The Exchange setting that lets anyone impersonate your CEO
2026-05-06
Someone sends your accountant an email that looks exactly like it came from the CEO. Same display name, similar address. It says: “Please wire €45,000 to this new supplier — urgent, I’m in a meeting.”
Without impersonation protection, nothing flags it. The accountant pays. The money goes to a criminal’s account.
This is Business Email Compromise (BEC) — the #1 way small businesses lose money to email fraud. The FBI’s IC3 reports $2.9 billion in BEC losses in 2023 alone.
The setting that’s probably off
Microsoft Defender for Office 365 includes impersonation protection — but it’s not enabled by default. You need to activate either the Standard or Strict preset security policy and assign it to all users.
If you’re running on Exchange Online Protection (EOP) only — the version included with Business Basic/Standard — impersonation protection isn’t even available. You need Defender for Office 365 Plan 1, which adds $2/user/month.
What PosturIQ checks
PosturIQ’s Email Impersonation Protection check verifies this automatically:
- No MDO license → Fail, with a recommendation to add Plan 1
- MDO present but no preset policy → Fail, because Built-in Protection doesn’t cover impersonation detection
- Standard or Strict preset active → Pass
This is one of 10 email security checks PosturIQ runs on every scan — including forwarding rules, spam filter bypasses, DKIM/DMARC, and attachment filtering.
Fix it in 5 minutes
- Go to the Microsoft 365 security portal → Preset security policies
- Enable the Standard preset (or Strict for maximum protection)
- Assign it to all users
- Done — impersonation protection, Safe Links, Safe Attachments, and anti-phishing are all activated
That’s one setting protecting against the most common email attack vector.
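The same three-way verdict as the check described above, plus a look at whether the preset was actually assigned to everyone, as a PowerShell script added here for illustration (not PosturIQ's own implementation). It assumes the ExchangeOnlineManagement module, an existing Connect-ExchangeOnline session, and treats a failure of Get-ATPProtectionPolicyRule as the EOP-only case.

```powershell
# Added example, not PosturIQ's code. Assumes the ExchangeOnlineManagement module
# is installed and Connect-ExchangeOnline has already been run with a role that
# can read threat policies (e.g. Security Reader). Returns one object whose
# Result is 'Pass' or 'Fail', mirroring the three outcomes described above.
function Test-ImpersonationProtection {
    # 1. Defender for Office 365 present? The ATP preset-policy cmdlets are only
    #    served to tenants with a Defender for Office 365 plan, so a failure here
    #    is treated as "EOP only" (assumption: a heuristic, not a licence lookup).
    try {
        $presetRules = Get-ATPProtectionPolicyRule -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Result = 'Fail'
            Reason = 'No Defender for Office 365 detected; add Plan 1 for impersonation protection' }
    }
    # 2. Is the Standard or Strict preset switched on? A preset that was never
    #    enabled has no rule object; one that was turned off has State 'Disabled'.
    $active = @($presetRules | Where-Object {
        $_.State -eq 'Enabled' -and ($_.Name -like 'Standard*' -or $_.Name -like 'Strict*') })
    if ($active.Count -eq 0) {
        return [pscustomobject]@{ Result = 'Fail'
            Reason = 'Built-in Protection only: neither the Standard nor the Strict preset is enabled' }
    }
    $tier = if ($active | Where-Object Name -like 'Strict*') { 'Strict' } else { 'Standard' }
    # 3. Look inside the preset's anti-phishing policy. The preset turns the
    #    impersonation engines on, but user impersonation only covers the people
    #    you list, so an empty list still leaves the CEO scenario unprotected.
    $policy = Get-AntiPhishPolicy | Where-Object { $_.Identity -like "$tier Preset*" } | Select-Object -First 1
    $warnings = @()
    if (-not $policy) { $warnings += "no anti-phish policy found for the $tier preset" }
    else {
        if (-not $policy.EnableTargetedUserProtection) { $warnings += 'user impersonation detection is off' }
        elseif (@($policy.TargetedUsersToProtect).Count -eq 0) { $warnings += 'no executives listed under users to protect' }
        if (-not $policy.EnableOrganizationDomainsProtection) { $warnings += 'own-domain impersonation detection is off' }
        if (-not $policy.EnableMailboxIntelligenceProtection) { $warnings += 'mailbox intelligence impersonation is off' }
    }
    # 4. Surface the rule scope so "assign it to all users" can be confirmed:
    #    a preset only protects the recipients (or domains) its rule is scoped to.
    $scope = $active | ForEach-Object {
        "$($_.Name): SentTo=$($_.SentTo -join ','); SentToMemberOf=$($_.SentToMemberOf -join ','); RecipientDomainIs=$($_.RecipientDomainIs -join ',')" }
    [pscustomobject]@{ Result = 'Pass'; Tier = $tier; Scope = ($scope -join ' | '); Warnings = $warnings }
}

Test-ImpersonationProtection | Format-List
```

A 'Pass' with a non-empty Warnings list means the preset is on but the CEO still is not on the protected-users list, which is the gap the wire-fraud scenario above exploits.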
Check your tenant
Want to know if your tenant is protected? Start a free PosturIQ trial — 30 checks across identity, email, and endpoints. 30 days free, no credit card.