Secure U of T advanced threat protections: Anti-phishing protection


Introduction

Secure U of T anti-phishing protection offers you advanced threat protection from spoofing and impersonation threats.  

Spoofing is when the From address in an email message (the sender address that's shown in email clients) doesn't match the domain of the email source. Impersonation is where the sender or the sender's email domain in a message looks similar to a real sender or domain. The intent is to deceive recipients. 

You will benefit from important features that increase your protections from malicious impersonation-based phishing attacks and other types of phishing attacks. Please review this knowledge article to understand: 

  • The features that are included with anti-phishing policies. 
  • What these anti-phishing features will look like when applied to your Microsoft account in phases. 
  • What you should do if an email you receive is marked as malicious. 
  • What you should do if a non-malicious email is marked as malicious. 

If you are unfamiliar with phishing and what it is, please review this online resource. 

Advanced anti-phishing policies 

Advanced anti-phishing policies add an additional layer of security to your University of Toronto email account. These policies use machine learning models to identify and protect you from phishing attempts by notifying you when an email you receive seems suspicious.  

Mailbox intelligence analyzes your UTmail+ mail flow patterns to determine which contacts you communicate with most often. This helps the system to more easily identify when an email message might be from an attacker who is impersonating one of your contacts. It also helps to reduce the number of false positives in your inbox by helping to ensure that legitimate messages are not inappropriately marked as spam. 

The implementation of these features will be in three phases. Users may be in different phases at different times, and not all phases will apply to all users.

Phase 1: Tuning 

Phishing and spoofed email alerts for identified M365 accounts will be reviewed by IT staff to tune the service by identifying legitimate senders who could have a similar domain or display name to the accounts the University is protecting. This first phase is ‘invisible’ and will not impact your email experience. 

Phase 2: Notification 

Anti-phishing protection will alert you to possible phishing attempts by displaying safety tips in the body of suspicious emails that you receive. This will help you to determine if you should not trust the sender of an email. 

There are different safety tips that could be displayed on suspicious emails that you receive. The tip that is displayed will depend on the nature of the suspicious email. You will see a safety tip when:

  • You receive an email from someone for the first time, or from someone who doesn’t send you email often. This capability adds an extra layer of security protection against potential impersonation attacks. 
    • Example:
  • The From address contains the name of someone at the University who the email sender could potentially be impersonating. 
    • Example:
  • The From address contains a protected domain (e.g. @utoronto.ca) that the email sender might be trying to impersonate (e.g. @utorronto.ca). 
  • The From address contains unusual character sets in a protected sender or domain. This tip will appear when the sender’s name or email contains character sets that aren’t usually used together. For example, if an email address has a combination of mathematical symbols and normal text, or a mix of capital and lowercase letters (e.g. J0HNsmith@UToronT0.ca). 
    • Example: “The email address J0HNsmith@UToronT0.ca includes unexpected letters or numbers. We recommend you don’t interact with this message.” 

Phase 3: Action

Identified impersonation emails (where the From address contains the name of someone at the University who the email sender could potentially be impersonating) will be automatically moved to your Junk Email folder.    

Frequently asked questions

Will my U of T email automatically send these suspicious emails to my junk folder? 

Currently, all emails identified as spoofing messages (where the From address in an email message doesn't match the domain of the email source) by Microsoft will automatically go to your Junk Email folder.  

Anti-impersonation emails (where the sender or the sender's email domain in a message looks similar to a real sender or domain) are not currently automatically sent to Junk Email. However, these emails could still sometimes end up in your Junk Email folder for other reasons. 

What should I do if I get an email that advanced threat protection marks as suspicious? 

If you get a suspicious email, we ask that you report it to Information Security using the ‘Report Message’ add-in or by forwarding the email to report.phishing@utoronto.ca. 

What should I do if advanced threat protection incorrectly marks an email as suspicious? 

If you receive an email that you believe has been incorrectly marked as suspicious, please submit a ticket to the Enterprise Service Center at uoft.me/m365help. Our Microsoft 365 team can mark the email so that it is no longer deemed malicious. 

Does Microsoft read my emails? 

Microsoft uses machine learning to scan your emails for malicious content, but no person will ever view them. 

Where can I learn more about spotting phishing emails and other safety tips? 

To learn more about phishing emails and how to spot them, please review this online resource from the Government of Canada. 

You can also learn more about information security and phishing at the University of Toronto from our Phishing 101 website. 

Learn more

For information about other Secure U of T features and frequently asked questions, please see the Secure U of T overview article.