Exam MS-500 All Questions

View all questions & answers for the MS-500 exam

Exam MS-500 topic 2 question 13 discussion

Actual exam question from Microsoft's MS-500

Question #: 13
Topic #: 2

SIMULATION -
You need to protect against phishing attacks. The solution must meet the following requirements:
✑ Phishing email messages must be quarantined if the messages are sent from a spoofed domain.
✑ As many phishing email messages as possible must be identified.
The solution must apply to the current SMTP domain names and any domain names added later.
To complete this task, sign in to the Microsoft 365 admin center.

Show Suggested Answer

Suggested Answer: See explanation below.
1. After signing in to the Microsoft 365 admin center, select Security, Threat Management, Policy, then ATP Anti-phishing.
2. Select Default Policy to refine it.
3. In the Impersonation section, select Edit.
4. Go to Add domains to protect and select the toggle to automatically include the domains you own.
5. Go to Actions, open the drop-down If email is sent by an impersonated user, and choose the Quarantine message action.
Open the drop-down If email is sent by an impersonated domain and choose the Quarantine message action.
6. Select Turn on impersonation safety tips. Choose whether tips should be provided to users when the system detects impersonated users, domains, or unusual characters. Select Save.
7. Select Mailbox intelligence and verify that it's turned on. This allows your email to be more efficient by learning usage patterns.
8. Choose Add trusted senders and domains. Here you can add email addresses or domains that shouldn't be classified as an impersonation.
9. Choose Review your settings, make sure everything is correct, select Save, then Close.
Reference:
https://support.office.com/en-us/article/protect-against-phishing-attempts-in-microsoft-365-86c425e1-1686-430a-9151-f7176cce4f2c#ID0EAABAAA=Try_it
!
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide#example-anti-phishing-policy-to- protect-a-user-and-a-domain

by Oz at Aug. 20, 2020, 5:37 p.m.

Comments

Submit Cancel

Oz

Highly Voted 4 years, 10 months ago

To meet the second requirement, it is necessary in Default Antiphishing policy settings to scroll down and find Advanced settings. Edit it and set Advanced phishing threshold to "Most Aggressive" instead of "Standard"

upvoted 16 times

...

w00t

Highly Voted 4 years, 2 months ago

* Phishing email messages must be quarantined if the messages are sent from a spoofed domain. * AS MANY phishing email messages AS POSSIBLE must be identified. Default Policy * Impersonation -> Edit * Add domains to protect -> Automatically Include the Domains I own -> ON * Actions -> If email is sent by an impersonated user: QUARANTINE * Actions -> If email is sent by an impersonated domain: QUARANTINE * Mailbox Intelligence -> If email is sent by an impersonated user: QUARANTINE * Advanced Settings -> Edit * Advanced phishing thresholds -> MOST AGGRESSIVE

upvoted 16 times

...

BigDazza_111

Most Recent 2 years, 7 months ago

couldn't edit default phishing policy --> work around ? Go to Security admin --> policy and rules --> phishing policy --> new policy , add name /description, add users and select your own domain --> phishing email threshold ...max 4--> enable domains to protect , select your own --> enable mailox intelligence, enable intelligence for impersonaion, enable spoof intelligence, under ACTIONS if messge detected as spoof select quarantine, save policy, and then move it up as priority against other policies...would this work??

upvoted 2 times

...

Nail

3 years, 10 months ago

From the M365 admin center: Go to Security admin center > Policies & rules (under Email & collaboration) > Threat policies > Anti-phishing

upvoted 10 times

...

ThBEST

4 years ago

I agree with Toyo on this one, although Oz is being more cautious, the increased number of false positives is not a good for production or accuracy. However here is the new reference link as of 06/04/2021: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies?view=o365-worldwide

upvoted 2 times

WMG

3 years, 10 months ago

The question does not state anything about production or accuracy. Just that "as many as possible be identified." This means raising the threshold to max. In reality you would then review the quarantine and see if legit emails are being caught and why. If you have a lower setting, emails go through to your users and we all know how that goes. Oz is correct, change to Most Aggressive.

upvoted 2 times

...

andreiiar

4 years, 1 month ago

What about Spoof settings? Default here is move to junk. === Editing Spoofing filter settings Editing Actions If the person spoofing your domain isn't an allowed sender, we'll apply the action you choose here. ===

upvoted 1 times

...

DrMe

4 years, 5 months ago

Walk though with video... https://support.microsoft.com/en-us/office/protect-against-phishing-attempts-in-microsoft-365-86c425e1-1686-430a-9151-f7176cce4f2c Make sure you also also complete Oz's recommendation to change the threshold too.

upvoted 4 times

AJ2021

4 years, 4 months ago

I agree with Toyo, leave APT asis, also left unchanged in your video link too

upvoted 2 times

...

Toyo1

4 years, 9 months ago

I don't think the Advanced Phishing Threshold should be raised because the question did not request the threshold be raised. Raising the threshold to "Most Aggressive" may result in high number of false positives.

upvoted 4 times

njeske

4 years, 9 months ago

The problem states "As many phishing email messages as possible must be identified." It doesn't say anything at all about the organizations tolerance level for false positives. Therefore, I'd completely agree with Oz, and would raise the Advanced Phishing Threshold to "Most Agressive."

upvoted 10 times

...