I'm looking for solutions to enhance impersonation protection for our Office 365 setup. Currently, we have Mimecast layered on top, but I find it a hassle that we have to manually update the monitoring list. With around 500 users, it's manageable, but I'm curious about how larger companies, especially those with over 10,000 users, handle impersonation protection. How are they dealing with email spoofing that pretends to come from internal users?
3 Answers
Our default policy is set to cover everyone with a user hold, while VIP users have an admin hold. We just remind HR to check their portal regularly, and our IT team reviews admin holds every day.
We're using Mimecast Impersonation Protection as well, and like TechSavvyTom mentioned, we have it enabled for all internal users. This takes away the need for managing the list manually, which is definitely a win. For most companies, having it turned on for everyone is a best practice.
We put our whole domain under the impersonation protection policy in Office 365. It really simplifies the process since you don't have to update the list manually for each user.
We did run into a problem when including everyone in the policy. After an employee leaves, we keep their mailbox in a shared state to retain the email. This caused issues: their email would get caught by the filters when they tried to reach out to HR.
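The answer above describes two things in Office 365: putting the whole domain under the impersonation protection policy instead of maintaining a per-user list, and the edge case where a departed employee's retained shared mailbox starts tripping the filter. The following is an added example, not code from any of the posters. It assumes Microsoft Defender for Office 365 (impersonation protection is not in plain Exchange Online Protection), the ExchangeOnlineManagement PowerShell module, the default anti-phishing policy name "Office365 AntiPhish Default", and a constructed placeholder address for the former employee's shared mailbox.

```powershell
# Added example: configure domain-wide impersonation protection in
# Defender for Office 365 and handle the departed-employee shared mailbox.
# Requires the ExchangeOnlineManagement module and Defender for Office 365.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in as an Exchange/Security admin

$policy = "Office365 AntiPhish Default"   # default policy name; adjust if a custom policy applies

# Protect every accepted domain in the tenant instead of listing users one by one.
# Mailbox intelligence learns each user's normal contacts, so it catches lookalike
# senders for all 500 (or 10,000) users without a manually maintained VIP list.
Set-AntiPhishPolicy -Identity $policy `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true

# A short VIP list can still be layered on top (format is "DisplayName;EmailAddress").
# Constructed placeholder values; replace with real executives.
Set-AntiPhishPolicy -Identity $policy `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Jane Doe;jane.doe@example.com") `
    -TargetedUserProtectionAction Quarantine

# Edge case from the thread: a former employee's mailbox kept as a shared mailbox
# keeps sending (e.g. to HR) and is flagged as an impersonation. Rather than
# weakening the policy, add only that specific sender to the trusted-senders list.
# Placeholder address; use the actual shared mailbox.
$formerEmployee = "former.employee@example.com"
$current = (Get-AntiPhishPolicy -Identity $policy).ExcludedSenders
Set-AntiPhishPolicy -Identity $policy -ExcludedSenders ($current + $formerEmployee)

# Verify the resulting settings before leaving the session.
Get-AntiPhishPolicy -Identity $policy |
    Select-Object Name,
                  EnableOrganizationDomainsProtection,
                  EnableMailboxIntelligenceProtection,
                  MailboxIntelligenceProtectionAction,
                  TargetedUsersToProtect,
                  ExcludedSenders

Disconnect-ExchangeOnline -Confirm:$false
```

Two design notes. Quarantine is used as the action so that a false positive such as the departed employee's mail is recoverable by an admin rather than silently deleted; review the quarantine when someone reports a missing message. Excluding a single sender address keeps the domain-wide policy intact, whereas disabling protection for the shared mailbox's domain would reopen the spoofing gap the policy exists to close.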