rules/findings/m365/microsoft_defender/malware/ms-defender-notifications-for-internal-users-sending-malware-disabled.json

{
    "args": [
         
    ],
    "provider": "Microsoft365",
    "serviceType": "Defender",
    "serviceName": "Microsoft 365",
    "displayName": "Ensure notifications for internal users sending malware is Enabled",
    "description": "Consider to setup the Exchange Online Protection malware filter to notify administrators if internal senders are blocked for sending malware.",
    "rationale": "This setting alerts administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise, that would need to be investigated.",
    "impact": "Notification of account with potential issues should not cause an impact to the user.",
    "remediation": {
        "text": "###### To enable notifications for internal users sending malware, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t1. Select Security.\r\n\t\t\t\t\t2. Expand `Threat Management`then select `Policy`.\r\n\t\t\t\t\t3. Select `Anti-Malware`.\r\n\t\t\t\t\t4. Change the setting `Notify administrator about undelivered messages from internal senders` to `Always On` and enter the email address of the administrator who should be notified under `Administrator email address`.\r\n\t\t\t\t\t###### To check the setting from PowerShell, use the Exchange Online Module for PowerShell\r\n\t\t\t\t\t1. Connect to Exchange Online using `Connect-ExchangeOnline`\r\n\t\t\t\t\t2. Run the following PowerShell command:\t\t\t\t\t\r\n\t\t\t\t\t```powershell\r\n\t\t\t\t\tset-MalwareFilterPolicy -Identity \u0027{Identity Name}\u0027 -EnableInternalSenderAdminNotifications $True -InternalSenderAdminAddress {admin@domain1.com}\r\n\t\t\t\t\t```",
        "code": {
            "powerShell": null,
            "iac": null,
            "terraform": null,
            "other": null
        }
    },
    "recommendation": null,
    "references": [
        "https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-protection-service-description/anti-spam-and-anti-malware-protection-eop"
    ],
    "compliance": [
        {
            "name": "CIS Microsoft 365 Foundations Benchmark",
            "version": "6.1.0",
            "reference": "2.1.3",
            "profile": [
                "E3 Level 1",
                "E5 Level 1"
            ]
        }
    ],
    "level": "medium",
    "tags": [
         
    ],
    "rule": {
        "path": "o365_exo_malware_policy",
        "subPath": null,
        "selectCondition": {
             
        },
        "query": [
            {
                "operator": "and",
                "filter": [
                    {
                        "conditions": [
                            [
                                "isEnabled",
                                "eq",
                                "True"
                            ]
                        ]
                    },
                    {
                        "conditions": [
                            [
                                "Policy.EnableInternalSenderAdminNotifications",
                                "eq",
                                "false"
                            ],
                            [
                                "Policy.InternalSenderAdminAddress.Length",
                                "eq",
                                "0"
                            ]
                        ],
                        "operator": "or"
                    }
                ]
            }
        ],
        "shouldExist": null,
        "returnObject": null,
        "removeIfNotExists": null
    },
    "output": {
        "html": {
            "data": {
                "properties": {
                    "policyName": "Name",
                    "IsEnabled": "Enabled",
                    "Policy.EnableInternalSenderAdminNotifications": "Internal Senders Admin Notify",
                    "Policy.InternalSenderAdminAddress": "Internal Senders Admin Address"
                },
                "expandObject": null
            },
            "table": "default",
            "decorate": [
                 
            ],
            "emphasis": [
                 
            ],
            "actions": {
                "objectData": {
                    "properties": [
                        "*"
                    ],
                    "expandObject": null,
                    "limit": null
                },
                "showGoToButton": "True",
                "showModalButton": "True",
                "directLink": null
            }
        },
        "text": {
            "data": {
                "properties": {
                     
                },
                "expandObject": null
            },
            "status": {
                "keyName": [
                     
                ],
                "message": "Ensure notifications for internal users sending malware is Enabled",
                "defaultMessage": null
            },
            "properties": {
                "resourceName": "policyName",
                "resourceId": "policyId",
                "resourceType": "ExchangeMalwareFilterPolicy"
            },
            "onlyStatus": false
        }
    },
    "idSuffix": "m365_exo_anti_malware_admin_notification_disabled",
    "notes": [
         
    ],
    "categories": [
         
    ],
    "immutable_properties": [
        "policyId",
        "ruleId"
    ],
    "id": "microsoft365_2132"
}