Anti-Phishing settings

Support

Support for business applications

Kaspersky Security for Microsoft Office 365

Protection settings

Exchange Online security policies

Creating a custom security policy

Anti-Phishing settings

April 22, 2024

ID 177810

Expand all | Collapse all

With the help of the Anti-Phishing protection module, you can protect your company mailboxes against phishing, spoofing, conversation hijacking, BEC attacks and malicious links that can be sent in email messages.

Phishing links lead to fraudulent websites designed to steal the personal data of users, such as bank account details. A phishing attack can be disguised, for example, as a message from your bank with a link to its official website. If you click the link, you are redirected to an exact copy of the bank's website, and the browser might even display the bank website's address. However, you are actually on a spoofed (fake) website. All of your actions on the website are tracked and can be used to steal your personal data.

In spoofing and conversation hijacking attacks, malicious senders forge email addresses and content of the messages to be considered trustworthy by the recipients.

By means of email address spoofing or conversation hijacking, BEC attackers hold themselves out as persons the email recipients should trust to gain illegal advantages.

Malicious links lead to web resources designed to spread malware.

The application detects phishing, spoofing and malicious links according to the detection rules developed by the Kaspersky experts. Kaspersky regularly updates rules and methods of detecting phishing and malicious links.

While scanning messages for phishing, spoofing, BEC attacks and malicious links, the application analyzes not only links, but also the message subject, contents, design features, and other message attributes. The scan makes use of Kaspersky Security Network (KSN) cloud services. With the help of KSN, the application receives the latest information about phishing links and malicious links before they appear in the Kaspersky databases.

When creating a security policy, you can specify the Anti-Phishing settings.

Anti-Phishing mode

You can enable one of the following operation modes:

Recommended mode: regular detection procedure
Messages containing phishing and malicious links along with spoofing, conversation hijacking and BEC attacks will be detected.
Enforced mode: supplementary detection of unclear content similar to phishing
Messages containing phishing and malicious links along with unclear content similar to phishing will be detected.

If you enable this mode, it becomes enabled in all active security policies.

Actions to be taken by the application

In the Action area, specify what the application must do with messages in which it detects phishing and malicious links along with unclear content similar to phishing:

Delete and quarantine message
The whole message is deleted from the user mailbox and moved to Quarantine.
Move to Junk Email folder
The message is moved from its original folder to the Junk Email folder.
Allow through
The message remains unchanged in the user mailbox.
Tag the subject
You can add a custom tag to the subjects of affected messages. If necessary, change the tag in the entry field under the Tag the subject check box.

This option is available for the Allow through and Move to Junk Email folder actions.
Delete permanently: deleted messages cannot be recovered
To view this option, you must open the Other options drop-down list. The whole message is deleted from the user mailbox beyond recovery.

Note that if you select Enforced mode: supplementary detection of unclear content similar to phishing, messages containing only unclear content similar to phishing will not be deleted permanently, but moved to Quarantine.

Notifications

In the Notifications area, configure notifications that will be sent automatically:

Notify administrators about detections
This option allows you to enable and configure notifications about detected items. By default, notifications are disabled.

To enable and configure notifications:
1. Select the Notify administrators about detections check box.
2. Click the Select button to add recipients.
  The Notification for administrators window appears.
3. Enter the email addresses of the notification recipients.
  You can specify up to 25 email addresses.
4. Click the Plus () button.
  The selected email addresses will be displayed under the Specify email address field.
5. To delete an email address from the list, click the Delete () button in the row.
6. Click Save.
  The list of addresses is saved. The notifications will be sent to the specified addresses.
Notify mailbox owner about deleted messages
This option allows you to notify the user from whose mailbox an entire message was deleted. By default, notifications are disabled.

To enable and configure notifications:
1. Select the Notify mailbox owner about deleted messages check box.
2. If necessary, adapt the notification template to comply with the requirements of your corporate security policy:
  1. Click the Edit notification template button.
    The Notification template window opens.
  2. Edit the Subject and/or Body fields.
  3. If you want to restore the default template, click the Reset button.
  4. Click Save.
  In your custom template, you can keep using the variables included in the default template to provide the user with detailed information about the deleted message.
  
  Notifications to mailbox owners are sent on behalf of the Security Service, which will be indicated in the From field of the corresponding email message. You cannot send a reply to this sender.
  
  %FROM%. Message sender.
  
  %TO%. Message recipients, including carbon copy ones.
  
  %SUBJECT%. Message subject.
  
  %FOLDER%. Mailbox folder where the message was detected.
  
  %MSG_TIME%. The receipt date and time for incoming messages, the date and time when the message was sent for outgoing messages, and the draft creation date and time for drafts. The time zone specified in the application settings is applied.
  
  %DETECTED_FILES%. List of files detected in the message attachment.
This option is available for the Delete and quarantine message and Delete permanently: deleted messages cannot be recovered actions only.

Allowlist

In the Allowlist area, configure allowed senders:

Allow messages from the following senders
This option allows you to configure allowed senders. These senders are considered trusted and messages from them are skipped from processing.

To configure allowed senders:
1. Select the Allow messages from the following senders check box.
2. Click the Select button.
  The Sender allowlist window opens.
3. Click the Add sender button.
  The Add a sender to the allowlist window opens.
4. In the Specify a complete email address or a mask entry field, provide an email address or several email addresses that should be added to the allowlist separated by semicolons or line breaks.
  If you want to allow several senders at once, you can use masks. For instance, if you specify the *@example.com mask, the allowlist contains all email addresses from the @example.com domain. You can also copy and paste a list of email addresses / masks separated by semicolons or line breaks in the entry field.
  
  Representation of a file name using wildcards. The standard wildcards used in file masks are * and ?, where * represents any number of any characters and ? stands for any single character.
5. Click Validate.
  The provided email addresses / masks are displayed in the list.
  
  If the email addresses / masks are entered incorrectly, they are displayed in the list in a red font, and you must introduce changes to save them.
6. Click Save to save the list of provided addresses / masks.
7. If you want to delete an email address / mask from the list:
  1. Click the Delete () button next to the email address / mask.
  2. Click Save.
Do not check allowed senders' SPF
This option allows you not to consider results of Sender Policy Framework (SPF) check for allowed senders.

New messages with the Phishing status from an allowed sender remain in the original folder, but only if the SPF check verifies the sender's authenticity.

An SPF check is a verification that an email message received from a domain comes from a host authorized by that domain's administrators. During an SPF check, the IP address of the message sender is compared with the list of host names and IP addresses of possible message sources for the domain.

If the result of the SPF check is "pass" and the message sender is in the allowlist, this message remains unchanged in the user mailbox.

Otherwise, it is considered that the SPF check has revealed violations of the message sender's authenticity. Therefore, this message is processed according to the policy settings for phishing.

To disable checking of allowed senders' SPF:
1. Select the Do not check allowed senders' SPF check box.
2. Click Save.

Did you find this article helpful?

What can we do better?

Thank you for your feedback! You're helping us improve.