Data/AuditChecks/M365ExchangeChecks.json
{ "categoryId": "m365exo", "categoryName": "Exchange Online Security", "categoryDescription": "Evaluates Exchange Online security configurations including anti-spam, anti-phishing, anti-malware policies, email authentication, transport rules, and mailbox auditing to protect against email-based threats and data exfiltration.", "checks": [ { "id": "M365EXO-001", "name": "Anti-spam policy audit", "description": "Anti-spam policies in Exchange Online Protection filter inbound and outbound email to block unsolicited messages and spam-based phishing campaigns. Misconfigured or default anti-spam settings may not provide adequate protection, allowing malicious emails to reach user inboxes. Customized spam filter policies with appropriate thresholds and actions are essential for reducing the volume of threats delivered to end users.", "severity": "High", "subcategory": "Email Protection", "recommendedValue": "Custom anti-spam policy with high confidence spam quarantined; bulk email threshold set to 6 or lower; outbound spam alerts enabled", "remediationSteps": "Review all anti-spam policies in Exchange Online and ensure that high confidence spam and high confidence phishing are set to quarantine rather than deliver to junk folder. Configure the bulk email threshold to 6 or lower to catch aggressive bulk senders and enable notifications for outbound spam detection. Apply the custom policy to all recipient domains and verify that no user-level overrides are weakening the organizational policy.", "compliance": { "nistSp80053": ["SI-8"], "cisM365": ["2.1.1"] } }, { "id": "M365EXO-002", "name": "Anti-phishing policy audit", "description": "Anti-phishing policies use mailbox intelligence and impersonation detection to identify emails that spoof trusted senders or domains. Without properly configured anti-phishing policies, attackers can impersonate executives, partners, or trusted domains to conduct business email compromise and credential harvesting attacks. 
Advanced anti-phishing settings including user and domain impersonation protection are critical for defending against targeted phishing campaigns.", "severity": "High", "subcategory": "Email Protection", "recommendedValue": "User impersonation protection enabled for executives and VIPs; domain impersonation protection enabled for all organizational domains; mailbox intelligence enabled", "remediationSteps": "Configure anti-phishing policies with impersonation protection for high-value targets including executives, finance team members, and IT administrators. Enable domain impersonation protection for all organizational domains and key partner domains, setting the action to quarantine impersonated messages. Enable mailbox intelligence and spoof intelligence with appropriate safety tips to warn users about potentially impersonated senders.", "compliance": { "scuba": ["MS.DEFENDER.2.1v1", "MS.DEFENDER.2.2v1"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1566"], "cisM365": ["2.1.2"] } }, { "id": "M365EXO-003", "name": "Anti-malware policy audit", "description": "Anti-malware policies in Exchange Online scan email attachments for known malware, viruses, and malicious content before delivery. Default anti-malware settings may not block all dangerous file types, and certain attachment types commonly used in attacks such as executables and scripts may pass through without filtering. A comprehensive anti-malware policy with common attachment type filtering is essential to prevent malware delivery via email.", "severity": "High", "subcategory": "Email Protection", "recommendedValue": "Common attachment types filter enabled blocking executable and script file types; zero-hour auto purge enabled; admin notifications enabled for malware detection", "remediationSteps": "Review the anti-malware policy and enable the common attachments filter to block dangerous file types including exe, vbs, js, ps1, bat, cmd, and other executable formats. 
Enable zero-hour auto purge (ZAP) to retroactively remove malware detected in already-delivered messages. Configure administrator notifications to alert the security team when malware is detected and verify that the policy is applied to all recipients in the organization.", "compliance": { "nistSp80053": ["SI-3"], "mitreAttack": ["T1204"], "cisM365": ["2.1.3"] } }, { "id": "M365EXO-004", "name": "Safe Attachments policy", "description": "Safe Attachments in Microsoft Defender for Office 365 detonates email attachments in a sandbox environment to detect zero-day malware and advanced threats that signature-based scanning cannot identify. Without Safe Attachments enabled, novel malware variants delivered as email attachments may bypass traditional anti-malware filters. This defense layer is critical for organizations targeted by sophisticated adversaries using custom or polymorphic malware.", "severity": "High", "subcategory": "Advanced Threat Protection", "recommendedValue": "Safe Attachments enabled in Dynamic Delivery mode for all users; global settings enabled for SharePoint, OneDrive, and Teams", "remediationSteps": "Create or update the Safe Attachments policy to use Dynamic Delivery mode, which delivers the email body immediately while attachments are scanned, minimizing user impact while maintaining protection. Enable Safe Attachments for SharePoint, OneDrive, and Teams in the global settings to extend file detonation protection beyond email. Assign the policy to all users and monitor the Threat Explorer for detections to validate policy effectiveness.", "compliance": { "scuba": ["MS.DEFENDER.3.1v1"], "nistSp80053": ["SI-3"], "cisM365": ["2.1.4"] } }, { "id": "M365EXO-005", "name": "Safe Links policy", "description": "Safe Links in Microsoft Defender for Office 365 provides time-of-click URL verification to protect users from malicious links in email messages and Office documents. 
Attackers commonly use deferred phishing techniques where a URL is benign at delivery time but is changed to point to a malicious site after the email passes initial scanning. Without Safe Links, users clicking on these weaponized URLs after delivery are unprotected.", "severity": "High", "subcategory": "Advanced Threat Protection", "recommendedValue": "Safe Links enabled for email and Office apps; URL rewriting enabled; do not allow click-through to malicious URLs; real-time scanning enabled", "remediationSteps": "Configure a Safe Links policy that applies to all users with URL scanning enabled for email messages and Microsoft Office applications. Enable the setting to block users from clicking through to detected malicious URLs and turn on real-time URL scanning for suspicious links. Do not add broad URL exceptions to the do-not-rewrite list and review any existing exceptions to ensure they are still necessary and do not create security gaps.", "compliance": { "nistSp80053": ["SI-3"], "mitreAttack": ["T1566.002"], "cisM365": ["2.1.5"] } }, { "id": "M365EXO-006", "name": "DKIM/DMARC/SPF validation", "description": "DKIM, DMARC, and SPF are email authentication protocols that verify sender identity and prevent domain spoofing. Without all three protocols properly configured, attackers can send emails that appear to originate from your organization's domain, enabling highly convincing phishing campaigns against employees, customers, and partners. Complete email authentication is a fundamental defense against business email compromise and domain impersonation.", "severity": "Critical", "subcategory": "Email Authentication", "recommendedValue": "SPF record with -all (hard fail); DKIM signing enabled for all domains; DMARC policy set to reject or quarantine with aggregate reporting enabled", "remediationSteps": "Verify that each organizational domain has a valid SPF record ending with -all (hard fail) that includes all authorized sending sources. 
