External IT Knowledge - Secure U of T advanced threat protections: Anti-phishing protection

Secure U of T anti-phishing protection provides features to protect you from spoofing and impersonation threats.

Spoofing is when the From address in an email message (the sender address that's shown in email clients) doesn't match the domain that the email was sent from.
Impersonation is where the sender or the sender's email domain in a message looks similar to a legitimate sender or domain. The intent is to deceive recipients.

Please review this knowledge article to understand:

The features that are included with anti-phishing policies.
What these anti-phishing features will look like when applied to your Microsoft account in phases.
What you should do if an email you receive is marked as malicious.
What you should do if a non-malicious email is marked as malicious.

If you are unfamiliar with phishing and what it is, please review this online resource.

Features to know

Advanced anti-phishing policies add an additional layer of security to your University of Toronto email account. These policies use machine learning models to identify and protect you from phishing attempts by notifying you when an email you receive seems suspicious.

Current features include:

Safety tips marking suspicious emails

Anti-phishing protection will alert you to possible phishing attempts by displaying safety tips in the body of suspicious emails that you receive. This will help you to determine if you should not trust the sender of an email.

There are different safety tips that could be displayed on suspicious emails that you receive. The tip that is displayed will depend on the nature of the suspicious email. You will see a safety tip when:

You receive an email from someone for the first time, or from someone who doesn’t send you email often. This capability adds an extra layer of security protection against potential impersonation attacks.
- Example:
The From address contains the name of someone at the University who the email sender could potentially be impersonating.
- Example:
The From address contains a protected domain (e.g. @utoronto.ca) that the email sender might be trying to impersonate (e.g. @utorronto.ca).
The From address contains unusual character sets in a protected sender or domain. This tip will appear when the sender’s name or email contains character sets that aren’t usually used together. For example, if an email address has a combination of mathematical symbols and normal text, or a mix of capital and lowercase letters (e.g. J0HNsmith@UToronT0.ca).
- Example: “The email address J0HNsmith@UToronT0.ca includes unexpected letters or numbers. We recommend you don’t interact with this message.”

Moving suspicious emails to Junk folder

Identified impersonation emails (where the From address contains the name of someone at the University who the email sender could potentially be impersonating) will be automatically moved to your Junk Email folder.

Report suspected phishing emails

If you receive a suspicious email, do not open it. Report it immediately.

There are two ways you can manually report suspected phishing emails to U of T.

UofT Report Phishing button: If you use Outlook, look for the "UofT Report Phishing" button within the email interface and click it to report the email.

Forward the email: This method is for people who don't use Outlook. Forward the suspicious email to report.phishing@utoronto.ca.

Learn more about how to report suspected phishing emails.

Frequently asked questions

Will my U of T email automatically send these suspicious emails to my junk folder?

Currently, all emails identified as spoofing messages (where the From address in an email message doesn't match the domain of the email source) by Microsoft will automatically go to your Junk Email folder.

Anti-impersonation emails (where the sender or the sender's email domain in a message looks similar to a real sender or domain) are not currently automatically sent to Junk Email. However, these emails could still sometimes end up in your Junk Email folder for other reasons.

What should I do if I get an email that advanced threat protection marks as suspicious?

If you get a suspicious email, we ask that you report it to Information Security using the ‘Report Message’ add-in button in Microsoft Outlook or by forwarding the email to report.phishing@utoronto.ca.

What should I do if advanced threat protection incorrectly marks an email as suspicious?

If you receive an email that you believe has been incorrectly marked as suspicious, please submit a ticket to the Enterprise Service Center at uoft.me/m365help. Our Microsoft 365 team can mark the email so that it is no longer deemed malicious.

Does Microsoft read my emails?

Microsoft uses machine learning to scan your emails for malicious content, but no person will ever view them.

Where can I learn more about spotting phishing emails and other safety tips?

To learn more about phishing emails and how to spot them, please review this online resource from the Government of Canada.

You can also learn more about information security and phishing at the University of Toronto from Information Security’s Phishing 101 webpage.

Learn more

For information about other Secure U of T features and frequently asked questions, please see the Secure U of T overview article.