rules/findings/m365/microsoft_defender/atp/ms-defender-atp-safe-links-office-disabled.json
|
{
"args": [ ], "provider": "Microsoft365", "serviceType": "Defender", "serviceName": "Microsoft 365", "displayName": "Ensure Safe Links for Office Applications is Enabled", "description": "Enabling the Advanced Threat Protection (ATP) Safe Links policy for Office applications allows URL\u0027s that existing inside of Office documents opened by Office, Office Online and Office mobile to be processed against ATP time-of-click verification.", "rationale": "Safe Links for Office applications extends phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", "impact": "User impact associated with this change is minor - users may experience a very short delay when clicking on URLs in Office documents before being directed to the requested site.", "remediation": { "text": "###### To enable the ATP Safe Links policy for Office, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t1. Select `Admin Center` and Click to expand `Security`.\r\n\t\t\t\t\t2. Navigate to `Threat management` and select `Policy`.\r\n\t\t\t\t\t3. Select `Safe Links` followed by `Global Settings`.\r\n\t\t\t\t\t4. Select `Use Safe Links in Office 365 apps and Do not let users click through to the original URL in Office 365 apps`.\r\n\t\t\t\t\t5. Click `Save`.\t\t\r\n\t\t\t\t\t\r\n\t\t\t\t\t###### To enable the ATP Safe Links policy for Office 365, use the Exchange Online PowerShell Module\r\n\t\t\t\t\t1. Connect to Exchange Online using `Connect-ExchangeOnline`\r\n\t\t\t\t\t2. Run the following PowerShell command:\t\t\t\t\t\r\n\t\t\t\t\t```powershell\r\n\t\t\t\t\tSet-AtpPolicyForO365 -AllowClickThrough $False -EnableSafeLinksForClients $true\r\n\t\t\t\t\t```", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links?view=o365-worldwide" ], "compliance": [ { "name": "CIS Microsoft 365 Foundations Benchmark", "version": "6.1.0", "reference": "2.1.1", "profile": [ "E5 Level 2" ] } ], "level": "medium", "tags": [ ], "rule": { "path": "o365_exo_safelinks_info", "subPath": null, "selectCondition": { }, "query": [ { "filter": [ { "conditions": [ [ "isBuiltin", "eq", "false" ] ] } ] }, { "connectOperator": "and", "filter": [ { "conditions": [ [ "policy.EnableSafeLinksForEmail", "eq", "True" ], [ "policy.EnableSafeLinksForTeams", "eq", "True" ], [ "policy.EnableSafeLinksForOffice", "eq", "True" ], [ "policy.TrackClicks", "eq", "True" ], [ "policy.AllowClickThrough", "eq", "false" ], [ "policy.ScanUrls", "eq", "True" ], [ "policy.EnableForInternalSenders", "eq", "True" ], [ "policy.DeliverMessageAfterScan", "eq", "True" ], [ "policy.DisableUrlRewrite", "eq", "false" ] ], "operator": "and" } ] } ], "shouldExist": true, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "policy.Name": "Name", "policy.EnableSafeLinksForEmail": "EnableSafeLinksForEmail", "policy.EnableSafeLinksForTeams": "EnableSafeLinksForTeams", "policy.EnableSafeLinksForOffice": "EnableSafeLinksForOffice", "policy.TrackClicks": "TrackClicks", "policy.AllowClickThrough": "AllowClickThrough", "policy.ScanUrls": "ScanUrls", "policy.EnableForInternalSenders": "EnableForInternalSenders", "policy.DeliverMessageAfterScan": "DeliverMessageAfterScan", "policy.DisableUrlRewrite": "DisableUrlRewrite" }, "expandObject": null }, "table": "default", "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "Check if ATP SafeLinks for Office Applications is enabled", "defaultMessage": null }, "properties": { "resourceName": "policy.Name", "resourceId": "policy.ExchangeObjectId", "resourceType": "ExchangeATPSafeLinkPolicy" }, "onlyStatus": false } }, "idSuffix": "m365_exo_safe_links_office_disabled", "notes": [ ], "categories": [ ], "immutable_properties": [ "policy.DistinguishedName", "policy.ExchangeObjectId.Guid" ], "id": "microsoft365_2104" } |