Enable DKIM signing in Exchange Online for all custom domains and publish the DKIM CNAME records in DNS. Publish a DMARC record for each domain starting with a policy of none for monitoring, then progressively move to quarantine and finally reject once legitimate sending sources are confirmed, with aggregate reports configured for ongoing visibility.", "compliance": { "scuba": ["MS.EXO.2.2v3", "MS.EXO.3.1v1", "MS.EXO.4.1v1", "MS.EXO.4.2v1"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1566.001"], "cisM365": ["2.1.9"] } }, { "id": "M365EXO-007", "name": "Auto-forwarding policy", "description": "Automatic email forwarding to external addresses is a common data exfiltration technique used by attackers after compromising a mailbox. An attacker can set up auto-forwarding rules to silently copy all incoming email to an external address, maintaining persistent access to sensitive communications even after their access is revoked. Organizations should block external auto-forwarding by default and audit any existing forwarding rules.", "severity": "Critical", "subcategory": "Data Loss Prevention", "recommendedValue": "External auto-forwarding blocked via anti-spam outbound policy; existing forwarding rules audited and approved", "remediationSteps": "Configure the outbound spam filter policy to set automatic forwarding to 'Off' or 'Automatic - System-controlled' to block external auto-forwarding at the transport level; prefer the explicit 'Off' setting so that enforcement does not depend on a Microsoft-managed default. Audit all existing mailbox forwarding rules and SMTP forwarding configurations to identify any unauthorized external forwarding that may indicate compromise. 
Remove any unapproved forwarding rules and implement monitoring alerts to detect new forwarding rule creation using the unified audit log.", "compliance": { "scuba": ["MS.EXO.1.1v2"], "nistSp80053": ["AC-4"], "mitreAttack": ["T1114.003"], "cisM365": ["2.1.6"] } }, { "id": "M365EXO-008", "name": "Transport rules inventory and analysis", "description": "Exchange Online transport rules (mail flow rules) process email messages in transit and can modify headers, redirect messages, add disclaimers, or bypass security controls. Malicious or misconfigured transport rules can silently redirect email, strip security headers, or bypass spam filtering for specific senders. A comprehensive audit of all transport rules is necessary to identify rules that may weaken security or facilitate data exfiltration.", "severity": "Medium", "subcategory": "Email Configuration", "recommendedValue": "All transport rules documented with business justification; no rules bypassing spam filtering or security controls without explicit approval", "remediationSteps": "Export and review all Exchange Online transport rules, paying particular attention to rules that bypass spam filtering, redirect email to external addresses, or modify message headers. Remove or disable any rules that lack a documented business justification or that were created by accounts that have since been compromised or deprovisioned. Implement a change management process for transport rule creation and modification, and set up audit log alerts for transport rule changes.", "compliance": { "nistSp80053": ["AC-4"] } }, { "id": "M365EXO-009", "name": "Mailbox auditing enabled", "description": "Mailbox auditing records actions performed on mailbox contents by the mailbox owner, delegates, and administrators, providing critical forensic evidence during security investigations. 
Although mailbox auditing is enabled by default in Microsoft 365, organizations may have disabled it for specific mailboxes or may not have verified that the default audit actions are sufficient. Without mailbox auditing, unauthorized mailbox access and data exfiltration cannot be detected or investigated.", "severity": "High", "subcategory": "Audit & Logging", "recommendedValue": "Mailbox auditing enabled for all mailboxes; default audit actions include MailItemsAccessed, Send, and SoftDelete for all logon types", "remediationSteps": "Verify that mailbox auditing is enabled organization-wide by checking that the AuditDisabled parameter is set to False on the organization configuration and that AuditEnabled is set to True on all mailboxes. Review the audited actions for each logon type (Owner, Delegate, Admin) and ensure that critical actions such as MailItemsAccessed, Send, SoftDelete, HardDelete, and UpdateFolderPermissions are being recorded. For mailboxes that have audit disabled, re-enable auditing and investigate why it was disabled to rule out malicious tampering.", "compliance": { "scuba": ["MS.EXO.13.1v1"], "nistSp80053": ["AU-2", "AU-3"], "cisM365": ["3.1.1"] } }, { "id": "M365EXO-010", "name": "External sender warnings", "description": "External sender identification helps users recognize when an email originates from outside the organization, reducing the effectiveness of impersonation and social engineering attacks. Without visible external sender indicators, users may not distinguish between internal colleagues and external senders spoofing internal display names. 
Configuring external sender tags or mail tips provides a visual cue that prompts users to exercise additional caution.", "severity": "Medium", "subcategory": "Email Protection", "recommendedValue": "External sender tag or mail tip enabled to visually identify emails from external senders", "remediationSteps": "Enable the native external sender identification feature in Exchange Online (Set-ExternalInOutlook) to display a visual indicator on emails from external senders. Consider implementing a transport rule that prepends '[External]' to the subject line of inbound emails from outside the organization as an additional visual warning. Communicate the change to end users and provide guidance on how to identify and respond to suspicious external emails.", "compliance": { "scuba": ["MS.EXO.7.1v1"], "nistSp80053": ["SI-8"], "cisM365": ["2.1.7"] } }, { "id": "M365EXO-011", "name": "OAuth/SMTP AUTH per-mailbox audit", "description": "Legacy authentication protocols such as SMTP AUTH allow mailbox authentication using only username and password, bypassing multi-factor authentication and Conditional Access controls. Attackers who obtain mailbox credentials through phishing or password spraying can use SMTP AUTH to access email without triggering MFA challenges. Disabling SMTP AUTH and legacy OAuth flows on mailboxes that do not require them closes a significant authentication bypass vector.", "severity": "High", "subcategory": "Authentication", "recommendedValue": "SMTP AUTH disabled organization-wide with per-mailbox exceptions only for documented service accounts; legacy OAuth disabled", "remediationSteps": "Disable SMTP AUTH at the organization level using Set-TransportConfig and then selectively enable it only for specific service account mailboxes that require it for application integration. Audit all mailboxes with SMTP AUTH enabled to verify there is a documented business justification and that the credentials are managed securely. 
