Data/AuditChecks/M365ExchangeChecks.json
|
{
"categoryId": "m365exo", "categoryName": "Exchange Online Security", "categoryDescription": "Evaluates Exchange Online security configurations including anti-spam, anti-phishing, anti-malware policies, email authentication, transport rules, and mailbox auditing to protect against email-based threats and data exfiltration.", "checks": [ { "id": "M365EXO-001", "name": "Anti-spam policy audit", "description": "Anti-spam policies in Exchange Online Protection filter inbound and outbound email to block unsolicited messages and spam-based phishing campaigns. Misconfigured or default anti-spam settings may not provide adequate protection, allowing malicious emails to reach user inboxes. Customized spam filter policies with appropriate thresholds and actions are essential for reducing the volume of threats delivered to end users.", "severity": "High", "subcategory": "Email Protection", "recommendedValue": "Custom anti-spam policy with high confidence spam quarantined; bulk email threshold set to 6 or lower; outbound spam alerts enabled", "remediationSteps": "Review all anti-spam policies in Exchange Online and ensure that high confidence spam and high confidence phishing are set to quarantine rather than deliver to junk folder. Configure the bulk email threshold to 6 or lower to catch aggressive bulk senders and enable notifications for outbound spam detection. Apply the custom policy to all recipient domains and verify that no user-level overrides are weakening the organizational policy.", "compliance": { "nistSp80053": ["SI-8"], "cisM365": ["2.1.1"] } }, { "id": "M365EXO-002", "name": "Anti-phishing policy audit", "description": "Anti-phishing policies use mailbox intelligence and impersonation detection to identify emails that spoof trusted senders or domains. Without properly configured anti-phishing policies, attackers can impersonate executives, partners, or trusted domains to conduct business email compromise and credential harvesting attacks. Advanced anti-phishing settings including user and domain impersonation protection are critical for defending against targeted phishing campaigns.", "severity": "High", "subcategory": "Email Protection", "recommendedValue": "User impersonation protection enabled for executives and VIPs; domain impersonation protection enabled for all organizational domains; mailbox intelligence enabled", "remediationSteps": "Configure anti-phishing policies with impersonation protection for high-value targets including executives, finance team members, and IT administrators. Enable domain impersonation protection for all organizational domains and key partner domains, setting the action to quarantine impersonated messages. Enable mailbox intelligence and spoof intelligence with appropriate safety tips to warn users about potentially impersonated senders.", "compliance": { "nistSp80053": ["SI-8"], "mitreAttack": ["T1566"], "cisM365": ["2.1.2"] } }, { "id": "M365EXO-003", "name": "Anti-malware policy audit", "description": "Anti-malware policies in Exchange Online scan email attachments for known malware, viruses, and malicious content before delivery. Default anti-malware settings may not block all dangerous file types, and certain attachment types commonly used in attacks such as executables and scripts may pass through without filtering. A comprehensive anti-malware policy with common attachment type filtering is essential to prevent malware delivery via email.", "severity": "High", "subcategory": "Email Protection", "recommendedValue": "Common attachment types filter enabled blocking executable and script file types; zero-hour auto purge enabled; admin notifications enabled for malware detection", "remediationSteps": "Review the anti-malware policy and enable the common attachments filter to block dangerous file types including exe, vbs, js, ps1, bat, cmd, and other executable formats. Enable zero-hour auto purge (ZAP) to retroactively remove malware detected in already-delivered messages. Configure administrator notifications to alert the security team when malware is detected and verify that the policy is applied to all recipients in the organization.", "compliance": { "nistSp80053": ["SI-3"], "mitreAttack": ["T1204"], "cisM365": ["2.1.3"] } }, { "id": "M365EXO-004", "name": "Safe Attachments policy", "description": "Safe Attachments in Microsoft Defender for Office 365 detonates email attachments in a sandbox environment to detect zero-day malware and advanced threats that signature-based scanning cannot identify. Without Safe Attachments enabled, novel malware variants delivered as email attachments may bypass traditional anti-malware filters. This defense layer is critical for organizations targeted by sophisticated adversaries using custom or polymorphic malware.", "severity": "High", "subcategory": "Advanced Threat Protection", "recommendedValue": "Safe Attachments enabled in Dynamic Delivery mode for all users; global settings enabled for SharePoint, OneDrive, and Teams", "remediationSteps": "Create or update the Safe Attachments policy to use Dynamic Delivery mode, which delivers the email body immediately while attachments are scanned, minimizing user impact while maintaining protection. Enable Safe Attachments for SharePoint, OneDrive, and Teams in the global settings to extend file detonation