This guide outlines the criteria, description, and score reduction calculated for the KillPhish reporting tool.
The Microsoft KillPhish add-in will score an email if the Advanced Threat Protection (ATP) feature is turned on. Based on the score, the email will be marked as "Low Risk" for scores >= 95, "Medium Risk" for scores between 60 and 95, and "High Risk" for scores <= 60.
This table shows how the email score is calculated.
If you own the Security Inbox feature, you can connect it to the KillPhish add-in and create your own blocklists and safelists for links and senders. These blocklists can help make ATP more accurate for the add-in.
Note: KillPhish's Advanced Threat Protection (ATP) scoring is not capable of detecting every social engineering/phishing threat in emails. You should use the other tools that Portal provides to educate your users about the various threats posed by phishing and social engineering, and how to detect these attacks. It is capable of detecting if an email passes SPF check, scores based on certain words/phrases that are considered high risk, and decreases an email's score if it contains certain high risk file attachments (such as .exe or .html files). Portal gives users the ability to turn off ATP on the Reporting Settings page.