Monitor sign-in logs for SMTP AUTH usage to detect potential credential abuse and plan migration of legacy applications to modern authentication methods.", "compliance": { "scuba": ["MS.EXO.5.1v1"], "nistSp80053": ["IA-2"], "mitreAttack": ["T1078"], "cisM365": ["1.1.16"] } }, { "id": "M365EXO-012", "name": "Remote domains auto-forward setting", "description": "Remote domain settings in Exchange Online control message formatting and out-of-office delivery to external domains, including whether auto-forwarding is permitted per domain. The default remote domain (*) may be configured to allow auto-forwarding, which overrides the outbound spam policy and enables data exfiltration through mailbox forwarding rules. This setting must be audited independently from the outbound spam filter to ensure consistent external forwarding controls.", "severity": "High", "subcategory": "Data Loss Prevention", "recommendedValue": "Auto-forwarding disabled on the default remote domain (*) and all custom remote domains unless explicitly required", "remediationSteps": "Review the default remote domain (*) configuration and set AutoForwardEnabled to False to prevent automatic forwarding to all external domains. Audit any custom remote domain entries and disable auto-forwarding unless there is a documented business requirement for a specific partner domain. Verify that the remote domain settings align with the outbound spam policy auto-forwarding configuration to ensure consistent enforcement across both control layers.", "compliance": { "scuba": ["MS.EXO.1.1v2"], "nistSp80053": ["AC-4"], "mitreAttack": ["T1114.003"] } }, { "id": "M365EXO-013", "name": "Automatic forwarding to external domains disabled (MS.EXO.1.1)", "description": "SCuBA MS.EXO.1.1 requires that automatic forwarding to external domains be disabled. Remote domain configuration in Exchange Online governs whether mail can be auto-forwarded out of the tenant. 
When the default remote domain (*) permits auto-forwarding, a compromised mailbox can silently exfiltrate all inbound mail to an attacker-controlled external address, persisting access even after credentials are reset.", "severity": "High", "subcategory": "Data Loss Prevention", "recommendedValue": "AutoForwardEnabled set to False on the default remote domain (*) and on every custom remote domain unless a specific partner integration is documented", "remediationSteps": "In the Exchange admin center under Mail flow, open Remote domains and edit the Default (*) entry so that automatic forwarding is not allowed (AutoForwardEnabled = False). Repeat for every custom remote domain that does not have a documented business need for cross-tenant auto-forwarding. Confirm the outbound spam policy auto-forward setting is consistent so that both control layers enforce the same restriction.", "compliance": { "scuba": ["MS.EXO.1.1v2"], "nistSp80053": ["AC-4"], "mitreAttack": ["T1114.003"] } }, { "id": "M365EXO-014", "name": "Approved sending IP list maintained (MS.EXO.2.1)", "description": "SCuBA MS.EXO.2.1 requires that a list of approved IP addresses for sending mail be maintained, which forms the basis of an accurate SPF record. The approved sender list is the authoritative input that determines which hosts may legitimately send mail for each domain. Without a maintained list, an SPF policy cannot be scoped correctly and either fails to block spoofers or blocks legitimate senders.", "severity": "Medium", "subcategory": "Email Authentication", "recommendedValue": "A documented, current list of all approved sending sources per domain (Exchange Online include plus any third-party senders), reflected in the published SPF record", "remediationSteps": "Inventory every system that legitimately sends email on behalf of each accepted domain, including Exchange Online (spf.protection.outlook.com), marketing platforms, ticketing systems, and on-premises relays. 
Record this approved sender list as the source of truth and ensure the published SPF record references exactly those sources. Review the list whenever a new sending service is onboarded or retired so the SPF record stays accurate.", "compliance": { "scuba": ["MS.EXO.2.1v1"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1566.001"] } }, { "id": "M365EXO-015", "name": "SPF policy published for each domain (MS.EXO.2.2)", "description": "SCuBA MS.EXO.2.2 requires that an SPF policy be published for each domain, designating only approved addresses as senders and failing all others. SPF is published as a DNS TXT record rather than an Exchange Online setting. A missing SPF record, or one ending in +all or ?all, allows adversaries to spoof the FROM field of mail appearing to originate from the organization, enabling convincing phishing.", "severity": "Critical", "subcategory": "Email Authentication", "recommendedValue": "A single SPF TXT record per domain that lists all approved senders and ends with -all (hard fail)", "remediationSteps": "Publish a single SPF TXT record for each accepted domain that enumerates all approved sending sources and ends with -all to hard-fail unauthorized senders. Remove any duplicate SPF records, which violate RFC 7208 and cause validation to fail. Avoid +all and ?all, which neutralize SPF enforcement, and validate the record with a DNS lookup after publishing.", "compliance": { "scuba": ["MS.EXO.2.2v1", "MS.EXO.2.2v3"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1566.001"] } }, { "id": "M365EXO-016", "name": "DKIM enabled for all domains (MS.EXO.3.1)", "description": "SCuBA MS.EXO.3.1 recommends that DKIM be enabled for all domains. DKIM adds a cryptographic signature to the message header so recipients can verify message integrity and authenticity. 
Without DKIM, recipients have one fewer signal to detect spoofed mail and DMARC alignment cannot rely on DKIM, weakening overall email authentication.", "severity": "High", "subcategory": "Email Authentication", "recommendedValue": "DKIM signing enabled for every custom domain with the corresponding selector CNAME records published in DNS", "remediationSteps": "Enable DKIM signing in Exchange Online for every custom domain and publish the two selector CNAME records that the service generates in the domain's DNS. Verify that the signing configuration reports an Enabled state once the CNAME records propagate. Rotate keys periodically and confirm that newly added domains have DKIM enabled as part of domain onboarding.", "compliance": { "scuba": ["MS.EXO.3.1v1"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1566.001"] } }, { "id": "M365EXO-017", "name": "DMARC policy published for each domain (MS.EXO.4.1)", "description": "SCuBA MS.EXO.4.1 requires that a DMARC policy be published for every second-level domain. DMARC is a DNS TXT record at _dmarc.<domain> that tells receivers how to handle mail failing SPF and DKIM and where to send reports. Without a DMARC record, receivers handle authentication failures inconsistently, allowing spoofed mail to reach inboxes.", "severity": "Critical", "subcategory": "Email Authentication", "recommendedValue": "A DMARC TXT record published at _dmarc for every second-level domain", "remediationSteps": "Publish a DMARC TXT record at _dmarc.<domain> for every second-level domain; a record at the second-level domain protects its subdomains. Begin with p=none to gather aggregate reports without affecting delivery, validate that legitimate sources align under SPF or DKIM, then progress the enforcement level. 
