M365 DO365-AAP-E5 Mappings

The Advanced Anti-phishing control includes several mechanisms that can be used to respond to malicious emails detected that may be part of Impersonation using email communications. Responses include the ability to automatically move suspicious messages to the Junk Email, but additional settings also exist that allow a message to be quarantined or rejected. Spoof settings also allow for different quarantine policies, which define how users can interact with these messages. This scores Minimal for the Respond category, due to relatively low or no coverage against the scope of the Impersonation technique and its example procedures. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

The Advanced Anti-phishing control includes several mechanisms that can detect and warn a user against suspicious emails and reduce the likelihood of the user falling victim to suspicious email communications resulting from Impersonation. Detections include implicit email authentication, which include unauthenticated sender indicators that warn the user of potential email spoofing based on SPF or DMARC checks, and first contact safety tip, which will report the first time a user gets a message from a sender, or if they often don’t get messages from that sender. This scores Minimal for the Detect category, due to relatively low or no coverage against the scope of the Impersonation technique and its example procedures. However, against specific email-based implementations, coverage will be near real-time and high for the criteria covered. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

The Advanced Anti-phishing control includes configurable policies that control anti-phishing protection settings that can help protect in the event of business email compromise and email fraud campaigns, which may help protect against some methods of Impersonation. These protection policies are configurable across different user groups, and can be tied to Actions designed to help organizations Respond to the suspicious messages. This scores Minimal in the Protect category given the ability to flag potentially malicious emails provides relatively low or no coverage against the scope of the Impersonation technique and its example procedures. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

The Advanced Anti-phishing control includes features that can be used to Respond to unusual communication patterns that may indicate Internal Spearphishing. AAP for Defender for O365 supports impersonation protection, which provides multiple options in reaction to a detected impersonation attempt. For example, the ability to redirect the email to specified recipients, add new recipients as Bcc, send it to the Junk Email folder, place the message in quarantine, or even automatically delete it. This scores Partial in the Respond category for its ability to potentially contain the impact of or alert others to the need to remediate internal spearphishing attempts. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

The Advanced Anti-phishing control includes features that can be used to detect and warn users against unusual communication patterns that may indicate Internal Spearphishing. The first contact safety tip, which will report the first time a user gets a message from a sender, or if they often don’t get messages from that sender may alert users to suspicious communications from legitimate, but unexpected users in their organization. This scores Partial in the Detect category for its near real-time processing and indication of unexpected email communications. Detection of suspicious communication will not be equally accurate, depending on the accounts in question. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

The Advanced Anti-phishing control includes several mechanisms that can be used to respond to malicious emails targeting users with Spearphishing Links. Responses include the ability to automatically move suspicious messages to the Junk Email, but additional settings also exist that allow a message to be quarantined or rejected. Spoof settings also allow for different quarantine policies, which define how users can interact with these messages. This scores Partial for the Respond category for its ability to contain, possibly quarantine and limit user interaction with flagged emails. Note the response will be insufficient in the event a user clicks on, interacts with, and falls victim to the result of a malicious link. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

The Advanced Anti-phishing control includes several mechanisms that can detect and warn a user against suspicious emails and reduce the likelihood of the user falling victim to malicious emails with Spearphishing Links. Detections include implicit email authentication, which include unauthenticated sender indicators that warn the user of potential email spoofing based on SPF or DMARC checks, and first contact safety tip, which will report the first time a user gets a message from a sender, or if they often don’t get messages from that sender. This scores Significant for the Detect category, for its high coverage against email coming emails, near real-time processing of new emails, and fairly accurate detection rates. Note that AAP is focused on detecting suspicious emails, not the processing and detection of potentially malicious email links. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

The Advanced Anti-phishing control includes configurable policies that control anti-phishing protection settings that can help protect users by filtering out and even blocking suspicious emails, and reduce the likelihood of the user falling victim to malicious emails with Spearphishing Links. These protection policies are configurable across different user groups, and can be tied to Actions designed to help organizations Respond to the suspicious messages. This scores Partial in the Protect category for its ability to minimize, filter, and flag potentially malicious emails end users receive. However, it should be noted that the AAP control on its own may not further protect against a user proceeding to click on a malicious link in a flagged email, depending on how an organization configures follow up Actions and how a user may interact with the message. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

The Advanced Anti-phishing control includes several mechanisms that can be used to respond to malicious emails targeting users with Spearphishing Attachments. Responses include the ability to automatically move suspicious messages to the Junk Email, but additional settings also exist that allow a message to be quarantined or rejected. Spoof settings also allow for different quarantine policies, which define how users can interact with these messages. This scores Partial for the Respond category for its ability to contain, possibly quarantine and limit user interaction with flagged emails. Note the response will be insufficient in the event a user interacts with and executes the malicious Spearphishing attachment. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

The Advanced Anti-phishing control includes several mechanisms that can detect and warn a user against suspicious emails and reduce the likelihood of the user falling victim to malicious emails with Spearphishing Attachments. Detections include implicit email authentication, which include unauthenticated sender indicators that warn the user of potential email spoofing based on SPF or DMARC checks, and first contact safety tip, which will report the first time a user gets a message from a sender, or if they often don’t get messages from that sender. This scores Significant for the Detect category, for its high coverage against email coming emails, near real-time processing of new emails, and fairly accurate detection rates. Note that AAP is focused on detecting malicious emails, not the processing and analysis of attachments. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

The Advanced Anti-phishing control includes configurable policies that control anti-phishing protection settings that can help protect users by filtering out and even blocking suspicious emails, and reduce the likelihood of the user falling victim to malicious emails with Spearphishing Attachments. These protection policies are configurable across different user groups, and can be tied to Actions designed to help organizations Respond to the suspicious messages. This scores Partial in the Protect category for its ability to minimize, filter, and flag potentially malicious emails end users receive. However, it should be noted that the AAP control on its own may not further protect against a user proceeding to interact with malicious attachments in a flagged email, depending on how an organization configures follow up Actions and how a user may interact with the message. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

The Advanced Anti-phishing control includes respond mechanisms that can be used to quarantine and limit user interaction with phishing messages, including those that contain Spearphishing Attachments and Links, that employ email as the means of communication. This covers responses to some, but not all of this technique’s sub-techniques, resulting in an overall score of Partial for the Respond category. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

The Advanced Anti-phishing control includes features that may detect phishing messages, including those that contain Spearphishing Attachments and Links, that employ email as the means of communication. In particular, AAP may identify and isolate spoofing attempts and warn of unusual communication patterns for the sender’s email. This covers detection of some, but not all of this technique’s sub-techniques, resulting in an overall score of Partial for the Detect category. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)

The Advanced Anti-phishing control includes configurable policies that protect against methods of phishing, including those that contain Spearphishing Attachments and Links, that employ email as the means of communication. This covers protection against some, but not all of this technique’s sub-techniques, resulting in an overall score of Partial for the Protect category. License Requirements: Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)