The Microsoft KillPhish add-in will score an email if the Advanced Threat Protection (ATP) feature is turned on. Based on the score, the email will be marked as "Low Risk" for scores >= 95, "Medium Risk" for scores between 60 and 95, and "High Risk" for scores <= 60.
This table shows how the email score is calculated.
|SPF||If the SPF record fails for email.||40|
|DKIM||If the DKIM record fails for the email.||15|
|DMARC||If the DMARC record fails for the email.||15|
|Attachments||Certain attachments are considered risky. Example: html and xslm files are considered high risk.||
Score deduction based on the file attachment.
10 for high risk file types
5 for medium risk file types
|Links||Links are scanned using the Google Safe Browsing API. If Safe Browsing has marked a link as dangerous, the KillPhish add-in will mark the link as dangerous.||50|
|Words/phrases||Certain words/phrases will cause the score to be reduced. Example: "reset your password" is a high risk phrase.||
Score deduction based on the word/phrase.
2 for very suspicious words/phrases
0.5 for moderately suspicious words/phrases
0.25 for slightly suspicious words/phrases
If you own the Security Inbox feature, you can connect it to the KillPhish add-in and create your own blocklists and safelists for links and senders. These blocklists can help make ATP more accurate for the add-in.
Note: KillPhish's Advanced Threat Protection (ATP) scoring is not capable of detecting every social engineering/phishing threat in emails. You should use the other tools that Portal provides to educate your users about the various threats posed by phishing and social engineering, and how to detect these attacks. It is capable of detecting if an email passes SPF check, scores based on certain words/phrases that are considered high risk, and decreases an email's score if it contains certain high risk file attachments (such as .exe or .html files). Portal gives users the ability to turn off ATP on the Reporting Settings page.