Confirm the record resolves correctly using a DNS lookup.", "compliance": { "scuba": ["MS.EXO.4.1v1"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1566.001"] } }, { "id": "M365EXO-018", "name": "DMARC enforcement set to p=reject (MS.EXO.4.2)", "description": "SCuBA MS.EXO.4.2 requires that the DMARC message rejection option be set to p=reject. Of the three policy values (none, quarantine, reject), reject provides the strongest protection by instructing receivers to drop unauthenticated mail outright. A policy of none or quarantine leaves a window for spoofed mail to reach or land near user inboxes.", "severity": "High", "subcategory": "Email Authentication", "recommendedValue": "DMARC record for each domain contains p=reject", "remediationSteps": "After confirming that all legitimate senders pass SPF or DKIM alignment under monitoring, update each domain's DMARC record to p=reject so receivers discard mail that fails authentication. Move through p=none and p=quarantine first to avoid disrupting legitimate mail. Continue monitoring aggregate reports after enforcing reject to catch any newly onboarded sender that is not yet aligned.", "compliance": { "scuba": ["MS.EXO.4.2v1"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1566.001"] } }, { "id": "M365EXO-019", "name": "DMARC aggregate report contact configured (MS.EXO.4.3)", "description": "SCuBA MS.EXO.4.3 requires that the DMARC aggregate report contact (RUA) include reports@dmarc.cyber.dhs.gov for federal executive-branch agencies, and more generally that an aggregate report destination be configured. 
Aggregate reports give domain owners visibility into who is sending mail as their domain, which is essential for safely advancing to p=reject and detecting spoofing campaigns.", "severity": "Medium", "subcategory": "Email Authentication", "recommendedValue": "DMARC record includes an rua= aggregate report destination; federal executive-branch agencies include reports@dmarc.cyber.dhs.gov", "remediationSteps": "Add an rua= tag to each DMARC record pointing to a monitored mailbox or report-processing service so aggregate reports are collected and reviewed. Federal executive-branch departments and agencies must include reports@dmarc.cyber.dhs.gov in the RUA field per BOD 18-01. Ensure the receiving mailbox or service is actively monitored so spoofing trends are acted upon.", "compliance": { "scuba": ["MS.EXO.4.3v1"], "nistSp80053": ["SI-8", "AU-6"], "mitreAttack": ["T1566.001"] } }, { "id": "M365EXO-020", "name": "SMTP AUTH disabled organization-wide (MS.EXO.5.1)", "description": "SCuBA MS.EXO.5.1 requires that SMTP AUTH be disabled. SMTP AUTH is a legacy submission protocol that authenticates with username and password and cannot enforce multi-factor authentication. Leaving it enabled as the tenant default gives attackers a path to send mail using stolen credentials while bypassing MFA and Conditional Access.", "severity": "High", "subcategory": "Authentication", "recommendedValue": "SMTP AUTH disabled as the organization default (SmtpClientAuthenticationDisabled = True), with per-mailbox exceptions only for documented service accounts", "remediationSteps": "Disable SMTP AUTH as the global default by setting SmtpClientAuthenticationDisabled to True on the transport configuration. Where a specific service account genuinely requires SMTP AUTH, enable it only on that individual mailbox and document the justification. 
Monitor sign-in telemetry for SMTP AUTH usage and migrate legacy applications to modern authentication.", "compliance": { "scuba": ["MS.EXO.5.1v1"], "nistSp80053": ["IA-2"], "mitreAttack": ["T1078", "T1110"] } }, { "id": "M365EXO-021", "name": "Contact folder sharing not open to all domains (MS.EXO.6.1)", "description": "SCuBA MS.EXO.6.1 requires that contact folders not be shared with all domains. Exchange Online sharing policies can relax the default restriction on outbound contact sharing. A policy that shares contacts with all domains (a '*' domain entry) exposes directory and contact data broadly, creating a data exfiltration avenue and aiding reconnaissance for social engineering.", "severity": "Medium", "subcategory": "Data Loss Prevention", "recommendedValue": "No sharing policy rule grants contact sharing to the wildcard domain (*); sharing limited to specific approved domains only", "remediationSteps": "Review every Exchange Online sharing policy and remove any rule that shares contact folders with the wildcard domain (*). Where external contact sharing is genuinely required, scope it to specific named partner domains rather than all domains. Validate that the default sharing policy does not silently re-enable all-domain contact sharing.", "compliance": { "scuba": ["MS.EXO.6.1v1"], "nistSp80053": ["AC-4", "AC-21"], "mitreAttack": ["T1087"] } }, { "id": "M365EXO-022", "name": "Calendar detail sharing not open to all domains (MS.EXO.6.2)", "description": "SCuBA MS.EXO.6.2 requires that calendar details not be shared with all domains. Sharing policies can permit external calendar detail sharing; a rule covering the wildcard domain (*) exposes meeting subjects, locations, and attendee information to any external party. 
This leaks organizational activity that supports targeted phishing and physical reconnaissance.", "severity": "Medium", "subcategory": "Data Loss Prevention", "recommendedValue": "No sharing policy rule grants calendar detail sharing (CalendarSharing*) to the wildcard domain (*); sharing limited to specific approved domains, ideally free/busy only", "remediationSteps": "Review every Exchange Online sharing policy and remove any rule that shares calendar details with the wildcard domain (*). If external calendar sharing is required, restrict it to specific named domains and prefer free/busy-only levels over full detail. Confirm the default sharing policy does not expose calendar details to all domains.", "compliance": { "scuba": ["MS.EXO.6.2v1"], "nistSp80053": ["AC-4", "AC-21"], "mitreAttack": ["T1087"] } }, { "id": "M365EXO-023", "name": "External sender warning implemented (MS.EXO.7.1)", "description": "SCuBA MS.EXO.7.1 requires that external sender warnings be implemented. Marking mail that originates outside the organization helps users recognize impersonation and social engineering attempts. This can be delivered via the native external sender tag (Set-ExternalInOutlook) or a mail flow rule that prepends an indicator such as [External] to the subject of inbound external mail.", "severity": "Medium", "subcategory": "Email Protection", "recommendedValue": "Native external sender identification enabled (Get-ExternalInOutlook Enabled = True) or a mail flow rule that prepends an external marker to inbound external mail", "remediationSteps": "Enable the native external sender identification feature so Outlook displays an External tag on mail from outside the organization. Alternatively, or in addition, create an enabled mail flow rule that prepends a marker such as [External] to the subject of mail received from outside the organization. 
