diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 20a6cca48a..cdef148d78 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file. - Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427) - Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408) - Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609) +- Update M365 Defender service metadata to new format [(#9681)](https://github.com/prowler-cloud/prowler/pull/9681) + --- diff --git a/prowler/providers/m365/services/defender/defender_antiphishing_policy_configured/defender_antiphishing_policy_configured.metadata.json b/prowler/providers/m365/services/defender/defender_antiphishing_policy_configured/defender_antiphishing_policy_configured.metadata.json index 9f36b64bd9..4a4281930d 100644 --- a/prowler/providers/m365/services/defender/defender_antiphishing_policy_configured/defender_antiphishing_policy_configured.metadata.json +++ b/prowler/providers/m365/services/defender/defender_antiphishing_policy_configured/defender_antiphishing_policy_configured.metadata.json 
@@ -1,29 +1,40 @@
 {
 "Provider": "m365",
 "CheckID": "defender_antiphishing_policy_configured",
- "CheckTitle": "Ensure anti-phishing policies are properly configured and active.",
+ "CheckTitle": "Defender anti-phishing policy active, quarantines spoofed senders and DMARC reject/quarantine failures, honors DMARC policy, safety tips enabled",
 "CheckType": [],
 "ServiceName": "defender",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "low",
- "ResourceType": "Defender Anti-Phishing Policy",
- "Description": "Ensure that anti-phishing policies are created and configured for specific users, groups, or domains, taking precedence over the default policy. This check verifies the existence of rules within policies and validates specific policy settings such as spoof intelligence, DMARC actions, safety tips, and unauthenticated sender actions.",
- "Risk": "Without anti-phishing policies, organizations may rely solely on default settings, which might not adequately protect against phishing attacks targeted at specific users, groups, or domains. This increases the risk of successful phishing attempts and potential data breaches.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide",
+ "Severity": "high",
+ "ResourceType": "",
+ "Description": "**Microsoft Defender for Office 365 anti-phishing policies** are evaluated for custom scoping to users, groups, or domains and precedence over the default, plus key settings: **spoof intelligence**, DMARC honoring, `quarantine` actions for spoof/DMARC, **safety tips**, unauthenticated sender indicators, and policy enablement.",
+ "Risk": "Missing or lax configuration lets **spoofed** and **impersonated** emails reach inboxes. Ignoring DMARC or not using `quarantine` enables delivery of fraudulent messages, driving **credential theft**, **BEC**, and **account takeover**, compromising data **confidentiality** and **integrity** and enabling lateral movement via mailbox rule abuse.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://powerdmarc.com/dmarc-for-office-365/",
+ "https://agio.com/anti-phishing-protection-for-microsoft-365/",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide",
+ "https://ironscales.com/guides/microsoft-365-defender/anti-phishing-policies-in-microsoft-365",
+ "https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-mdo-configure",
+ "https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about",
+ "https://security.microsoft.com.",
+ "https://www.linkedin.com/pulse/reduce-phishing-emails-how-configure-microsoft-office-de-la-vega-ma0mc"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "$params = @{Name='';PhishThresholdLevel=3;EnableTargetedUserProtection=$true;EnableOrganizationDomainsProtection=$true;EnableMailboxIntelligence=$true;EnableMailboxIntelligenceProtection=$true;EnableSpoofIntelligence=$true;TargetedUserProtectionAction='Quarantine';TargetedDomainProtectionAction='Quarantine';MailboxIntelligenceProtectionAction='Quarantine';TargetedUserQuarantineTag='DefaultFullAccessWithNotificationPolicy';MailboxIntelligenceQuarantineTag='DefaultFullAccessWithNotificationPolicy';TargetedDomainQuarantineTag='DefaultFullAccessWithNotificationPolicy';EnableFirstContactSafetyTips=$true;EnableSimilarUsersSafetyTips=$true;EnableSimilarDomainsSafetyTips=$true;EnableUnusualCharactersSafetyTips=$true;HonorDmarcPolicy=$true}; New-AntiPhishPolicy @params; New-AntiPhishRule -Name $params.Name -AntiPhishPolicy $params.Name -RecipientDomainIs (Get-AcceptedDomain).Name -Priority 0",
+ "CLI": "",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft 365 Defender https://security.microsoft.com. 2. Click to expand Email & collaboration and select Policies & rules. 3. On the Policies & rules page select Threat policies. 4. Under Policies, select Anti-phishing 5. Ensure policies have rules with the state set to 'on' and validate settings: spoof intelligence enabled, spoof intelligence action set to 'Quarantine', DMARC reject and quarantine actions, safety tips enabled, unauthenticated sender action enabled, show tag enabled, and honor DMARC policy enabled. If not, modify them to be as recommended.",
+ "Other": "1. Go to Microsoft 365 Defender: https://security.microsoft.com > Email & collaboration > Policies & rules > Threat policies > Anti-phishing\n2. Open the Default anti-phishing policy and click Edit\n3. Spoof settings: ensure Enable spoof intelligence is On and set If the message is detected as spoof by spoof intelligence to Quarantine\n4. DMARC: turn On Honor DMARC record policy and set both actions to Quarantine:\n - If DMARC policy is p=quarantine: Quarantine\n - If DMARC policy is p=reject: Quarantine\n5. Safety tips & indicators: turn On Show first contact safety tip, Show (?) for unauthenticated senders for spoof, and Show \"via\" tag\n6. Save changes\n7. If using custom anti-phishing policies, ensure their rule Status is On",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Create and configure anti-phishing policies for specific users, groups, or domains to enhance protection against phishing attacks.",
- "Url": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide"
+ "Text": "Apply **defense in depth** for email:\n- Create high-priority custom policies for sensitive users/groups/domains\n- Enable **spoof intelligence**; honor DMARC (`p=quarantine`, `p=reject`) with `quarantine` actions\n- Turn on **safety tips** and unauthenticated sender tags\n- Review policy precedence, scope, and thresholds regularly to minimize false positives",
+ "Url": "https://hub.prowler.com/check/defender_antiphishing_policy_configured"
 }
 },
 "Categories": [
+ "email-security",
 "e5"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/defender/defender_antispam_connection_filter_policy_empty_ip_allowlist/defender_antispam_connection_filter_policy_empty_ip_allowlist.metadata.json b/prowler/providers/m365/services/defender/defender_antispam_connection_filter_policy_empty_ip_allowlist/defender_antispam_connection_filter_policy_empty_ip_allowlist.metadata.json
index 21230498e1..e40b76f720 100644
--- a/prowler/providers/m365/services/defender/defender_antispam_connection_filter_policy_empty_ip_allowlist/defender_antispam_connection_filter_policy_empty_ip_allowlist.metadata.json
+++ b/prowler/providers/m365/services/defender/defender_antispam_connection_filter_policy_empty_ip_allowlist/defender_antispam_connection_filter_policy_empty_ip_allowlist.metadata.json
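Review bot: The new AdditionalURLs entry `"https://security.microsoft.com."` carries the trailing period inside the string, so it is not a usable link; it should read `"https://security.microsoft.com"`. The same artefact recurs in the connection-filter IP-allowlist and safe-list hunks and the outbound-notify hunk (`.`), the forwarding hunk (`/.`), the allowed-domains hunk (`).`) and the chat-report hunk (`/).`), so it is best fixed once across the set. Replacing the `"CLI"` value with `""` also drops the only scriptable remediation; a single line covering the settings the Description says are evaluated, e.g. `"CLI": "Set-AntiPhishPolicy -Identity {policyName} -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine -HonorDmarcPolicy $true -DmarcQuarantineAction Quarantine -DmarcRejectAction Quarantine -EnableFirstContactSafetyTips $true -EnableUnauthenticatedSender $true -EnableViaTag $true"`, would keep it automatable (parameter names to be confirmed against the cmdlet reference before merging). Several of the new links point to vendor blogs and a LinkedIn post rather than product documentation; those can go stale or change hands, so listing the Microsoft Learn pages first, or alone, keeps the remediation guidance trustworthy.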
@@ -1,29 +1,34 @@
 {
 "Provider": "m365",
 "CheckID": "defender_antispam_connection_filter_policy_empty_ip_allowlist",
- "CheckTitle": "Ensure the Anti-Spam Connection Filter Policy IP Allowlist is empty or undefined.",
+ "CheckTitle": "Defender Antispam Connection Filter Policy IP Allowlist is empty or undefined",
 "CheckType": [],
 "ServiceName": "defender",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "medium",
- "ResourceType": "Defender Anti-Spam Policy",
- "Description": "This check focuses on Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations. It ensures that the connection filter policy's IP Allowlist is empty or undefined to prevent bypassing spam filtering and sender authentication checks, which could lead to successful delivery of malicious emails.",
- "Risk": "Using the IP Allowlist without additional verification like mail flow rules poses a risk, as emails from these sources skip essential security checks (SPF, DKIM, DMARC). This could allow attackers to deliver harmful emails directly to the Inbox.",
+ "Severity": "high",
+ "ResourceType": "",
+ "Description": "**Microsoft Defender connection filter policy** is evaluated to determine whether the **IP Allowlist** (`IPAllowList`) is configured. The finding indicates if any IP addresses are present in the policy's allow list for Exchange Online or standalone EOP environments.",
+ "Risk": "Allowlisted IPs bypass **SPF**, **DKIM**, **DMARC** and antispam, enabling **phishing** and **spoofing** that steal credentials (confidentiality), deliver **malware** or fraudulent mail (integrity), and cause **inbox flooding** (availability). Attackers can abuse compromised or shared relays on those IPs to deliver malicious mail.",
 "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://security.microsoft.com.",
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/set-hostedconnectionfilterpolicy?view=exchange-ps"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{}",
+ "CLI": "Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList $null",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft 365 Defender https://security.microsoft.com. 2. Click to expand Email & collaboration and select Policies & rules. 3. On the Policies & rules page select Threat policies. 4. Under Policies, select Anti-spam and click on the Connection filter policy (Default). 5. Remove IP entries from the allow list. 6. Click Save.",
+ "Other": "1. Go to https://security.microsoft.com and sign in\n2. Email & collaboration > Policies & rules > Threat policies\n3. Open Anti-spam > Connection filter policy (Default)\n4. Edit the IP allow list and remove all entries\n5. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Ensure that the IP Allowlist in your connection filter policy is empty or undefined to prevent bypassing essential security checks.",
- "Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-hostedconnectionfilterpolicy?view=exchange-ps"
+ "Text": "Keep the **IP Allowlist** empty. Rely on layered controls: **SPF**, **DKIM**, **DMARC**, connection filtering, and content scanning. *If an exception is unavoidable*, apply **defense in depth** (sender auth, TLS, reputation checks, and tight scope/time limits) and prefer domain- or certificate-based trust over static IPs. Monitor delivery logs for abuse.",
+ "Url": "https://hub.prowler.com/check/defender_antispam_connection_filter_policy_empty_ip_allowlist"
 }
 },
 "Categories": [
+ "email-security",
 "e3"
 ],
 "DependsOn": [],
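Review bot: The new `"CLI"` line `Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList $null` clears every entry in one step and the portal steps likewise say to remove all entries, but neither tells the operator to record what is there first, which matters in tenants that deliberately allowlisted a third-party mail gateway or relay. Adding an inventory step ahead of the clearing command, e.g. `Get-HostedConnectionFilterPolicy -Identity Default | Select-Object -ExpandProperty IPAllowList`, or a sentence in `"Recommendation.Text"` telling the reader to review and document existing entries before removing them, makes the remediation safe to apply as written. The Description says the finding fires when any IP addresses are present; whether CIDR ranges are treated the same cannot be told from this hunk, so stating it would remove the ambiguity.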
diff --git a/prowler/providers/m365/services/defender/defender_antispam_connection_filter_policy_safe_list_off/defender_antispam_connection_filter_policy_safe_list_off.metadata.json b/prowler/providers/m365/services/defender/defender_antispam_connection_filter_policy_safe_list_off/defender_antispam_connection_filter_policy_safe_list_off.metadata.json
index 75c3b20ddb..29785fec29 100644
--- a/prowler/providers/m365/services/defender/defender_antispam_connection_filter_policy_safe_list_off/defender_antispam_connection_filter_policy_safe_list_off.metadata.json
+++ b/prowler/providers/m365/services/defender/defender_antispam_connection_filter_policy_safe_list_off/defender_antispam_connection_filter_policy_safe_list_off.metadata.json
@@ -1,29 +1,35 @@
 {
 "Provider": "m365",
 "CheckID": "defender_antispam_connection_filter_policy_safe_list_off",
- "CheckTitle": "Ensure the default connection filter policy has the SafeList setting disabled",
+ "CheckTitle": "Defender Antispam Connection Filter Policy has Safe List disabled",
 "CheckType": [],
 "ServiceName": "defender",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "medium",
- "ResourceType": "Defender Anti-Spam Policy",
- "Description": "This check ensures that the EnableSafeList setting in the default connection filter policy is set to False. The safe list, managed dynamically by Microsoft, allows emails from listed IPs to bypass spam filtering and sender authentication checks, posing a security risk.",
- "Risk": "If the safe list is enabled, emails from IPs on this list can bypass essential security checks (SPF, DKIM, DMARC), potentially allowing malicious emails to be delivered directly to users' inboxes.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/defender-office-365/connection-filter-policies-configure",
+ "Severity": "high",
+ "ResourceType": "",
+ "Description": "**Defender connection filter policy** safe list setting is evaluated. When enabled, mail from Microsoft-managed IPs skips spam filtering and some sender authentication. The finding indicates whether this implicit bypass is turned off.",
+ "Risk": "With the safe list on, inbound mail can bypass SPF/DKIM/DMARC and spam heuristics, allowing spoofed or phishing messages to reach inboxes. This risks credential theft (confidentiality), enables account takeover and tampering (integrity), and may lead to malware-driven outages (availability).",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://security.microsoft.com.",
+ "https://learn.microsoft.com/en-us/defender-office-365/connection-filter-policies-configure",
+ "https://learn.microsoft.com/en-us/defender-office-365/create-safe-sender-lists-in-office-365#use-the-ip-allow-list"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "Set-HostedConnectionFilterPolicy -Identity Default -EnableSafeList $false",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft 365 Defender https://security.microsoft.com. 2. Click to expand Email & collaboration and select Policies & rules. 3. On the Policies & rules page select Threat policies. 4. Under Policies, select Anti-spam and click on the Connection filter policy (Default). 5. Disable the safe list option. 6. Click Save.",
+ "Other": "1. Go to https://security.microsoft.com/antispam\n2. Select Connection filter policy (Default)\n3. Click Edit connection filter policy\n4. Uncheck Turn on safe list\n5. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Ensure that the EnableSafeList setting in your connection filter policy is set to False to prevent bypassing essential security checks.",
- "Url": "https://learn.microsoft.com/en-us/defender-office-365/create-safe-sender-lists-in-office-365#use-the-ip-allow-list"
+ "Text": "Disable the **safe list** (`EnableSafeList=false`). Favor **allow-by-exception**: use the **Tenant Allow/Block List** or tightly scoped IPs only when necessary and validated by strong **email authentication**. Apply **least privilege**, review exceptions regularly, and layer **defense in depth** with anti-phishing and monitoring.",
+ "Url": "https://hub.prowler.com/check/defender_antispam_connection_filter_policy_safe_list_off"
 }
 },
 "Categories": [
+ "email-security",
 "e3"
 ],
 "DependsOn": [],
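Review bot: The new `"Recommendation.Text"` writes the setting as `EnableSafeList=false`, which is neither the PowerShell form the unchanged `"CLI"` line uses (`-EnableSafeList $false`) nor the portal label in the new steps (`Turn on safe list`); quoting it as `` `-EnableSafeList $false` `` keeps the three in agreement. The third AdditionalURLs link ends in `#use-the-ip-allow-list`, which appears to describe the IP allow list covered by the sibling check rather than the Microsoft-managed safe list, so it may belong in that file instead. The Description's "some sender authentication" is vague for a high-severity finding; if the vendor page states exactly which checks are skipped, naming them would make the risk concrete.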
diff --git a/prowler/providers/m365/services/defender/defender_antispam_outbound_policy_configured/defender_antispam_outbound_policy_configured.metadata.json b/prowler/providers/m365/services/defender/defender_antispam_outbound_policy_configured/defender_antispam_outbound_policy_configured.metadata.json
index ea80ba2681..cc0ca3dcd5 100644
--- a/prowler/providers/m365/services/defender/defender_antispam_outbound_policy_configured/defender_antispam_outbound_policy_configured.metadata.json
+++ b/prowler/providers/m365/services/defender/defender_antispam_outbound_policy_configured/defender_antispam_outbound_policy_configured.metadata.json
@@ -1,29 +1,40 @@
 {
 "Provider": "m365",
 "CheckID": "defender_antispam_outbound_policy_configured",
- "CheckTitle": "Ensure Defender Outbound Spam Policies are set to notify administrators.",
+ "CheckTitle": "Defender outbound spam policy is configured to notify recipients when senders are blocked or exceed sending limits",
 "CheckType": [],
 "ServiceName": "defender",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "low",
- "ResourceType": "Defender Anti-Spam Outbound Policy",
- "Description": "Ensure that outbound anti-spam policies are configured to notify administrators and copy suspicious outbound messages to designated recipients when a sender is blocked for sending spam emails.",
- "Risk": "Without outbound spam notifications and message copies, compromised accounts may go undetected, increasing the risk of reputation damage or data leakage through unauthorized email activity.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about",
+ "Severity": "high",
+ "ResourceType": "",
+ "Description": "**Defender outbound spam policies** must send **administrator alerts** and Bcc **suspicious outbound messages** when a sender exceeds limits or is blocked. The assessment checks for `notify limit exceeded` and `notify sender blocked` with recipient addresses in the default policy and any applicable custom policies.",
+ "Risk": "Absent alerts and copies, **compromised mailboxes** can exfiltrate data and send phishing undetected. This harms **email deliverability** through blocklisting and throttling (**availability**), undermines domain **integrity**, and impedes **forensics** by removing evidence needed to triage abusive outbound traffic.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://www.nakivo.com/blog/configuring-office-365-spam-filter/",
+ "https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about",
+ "https://www.duocircle.com/content/outbound-spam-filtering/outbound-spam-office-365",
+ "https://learn.microsoft.com/is-is/defender-office-365/outbound-spam-policies-configure",
+ "https://security.microsoft.com.",
+ "https://www.thatlazyadmin.com/2019/04/01/configure-outbound-spam-notification-office-365-exchange-online/",
+ "https://blog.admindroid.com/configure-outbound-spam-policy-in-microsoft-365/",
+ "https://www.linkedin.com/pulse/set-up-outbound-spam-notifications-exchange-online-ankit-sharma-eqspf"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "$BccEmailAddress = @(\"\")\n$NotifyEmailAddress = @(\"\")\nSet-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundAdditionalRecipients $BccEmailAddress -BccSuspiciousOutboundMail $true -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $NotifyEmailAddress",
+ "CLI": "Set-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundMail $true -BccSuspiciousOutboundAdditionalRecipients \"\" -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients \"\"",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft 365 Defender https://security.microsoft.com. 2. Click to expand Email & collaboration and select Policies & rules > Threat policies. 3. Under Policies, select Anti-spam. 4. Click on the Anti-spam outbound policy (default). 5. Select Edit protection settings then under Notifications: 6. Check 'Send a copy of suspicious outbound messages or message that exceed these limits to these users and groups' and enter the email addresses. 7. Check 'Notify these users and groups if a sender is blocked due to sending outbound spam' and enter the desired email addresses. 8. Click Save.",
+ "Other": "1. Sign in to Microsoft 365 Defender: https://security.microsoft.com\n2. Go to Email & collaboration > Policies & rules > Threat policies > Anti-spam\n3. Open Anti-spam outbound policy (Default) and select Edit protection settings\n4. Under Notifications:\n - Check \"Send a copy of suspicious outbound messages or messages that exceed these limits to these users and groups\" and add \n - Check \"Notify these users and groups if a sender is blocked due to sending outbound spam\" and add \n5. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Configure Defender outbound spam filter policies to notify administrators and copy suspicious outbound messages when users are blocked for sending spam.",
- "Url": "https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about"
+ "Text": "Enable outbound spam notifications and Bcc suspicious messages to a monitored mailbox, applying them consistently to default and scoped policies. Set prudent sending limits and block actions, disable unnecessary external forwarding, and monitor alerts-aligning with **least privilege** and **defense in depth**.",
+ "Url": "https://hub.prowler.com/check/defender_antispam_outbound_policy_configured"
 }
 },
 "Categories": [
+ "email-security",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/defender/defender_antispam_outbound_policy_forwarding_disabled/defender_antispam_outbound_policy_forwarding_disabled.metadata.json b/prowler/providers/m365/services/defender/defender_antispam_outbound_policy_forwarding_disabled/defender_antispam_outbound_policy_forwarding_disabled.metadata.json
index db659cad71..00abb6c662 100644
--- a/prowler/providers/m365/services/defender/defender_antispam_outbound_policy_forwarding_disabled/defender_antispam_outbound_policy_forwarding_disabled.metadata.json
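Review bot: The new `"CLI"` line passes `-BccSuspiciousOutboundAdditionalRecipients ""` and `-NotifyOutboundSpamRecipients ""`, and both sub-steps of step 4 in `"Other"` end with `and add ` followed by nothing, so the recipient placeholders appear to have been lost (plausibly angle-bracket tokens stripped somewhere in the pipeline); run as written, the command turns notifications on with no destination, which is the silent gap this check exists to surface. Brace placeholders of the kind the removed forwarding line used survive rendering, e.g. `-BccSuspiciousOutboundAdditionalRecipients {bccAddress} -NotifyOutboundSpamRecipients {notifyAddress}` in the CLI and `and add {bccAddress}` / `and add {notifyAddress}` in the steps. The same loss shows in the forwarding hunk (`-Identity -AutoForwardingMode Off`), the allowed-domains hunk (`-Identity -AllowedSenderDomains $null`) and the chat-report hunk (`-ReportJunkAddresses -ReportNotJunkAddresses -ReportPhishAddresses` with no values). In `"Recommendation.Text"`, `monitor alerts-aligning with` reads as one hyphenated word; `monitor alerts, aligning with` is what is meant.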
+++ b/prowler/providers/m365/services/defender/defender_antispam_outbound_policy_forwarding_disabled/defender_antispam_outbound_policy_forwarding_disabled.metadata.json 
@@ -1,29 +1,34 @@
 {
 "Provider": "m365",
 "CheckID": "defender_antispam_outbound_policy_forwarding_disabled",
- "CheckTitle": "Ensure Defender Outbound Spam Policies are set to disable mail forwarding.",
+ "CheckTitle": "Defender Outbound Spam policy disables mail forwarding",
 "CheckType": [],
 "ServiceName": "defender",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "Defender Anti-Spam Outbound Policy",
- "Description": "Ensure Defender Outbound Spam Policies are set to disable mail forwarding.",
- "Risk": "Enabling email auto-forwarding can be exploited by attackers or malicious insiders to exfiltrate sensitive data outside the organization, often without detection.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about",
+ "ResourceType": "",
+ "Description": "**Defender outbound spam policies** are evaluated to confirm that automatic mail forwarding is disabled in the default policy and in any custom policies applied to users, groups, or domains.",
+ "Risk": "Allowing **automatic forwarding** enables covert **data exfiltration**, eroding **confidentiality**. Attackers or insiders can auto-route mail to external inboxes, persist access, evade monitoring, and harvest sensitive content (tickets, approvals, MFA codes), enabling **lateral movement** and fraud while reducing auditability.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about",
+ "https://security.microsoft.com/."
+ ],
 "Remediation": {
 "Code": {
- "CLI": "Set-HostedOutboundSpamFilterPolicy -Identity {policyName} -AutoForwardingMode Off",
+ "CLI": "Set-HostedOutboundSpamFilterPolicy -Identity -AutoForwardingMode Off",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft 365 Defender https://security.microsoft.com/. 2. Expand E-mail & collaboration then select Policies & rules. 3. Select Threat policies > Anti-spam. 4. Select Anti-spam outbound policy (default). 5. Click Edit protection settings. 6. Set Automatic forwarding rules dropdown to Off - Forwarding is disabled and click Save. 7. Repeat steps 4-6 for any additional higher priority, custom policies.",
+ "Other": "1. Sign in to https://security.microsoft.com\n2. Go to Email & collaboration > Policies & rules > Threat policies > Anti-spam\n3. Open Anti-spam outbound policy (Default) or the target custom policy\n4. Click Edit protection settings and set Automatic forwarding rules to Off - Forwarding is disabled, then Save\n5. For custom policies, ensure the policy Status is On (enabled); repeat for any additional policies",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Block all forms of mail forwarding using Anti-spam outbound policies in Exchange Online. Apply exclusions only where justified by organizational policy.",
- "Url": "https://learn.microsoft.com/en-us/defender-office-365/outbound-spam-protection-about"
+ "Text": "Disable **automatic forwarding** globally in outbound spam policies to enforce **least privilege** on data flows. *If exceptions are required*, restrict to named senders or domains, document approvals, and review regularly. Add **DLP**, alerts on new forwarding rules, and mailbox auditing for **defense in depth**.",
+ "Url": "https://hub.prowler.com/check/defender_antispam_outbound_policy_forwarding_disabled"
 }
 },
 "Categories": [
+ "email-security",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/defender/defender_antispam_policy_inbound_no_allowed_domains/defender_antispam_policy_inbound_no_allowed_domains.metadata.json b/prowler/providers/m365/services/defender/defender_antispam_policy_inbound_no_allowed_domains/defender_antispam_policy_inbound_no_allowed_domains.metadata.json
index 49d399cd01..56084b89f7 100644
--- a/prowler/providers/m365/services/defender/defender_antispam_policy_inbound_no_allowed_domains/defender_antispam_policy_inbound_no_allowed_domains.metadata.json
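Review bot: The new Description says forwarding must be disabled in the default policy and in any custom policy, while the new `"Recommendation.Text"` invites exceptions "restricted to named senders or domains"; in Exchange Online such an exception is itself a custom outbound spam policy with forwarding left on, so as worded the two texts pull against each other and the reader is not told that the exception will surface as a failing finding. A clause such as `Note that any policy that keeps forwarding enabled will be reported by this check; keep such exceptions few, documented and time-bound` in the recommendation resolves the tension. Whether the check ignores disabled custom policies, as step 5 of `"Other"` hints, cannot be told from this hunk, so that behaviour is worth stating explicitly in the Description if it holds.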
+++ b/prowler/providers/m365/services/defender/defender_antispam_policy_inbound_no_allowed_domains/defender_antispam_policy_inbound_no_allowed_domains.metadata.json 
@@ -1,29 +1,41 @@
 {
 "Provider": "m365",
 "CheckID": "defender_antispam_policy_inbound_no_allowed_domains",
- "CheckTitle": "Ensure inbound anti-spam policies do not contain allowed domains",
+ "CheckTitle": "Inbound anti-spam policy does not contain allowed domains",
 "CheckType": [],
 "ServiceName": "defender",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "low",
- "ResourceType": "Defender Anti-Spam Policy",
- "Description": "Ensure that inbound anti-spam policies do not have any domains listed in the AllowedSenderDomains. Messages from these domains bypass most email protections, increasing the risk of successful phishing attacks.",
- "Risk": "Having domains in the AllowedSenderDomains list allows emails from these domains to bypass essential security checks, increasing the risk of phishing attacks and other malicious activities.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/defender-office-365/anti-spam-protection-about#allow-and-block-lists-in-anti-spam-policies",
+ "Severity": "high",
+ "ResourceType": "",
+ "Description": "**Inbound anti-spam policies** are evaluated for domains listed in `AllowedSenderDomains`.\n\nThe finding identifies any policy where this list is populated rather than empty.",
+ "Risk": "Populating `AllowedSenderDomains` makes messages from those domains skip **spam filtering** and **email authentication** (SPF, DKIM, DMARC), often delivered with SCL `-1`. Attackers can spoof such domains to phish credentials, enable BEC, and alter mailboxes, undermining **confidentiality** and **integrity**.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://www.alitajran.com/allowlist-domain-microsoft-365/",
+ "https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/set-hostedcontentfilterpolicy?view=exchange-ps",
+ "https://security.microsoft.com).",
+ "https://lazyadmin.nl/office-365/whitelist-domain-office-365/",
+ "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-the-allowed-sender-domains?view=o365-worldwide",
+ "https://learn.microsoft.com/en-us/defender-office-365/anti-spam-policies-configure",
+ "https://www.youtube.com/watch?v=nT5xjJzlKzc",
+ "https://cloudinfra.net/bypass-spam-filtering-in-microsoft-365-office-365/",
+ "https://learn.microsoft.com/en-us/defender-office-365/anti-spam-protection-about#allow-and-block-lists-in-anti-spam-policies"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "Set-HostedContentFilterPolicy -Identity -AllowedSenderDomains @{}",
+ "CLI": "Set-HostedContentFilterPolicy -Identity -AllowedSenderDomains $null",
 "NativeIaC": "",
- "Other": "1. Navigate to Microsoft 365 Defender (https://security.microsoft.com). 2. Click to expand Email & collaboration and select Policies & rules > Threat policies. 3. Under Policies, select Anti-spam. 4. Open each out-of-compliance inbound anti-spam policy by clicking on it. 5. Click Edit allowed and blocked senders and domains. 6. Select Allow domains. 7. Delete each domain from the domains list. 8. Click Done > Save. 9. Repeat as needed.",
+ "Other": "1. Open Microsoft 365 Defender: https://security.microsoft.com/antispam\n2. Open each inbound anti-spam policy (Default and any custom).\n3. Click Edit allowed and blocked senders and domains.\n4. Select Allow domains.\n5. Remove all domains, then click Done and Save.\n6. Repeat for any remaining inbound anti-spam policies.",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Ensure that the AllowedSenderDomains list in your inbound anti-spam policies is empty to prevent bypassing essential security checks.",
- "Url": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-the-allowed-sender-domains?view=o365-worldwide"
+ "Text": "- Keep `AllowedSenderDomains` empty.\n- Use narrowly scoped allow logic that requires authentication alignment and additional conditions (sender, IP, headers).\n- Make any exceptions temporary and reviewed.\n\nApply **least privilege** and **defense in depth** to email trust decisions.",
+ "Url": "https://hub.prowler.com/check/defender_antispam_policy_inbound_no_allowed_domains"
 }
 },
 "Categories": [
+ "email-security",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/defender/defender_chat_report_policy_configured/defender_chat_report_policy_configured.metadata.json b/prowler/providers/m365/services/defender/defender_chat_report_policy_configured/defender_chat_report_policy_configured.metadata.json
index c350874861..ca9b5338a8 100644
--- a/prowler/providers/m365/services/defender/defender_chat_report_policy_configured/defender_chat_report_policy_configured.metadata.json
+++ b/prowler/providers/m365/services/defender/defender_chat_report_policy_configured/defender_chat_report_policy_configured.metadata.json
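Review bot: The new `"Recommendation.Text"` tells the reader to "use narrowly scoped allow logic that requires authentication alignment and additional conditions (sender, IP, headers)" without naming where that logic lives, whereas the safe-list file in this same commit points to the Tenant Allow/Block List; naming the mechanism consistently, e.g. `- Prefer the Tenant Allow/Block List or a scoped mail flow rule over AllowedSenderDomains, and require SPF/DKIM/DMARC alignment for any exception`, turns the bullet into an actionable alternative. The AdditionalURLs list mixes a YouTube video and several personal blogs with the Microsoft Learn pages; the vendor pages are the ones that document the SCL `-1` behaviour cited in Risk, so they should come first or stand alone. The Description is the only one in this commit that uses a `\n\n` paragraph break; the sibling files write Description as a single paragraph, so matching that keeps the metadata set uniform.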
@@ -1,29 +1,34 @@
 {
   "Provider": "m365",
   "CheckID": "defender_chat_report_policy_configured",
-  "CheckTitle": "Ensure chat report submission policy is properly configured in Defender",
+  "CheckTitle": "Defender report submission policy uses customized addresses for junk, not junk and phish, and chat reports are sent only to a customized address",
   "CheckType": [],
   "ServiceName": "defender",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "medium",
-  "ResourceType": "Defender Report Submission Policy",
-  "Description": "Ensure Defender report submission policy is properly configured to use customized addresses and enable chat message reporting to customized addresses, while disabling report chat message to Microsoft.",
-  "Risk": "If Defender report submission policy is not properly configured, reported messages from Teams may not be handled or routed correctly, reducing the organization's ability to respond to threats.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/defender-office-365/submissions-teams?view=o365-worldwide",
+  "ResourceType": "",
+  "Description": "**Defender for Office 365** user-reported settings ensure `junk`, `not-junk`, and `phish` reports are sent to **customized addresses** with valid destinations, and that **Teams chat reports** route to customized addresses while direct chat reporting to Microsoft is disabled.",
+  "Risk": "Misrouted or disabled user reports reduce **visibility** into Teams threats, delaying containment. Attackers can keep distributing **phishing links** or **malicious files**, causing credential theft (**confidentiality**), message manipulation (**integrity**), and channel disruption from ongoing spam (**availability**).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/defender-office-365/submissions-teams?view=o365-worldwide",
+    "https://security.microsoft.com/)."
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy -EnableReportToMicrosoft $false -ReportChatMessageEnabled $false -ReportChatMessageToCustomizedAddressEnabled $true -ReportJunkToCustomizedAddress $true -ReportNotJunkToCustomizedAddress $true -ReportPhishToCustomizedAddress $true -ReportJunkAddresses $usersub -ReportNotJunkAddresses $usersub -ReportPhishAddresses $usersub",
+      "CLI": "Set-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy -ReportJunkToCustomizedAddress $true -ReportNotJunkToCustomizedAddress $true -ReportPhishToCustomizedAddress $true -ReportJunkAddresses -ReportNotJunkAddresses -ReportPhishAddresses -ReportChatMessageEnabled $false -ReportChatMessageToCustomizedAddressEnabled $true",
       "NativeIaC": "",
-      "Other": "1. Navigate to Microsoft 365 Defender (https://security.microsoft.com/). 2. Click on Settings > Email & collaboration > User reported settings. 3. Scroll to Microsoft Teams section. 4. Ensure Monitor reported messages in Microsoft Teams is checked. 5. Ensure Send reported messages to: is set to My reporting mailbox only with report email addresses defined for authorized staff.",
+      "Other": "1. Go to Microsoft 365 Defender: https://security.microsoft.com\n2. Navigate to Settings > Email & collaboration > User reported settings\n3. In Reported message destinations (Outlook):\n - Turn on Send Junk to a customized address and enter \n - Turn on Send Not junk to a customized address and enter \n - Turn on Send Phish to a customized address and enter \n4. In Microsoft Teams section:\n - Turn off Monitor reported messages in Microsoft Teams\n - Turn on Send reported Teams messages to a customized address",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Configure Defender report submission policy to use customized addresses and enable chat message reporting to customized addresses, while disabling report chat message to Microsoft.",
-      "Url": "https://learn.microsoft.com/en-us/defender-office-365/submissions-teams?view=o365-worldwide"
+      "Text": "Send all user-reported `junk`, `not-junk`, and `phish` to monitored **custom mailboxes** and enable **Teams chat reporting** to those addresses, keeping direct chat submissions to Microsoft disabled. Apply **least privilege** to reviewer access, establish a **triage workflow**, and integrate alerts for **defense in depth**.",
+      "Url": "https://hub.prowler.com/check/defender_chat_report_policy_configured"
     }
   },
   "Categories": [
+    "email-security",
     "e3"
   ],
   "DependsOn": [],
diff --git a/prowler/providers/m365/services/defender/defender_domain_dkim_enabled/defender_domain_dkim_enabled.metadata.json b/prowler/providers/m365/services/defender/defender_domain_dkim_enabled/defender_domain_dkim_enabled.metadata.json
index 160c950d78..441e7c9822 100644
--- a/prowler/providers/m365/services/defender/defender_domain_dkim_enabled/defender_domain_dkim_enabled.metadata.json
+++ b/prowler/providers/m365/services/defender/defender_domain_dkim_enabled/defender_domain_dkim_enabled.metadata.json
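Review bot: Step 4 of the new `Other` text turns off "Monitor reported messages in Microsoft Teams", which contradicts the Description and Recommendation in this same hunk (Teams chat reports are supposed to reach the customized address) and the removed text, which kept that option checked and set "Send reported messages to" to "My reporting mailbox only". I cannot confirm the portal-to-cmdlet mapping from here, but the CLI's `-ReportChatMessageEnabled $false` together with `-ReportChatMessageToCustomizedAddressEnabled $true` reads as "my reporting mailbox only", so I would change the bullets to `- Keep Monitor reported messages in Microsoft Teams checked\n - Set Send reported messages to: My reporting mailbox only`. The new `CLI` passes `-ReportJunkAddresses -ReportNotJunkAddresses -ReportPhishAddresses` with no values and the Outlook bullets end in "and enter " with no address; if placeholders were stripped in rendering they need to come back, otherwise PowerShell fails to bind those parameters. `"https://security.microsoft.com/)."` in `AdditionalURLs` is a malformed URL carrying trailing punctuation and should be `https://security.microsoft.com/` or dropped.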
@@ -1,29 +1,41 @@
 {
   "Provider": "m365",
   "CheckID": "defender_domain_dkim_enabled",
-  "CheckTitle": "Ensure that DKIM is enabled for all Exchange Online Domains",
+  "CheckTitle": "Exchange Online domain has DKIM enabled",
   "CheckType": [],
   "ServiceName": "defender",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
   "Severity": "high",
-  "ResourceType": "Exchange Online Domain",
-  "Description": "This check ensures that DomainKeys Identified Mail (DKIM) is enabled for all Exchange Online domains. DKIM is a crucial authentication method that, along with SPF and DMARC, helps prevent attackers from sending spoofed emails that appear to originate from your domain. By adding a digital signature to outbound emails, DKIM allows receiving email systems to verify the legitimacy of incoming messages.",
-  "Risk": "If DKIM is not enabled, attackers may send spoofed emails that appear to originate from your domain, potentially leading to phishing attacks and damage to your domain's reputation.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide",
+  "ResourceType": "",
+  "Description": "**Exchange Online domains** use **DKIM signing** for outbound mail. This evaluates each domain to confirm an active DKIM configuration so messages include a verifiable signature via the domain's DKIM selectors.",
+  "Risk": "Without **DKIM**, recipients can't verify sender authenticity, enabling **domain spoofing** and **BEC phishing**.\n\nAttackers can impersonate trusted mail to steal credentials, deliver malware, and pivot internally, impacting **confidentiality** and **integrity**. Messages may also fail **DMARC** alignment, reducing deliverability and trust.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://www.tenable.com/audits/items/CIS_Microsoft_365_v1.4.0_E3_Level_1.audit:2555af4ce33dad1aeec6eb0988662416",
+    "https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/set-dkimsigningconfig?view=exchange-ps",
+    "https://github.com/MicrosoftDocs/office-docs-powershell/blob/main/exchange/exchange-ps/exchange/New-DkimSigningConfig.md",
+    "https://learn.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps",
+    "https://danielchronlund.com/2020/04/29/quickly-check-and-manage-your-exchange-online-dns-records-for-spf-dkim-and-dmarc-with-powershell/",
+    "https://www.lunavi.com/blog/enable-dkim-in-exchange-online-protection",
+    "https://www.alitajran.com/configure-dkim-record-for-office-365/",
+    "https://security.microsoft.com/.",
+    "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email?view=o365-worldwide"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "Set-DkimSigningConfig -Identity -Enabled $True",
+      "CLI": "Set-DkimSigningConfig -Identity -Enabled $true",
       "NativeIaC": "",
-      "Other": "1. After DNS records are created, enable DKIM signing in Microsoft 365 Defender. 2. Navigate to Microsoft 365 Defender at https://security.microsoft.com/. 3. Go to Email & collaboration > Policies & rules > Threat policies. 4. Under Rules, select Email authentication settings. 5. Choose DKIM, click on each domain, and enable 'Sign messages for this domain with DKIM signature'.",
+      "Other": "1. Sign in to Microsoft 365 Defender: https://security.microsoft.com\n2. Go to Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM\n3. Select the domain and enable \"Sign messages for this domain with DKIM signatures\"\n4. If prompted for CNAMEs, publish the two records shown at your DNS provider, wait for DNS to update, then return and enable in step 3",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Enable DKIM for all your Exchange Online domains to ensure emails are cryptographically signed and to protect against email spoofing.",
-      "Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps"
+      "Text": "- Enable **DKIM signing** for all sending domains and subdomains\n- Combine with **SPF** and **DMARC** to enforce alignment (defense in depth)\n- Apply **least privilege** to mail auth settings\n- Rotate DKIM keys regularly and monitor authentication results to detect anomalies",
+      "Url": "https://hub.prowler.com/check/defender_domain_dkim_enabled"
     }
   },
   "Categories": [
+    "email-security",
     "e3"
   ],
   "DependsOn": [],
diff --git a/prowler/providers/m365/services/defender/defender_malware_policy_common_attachments_filter_enabled/defender_malware_policy_common_attachments_filter_enabled.metadata.json b/prowler/providers/m365/services/defender/defender_malware_policy_common_attachments_filter_enabled/defender_malware_policy_common_attachments_filter_enabled.metadata.json
index 64ac779872..7eb418e323 100644
--- a/prowler/providers/m365/services/defender/defender_malware_policy_common_attachments_filter_enabled/defender_malware_policy_common_attachments_filter_enabled.metadata.json
+++ b/prowler/providers/m365/services/defender/defender_malware_policy_common_attachments_filter_enabled/defender_malware_policy_common_attachments_filter_enabled.metadata.json
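Review bot: `AdditionalURLs` now carries `"https://security.microsoft.com/."`, a malformed entry with trailing punctuation, and lists the Set-DkimSigningConfig reference twice under the `exchange` and `exchangepowershell` module paths; drop the broken entry and one of the duplicates. The `CLI` reads `Set-DkimSigningConfig -Identity -Enabled $true` with no domain argument, which may be a placeholder lost in rendering, but as printed it is not runnable and should show a concrete form such as `Set-DkimSigningConfig -Identity contoso.com -Enabled $true`. The Recommendation's "rotate DKIM keys regularly" would be more actionable naming the supported cmdlet, `Rotate-DkimSigningConfig -Identity contoso.com -KeySize 2048`, since ad-hoc rotation is where admins break signing. Because the Description says the check confirms the DKIM configuration is active, `Other` should also say that enabling fails until both selector CNAMEs resolve publicly, so a FAIL right after remediation usually means DNS has not propagated yet.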
@@ -1,29 +1,41 @@
 {
   "Provider": "m365",
   "CheckID": "defender_malware_policy_common_attachments_filter_enabled",
-  "CheckTitle": "Ensure the Common Attachment Types Filter is enabled.",
+  "CheckTitle": "Defender malware policy has Common Attachment Types Filter enabled",
   "CheckType": [],
   "ServiceName": "defender",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "critical",
-  "ResourceType": "Defender Malware Policy",
-  "Description": "Ensure that the Common Attachment Types Filter is enabled in anti-malware policies to block known and custom malicious file types from being attached to emails.",
-  "Risk": "If this setting is not enabled, users may receive emails with malicious attachments that could contain malware, increasing the risk of endpoint infection or data compromise.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/defender-office-365/anti-malware-policies-configure?view=o365-worldwide",
+  "Severity": "high",
+  "ResourceType": "",
+  "Description": "**Defender for Office 365 anti-malware policies** use the **Common Attachment Types Filter** to block risky file formats regardless of extension. The evaluation checks whether this filter is enabled across default and custom policies and considers policy precedence that could override or bypass the protection.",
+  "Risk": "Without consistent **attachment type blocking**, malicious `exe`, `js`, `iso`, or `zip` payloads can reach users, enabling code execution and phishing kits.\n- Confidentiality: data exfiltration\n- Integrity: credential theft/tampering\n- Availability: ransomware\n\nPolicy scope/priority gaps can leave specific users unprotected.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/common-attachment-blocking-scenarios",
+    "https://petri.com/microsoft-changelog/anti-malware-policy-common-attachment-filter-additional-file-types-block-by-default/",
+    "https://www.quixtec.com/updated-antimalware-default-policy-common-attachment-filter-settings-updates/",
+    "https://o365info.com/block-email-attachment-microsoft-365/",
+    "https://learn.microsoft.com/en-us/powershell/module/exchange/set-malwarefilterpolicy?view=exchange-ps",
+    "https://security.microsoft.com.",
+    "https://learn.microsoft.com/en-us/defender-office-365/anti-malware-policies-configure?view=o365-worldwide",
+    "https://blog.ciaops.com/2025/09/04/configuring-robust-anti-malware-policies-in-exchange-online-protection-eop-with-enhancements-from-microsoft-defender-for-office-365-mdo/",
+    "https://activedirectorypro.com/block-dangerous-file-attachments-in-exchange-online/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true",
+      "CLI": "Set-MalwareFilterPolicy -Identity -EnableFileFilter $true",
       "NativeIaC": "",
-      "Other": "1. Navigate to Microsoft 365 Defender https://security.microsoft.com. 2. Click to expand Email & collaboration and select Policies & rules. 3. On the Policies & rules page select Threat policies. 4. Under Policies, select Anti-malware and click on the Default (Default) policy. 5. On the policy page, scroll to the bottom and click Edit protection settings. 6. Check the option Enable the common attachments filter. 7. Click Save.",
+      "Other": "1. Sign in to Microsoft 365 Defender: https://security.microsoft.com\n2. Go to Email & collaboration > Policies & rules > Threat policies > Anti-malware\n3. Open the failing anti-malware policy (e.g., Default or the named custom policy)\n4. Click Edit protection settings\n5. Enable \"Enable the common attachments filter\"\n6. Click Save",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Enable the common attachment types filter in your default or custom anti-malware policy to prevent the delivery of emails with potentially dangerous attachments.",
-      "Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-malwarefilterpolicy?view=exchange-ps"
+      "Text": "Enable the **Common Attachment Types Filter** in all applicable anti-malware policies and choose a strict action (e.g., `Quarantine` or `Reject`).\n- Block high-risk formats; review the list regularly\n- Align policy precedence to cover every recipient\n- Use defense-in-depth: **Safe Attachments**, **Safe Links**, **ZAP**; apply **least privilege** to file types",
+      "Url": "https://hub.prowler.com/check/defender_malware_policy_common_attachments_filter_enabled"
     }
   },
   "Categories": [
+    "email-security",
     "e3"
   ],
   "DependsOn": [],
diff --git a/prowler/providers/m365/services/defender/defender_malware_policy_comprehensive_attachments_filter_applied/defender_malware_policy_comprehensive_attachments_filter_applied.metadata.json b/prowler/providers/m365/services/defender/defender_malware_policy_comprehensive_attachments_filter_applied/defender_malware_policy_comprehensive_attachments_filter_applied.metadata.json
index f9433c414c..bdb3960c98 100644
--- a/prowler/providers/m365/services/defender/defender_malware_policy_comprehensive_attachments_filter_applied/defender_malware_policy_comprehensive_attachments_filter_applied.metadata.json
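Review bot: The Recommendation asks for a strict action (`Quarantine` or `Reject`) but neither the `CLI` nor the `Other` steps set one; add `-FileTypeAction Quarantine` to the `Set-MalwareFilterPolicy` call (and name the "When these file types are found" action in the portal steps) so the remediation matches the advice. The `CLI` also lost its policy name — `Set-MalwareFilterPolicy -Identity -EnableFileFilter $true` — which may be a rendering artifact, but as printed it is not runnable, whereas the removed line's `-Identity Default` was. `"https://security.microsoft.com."` in `AdditionalURLs` is a malformed URL with trailing punctuation. "apply least privilege to file types" in the Recommendation says nothing concrete; I would replace it with "block every format with no business need and justify each exception".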
+++ b/prowler/providers/m365/services/defender/defender_malware_policy_comprehensive_attachments_filter_applied/defender_malware_policy_comprehensive_attachments_filter_applied.metadata.json
@@ -1,29 +1,41 @@
 {
   "Provider": "m365",
   "CheckID": "defender_malware_policy_comprehensive_attachments_filter_applied",
-  "CheckTitle": "Ensure the Common Attachment Types Filter is enabled and applied in a comprehensive way",
+  "CheckTitle": "Defender anti-malware policy has Common Attachment Types Filter enabled and blocks all recommended file types",
   "CheckType": [],
   "ServiceName": "defender",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "medium",
-  "ResourceType": "Defender Malware Policy",
-  "Description": "Ensure that the Common Attachment Types Filter is enabled in all enabled anti-malware policies in a Comprehensive way to block known and custom malicious file types from being attached to emails. This means that the file types that the filter blocks are checked by the organization, by default all the default file types from M365 defender should be blocked but you can change that with the config file.",
-  "Risk": "If this setting or the policy is not enabled, users may receive emails with malicious attachments that could contain malware, increasing the risk of endpoint infection or data compromise.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about?view=o365-worldwide#common-attachments-filter-in-anti-malware-policies",
+  "Severity": "high",
+  "ResourceType": "",
+  "Description": "**Microsoft Defender anti-malware policies** use the **Common Attachment Types Filter** to block a comprehensive set of risky file extensions. It evaluates whether the filter is enabled and all recommended types are blocked across the default policy and any enabled custom policies, considering scope and precedence.",
+  "Risk": "Missing or partial blocking of dangerous extensions lets **malicious attachments** reach users, enabling code execution, malware staging, and credential theft. Mis-scoped custom policies can override safer defaults, risking **confidentiality** via data exfiltration and **availability** through ransomware and lateral movement.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/defender-office-365/anti-malware-policies-configure",
+    "https://www.undocumented-features.com/2019/08/13/exchange-online-protection-eop-best-practices-and-recommendations/",
+    "https://m365admin.handsontek.net/anti-malware-policy-common-attachment-filter-additional-file-types-block-by-default/",
+    "https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about?view=o365-worldwide#common-attachments-filter-in-anti-malware-policies",
+    "https://o365info.com/block-email-attachment-microsoft-365/",
+    "https://learn.microsoft.com/en-us/powershell/module/exchange/set-malwarefilterpolicy?view=exchange-ps",
+    "https://security.microsoft.com.",
+    "https://video2.skills-academy.com/en-us/exchange/security-and-compliance/mail-flow-rules/common-attachment-blocking-scenarios?source=recommendations",
+    "https://activedirectorypro.com/block-dangerous-file-attachments-in-exchange-online/"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "$Policy = @{Name = 'CIS L2 Attachment Policy'; EnableFileFilter = $true; }; $L2Extensions = @('ace','ani','apk','app','appx','arj','bat','cab','cmd','com','deb','dex','dll','docm','elf','exe','hta','img','iso','jar','jnlp','kext','lha','lib','library','lnk','lzh','macho','msc','msi','msix','msp','mst','pif','ppa','ppam','reg','rev','scf','scr','sct','sys','uif','vb','vbe','vbs','vxd','wsc','wsf','wsh','xll','xz','z'); New-MalwareFilterPolicy @Policy -FileTypes $L2Extensions; $Rule = @{Name = $Policy.Name; Enabled = $false; MalwareFilterPolicy = $Policy.Name; Priority = 0}; New-MalwareFilterRule @Rule",
+      "CLI": "Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes ace,ani,apk,app,appx,arj,bat,cab,cmd,com,deb,dex,dll,docm,elf,exe,hta,img,iso,jar,jnlp,kext,lha,lib,library,lnk,lzh,macho,msc,msi,msix,msp,mst,pif,ppa,ppam,reg,rev,scf,scr,sct,sys,uif,vb,vbe,vbs,vxd,wsc,wsf,wsh,xll,xz,z",
       "NativeIaC": "",
-      "Other": "1. Navigate to Microsoft 365 Defender https://security.microsoft.com. 2. Click to expand Email & collaboration and select Policies & rules. 3. On the Policies & rules page select Threat policies. 4. Under Policies, select Anti-malware and click on the Default (Default) policy. 5. On the policy page, scroll to the bottom and click Edit protection settings. 6. Check the option Enable the common attachments filter. 7. Click on select file types and select the file types you want to block. 8. Click Save. 9. Ensure the status of the policy is On",
+      "Other": "1. Go to Microsoft 365 Defender: https://security.microsoft.com\n2. Navigate to Email & collaboration > Policies & rules > Threat policies > Anti-malware\n3. Open Default (Default) policy and select Edit protection settings\n4. Enable \"Enable the common attachments filter\"\n5. Select file types and ensure ALL of these are selected: ace, ani, apk, app, appx, arj, bat, cab, cmd, com, deb, dex, dll, docm, elf, exe, hta, img, iso, jar, jnlp, kext, lha, lib, library, lnk, lzh, macho, msc, msi, msix, msp, mst, pif, ppa, ppam, reg, rev, scf, scr, sct, sys, uif, vb, vbe, vbs, vxd, wsc, wsf, wsh, xll, xz, z\n6. Save",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Enable the common attachment types filter in your default or custom anti-malware policy to prevent the delivery of emails with potentially dangerous attachments.",
-      "Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-malwarefilterpolicy?view=exchange-ps"
+      "Text": "Enable and enforce the **Common Attachment Types Filter** in all anti-malware policies and block the full recommended set. Align custom policy scope and priority to avoid weakening coverage. Apply **least privilege** to exceptions, prefer quarantine, and regularly review/expand blocked types. Use ZAP and monitoring for **defense-in-depth**.",
+      "Url": "https://hub.prowler.com/check/defender_malware_policy_comprehensive_attachments_filter_applied"
     }
   },
   "Categories": [
+    "email-security",
     "e3"
   ],
   "DependsOn": [],
diff --git a/prowler/providers/m365/services/defender/defender_malware_policy_notifications_internal_users_malware_enabled/defender_malware_policy_notifications_internal_users_malware_enabled.metadata.json b/prowler/providers/m365/services/defender/defender_malware_policy_notifications_internal_users_malware_enabled/defender_malware_policy_notifications_internal_users_malware_enabled.metadata.json
index 92ff9a7439..6c4272a9a7 100644
--- a/prowler/providers/m365/services/defender/defender_malware_policy_notifications_internal_users_malware_enabled/defender_malware_policy_notifications_internal_users_malware_enabled.metadata.json
+++ b/prowler/providers/m365/services/defender/defender_malware_policy_notifications_internal_users_malware_enabled/defender_malware_policy_notifications_internal_users_malware_enabled.metadata.json
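Review bot: `-FileTypes ace,…,z` on `Set-MalwareFilterPolicy` replaces the policy's current list rather than extending it, so running the new `CLI` against a tenant that already blocks additional types silently removes them; merge instead, e.g. `$cur = (Get-MalwareFilterPolicy -Identity Default).FileTypes; Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -FileTypes (($cur + $required) | Select-Object -Unique)` with `$required` holding the list already in the hunk. The `Other` steps touch only the Default policy, yet the Description says enabled custom policies are evaluated with scope and precedence; add "Repeat for every enabled custom anti-malware policy, since a higher-priority policy overrides Default for its recipients". The removed Description said the expected list can be changed in the Prowler config file; anyone triaging a FAIL needs that, so carry it into the new Description. `"https://security.microsoft.com."` in `AdditionalURLs` is a malformed URL with trailing punctuation.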
@@ -1,29 +1,34 @@
 {
   "Provider": "m365",
   "CheckID": "defender_malware_policy_notifications_internal_users_malware_enabled",
-  "CheckTitle": "Ensure notifications for internal users sending malware is Enabled",
+  "CheckTitle": "Defender anti-malware policy has admin notifications enabled for internal users sending malware",
   "CheckType": [],
   "ServiceName": "defender",
   "SubServiceName": "",
   "ResourceIdTemplate": "",
-  "Severity": "high",
-  "ResourceType": "Defender Malware Policy",
-  "Description": "Verify that Exchange Online Protection (EOP) is configured to notify admins of malicious activity from internal users.",
-  "Risk": "If notifications for internal users sending malware are not enabled, administrators may not be aware of potential threats originating from within the organization, increasing the risk of undetected malicious activities.",
-  "RelatedUrl": "https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about",
+  "Severity": "medium",
+  "ResourceType": "",
+  "Description": "**Defender anti-malware policies** are checked for **admin notifications** on malware detected from **internal senders**, ensuring a valid notification address is defined (`EnableInternalSenderAdminNotifications` and `InternalSenderAdminAddress`).\n\n*Effective settings across default and custom policies are considered.*",
+  "Risk": "Without these notifications, malware sent from internal accounts can persist unnoticed, delaying response and containment. This undermines **integrity** of email, enables **lateral movement** and **outbound propagation**, and can cause **domain reputation** damage and blocklisting, affecting **availability**.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://learn.microsoft.com/en-us/powershell/module/exchange/set-malwarefilterpolicy?view=exchange-ps",
+    "https://learn.microsoft.com/en-us/defender-office-365/anti-malware-protection-about"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "Set-MalwareFilterPolicy -Identity Default -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress 'admin@example.com'",
+      "CLI": "Set-MalwareFilterPolicy -Identity Default -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress \"\"",
       "NativeIaC": "",
-      "Other": "1. Connect to Exchange Online using Connect-ExchangeOnline. 2. Execute the command: Get-MalwareFilterPolicy | fl Identity, EnableInternalSenderAdminNotifications, InternalSenderAdminAddress. 3. Ensure 'Notify an admin about undelivered messages from internal senders' is set to On and that at least one email address is listed under Administrator email address.",
+      "Other": "1. In the Microsoft Defender portal (security.microsoft.com), go to Email & collaboration > Policies & rules > Threat policies > Anti-malware\n2. Select the affected policy (e.g., Default) and click Edit policy\n3. Open Notifications\n4. Turn on \"Notify an admin about undelivered messages from internal senders\"\n5. Add at least one Administrator email address\n6. Save",
       "Terraform": ""
     },
     "Recommendation": {
-      "Text": "Enable notifications for internal users sending malware in your Defender Malware Policy to ensure admins are alerted of potential threats.",
-      "Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-malwarefilterpolicy?view=exchange-ps"
+      "Text": "Enable and maintain admin alerts for internal-sender malware and route to a monitored mailbox or SOC list (`EnableInternalSenderAdminNotifications` and `InternalSenderAdminAddress`).\n\nEnsure coverage via policy precedence, integrate with SIEM, and apply **least privilege** and **defense in depth** to limit impact.",
+      "Url": "https://hub.prowler.com/check/defender_malware_policy_notifications_internal_users_malware_enabled"
     }
   },
   "Categories": [
+    "email-security",
     "e3"
   ],
   "DependsOn": [],
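Review bot: The new `CLI` passes `-InternalSenderAdminAddress \"\"` while turning the notification on; if an example address was lost in rendering it should be restored (the removed line had `'admin@example.com'`), otherwise the command either errors or leaves the policy in exactly the state this check flags. Both the `CLI` and `Other` target only the Default policy, but the Description says effective settings across custom policies are considered; add "Repeat for each custom anti-malware policy, which takes precedence over Default for its recipients". The Recommendation's "monitored mailbox or SOC list" deserves one sentence in `Other` as well: the check can presumably only see that an address is set, not that anyone reads it, so use a team-owned shared mailbox or distribution group that survives staff turnover rather than an individual's address.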