Checks/check-ORCA103.ps1

using module "..\ORCA.psm1"

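class ORCA103 : ORCACheck
{
    <#

        ORCA-103: outbound spam filter policy settings.

        Compares the recipient-rate limits and the threshold action of every
        hosted outbound spam filter policy against fixed baseline values and
        records a Pass/Fail per policy and setting.

    #>

    <#

        CONSTRUCTOR with Check Header Data

        Sets only the descriptive metadata of the check (control id, area,
        texts, result layout and reference links); no policy data is read here.

    #>

    ORCA103()
    {
        $this.Control="ORCA-103"
        $this.Area="Anti-Spam Policies"
        $this.Name="Outbound spam filter policy settings"
        $this.PassText="Outbound spam filter policy settings configured"
        # The recommendation names every setting GetResults evaluates, including
        # RecipientLimitPerDay, so a Fail on any of them is actionable from the report.
        $this.FailRecommendation="Set RecipientLimitExternalPerHour to 500, RecipientLimitInternalPerHour to 1000, RecipientLimitPerDay to 1000, and ActionWhenThresholdReached to BlockUser."
        $this.Importance="Configure the maximum number of recipients that a user can send to, per hour for internal (RecipientLimitInternalPerHour) and external recipients (RecipientLimitExternalPerHour) and maximum number per day for outbound email. It is common, after an account compromise incident, for an attacker to use the account to generate spam and phish. Configuring the recommended values can reduce the impact, but also allows you to receive notifications when these thresholds have been reached."
        $this.ExpandResults=$True
        $this.CheckType=[CheckType]::ObjectPropertyValue
        $this.ObjectType="Outbound Spam Policy"
        $this.ItemName="Setting"
        $this.DataType="Current Value"
        $this.ChiValue=[ORCACHI]::Low
        $this.Links= @{
                "Security & Compliance Center - Anti-spam settings"="https://protection.office.com/antispam"
                "Recommended settings for EOP and Office 365 ATP security"="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365-atp#anti-spam-anti-malware-and-anti-phishing-protection-in-eop"
            }
    }

    <#

        Records one recipient-limit setting of a policy.

        $Policy         policy object; its Name and the property named by $Setting are read
        $Setting        name of the limit property to evaluate
        $StandardValue  value that yields a Standard "Pass"
        $StrictValue    value that yields a Strict "Pass"

        The comparison is exact equality. Any other value is recorded as "Fail"
        for that level, and that includes a limit lower than the baseline. Because
        the two baselines differ, a single value can pass at most one level.

    #>

    hidden [void] AddRecipientLimitConfig($Policy, [string]$Setting, $StandardValue, $StrictValue)
    {
        $CurrentValue = $Policy.$Setting

        $ConfigObject = [ORCACheckConfig]::new()
        $ConfigObject.Object=$Policy.Name
        $ConfigObject.ConfigItem=$Setting
        $ConfigObject.ConfigData=$($Policy.$Setting)

        If($CurrentValue -eq $StandardValue)
        {
            $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Pass")
        }
        Else
        {
            $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Fail")
        }

        If($CurrentValue -eq $StrictValue)
        {
            $ConfigObject.SetResult([ORCAConfigLevel]::Strict,"Pass")
        }
        Else
        {
            $ConfigObject.SetResult([ORCAConfigLevel]::Strict,"Fail")
        }

        # Add config to check
        $this.AddConfig($ConfigObject)
    }

    <#

        RESULTS

        Evaluates every entry of $Config["HostedOutboundSpamFilterPolicy"] and adds
        four results per policy, in this order: RecipientLimitExternalPerHour,
        RecipientLimitInternalPerHour, RecipientLimitPerDay, ActionWhenThresholdReached.

        $Config  collection indexed by "HostedOutboundSpamFilterPolicy"; each policy
                 is read for Name and the four settings above.

    #>

    GetResults($Config)
    {
        ForEach($Policy in $Config["HostedOutboundSpamFilterPolicy"])
        {
            # External recipients per hour: 500 for standard, 400 for strict
            $this.AddRecipientLimitConfig($Policy, "RecipientLimitExternalPerHour", 500, 400)

            # Internal recipients per hour: 1000 for standard, 800 for strict
            $this.AddRecipientLimitConfig($Policy, "RecipientLimitInternalPerHour", 1000, 800)

            # Recipients per day: 1000 for standard, 800 for strict
            $this.AddRecipientLimitConfig($Policy, "RecipientLimitPerDay", 1000, 800)

            <#

                ActionWhenThresholdReached

            #>

            $ConfigObject = [ORCACheckConfig]::new()
            $ConfigObject.Object=$Policy.Name
            $ConfigObject.ConfigItem="ActionWhenThresholdReached"
            $ConfigObject.ConfigData=$($Policy.ActionWhenThresholdReached)

            # -like without wildcards is a case-insensitive match on the whole value,
            # so only "BlockUser" passes; every other action is a Fail.
            # NOTE(review): only the Standard level is set for this setting. What
            # ORCACheckConfig reports for a level that was never set is not visible
            # here; confirm the Strict result is the intended one.
            If($Policy.ActionWhenThresholdReached -like "BlockUser")
            {
                $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Pass")
            }
            Else
            {
                $ConfigObject.SetResult([ORCAConfigLevel]::Standard,"Fail")
            }

            # Add config to check
            $this.AddConfig($ConfigObject)

        }
    }

}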