Communicate the change to users so they understand what the indicator means.", "compliance": { "scuba": ["MS.EXO.7.1v1"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1566"] } }, { "id": "M365EXO-024", "name": "Data loss prevention solution in use (MS.EXO.8.1)", "description": "SCuBA MS.EXO.8.1 requires that a DLP solution be used, offering services comparable to the native Microsoft solution. DLP detects sensitive information in Exchange Online mail and prevents unauthorized disclosure. Without DLP, users may inadvertently or maliciously send sensitive data outside the organization with no automated detection or blocking.", "severity": "High", "subcategory": "Data Loss Prevention", "recommendedValue": "At least one active DLP policy scoped to the Exchange Online workload", "remediationSteps": "Deploy a DLP solution that covers the Exchange Online mail workload and confirm at least one policy is enabled and applied. If using the native Microsoft DLP capability, create a policy in the compliance portal scoped to Exchange email. Validate that the policy is in enforce mode rather than test-only so disclosures are actually blocked.", "compliance": { "scuba": ["MS.EXO.8.1v1"], "nistSp80053": ["SI-4", "SC-7"], "mitreAttack": ["T1048"] } }, { "id": "M365EXO-025", "name": "DLP protects PII and sensitive data types (MS.EXO.8.2)", "description": "SCuBA MS.EXO.8.2 requires that the DLP solution protect PII and sensitive information, restricting at minimum the sharing of credit card numbers, Taxpayer Identification Numbers, and Social Security numbers via email. 
A DLP solution that exists but does not detect these high-value identifiers fails to prevent the most damaging classes of inadvertent disclosure.", "severity": "High", "subcategory": "Data Loss Prevention", "recommendedValue": "DLP policy includes sensitive information types covering credit card numbers, TIN, and SSN with a restrict/block action for email", "remediationSteps": "Configure the DLP policy that covers Exchange Online to detect the sensitive information types for credit card numbers, Taxpayer Identification Numbers, and Social Security numbers, plus any additional agency-defined PII. Set the rule action to block or restrict outbound mail containing these identifiers. Test with sample data to confirm detection and that user notifications and incident reports are generated.", "compliance": { "scuba": ["MS.EXO.8.2v1"], "nistSp80053": ["SI-4", "SC-7", "MP-6"], "mitreAttack": ["T1048"] } }, { "id": "M365EXO-026", "name": "Email filtered by attachment file type (MS.EXO.9.1)", "description": "SCuBA MS.EXO.9.1 requires that emails be filtered by attachment file type, comparable to the Common Attachment Filter. Many malware payloads arrive as click-to-run attachments. Filtering inbound mail by attachment type blocks dangerous file classes before they reach users, reducing the chance of accidental execution.", "severity": "High", "subcategory": "Email Protection", "recommendedValue": "A malware/anti-malware policy with the common attachment type filter enabled (EnableFileFilter = True)", "remediationSteps": "Enable the common attachments filter on the anti-malware policy so inbound mail is filtered by attachment file type. Confirm the policy is applied to all recipients and not limited to a subset. 
Where a comparable third-party gateway provides this filtering, verify it is enabled and covers the same dangerous file classes.", "compliance": { "scuba": ["MS.EXO.9.1v1"], "nistSp80053": ["SI-3"], "mitreAttack": ["T1204.002"] } }, { "id": "M365EXO-027", "name": "Attachment filter assesses true file type (MS.EXO.9.2)", "description": "SCuBA MS.EXO.9.2 recommends that the attachment filter attempt to determine the true file type and assess the file extension. Attackers rename files to disguise dangerous types (for example, renaming an executable to a .txt). True-type detection catches mismatches where the extension does not match the actual file content, closing a common evasion technique.", "severity": "Medium", "subcategory": "Email Protection", "recommendedValue": "Attachment filtering configured to inspect true file type rather than relying on the file extension alone", "remediationSteps": "Ensure the attachment filtering solution inspects the actual file content to determine the true type rather than trusting the file extension. In the native solution this is provided by the common attachment filter's type detection; verify it is enabled. For third-party gateways, confirm true-type or content-based inspection is configured so renamed dangerous files are still caught.", "compliance": { "scuba": ["MS.EXO.9.2v1"], "nistSp80053": ["SI-3"], "mitreAttack": ["T1036.008"] } }, { "id": "M365EXO-028", "name": "Disallowed attachment file types set (MS.EXO.9.3)", "description": "SCuBA MS.EXO.9.3 requires that disallowed file types be determined and set, blocking at minimum click-to-run files such as .exe, .cmd, and .vbe. An attachment filter that is enabled but has an empty or insufficient block list provides no real protection. 
The organization must define and maintain the list of blocked extensions in line with its risk tolerance.", "severity": "High", "subcategory": "Email Protection", "recommendedValue": "Attachment filter block list populated with executable/click-to-run types including at least exe, cmd, vbe, vbs, js, ps1, bat", "remediationSteps": "Populate the attachment filter block list with the file types the organization will not accept over email, ensuring click-to-run executables such as exe, cmd, vbe, vbs, js, ps1, and bat are included at minimum. Review the list against current threat trends and the organization's risk tolerance. Verify the list is non-empty and applied to all recipients.", "compliance": { "scuba": ["MS.EXO.9.3v1"], "nistSp80053": ["SI-3"], "mitreAttack": ["T1204.002"] } }, { "id": "M365EXO-029", "name": "Emails scanned for malware (MS.EXO.10.1)", "description": "SCuBA MS.EXO.10.1 requires that emails be scanned for malware. Email is a primary malware delivery channel; scanning inbound mail detects known malicious content before it reaches users. An organization with no active anti-malware policy leaves users directly exposed to malware-laden attachments.", "severity": "High", "subcategory": "Email Protection", "recommendedValue": "At least one active anti-malware policy applied to all recipients", "remediationSteps": "Confirm at least one anti-malware policy is active and applied to all recipients so inbound mail is scanned for malware. If using a comparable third-party solution, verify it is enabled and covers all inbound mail. Periodically review detection telemetry to confirm scanning is functioning.", "compliance": { "scuba": ["MS.EXO.10.1v1"], "nistSp80053": ["SI-3"], "mitreAttack": ["T1566.001"] } }, { "id": "M365EXO-030", "name": "Malware emails quarantined or dropped (MS.EXO.10.2)", "description": "SCuBA MS.EXO.10.2 requires that emails identified as containing malware be quarantined or dropped. 
