rules/findings/m365/microsoft_defender/malware/ms-defender-notifications-for-internal-users-sending-malware-disabled.json
|
{
"args": [ ], "provider": "Microsoft365", "serviceType": "Defender", "serviceName": "Microsoft 365", "displayName": "Ensure notifications for internal users sending malware is Enabled", "description": "Consider to setup the Exchange Online Protection malware filter to notify administrators if internal senders are blocked for sending malware.", "rationale": "This setting alerts administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise, that would need to be investigated.", "impact": "Notification of account with potential issues should not cause an impact to the user.", "remediation": { "text": "###### To enable notifications for internal users sending malware, use the Microsoft 365 Admin Center\r\n\t\t\t\t\t1. Select Security.\r\n\t\t\t\t\t2. Expand `Threat Management`then select `Policy`.\r\n\t\t\t\t\t3. Select `Anti-Malware`.\r\n\t\t\t\t\t4. Change the setting `Notify administrator about undelivered messages from internal senders` to `Always On` and enter the email address of the administrator who should be notified under `Administrator email address`.\r\n\t\t\t\t\t###### To check the setting from PowerShell, use the Exchange Online Module for PowerShell\r\n\t\t\t\t\t1. Connect to Exchange Online using `Connect-ExchangeOnline`\r\n\t\t\t\t\t2. Run the following PowerShell command:\t\t\t\t\t\r\n\t\t\t\t\t```powershell\r\n\t\t\t\t\tset-MalwareFilterPolicy -Identity \u0027{Identity Name}\u0027 -EnableInternalSenderAdminNotifications $True -InternalSenderAdminAddress {admin@domain1.com}\r\n\t\t\t\t\t```", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-protection-service-description/anti-spam-and-anti-malware-protection-eop" ], "compliance": [ { "name": "CIS Microsoft 365 Foundations Benchmark", "version": "6.1.0", "reference": "2.1.3", "profile": [ "E3 Level 1", "E5 Level 1" ] } ], "level": "medium", "tags": [ ], "rule": { "path": "o365_exo_malware_policy", "subPath": null, "selectCondition": { }, "query": [ { "operator": "and", "filter": [ { "conditions": [ [ "isEnabled", "eq", "True" ] ] }, { "conditions": [ [ "Policy.EnableInternalSenderAdminNotifications", "eq", "false" ], [ "Policy.InternalSenderAdminAddress.Length", "eq", "0" ] ], "operator": "or" } ] } ], "shouldExist": null, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "policyName": "Name", "IsEnabled": "Enabled", "Policy.EnableInternalSenderAdminNotifications": "Internal Senders Admin Notify", "Policy.InternalSenderAdminAddress": "Internal Senders Admin Address" }, "expandObject": null }, "table": "default", "decorate": [ ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "*" ], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "Ensure notifications for internal users sending malware is Enabled", "defaultMessage": null }, "properties": { "resourceName": "policyName", "resourceId": "policyId", "resourceType": "ExchangeMalwareFilterPolicy" }, "onlyStatus": false } }, "idSuffix": "m365_exo_anti_malware_admin_notification_disabled", "notes": [ ], "categories": [ ], "immutable_properties": [ "policyId", "ruleId" ], "id": "microsoft365_2132" } |