protection beyond email. Assign the policy to all users and monitor the Threat Explorer for detections to validate policy effectiveness.", "compliance": { "nistSp80053": ["SI-3"], "cisM365": ["2.1.4"] } }, { "id": "M365EXO-005", "name": "Safe Links policy", "description": "Safe Links in Microsoft Defender for Office 365 provides time-of-click URL verification to protect users from malicious links in email messages and Office documents. Attackers commonly use deferred phishing techniques where a URL is benign at delivery time but is changed to point to a malicious site after the email passes initial scanning. Without Safe Links, users clicking on these weaponized URLs after delivery are unprotected.", "severity": "High", "subcategory": "Advanced Threat Protection", "recommendedValue": "Safe Links enabled for email and Office apps; URL rewriting enabled; do not allow click-through to malicious URLs; real-time scanning enabled", "remediationSteps": "Configure a Safe Links policy that applies to all users with URL scanning enabled for email messages and Microsoft Office applications. Enable the setting to block users from clicking through to detected malicious URLs and turn on real-time URL scanning for suspicious links. Do not add broad URL exceptions to the do-not-rewrite list and review any existing exceptions to ensure they are still necessary and do not create security gaps.", "compliance": { "nistSp80053": ["SI-3"], "mitreAttack": ["T1566.002"], "cisM365": ["2.1.5"] } }, { "id": "M365EXO-006", "name": "DKIM/DMARC/SPF validation", "description": "DKIM, DMARC, and SPF are email authentication protocols that verify sender identity and prevent domain spoofing. Without all three protocols properly configured, attackers can send emails that appear to originate from your organization's domain, enabling highly convincing phishing campaigns against employees, customers, and partners. Complete email authentication is a fundamental defense against business email compromise and domain impersonation.", "severity": "Critical", "subcategory": "Email Authentication", "recommendedValue": "SPF record with -all (hard fail); DKIM signing enabled for all domains; DMARC policy set to reject or quarantine with aggregate reporting enabled", "remediationSteps": "Verify that each organizational domain has a valid SPF record ending with -all (hard fail) that includes all authorized sending sources. Enable DKIM signing in Exchange Online for all custom domains and publish the DKIM CNAME records in DNS. Publish a DMARC record for each domain starting with a policy of none for monitoring, then progressively move to quarantine and finally reject once legitimate sending sources are confirmed, with aggregate reports configured for ongoing visibility.", "compliance": { "nistSp80053": ["SI-8"], "mitreAttack": ["T1566.001"], "cisM365": ["2.1.9"] } }, { "id": "M365EXO-007", "name": "Auto-forwarding policy", "description": "Automatic email forwarding to external addresses is a common data exfiltration technique used by attackers after compromising a mailbox. An attacker can set up auto-forwarding rules to silently copy all incoming email to an external address, maintaining persistent access to sensitive communications even after their access is revoked. Organizations should block external auto-forwarding by default and audit any existing forwarding rules.", "severity": "Critical", "subcategory": "Data Loss Prevention", "recommendedValue": "External auto-forwarding blocked via anti-spam outbound policy; existing forwarding rules audited and approved", "remediationSteps": "Configure the outbound spam filter policy to set automatic forwarding to 'Automatic - System-controlled' or 'Off' to block external auto-forwarding at the transport level. Audit all existing mailbox forwarding rules and SMTP forwarding configurations to identify any unauthorized external forwarding that may indicate compromise. Remove any unapproved forwarding rules and implement monitoring alerts to detect new forwarding rule creation using the unified audit log.", "compliance": { "nistSp80053": ["AC-4"], "mitreAttack": ["T1114.003"], "cisM365": ["2.1.6"] } }, { "id": "M365EXO-008", "name": "Transport rules inventory and analysis", "description": "Exchange Online transport rules (mail flow rules) process email messages in transit and can modify headers, redirect messages, add disclaimers, or bypass security controls. Malicious or misconfigured transport rules can silently redirect email, strip security headers, or bypass spam filtering for specific senders. A comprehensive audit of all transport rules is necessary to identify rules that may weaken security or facilitate data exfiltration.", "severity": "Medium", "subcategory": "Email Configuration", "recommendedValue": "All transport rules documented with business justification; no rules bypassing spam filtering or security controls without explicit approval", "remediationSteps": "Export and review all Exchange Online transport rules, paying particular attention to rules that bypass spam filtering, redirect email to external addresses, or modify message headers. Remove or disable any rules that lack a documented business justification or that were created by accounts that have since been compromised or deprovisioned. Implement a change management process for transport rule creation and modification, and