
Using a Signature Service with Impersonation Protection


Customers that are using a signature service with M365 may notice that their internal emails are being flagged/remediated by Impersonation Protection.

Normally, internal emails are not analyzed by our inbound mail classifiers; they are analyzed only by our ATO (Account Takeover) classifier, which looks for a very specific type of threat (i.e., phishing). Since internal communications may use language that is not common in external communications, these emails are more likely to be seen as frauds/scams when the external classifiers are applied to them.

Because the internal email is being routed out of M365 first, and then back in, the message properties now indicate that this is an “External” email, and therefore our external email classifiers will be applied.

There are a couple of ways to solve for this:

  1. Update your mail flow rule for the signature service so that internal emails are not routed out to have a signature applied. This keeps the message properties as “Internal”, and the messages will no longer be analyzed as external messages.

  2. Create an exemption policy within Impersonation Protection.

Update the Signature Service Rule

This should be as simple as modifying the existing rule for the signature service and putting an exception in place or making it only apply if the sender is internal and the recipient is external.
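The following Exchange Online PowerShell snippet is an added example (not part of the original article or the signature vendor's documentation) showing both ways of re-scoping the rule described above: restricting it to internal-sender/external-recipient mail, or adding an exception for internal recipients. The rule name "Signature Service" is an assumption; substitute the name of your own rule.

```powershell
# Added example: re-scope a third-party signature-service mail flow rule so that
# internal-to-internal mail stays inside M365 and keeps its "Internal" properties.
# Assumption: the rule is named "Signature Service". Requires the
# ExchangeOnlineManagement module.

Connect-ExchangeOnline

$ruleName = "Signature Service"   # assumed name; change to match your tenant

# Inspect the current scope and routing before changing anything.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, FromScope, SentToScope, ExceptIfSentToScope, RouteMessageOutboundConnector

# Option A: apply the rule only when the sender is internal and the recipient is external.
Set-TransportRule -Identity $ruleName `
    -FromScope InOrganization `
    -SentToScope NotInOrganization

# Option B (same intent, keeps any existing conditions): add an exception so the
# rule never fires for messages sent to internal recipients.
# Set-TransportRule -Identity $ruleName -ExceptIfSentToScope InOrganization

# Verify that the new scope took effect.
Get-TransportRule -Identity $ruleName |
    Format-List Name, FromScope, SentToScope, ExceptIfSentToScope
```

After the change, send a test message between two internal mailboxes and confirm in its headers that it was not routed through the signature connector; only mail to external recipients should now leave the tenant for signing.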

Make an exemption within Impersonation Protection

Within Impersonation Protection, you can create an exemption for domains, which will skip any sort of classifier analysis.

Creating an exemption for your own domain here is a relatively low-risk solution as long as the following two criteria are met:

  1. Your domain has a DMARC policy in p=reject mode and

  2. DMARC checking is enabled and enforced at the gateway.

With the above two conditions being true, the only emails reaching a user's inbox from your own domain would be either a) internal mails or b) mail from a legitimate third party that is spoofing your domain. If either of these conditions is false, it is not advisable to make an exemption for your own domain.
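The first criterion can be checked against the domain's published DMARC record. The PowerShell function below is an added example (not part of the original article) that parses a DMARC TXT record and reports whether it really enforces reject, including two cases that weaken a nominal p=reject: a pct value below 100 (only a fraction of failing mail is rejected) and an explicit weaker subdomain policy (sp). The sample records are constructed, and "example.com" is a placeholder domain.

```powershell
# Added example: verify that a DMARC record enforces p=reject before exempting the
# domain in Impersonation Protection. Sample records below are constructed.

function Test-DmarcReject {
    param([Parameter(Mandatory)][string]$Record)

    # DMARC tags are "name=value" pairs separated by semicolons.
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }

    $reasons = @()
    if ($tags['v'] -ne 'DMARC1') { $reasons += 'not a DMARC1 record' }
    if ($tags['p'] -ne 'reject')  { $reasons += "policy is '$($tags['p'])', not reject" }

    # pct defaults to 100; anything lower means only that percentage of failing mail is rejected.
    $pct = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }
    if ($pct -lt 100) { $reasons += "pct=$pct, enforcement is only partial" }

    # sp defaults to the value of p; an explicit weaker value leaves subdomains spoofable.
    if ($tags.ContainsKey('sp') -and $tags['sp'] -ne 'reject') {
        $reasons += "subdomain policy sp=$($tags['sp']) is weaker than reject"
    }

    [pscustomobject]@{ Enforced = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Constructed sample records: a fully enforcing record, a quarantine-only record,
# and a reject record weakened by pct=50.
Test-DmarcReject 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
Test-DmarcReject 'v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com'
Test-DmarcReject 'v=DMARC1; p=reject; pct=50'

# Live lookup of your own domain (Windows DnsClient module); example.com is a placeholder.
# TXT records may be split into several strings, so join them before parsing.
# $txt = (Resolve-DnsName -Name _dmarc.example.com -Type TXT).Strings -join ''
# Test-DmarcReject $txt
```

Only the first criterion is visible in DNS. The second one, that the gateway actually checks and enforces DMARC on inbound mail, has to be confirmed in the gateway's own configuration; a record that says p=reject gives no protection if the gateway is configured to monitor rather than reject.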