rules/findings/m365/microsoft_defender/antispam/ms-defender-inbound-anti-spam-policies-allowed-domains.json

{
    "args": [
         
    ],
    "provider": "Microsoft365",
    "serviceType": "Defender",
    "serviceName": "Microsoft 365",
    "displayName": "Ensure inbound anti-spam policies do not contain allowed domains",
    "description": "\r\n\t\tAnti-spam protection is a feature of Exchange Online that utilizes policies to help to reduce the amount of junk email, bulk and phishing emails a mailbox receives. These policies contain lists to allow or block specific senders or domains. \r\n\t\t* The allowed senders list \r\n\t\t* The allowed domains list \r\n\t\t* The blocked senders list \r\n\t\t* The blocked domains list \r\n\r\n\t\tThe recommended state is: Do not define any Allowed domains\r\n ",
    "rationale": "Messages from entries in the allowed senders list or the allowed domains list bypass most email protection (except malware and high confidence phishing) and email authentication checks (SPF, DKIM and DMARC). Entries in the allowed senders list or the allowed domains list create a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered. The risk is increased even more when allowing common domain names as these can be easily spoofed by attackers. Microsoft specifies in its documentation that allowed domains should be used for testing purposes only.",
    "impact": "This is the default behavior. Allowed domains may reduce false positives, however, this benefit is outweighed by the importance of having a policy which scans all messages regardless of the origin. As an alternative consider sender based lists. This supports the principle of zero trust.",
    "remediation": {
        "text": "\r\n\t\t\t###### To remediate using the UI: \r\n\t\t\t1. Navigate to Microsoft 365 Defender https://security.microsoft.com. \r\n\t\t\t2. Click to expand Email \u0026 collaboration select Policies \u0026 rules\u003e Threat policies. \r\n\t\t\t3. Under Policies select Anti-spam. \r\n\t\t\t4. Open each out of compliance inbound anti-spam policy by clicking on it. \r\n\t\t\t5. Click Edit allowed and blocked senders and domains. \r\n\t\t\t6. Select Allow domains. \r\n\t\t\t7. Delete each domain from the domains list. \r\n\t\t\t8. Click Done \u003e Save. \r\n\t\t\t9. Repeat as needed. \r\n\t",
        "code": {
            "powerShell": null,
            "iac": null,
            "terraform": null,
            "other": null
        }
    },
    "recommendation": null,
    "references": [
        "https://learn.microsoft.com/en-us/defender-office-365/anti-spam-protection-about#allow-and-block-lists-in-anti-spam-policies"
    ],
    "compliance": [
        {
            "name": "CIS Microsoft 365 Foundations Benchmark",
            "version": "6.1.0",
            "reference": "2.1.14",
            "profile": [
                "E3 Level 1",
                "E5 Level 1"
            ]
        }
    ],
    "level": "medium",
    "tags": [
         
    ],
    "rule": {
        "path": "o365_exo_content_filter_info",
        "subPath": null,
        "selectCondition": {
             
        },
        "query": [
            {
                "filter": [
                    {
                        "conditions": [
                            [
                                "isEnabled",
                                "eq",
                                "True"
                            ],
                            [
                                "Policy.AllowedSenderDomains.Count",
                                "gt",
                                "0"
                            ]
                        ],
                        "operator": "and"
                    }
                ]
            }
        ],
        "shouldExist": null,
        "returnObject": null,
        "removeIfNotExists": null
    },
    "output": {
        "html": {
            "data": {
                "properties": {
                    "policyId": "Policy Id",
                    "policyName": "Policy Name",
                    "isDefault": "Default",
                    "isEnabled": "Enabled",
                    "Policy.AllowedSenderDomains": "Allowed Sender Domains"
                },
                "expandObject": null
            },
            "table": "default",
            "decorate": [
                 
            ],
            "emphasis": [
                 
            ],
            "actions": {
                "objectData": {
                    "properties": [
                        "*"
                    ],
                    "expandObject": null,
                    "limit": null
                },
                "showGoToButton": "True",
                "showModalButton": "True",
                "directLink": null
            }
        },
        "text": {
            "data": {
                "properties": {
                    "policyId": "Policy Id",
                    "policyName": "Policy Name",
                    "isDefault": "Default",
                    "isEnabled": "Enabled",
                    "Policy.AllowedSenderDomains": "Allowed Sender Domains"
                },
                "expandObject": null
            },
            "status": {
                "keyName": [
                    "policyName"
                ],
                "message": "",
                "defaultMessage": "Ensure {policyName} anti-spam policy do not contain allowed domains"
            },
            "properties": {
                "resourceName": null,
                "resourceId": null,
                "resourceType": null
            },
            "onlyStatus": false
        }
    },
    "idSuffix": "m365_exo_inbound_anti_spam_policies_contain_allowed_domains",
    "notes": [
         
    ],
    "categories": [
         
    ],
    "immutable_properties": [
        "policyId",
        "ruleId"
    ],
    "id": "microsoft365_2109"
}