rules/findings/m365/microsoft_defender/antispam/ms-defender-connection-filter-ip-allow-list-enabled.json
|
{
"args": [ ], "provider": "Microsoft365", "serviceType": "Defender", "serviceName": "Microsoft 365", "displayName": "Ensure the connection filter IP allow list is not used", "description": "In Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, connection filtering and the default connection filter policy identify good or bad source email servers by IP addresses. The key components of the default connection filter policy are IP Allow List, IP Block List and Safe list. The recommended state is IP Allow List empty or undefined.", "rationale": "Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered. Messages that are determined to be malware or high confidence phishing are filtered.", "impact": "This is the default behavior. IP Allow lists may reduce false positives, however, this benefit is outweighed by the importance of a policy which scans all messages regardless of the origin. This supports the principle of zero trust.", "remediation": { "text": "\r\n\t\t\t###### To remediate using the UI: \r\n\t\t\t1. Navigate to Microsoft 365 Defender https://security.microsoft.com. \r\n\t\t\t2. Click to expand Email \u0026 collaboration select Policies \u0026 rules\u003e Threat policies. \r\n\t\t\t3. Under Policies select Anti-spam. \r\n\t\t\t4. Click on the Connection filter policy (Default). \r\n\t\t\t5. Click Edit connection filter policy. \r\n\t\t\t6. Remove any IP entries from Always allow messages from the following IP addresses or address range\r\n\t\t\t7. Click Save. \r\n\t", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/defender-office-365/connection-filter-policies-configure", "https://learn.microsoft.com/en-us/defender-office-365/create-safe-sender-lists-in-office-365#use-the-ip-allow-list", "https://learn.microsoft.com/en-us/defender-office-365/how-policies-and-protections-are-combined#user-and-tenant-settings-conflict" ], "compliance": [ { "name": "CIS Microsoft 365 Foundations Benchmark", "version": "6.1.0", "reference": "2.1.12", "profile": [ "E3 Level 1", "E5 Level 1" ] } ], "level": "medium", "tags": [ ], "rule": { "path": "o365_exo_connection_policy", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "IPAllowList.Count", "gt", "0" ] ] } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "Name": "Name", "IPAllowList": "IP Allow list" }, "expandObject": null }, "table": "default", "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "", "defaultMessage": "Ensure the connection filter IP allow list is not used" }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": false } }, "idSuffix": "m365_exo_connection_filter_ip_enabled", "notes": [ ], "categories": [ ], "immutable_properties": [ ], "id": "microsoft365_2106" } |