set up audit log alerts for transport rule changes.", "compliance": { "nistSp80053": ["AC-4"] } }, { "id": "M365EXO-009", "name": "Mailbox auditing enabled", "description": "Mailbox auditing records actions performed on mailbox contents by the mailbox owner, delegates, and administrators, providing critical forensic evidence during security investigations. Although mailbox auditing is enabled by default in Microsoft 365, organizations may have disabled it for specific mailboxes or may not have verified that the default audit actions are sufficient. Without mailbox auditing, unauthorized mailbox access and data exfiltration cannot be detected or investigated.", "severity": "High", "subcategory": "Audit & Logging", "recommendedValue": "Mailbox auditing enabled for all mailboxes; default audit actions include MailItemsAccessed, Send, and SoftDelete for all logon types", "remediationSteps": "Verify that mailbox auditing is enabled organization-wide by checking that the AuditDisabled parameter is set to False on all mailboxes. Review the audited actions for each logon type (Owner, Delegate, Admin) and ensure that critical actions such as MailItemsAccessed, Send, SoftDelete, HardDelete, and UpdateFolderPermissions are being recorded. For mailboxes that have audit disabled, re-enable auditing and investigate why it was disabled to rule out malicious tampering.", "compliance": { "nistSp80053": ["AU-2", "AU-3"], "cisM365": ["3.1.1"] } }, { "id": "M365EXO-010", "name": "External sender warnings", "description": "External sender identification helps users recognize when an email originates from outside the organization, reducing the effectiveness of impersonation and social engineering attacks. Without visible external sender indicators, users may not distinguish between internal colleagues and external senders spoofing internal display names. Configuring external sender tags or mail tips provides a visual cue that prompts users to exercise additional caution.", "severity": "Medium", "subcategory": "Email Protection", "recommendedValue": "External sender tag or mail tip enabled to visually identify emails from external senders", "remediationSteps": "Enable the external sender identification feature in the Exchange Online anti-phishing policy to display a visual indicator on emails from external senders. Consider implementing a transport rule that prepends '[External]' to the subject line of inbound emails from outside the organization as an additional visual warning. Communicate the change to end users and provide guidance on how to identify and respond to suspicious external emails.", "compliance": { "nistSp80053": ["SI-8"], "cisM365": ["2.1.7"] } }, { "id": "M365EXO-011", "name": "OAuth/SMTP AUTH per-mailbox audit", "description": "Legacy authentication protocols such as SMTP AUTH allow mailbox authentication using only username and password, bypassing multi-factor authentication and Conditional Access controls. Attackers who obtain mailbox credentials through phishing or password spraying can use SMTP AUTH to access email without triggering MFA challenges. Disabling SMTP AUTH and legacy OAuth flows on mailboxes that do not require them closes a significant authentication bypass vector.", "severity": "High", "subcategory": "Authentication", "recommendedValue": "SMTP AUTH disabled organization-wide with per-mailbox exceptions only for documented service accounts; legacy OAuth disabled", "remediationSteps": "Disable SMTP AUTH at the organization level using Set-TransportConfig and then selectively enable it only for specific service account mailboxes that require it for application integration. Audit all mailboxes with SMTP AUTH enabled to verify there is a documented business justification and that the credentials are managed securely. Monitor sign-in logs for SMTP AUTH usage to detect potential credential abuse and plan migration of legacy applications to modern authentication methods.", "compliance": { "nistSp80053": ["IA-2"], "mitreAttack": ["T1078"], "cisM365": ["1.1.16"] } }, { "id": "M365EXO-012", "name": "Remote domains auto-forward setting", "description": "Remote domain settings in Exchange Online control message formatting and out-of-office delivery to external domains, including whether auto-forwarding is permitted per domain. The default remote domain (*) may be configured to allow auto-forwarding, which overrides the outbound spam policy and enables data exfiltration through mailbox forwarding rules. This setting must be audited independently from the outbound spam filter to ensure consistent external forwarding controls.", "severity": "High", "subcategory": "Data Loss Prevention", "recommendedValue": "Auto-forwarding disabled on the default remote domain (*) and all custom remote domains unless explicitly required", "remediationSteps": "Review the default remote domain (*) configuration and set AutoForwardEnabled to False to prevent automatic forwarding to all external domains. Audit any custom remote domain entries and disable auto-forwarding unless there is a documented business requirement for a specific partner domain. Verify that the remote domain settings align with the outbound spam policy auto-forwarding configuration to ensure consistent enforcement across both control layers.", "compliance": { "nistSp80053": ["AC-4"], "mitreAttack": ["T1114.003"] } } ] } |