policy by clicking on the name, the policy settings are displayed in a flyout.

-## Use the Microsoft 365 Defender portal to modify anti-phishing policies

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.

-2. On the **Anti-phishing** page, select a policy from the list by clicking on the name.

-3. In the policy details flyout that appears, select **Edit** in each section to modify the settings within the section. For more information about the settings, see the [Use the Microsoft 365 Defender portal to create anti-phishing policies](#use-the-microsoft-365-defender-portal-to-create-anti-phishing-policies) section earlier in this article.

- For the default anti-phishing policy, the **Users, groups, and domains** section isn't available (the policy applies to everyone), and you can't rename the policy.

-To enable or disable a policy or set the policy priority order, see the following sections.

-You can't disable the default anti-phishing policy.

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.

-2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.

-3. At the top of the policy details flyout that appears, you'll see one of the following values:

- - **Policy off**: To turn on the policy, click  **Turn on** .

- - **Policy on**: To turn off the policy, click  **Turn off**.

-4. In the confirmation dialog that appears, click **Turn on** or **Turn off**.

-5. Click **Close** in the policy details flyout.

-Back on the main policy page, the **Status** value of the policy will be **On** or **Off**.

-By default, anti-phishing policies are given a priority that's based on the order they were created in (newer policies are lower priority than older policies). A lower priority number indicates a higher priority for the policy (0 is the highest), and policies are processed in priority order (higher priority policies are processed before lower priority policies). No two policies can have the same priority, and policy processing stops after the first policy is applied.

-To change the priority of a policy, you click **Increase priority** or **Decrease priority** in the properties of the policy (you can't directly modify the **Priority** number in the Microsoft 365 Defender portal). Changing the priority of a policy only makes sense if you have multiple policies.

- **Notes**:

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.

-2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name.

-3. At the top of the policy details flyout that appears, you'll see **Increase priority** or **Decrease priority** based on the current priority value and the number of custom policies:

- - The policy with the **Priority** value **0** has only the **Decrease priority** option available.

- - The policy with the lowest **Priority** value (for example, **3**) has only the **Increase priority** option available.

- - If you have three or more policies, the policies between the highest and lowest priority values have both the **Increase priority** and **Decrease priority** options available.

- Click  **Increase priority** or  **Decrease priority** to change the **Priority** value.

-4. When you're finished, click **Close** in the policy details flyout.

-## Use the Microsoft 365 Defender portal to remove custom anti-phishing policies

-When you use the Microsoft 365 Defender portal to remove a custom anti-phishing policy, the anti-phish rule and the corresponding anti-phish policy are both deleted. You can't remove the default anti-phishing policy.

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-phishing** in the **Policies** section. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>.

-2. On the **Anti-phishing** page, select a custom policy from the list by clicking on the name of the policy.

-3. At the top of the policy details flyout that appears, click  **More actions** \>  **Delete policy**.

-4. In the confirmation dialog that appears, click **Yes**.

-## Use Exchange Online PowerShell to configure anti-phishing policies

-As previously described, an anti-spam policy consists of an anti-phish policy and an anti-phish rule.

- - m365-security

- - tier1

-In both of your anti-phishing policies based on Standard and Strict settings, change the value of **If message is detected as an impersonated user** to **Quarantine the message**.

-In both of your anti-phishing policies based on Standard and Strict settings, change the value of **If message is detected as an impersonated domain** to **Quarantine the message**.

-For spoof detections, the recommended Standard action is **Move message to the recipients' Junk Email folders**, and the recommended Strict action is **Quarantine the message**. Use the spoof intelligence insight to observe the results. Overrides are explained in the next section. For more information, see [Spoof intelligence insight in EOP](anti-spoofing-spoof-intelligence.md).

- - **If message is detected as an impersonated user**^\*: Select **Quarantine the message**. Select nothing in the **Apply quarantine policy** box that appears to use the default [quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy) that applies to messages that are quarantined by user impersonation protection.

- - **If message is detected as an impersonated domain**^\*: Select nothing in the **Apply quarantine policy** box that appears to use the default [quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy) that applies to messages that are quarantined by user domain impersonation protection.

- - **If mailbox intelligence detects an impersonated user**^\*: Select **Move message to the recipients' Junk Email folders** (Standard) or **Quarantine the message** (Strict). Select nothing in the **Apply quarantine policy** box that appears to use the default [quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy) that applies to messages that are quarantined by mailbox intelligence protection.

- - **If message is detected as spoof**: Select **Move message to the recipients' Junk Email folders** (Standard) or **Quarantine the message** (Strict). Select nothing in the **Apply quarantine policy** box that appears to use the default [quarantine policy](quarantine-policies.md#anatomy-of-a-quarantine-policy) that applies to messages that are quarantined by spoof intelligence protection.

-|**If message is detected as spoof** <br><br> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Quarantine the message** <br><br> `Quarantine`|This setting applies to spoofed senders that were automatically blocked as shown in the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md) or manually blocked in the [Tenant Allow/Block List](tenant-allow-block-list-about.md). <br><br> If you select **Quarantine the message** as the action for the spoof verdict, an **Apply quarantine policy** box is available.|

-|**If message is detected as an impersonated user** <br><br> _TargetedUserProtectionAction_|**Don't apply any action** <br><br> `NoAction`|**Quarantine the message** <br><br> `Quarantine`|**Quarantine the message** <br><br> `Quarantine`||

-|**If message is detected as an impersonated domain** <br><br> _TargetedDomainProtectionAction_|**Don't apply any action** <br><br> `NoAction`|**Quarantine the message** <br><br> `Quarantine`|**Quarantine the message** <br><br> `Quarantine`||

-|**If mailbox intelligence detects an impersonated user** <br><br> _MailboxIntelligenceProtectionAction_|**Don't apply any action** <br><br> `NoAction`|**Move message to the recipients' Junk Email folders** <br><br> `MoveToJmf`|**Quarantine the message** <br><br> `Quarantine`||

-> Allow entries of this pattern will be supported only from [advanced delivery configuration](skip-filtering-phishing-simulations-sec-ops-mailboxes.md).

-> Allow entries of this pattern will be supported only from [advanced delivery configuration](skip-filtering-phishing-simulations-sec-ops-mailboxes.md).

-> Allow entries of this pattern will be supported only from [advanced delivery configuration](skip-filtering-phishing-simulations-sec-ops-mailboxes.md).

-> Allow entries of this pattern will be supported only from [advanced delivery configuration](skip-filtering-phishing-simulations-sec-ops-mailboxes.md).