Detection alone is insufficient if the malicious message is still delivered. The anti-malware policy must take a removal action so users cannot interact with messages found to contain malware.", "severity": "High", "subcategory": "Email Protection", "recommendedValue": "Anti-malware policy action quarantines or drops messages identified as malware (no deliver-with-warning action)", "remediationSteps": "Configure the anti-malware policy so messages identified as containing malware are quarantined or dropped rather than delivered. Verify no policy is set to deliver malware-positive messages with only a warning. Confirm administrator notifications are enabled so the security team is alerted on detections.", "compliance": { "scuba": ["MS.EXO.10.2v1"], "nistSp80053": ["SI-3"], "mitreAttack": ["T1566.001"] } }, { "id": "M365EXO-031", "name": "Post-delivery malware scanning enabled (MS.EXO.10.3)", "description": "SCuBA MS.EXO.10.3 requires that email scanning be capable of reviewing emails after delivery. Malware signatures update continuously, so a message benign at delivery may later be recognized as malicious. Zero-hour auto purge (ZAP) retroactively removes such messages from mailboxes, reducing the window of exposure.", "severity": "High", "subcategory": "Email Protection", "recommendedValue": "Zero-hour auto purge (ZAP) enabled on all anti-malware policies (ZapEnabled = True)", "remediationSteps": "Enable zero-hour auto purge (ZAP) on every anti-malware policy so messages later identified as malware are removed from mailboxes after delivery. Confirm ZAP is enabled across all policies, not just the default. 
Where a comparable third-party solution is used, verify it provides equivalent post-delivery remediation.", "compliance": { "scuba": ["MS.EXO.10.3v1"], "nistSp80053": ["SI-3"], "mitreAttack": ["T1566.001"] } }, { "id": "M365EXO-032", "name": "Impersonation protection checks enabled (MS.EXO.11.1)", "description": "SCuBA MS.EXO.11.1 recommends that impersonation protection checks be used. Impersonation protection compares sender addresses against known users and domains to flag look-alike addresses (for example, exmple.com versus example.com). Without it, users must manually distinguish near-identical sender addresses, which is unreliable and increases phishing success.", "severity": "High", "subcategory": "Email Protection", "recommendedValue": "Anti-phish policy with user and/or domain impersonation protection enabled and applied to high-value targets", "remediationSteps": "Enable user and domain impersonation protection in an anti-phish policy and apply it to high-value targets such as executives, finance, and IT, plus organizational and key partner domains. Set the action for impersonated messages to quarantine. Note that impersonation protection requires a Defender for Office 365 plan; if unavailable, evaluate a comparable third-party capability.", "compliance": { "scuba": ["MS.EXO.11.1v1"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1656", "T1566"] } }, { "id": "M365EXO-033", "name": "User safety tips/warnings displayed (MS.EXO.11.2)", "description": "SCuBA MS.EXO.11.2 recommends that user warnings comparable to EOP safety tips be displayed. Safety tips surface automated signals (unusual characters in the FROM address, first-contact senders) directly in the client, prompting caution at the moment of risk. 
This offloads detection work from users and reduces successful phishing.", "severity": "Medium", "subcategory": "Email Protection", "recommendedValue": "Anti-phish policy with first-contact safety tips and spoof/impersonation safety tips enabled", "remediationSteps": "Enable the safety tip options in the anti-phish policy, including first-contact safety tips and spoof and impersonation safety tips, so users receive in-client warnings. Apply the policy to all users. Where a comparable third-party solution is used, confirm it presents equivalent recipient-facing warnings.", "compliance": { "scuba": ["MS.EXO.11.2v1"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1566"] } }, { "id": "M365EXO-034", "name": "AI-based phishing detection in use (MS.EXO.11.3)", "description": "SCuBA MS.EXO.11.3 recommends an AI-based phishing detection tool comparable to EOP Mailbox Intelligence. Mailbox intelligence builds a model of a user's normal correspondents to detect anomalous senders that rule-based filters miss. Without an AI-based layer, novel or highly targeted phishing is more likely to evade detection.", "severity": "Medium", "subcategory": "Email Protection", "recommendedValue": "Anti-phish policy with mailbox intelligence enabled (EnableMailboxIntelligence = True) and protection action configured", "remediationSteps": "Enable mailbox intelligence in the anti-phish policy and configure the mailbox intelligence protection action to handle detected impersonations. Apply the policy to all users. Mailbox intelligence requires a Defender for Office 365 plan; where unavailable, evaluate a comparable AI-based third-party phishing detection capability.", "compliance": { "scuba": ["MS.EXO.11.3v1"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1566"] } }, { "id": "M365EXO-035", "name": "No IP allow list in connection filter (MS.EXO.12.1)", "description": "SCuBA MS.EXO.12.1 recommends that IP allow lists not be created. 
Addresses on the connection filter allow list bypass spam filtering, SPF, DKIM, DMARC, and FROM-address enforcement. Any entry on this list is a hole through which an attacker who can send from that address can deliver mail that skips those spam-filtering and sender-authentication checks.", "severity": "High", "subcategory": "Email Configuration", "recommendedValue": "Connection filter policy IPAllowList empty for all policies", "remediationSteps": "Edit the connection filter policy and remove all entries from the allowed IP address list so no senders bypass spam filtering and authentication checks. If a sender must be allowed to avoid false positives, prefer a narrowly scoped allowed-sender entry over an IP allow list. Verify no custom connection filter policy reintroduces allow-list entries.", "compliance": { "scuba": ["MS.EXO.12.1v1"], "nistSp80053": ["SC-7", "SI-8"], "mitreAttack": ["T1566.001"] } }, { "id": "M365EXO-036", "name": "Connection filter safe list disabled (MS.EXO.12.2)", "description": "SCuBA MS.EXO.12.2 recommends that safe lists not be enabled. The connection filter safe list is a dynamic, third-party-sourced list of 'known good' senders whose mail bypasses spam filtering and sender authentication. Because the list is externally curated, enabling it cedes a security bypass decision to a source the organization does not control.", "severity": "Medium", "subcategory": "Email Configuration", "recommendedValue": "Connection filter policy EnableSafeList set to False for all policies", "remediationSteps": "Edit the connection filter policy and ensure the safe list option is turned off (EnableSafeList = False) so externally sourced 'known good' senders do not bypass spam and authentication checks. Verify the setting on the default and any custom connection filter policies. 
