User impersonation action is set to move to Quarantine.

Why This Matters

User impersonation attacks are a common vector for phishing and credential theft. If an attacker impersonates a legitimate user, they can bypass security controls and gain unauthorized access. Moving impersonated messages to quarantine reduces the risk of users interacting with malicious content.

What Aether365 Checks

This check verifies that your Microsoft 365 anti-phishing policy has the user impersonation action set to "Move message to quarantine." It appears in the Aether365 dashboard under microsoft-365 checks.