A connection filter IP block list may still be used to block known malicious senders.", "compliance": { "scuba": ["MS.EXO.12.2v1"], "nistSp80053": ["SC-7", "SI-8"], "mitreAttack": ["T1566.001"] } }, { "id": "M365EXO-037", "name": "Mailbox auditing enabled organization-wide (MS.EXO.13.1)", "description": "SCuBA MS.EXO.13.1 requires that mailbox auditing be enabled. Mailbox auditing records actions taken on mailbox contents by owners, delegates, and administrators, providing essential forensic evidence for investigating compromise. Although mailbox auditing is enabled by default, this check guards against it being inadvertently or maliciously disabled at the organization level.", "severity": "High", "subcategory": "Audit & Logging", "recommendedValue": "Organization AuditDisabled = False so mailbox auditing is enabled tenant-wide", "remediationSteps": "Verify that mailbox auditing is enabled organization-wide by confirming AuditDisabled is False on the organization configuration. If auditing is disabled, re-enable it and investigate why it was turned off to rule out tampering. Confirm the default audited actions cover MailItemsAccessed, Send, SoftDelete, and HardDelete across logon types.", "compliance": { "scuba": ["MS.EXO.13.1v1"], "nistSp80053": ["AU-2", "AU-3"], "mitreAttack": ["T1114"] } }, { "id": "M365EXO-038", "name": "Inbound spam filter enabled (MS.EXO.14.1)", "description": "SCuBA MS.EXO.14.1 requires that a spam filter be enabled, comparable to the native spam filtering. Spam clutters mailboxes, reduces productivity, and often carries malicious links or attachments. 
An organization with no active inbound spam policy leaves users exposed to the full volume of unsolicited and potentially malicious mail.", "severity": "High", "subcategory": "Email Protection", "recommendedValue": "At least one active hosted content (anti-spam) filter policy applied to all recipients", "remediationSteps": "Confirm at least one inbound anti-spam (hosted content filter) policy is active and applied to all recipients. If using a comparable third-party gateway, verify it is enabled for all inbound mail. Review spam action thresholds to ensure aggressive bulk and spam senders are filtered.", "compliance": { "scuba": ["MS.EXO.14.1v1"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1566"] } }, { "id": "M365EXO-039", "name": "Spam routed to junk or quarantine (MS.EXO.14.2)", "description": "SCuBA MS.EXO.14.2 requires that spam and high confidence spam be moved to either the junk email folder or quarantine. Delivering spam to the inbox defeats the purpose of filtering and increases exposure to malicious content. The anti-spam policy actions must route detected spam away from the inbox while preserving user review of false positives.", "severity": "Medium", "subcategory": "Email Protection", "recommendedValue": "SpamAction and HighConfidenceSpamAction set to MoveToJmf (junk) or Quarantine; never set to deliver to inbox", "remediationSteps": "Configure the anti-spam policy so the spam and high confidence spam actions move messages to the junk email folder or quarantine rather than delivering them to the inbox. Verify neither action is set to add a header and deliver. Confirm the policy applies to all recipients so spam routing is consistent.", "compliance": { "scuba": ["MS.EXO.14.2v1"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1566"] } }, { "id": "M365EXO-040", "name": "No allowed domains in anti-spam policy (MS.EXO.14.3)", "description": "SCuBA MS.EXO.14.3 requires that allowed domains not be added to inbound anti-spam policies. 
Allowing an entire domain lets every sender at that domain bypass spam protections, and common domains can be spoofed to abuse the exception. Allowed individual senders are acceptable, but domain-wide allow entries create a broad bypass.", "severity": "Medium", "subcategory": "Email Protection", "recommendedValue": "AllowedSenderDomains empty on all anti-spam (hosted content filter) policies", "remediationSteps": "Review every anti-spam policy and remove all entries from the allowed sender domains list. Where false positives must be addressed, add specific allowed senders rather than whole domains. Confirm no custom anti-spam policy reintroduces an allowed-domain entry, especially for common domains.", "compliance": { "scuba": ["MS.EXO.14.3v1"], "nistSp80053": ["SI-8"], "mitreAttack": ["T1566"] } }, { "id": "M365EXO-041", "name": "URL block-list comparison enabled (MS.EXO.15.1)", "description": "SCuBA MS.EXO.15.1 recommends that URL comparison with a block list be enabled. Time-of-click URL protection compares links against block lists and known-malicious site lists so users are stopped before reaching dangerous destinations. Without it, links that are weaponized after delivery remain clickable and unprotected.", "severity": "High", "subcategory": "Advanced Threat Protection", "recommendedValue": "Safe Links (or comparable) policy enabled for email with URL scanning active (EnableSafeLinksForEmail = True)", "remediationSteps": "Enable a Safe Links or comparable URL protection policy for email so links are scanned against block lists and known-malicious site lists at time of click. Apply the policy to all users and avoid broad do-not-rewrite URL exceptions. 
Safe Links requires a Defender for Office 365 plan; where unavailable, evaluate a comparable third-party link protection capability.", "compliance": { "scuba": ["MS.EXO.15.1v1"], "nistSp80053": ["SI-3"], "mitreAttack": ["T1566.002"] } }, { "id": "M365EXO-042", "name": "Direct download links scanned for malware (MS.EXO.15.2)", "description": "SCuBA MS.EXO.15.2 recommends that direct download links be scanned for malware. Links in mail may point directly to malware downloads. Real-time scanning of the destination file when a user clicks a direct download link blocks the download if malware is detected, preventing device infection.", "severity": "High", "subcategory": "Advanced Threat Protection", "recommendedValue": "Safe Links (or comparable) policy with real-time URL/file scanning enabled (ScanUrls = True)", "remediationSteps": "Enable real-time scanning of URLs and direct-download destinations in the Safe Links or comparable policy so files behind links are scanned for malware at click time. Apply the policy to all users. Verify the option to deliver only after scanning completes is configured where appropriate to maximize protection.", "compliance": { "scuba": ["MS.EXO.15.2v1"], "nistSp80053": ["SI-3"], "mitreAttack": ["T1566.002"] } }, { "id": "M365EXO-043", "name": "User click tracking enabled (MS.EXO.15.3)", "description": "SCuBA MS.EXO.15.3 recommends that user click tracking be enabled. Click tracking records when users click links in mail, providing after-the-fact visibility into whether a malicious link may have been visited. 
This is essential for scoping and responding to incidents involving phishing links.", "severity": "Medium", "subcategory": "Advanced Threat Protection", "recommendedValue": "Safe Links (or comparable) policy with click tracking enabled (DoNotTrackUserClicks = False)", "remediationSteps": "Ensure user click tracking is enabled in the Safe Links or comparable policy so that clicks on links in mail are recorded (the do-not-track option should be off). Apply the policy to all users. Confirm click telemetry is available in the relevant reporting surface for incident investigation.", "compliance": { "scuba": ["MS.EXO.15.3v1"], "nistSp80053": ["AU-2", "SI-4"], "mitreAttack": ["T1566.002"] } }, { "id": "M365EXO-044", "name": "Required Exchange Online alerts enabled (MS.EXO.16.1)", "description": "SCuBA MS.EXO.16.1 requires that a minimum set of alerts be enabled, including suspicious email sending patterns, suspicious connector activity, suspicious email forwarding activity, messages delayed, tenant restricted from sending unprovisioned email, tenant restricted from sending email, and a potentially malicious URL click detected. These alerts give administrators real-time insight into likely security incidents.", "severity": "High", "subcategory": "Audit & Logging", "recommendedValue": "The seven required alert policies enabled: suspicious sending patterns, suspicious connector activity, suspicious forwarding, messages delayed, tenant restricted from sending unprovisioned email, tenant restricted from sending email, malicious URL click", "remediationSteps": "Verify each of the seven required alert policies is enabled: suspicious email sending patterns, suspicious connector activity, suspicious email forwarding activity, messages have been delayed, tenant restricted from sending unprovisioned email, tenant restricted from sending email, and a potentially malicious URL click was detected. Enable any that are disabled. 
Where a comparable third-party alerting solution is used, confirm it covers equivalent conditions.", "compliance": { "scuba": ["MS.EXO.16.1v1"], "nistSp80053": ["SI-4", "IR-4", "AU-6"], "mitreAttack": ["T1114.003"] } }, { "id": "M365EXO-045", "name": "Alerts routed to monitored destination (MS.EXO.16.2)", "description": "SCuBA MS.EXO.16.2 recommends that alerts be sent to a monitored address or incorporated into a SIEM. An alert that fires but is delivered nowhere monitored is not actionable, allowing suspicious events to go unaddressed and increasing incident impact. Each required alert policy should notify a monitored recipient or feed a SIEM.", "severity": "Medium", "subcategory": "Audit & Logging", "recommendedValue": "Each enabled alert policy has notification recipients set to a monitored mailbox or is ingested by a SIEM", "remediationSteps": "Configure each enabled alert policy with one or more notification recipients that point to a monitored mailbox or distribution list, or forward alerts into a SIEM. Confirm the destination is actively monitored so alerts are triaged promptly. Where a third-party alerting solution is used, verify its alerts reach the same monitored destination or SIEM.", "compliance": { "scuba": ["MS.EXO.16.2v1"], "nistSp80053": ["SI-4", "IR-4", "AU-6"], "mitreAttack": ["T1114.003"] } }, { "id": "M365EXO-046", "name": "Purview Audit (Standard) logging enabled (MS.EXO.17.1)", "description": "SCuBA MS.EXO.17.1 requires that Microsoft Purview Audit (Standard) logging, the unified audit log, be enabled. The unified audit log captures user and admin activity across Microsoft 365 and is foundational for incident response and threat detection. 
If unified audit log ingestion is disabled, activity evidence is not collected and investigations are severely hampered.", "severity": "High", "subcategory": "Audit & Logging", "recommendedValue": "Unified audit log ingestion enabled (UnifiedAuditLogIngestionEnabled = True)", "remediationSteps": "Verify that unified audit log ingestion is enabled (UnifiedAuditLogIngestionEnabled = True) so user and admin activity is captured in the Microsoft 365 audit log. If disabled, enable it via the audit log configuration. Confirm logging is active by querying for recent events after enabling.", "compliance": { "scuba": ["MS.EXO.17.1v1"], "nistSp80053": ["AU-2", "AU-3", "AU-12"], "mitreAttack": ["T1562.008"] } }, { "id": "M365EXO-047", "name": "Purview Audit (Premium) logging enabled (MS.EXO.17.2)", "description": "SCuBA MS.EXO.17.2 requires that Microsoft Purview Audit (Premium) logging be enabled. Premium auditing adds high-value event types (such as MailItemsAccessed) and longer default retention that Standard does not include, materially improving visibility during an investigation. Premium auditing requires E5/G5 or equivalent add-on licensing.", "severity": "Medium", "subcategory": "Audit & Logging", "recommendedValue": "Premium audit event types (e.g., MailItemsAccessed) and audit retention features enabled, subject to E5/G5 or add-on licensing", "remediationSteps": "Enable Microsoft Purview Audit (Premium) features so additional event types such as MailItemsAccessed are captured. Confirm the tenant carries the required E5/G5 licensing or compliance add-on; where not licensed, this control cannot be met and should be tracked as not assessed rather than passed. 
Validate that high-value audit events are being recorded after enabling.", "compliance": { "scuba": ["MS.EXO.17.2v1"], "nistSp80053": ["AU-2", "AU-3", "AU-12"], "mitreAttack": ["T1114"] } }, { "id": "M365EXO-048", "name": "Audit log retention meets minimum (MS.EXO.17.3)", "description": "SCuBA MS.EXO.17.3 requires that audit logs be retained for at least the minimum duration dictated by OMB M-21-31 (Appendix C), which calls for at least twelve months in active storage. Default retention may be shorter than required, and logs unavailable when needed prevent investigation of older incidents. An explicit audit log retention policy enforces the required duration.", "severity": "Medium", "subcategory": "Audit & Logging", "recommendedValue": "An audit log retention policy retaining unified audit logs for at least 12 months in active storage (per OMB M-21-31 Appendix C)", "remediationSteps": "Create an audit log retention policy that retains unified audit logs for at least twelve months in active storage as required by OMB M-21-31 Appendix C, with additional cold storage retention as applicable. Confirm the tenant licensing supports custom audit retention (E5/G5 or add-on); where not licensed, track this as not assessed rather than passed. Validate the policy scope covers the relevant Exchange and unified audit log record types.", "compliance": { "scuba": ["MS.EXO.17.3v1"], "nistSp80053": ["AU-11"], "mitreAttack": ["T1070"] } } ] } |