diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index 20a6cca48a..442c25efc3 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
 - Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
 - Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
+- Update M365 Exchange service metadata to new format [(#9683)](https://github.com/prowler-cloud/prowler/pull/9683)
+
 ---
diff --git a/prowler/providers/m365/services/exchange/exchange_external_email_tagging_enabled/exchange_external_email_tagging_enabled.metadata.json b/prowler/providers/m365/services/exchange/exchange_external_email_tagging_enabled/exchange_external_email_tagging_enabled.metadata.json
index 04dd408be2..1b2f31c4a0 100644
--- a/prowler/providers/m365/services/exchange/exchange_external_email_tagging_enabled/exchange_external_email_tagging_enabled.metadata.json
+++ b/prowler/providers/m365/services/exchange/exchange_external_email_tagging_enabled/exchange_external_email_tagging_enabled.metadata.json
@@ -1,29 +1,37 @@
 {
 "Provider": "m365",
 "CheckID": "exchange_external_email_tagging_enabled",
- "CheckTitle": "Ensure email from external senders is identified.",
+ "CheckTitle": "Exchange identity has external sender tagging enabled",
 "CheckType": [],
 "ServiceName": "exchange",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "Exchange External Mail Tagging",
- "Description": "Ensure that emails from external senders are identified using the native External tag experience in Outlook clients, which helps users recognize messages originating outside the organization.",
- "Risk": "If external email tagging is not enabled, users may be unable to quickly identify emails coming from outside the organization, increasing the risk of phishing or social engineering attacks.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-externalinoutlook?view=exchange-ps",
+ "ResourceType": "",
+ "Description": "**Exchange Online** uses native external sender identification so supported Outlook clients display an `External` tag on messages originating outside the organization.",
+ "Risk": "Without the native tag, users lose a clear signal that a message is from outside the tenant, increasing susceptibility to **phishing**, **BEC**, and credential theft. This raises risks to **confidentiality** (exfiltration) and **integrity** (fraudulent approvals) via social engineering and reply-chain attacks.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://www.vansurksum.com/2021/03/12/enable-external-sender-identification-in-exchange-online/",
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/set-externalinoutlook?view=exchange-ps",
+ "https://www.meetingroom365.com/blog/set-externaiinoutlook-powershell/",
+ "https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098",
+ "https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/set-externalinoutlook?view=exchange-ps"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "Set-ExternalInOutlook -Enabled $true",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Sign in to the Exchange admin center: https://admin.exchange.microsoft.com\n2. Navigate to Mail flow > External tagging\n3. Turn on Enable external tagging in Outlook\n4. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Enable the External tag for Outlook to help users visually identify emails from outside the organization.",
- "Url": "https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098"
+ "Text": "Enable native external sender identification and prefer it over subject-line modifications. Apply **defense in depth**: enforce **anti-phishing** protections, validate senders with SPF/DKIM/DMARC, and deliver user training. *Use exceptions sparingly* for trusted domains to reduce noise while preserving **least privilege** in communication paths.",
+ "Url": "https://hub.prowler.com/check/exchange_external_email_tagging_enabled"
 }
 },
 "Categories": [
+ "email-security",
 "e3"
 ],
 "DependsOn": [],
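Review bot: The new `AdditionalURLs` list references the same Set-ExternalInOutlook cmdlet page twice (once under the `exchange` module path, once under `exchangepowershell`) and pads the list with two third-party blog posts, which adds link-rot exposure without adding authority. I would keep one Microsoft Learn cmdlet link plus the Exchange Team blog post and drop the rest. Separately, the new Recommendation tells admins to `*Use exceptions sparingly* for trusted domains` but neither the `CLI` string nor the portal steps say where such exceptions are configured; a short pointer such as `(trusted domains are configured with the -AllowList parameter of Set-ExternalInOutlook)` would make that guidance actionable.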
diff --git a/prowler/providers/m365/services/exchange/exchange_mailbox_audit_bypass_disabled/exchange_mailbox_audit_bypass_disabled.metadata.json b/prowler/providers/m365/services/exchange/exchange_mailbox_audit_bypass_disabled/exchange_mailbox_audit_bypass_disabled.metadata.json
index e25451be52..b32ee7ed8b 100644
--- a/prowler/providers/m365/services/exchange/exchange_mailbox_audit_bypass_disabled/exchange_mailbox_audit_bypass_disabled.metadata.json
+++ b/prowler/providers/m365/services/exchange/exchange_mailbox_audit_bypass_disabled/exchange_mailbox_audit_bypass_disabled.metadata.json
@@ -1,29 +1,35 @@
 {
 "Provider": "m365",
 "CheckID": "exchange_mailbox_audit_bypass_disabled",
- "CheckTitle": "Ensure 'AuditBypassEnabled' is not enabled on any mailbox in the organization.",
+ "CheckTitle": "Exchange mailbox has AuditBypassEnabled disabled",
 "CheckType": [],
 "ServiceName": "exchange",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "Exchange Mailboxes",
- "Description": "Ensure that no mailboxes in the organization have 'AuditBypassEnabled' set to true. This setting prevents mailbox audit logging and can allow unauthorized access without traceability.",
- "Risk": "If 'AuditBypassEnabled' is set to true for any mailbox, access to those mailboxes won't be logged, creating a blind spot in forensic analysis and increasing the risk of undetected malicious activity.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/exchange/get-mailboxauditbypassassociation?view=exchange-ps",
+ "ResourceType": "",
+ "Description": "**Exchange mailboxes** are evaluated for **audit logging bypass** by reviewing the `AuditBypassEnabled` setting and identifying mailboxes where auditing can be circumvented.",
+ "Risk": "**Bypassed mailbox auditing** removes visibility into access and actions, weakening detective controls. Covert data exfiltration, inbox-rule abuse, and persistence become harder to spot, harming **confidentiality** and **integrity** and impeding **forensics**.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/get-mailboxauditbypassassociation?view=exchange-ps",
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "$MBXAudit = Get-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object { $_.AuditBypassEnabled -eq $true }; foreach ($mailbox in $MBXAudit) { $mailboxName = $mailbox.Name; Set-MailboxAuditBypassAssociation -Identity $mailboxName -AuditBypassEnabled $false; Write-Host \"Audit Bypass disabled for mailbox Identity: $mailboxName\" -ForegroundColor Green }",
+ "CLI": "Get-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object {$_.AuditBypassEnabled} | ForEach-Object { Set-MailboxAuditBypassAssociation -Identity $_.Identity -AuditBypassEnabled $false }",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Open PowerShell and connect to Exchange Online: Connect-ExchangeOnline\n2. Run:\n```\nGet-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object {$_.AuditBypassEnabled} | ForEach-Object { Set-MailboxAuditBypassAssociation -Identity $_.Identity -AuditBypassEnabled $false }\n```",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Ensure that no mailboxes have 'AuditBypassEnabled' enabled to guarantee full audit logging for all mailbox activities.",
- "Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps"
+ "Text": "Disable audit bypass by keeping `AuditBypassEnabled` set to `false` for all accounts. Apply **least privilege** to service identities, use dedicated accounts for automation, and monitor for bypass associations with alerts. Enforce **separation of duties** and preserve tamper-resistant audit logs.",
+ "Url": "https://hub.prowler.com/check/exchange_mailbox_audit_bypass_disabled"
 }
 },
 "Categories": [
+ "logging",
+ "forensics-ready",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/exchange/exchange_mailbox_policy_additional_storage_restricted/exchange_mailbox_policy_additional_storage_restricted.metadata.json b/prowler/providers/m365/services/exchange/exchange_mailbox_policy_additional_storage_restricted/exchange_mailbox_policy_additional_storage_restricted.metadata.json
index 3f4edb187d..ccf5b29ca9 100644
--- a/prowler/providers/m365/services/exchange/exchange_mailbox_policy_additional_storage_restricted/exchange_mailbox_policy_additional_storage_restricted.metadata.json
+++ b/prowler/providers/m365/services/exchange/exchange_mailbox_policy_additional_storage_restricted/exchange_mailbox_policy_additional_storage_restricted.metadata.json
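Review bot: The new `CLI` string and the fenced command inside `Other` clear the bypass from every mailbox that has it in one pass, with no review step, even though the Recommendation in the same hunk acknowledges that bypass associations are typically created for service identities. A blanket reset may be re-applied by whoever created them or may flood the audit log with noisy service traffic, so I would add a listing step before the change, e.g. `1. Review current associations: Get-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object {$_.AuditBypassEnabled}`, make the reset step 2, and state that any bypass intentionally kept must be documented and alerted on. Minor: the triple-backtick fence embedded in the `Other` JSON string is a rendering convention no other file in this commit uses; the sibling checks inline commands as plain numbered steps.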
@@ -1,30 +1,34 @@
 {
 "Provider": "m365",
 "CheckID": "exchange_mailbox_policy_additional_storage_restricted",
- "CheckTitle": "Ensure additional storage providers are restricted in Outlook on the web.",
+ "CheckTitle": "Exchange mailbox policy has additional storage providers disabled",
 "CheckType": [],
 "ServiceName": "exchange",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "Exchange Mailboxes Policy",
- "Description": "Restrict the availability of additional storage providers (e.g., Box, Dropbox, Google Drive) in Outlook on the web to prevent users from accessing external storage services through the OWA interface.",
- "Risk": "Allowing users to access third-party storage providers from Outlook on the web increases the risk of data exfiltration and exposure to untrusted content or malware.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-owamailboxpolicy?view=exchange-ps",
+ "ResourceType": "",
+ "Description": "**Outlook on the web mailbox policy** governs access to **additional storage providers** (e.g., Box, Dropbox, Google Drive, personal OneDrive). The finding evaluates whether these third-party file integrations are disabled via `AdditionalStorageProvidersAvailable=false`.",
+ "Risk": "Enabling third-party storage in OWA weakens:\n- **Confidentiality**: data can leave the tenant to unmanaged clouds\n- **Integrity**: external links can deliver or reference malicious/tampered files\n- **Visibility/Compliance**: M365 DLP and audit may not fully apply, enabling undetected exfiltration",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/set-owamailboxpolicy?view=exchange-ps"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Sign in to the Exchange admin center (https://admin.exchange.microsoft.com)\n2. Open Classic Exchange admin center (left pane)\n3. Go to Permissions > Outlook Web App policies\n4. Edit OwaMailboxPolicy-Default\n5. In Features, set \"Additional storage providers\" to Off\n6. Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Disable access to additional storage providers in Outlook on the web to reduce the risk of data leakage.",
- "Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-owamailboxpolicy?view=exchange-ps"
+ "Text": "Block third-party storage integrations in the OWA mailbox policy (`AdditionalStorageProvidersAvailable=false`). Prefer **enterprise-managed repositories**, enforce **least privilege**, and apply **DLP** and **Conditional Access** to control egress. *If required*, permit only vetted providers under **governed exceptions** with monitoring.",
+ "Url": "https://hub.prowler.com/check/exchange_mailbox_policy_additional_storage_restricted"
 }
 },
 "Categories": [
- "e3"
+ "e3",
+ "trust-boundaries"
 ],
 "DependsOn": [],
 "RelatedTo": [],
diff --git a/prowler/providers/m365/services/exchange/exchange_organization_mailbox_auditing_enabled/exchange_organization_mailbox_auditing_enabled.metadata.json b/prowler/providers/m365/services/exchange/exchange_organization_mailbox_auditing_enabled/exchange_organization_mailbox_auditing_enabled.metadata.json
index f1884cde7e..f4f97fc657 100644
--- a/prowler/providers/m365/services/exchange/exchange_organization_mailbox_auditing_enabled/exchange_organization_mailbox_auditing_enabled.metadata.json
+++ b/prowler/providers/m365/services/exchange/exchange_organization_mailbox_auditing_enabled/exchange_organization_mailbox_auditing_enabled.metadata.json
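Review bot: The `CLI` remediation only changes `OwaMailboxPolicy-Default`, while the new `CheckTitle` and `Description` describe the control per mailbox policy, so a tenant with additional OWA mailbox policies would still fail the check after following the remediation verbatim. I would apply the setting to every policy, `Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -AdditionalStorageProvidersAvailable $false`, and reword step 4 of `Other` to `Edit each Outlook Web App policy (not only OwaMailboxPolicy-Default)`. The `Risk` bullet list and the Recommendation's governed-exception guidance read well; the remediation just needs the same per-policy scope.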
@@ -1,29 +1,40 @@
 {
 "Provider": "m365",
 "CheckID": "exchange_organization_mailbox_auditing_enabled",
- "CheckTitle": "Ensure AuditDisabled organizationally is set to False.",
+ "CheckTitle": "Exchange organization has mailbox auditing enabled",
 "CheckType": [],
 "ServiceName": "exchange",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "Exchange Organization Configuration",
- "Description": "Ensure that the AuditDisabled property is set to False at the organizational level in Exchange Online. This enables mailbox auditing by default for all mailboxes and overrides individual mailbox settings.",
- "Risk": "If mailbox auditing is disabled at the organization level, no mailbox actions are audited, limiting forensic investigation capabilities and exposing the organization to undetected malicious activity.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide",
+ "ResourceType": "",
+ "Description": "Exchange Online organization setting `AuditDisabled` controls tenant-wide **mailbox auditing**. This evaluates whether it is `False` so default audit events are recorded for owner, delegate, and admin across all mailboxes, taking precedence over per-mailbox settings.",
+ "Risk": "Disabling tenant-wide auditing lets mailbox activity go unrecorded. Adversaries or insiders could exfiltrate data, alter or delete messages, or send as users without trace, undermining **confidentiality**, **integrity**, and effective **incident response**.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://superuser.com/questions/1400521/office365-mailbox-auditing-by-default",
+ "https://o365reports.com/2020/01/21/enable-mailbox-auditing-in-office-365-powershell/",
+ "https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide",
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/set-organizationconfig?view=exchange-ps#-auditdisabled",
+ "https://community.spiceworks.com/t/enable-mailbox-auditing-by-default-exchange-2016-on-prem/745347",
+ "https://techcommunity.microsoft.com/blog/microsoft-security-blog/exchange-online-mailbox-auditing-enabled-by-default/361324",
+ "https://petri.com/mailbox-auditing-exchange-online/",
+ "https://blog.hametbenoit.info/2018/07/16/exchange-online-mailbox-auditing-will-be-enabled-by-default/"
+ ],
 "Remediation": {
 "Code": {
 "CLI": "Set-OrganizationConfig -AuditDisabled $false",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Open PowerShell and connect to Exchange Online: Connect-ExchangeOnline\n2. Run: Set-OrganizationConfig -AuditDisabled $false\n3. Verify: Get-OrganizationConfig | Select-Object AuditDisabled (should be False)",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Set AuditDisabled to False at the organization level to ensure mailbox auditing is always enforced.",
- "Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-organizationconfig?view=exchange-ps#-auditdisabled"
+ "Text": "Ensure `AuditDisabled`=`False` to keep **mailbox auditing** on by default.\n\n- Apply **least privilege** and minimize audit bypass\n- Define retention and review audit logs\n- Alert on risky actions (e.g., hard delete, rule changes)\n- Layer with **defense in depth** for email access",
+ "Url": "https://hub.prowler.com/check/exchange_organization_mailbox_auditing_enabled"
 }
 },
 "Categories": [
+ "logging",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/exchange/exchange_organization_mailtips_enabled/exchange_organization_mailtips_enabled.metadata.json b/prowler/providers/m365/services/exchange/exchange_organization_mailtips_enabled/exchange_organization_mailtips_enabled.metadata.json
index d73b4f1bf8..aa2564cac7 100644
--- a/prowler/providers/m365/services/exchange/exchange_organization_mailtips_enabled/exchange_organization_mailtips_enabled.metadata.json
+++ b/prowler/providers/m365/services/exchange/exchange_organization_mailtips_enabled/exchange_organization_mailtips_enabled.metadata.json
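Review bot: Five of the eight new `AdditionalURLs` are community or personal blog posts (superuser, o365reports, spiceworks, petri, hametbenoit), and the Spiceworks thread is explicitly about Exchange 2016 on-premises, which does not apply to an m365 check remediated with `Set-OrganizationConfig -AuditDisabled $false`. I would keep the two Microsoft Learn links and the Tech Community post and drop the rest so the metadata only points at sources that track Exchange Online behaviour. The verification step `3. Verify: Get-OrganizationConfig | Select-Object AuditDisabled (should be False)` is a useful addition that the other `Other` fields in this commit lack; worth applying the same pattern there.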
@@ -1,29 +1,38 @@
 {
 "Provider": "m365",
 "CheckID": "exchange_organization_mailtips_enabled",
- "CheckTitle": "Ensure MailTips are enabled for end users.",
+ "CheckTitle": "Exchange Online organization has MailTips fully enabled",
 "CheckType": [],
 "ServiceName": "exchange",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "medium",
- "ResourceType": "Exchange Organization Configuration",
- "Description": "Ensure that MailTips are enabled in Exchange Online to provide users with informative messages while composing emails, helping to avoid issues such as sending to large groups or external recipients unintentionally.",
- "Risk": "Without MailTips, users may inadvertently send sensitive information externally or generate non-delivery reports, leading to communication errors and potential data exposure.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips",
+ "ResourceType": "",
+ "Description": "**Exchange Online** organization has **MailTips** fully configured: `MailTipsAllTipsEnabled`, `MailTipsExternalRecipientsTipsEnabled`, `MailTipsGroupMetricsEnabled`, and `MailTipsLargeAudienceThreshold` `25`.",
+ "Risk": "Absent or lax **MailTips** reduces user cues, increasing unintended external sends and large-audience blasts, harming **confidentiality**. Missing group metrics or high thresholds hide risky recipient counts; no OOF/full-mailbox tips cause misdelivery that enables phishing loops and data exfiltration.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://cloudrun.co.uk/office365/enabling-the-external-recipient-mailtip-in-office-365/",
+ "https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/set-organizationconfig?view=exchange-ps",
+ "https://blog.securesky.com/part-3-configuration-of-office-365-to-protect-against-bec-attacks",
+ "https://ezcloudinfo.com/2014/07/23/overview-and-troubleshooting-mailtips-in-exchange-2010-2013/",
+ "https://learn.microsoft.com/en-us/powershell/module/exchange/set-organizationconfig?view=exchange-ps",
+ "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "$TipsParams = @{ MailTipsAllTipsEnabled = $true; MailTipsExternalRecipientsTipsEnabled = $true; MailTipsGroupMetricsEnabled = $true; MailTipsLargeAudienceThreshold = '25' }; Set-OrganizationConfig @TipsParams",
+ "CLI": "Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold 25",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Sign in to the Exchange admin center (admin.exchange.microsoft.com)\n2. Open Classic Exchange admin center > Organization > MailTips\n3. Enable: \"Enable MailTips\" (All tips)\n4. Enable: \"External recipients MailTip\"\n5. Enable: \"Turn on group metrics for MailTips\"\n6. Set \"Large audience threshold\" to 25 (or less)\n7. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Enable MailTips features in Exchange Online and configure the large audience threshold appropriately to assist users when composing emails.",
- "Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-organizationconfig?view=exchange-ps"
+ "Text": "Apply **defense in depth** with consistent **MailTips**:\n- Enable external-recipient and group-metrics tips\n- Keep `MailTipsLargeAudienceThreshold` conservative (`25`)\n- Train users to heed tips before sending\nPair with **DLP** and restricted forwarding to prevent accidental disclosure.",
+ "Url": "https://hub.prowler.com/check/exchange_organization_mailtips_enabled"
 }
 },
 "Categories": [
+ "email-security",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/exchange/exchange_organization_modern_authentication_enabled/exchange_organization_modern_authentication_enabled.metadata.json b/prowler/providers/m365/services/exchange/exchange_organization_modern_authentication_enabled/exchange_organization_modern_authentication_enabled.metadata.json
index de57477a8b..a04a2cccf2 100644
--- a/prowler/providers/m365/services/exchange/exchange_organization_modern_authentication_enabled/exchange_organization_modern_authentication_enabled.metadata.json
+++ b/prowler/providers/m365/services/exchange/exchange_organization_modern_authentication_enabled/exchange_organization_modern_authentication_enabled.metadata.json
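Review bot: The new `Description` ends in the fragment "and `MailTipsLargeAudienceThreshold` `25`" with no verb, and it reads as "equals 25", whereas step 6 of `Other` says `Set "Large audience threshold" to 25 (or less)`; the two disagree on whether a threshold below 25 passes, and the check code that decides is not part of this commit. I would end the description with `and the large-audience threshold (MailTipsLargeAudienceThreshold) set to 25 or lower` if that is what the check implements, or remove `(or less)` from the portal step if it requires exactly 25. Minor: `CheckTitle` here says `Exchange Online organization` while the two sibling organization checks in this commit use `Exchange organization`; pick one form.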
@@ -1,30 +1,36 @@
 {
 "Provider": "m365",
 "CheckID": "exchange_organization_modern_authentication_enabled",
- "CheckTitle": "Ensure Modern Authentication for Exchange Online is enabled.",
+ "CheckTitle": "Exchange Online organization has Modern Authentication enabled",
 "CheckType": [],
 "ServiceName": "exchange",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
- "Severity": "critical",
- "ResourceType": "Exchange Organization Configuration",
- "Description": "Ensure that modern authentication is enabled for Exchange Online, requiring exchange and mailboxes clients to use strong authentication mechanisms instead of basic authentication.",
- "Risk": "If modern authentication is not enabled, Exchange Online email clients may fall back to basic authentication, making it easier for attackers to bypass multifactor authentication and compromise user credentials.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online",
+ "Severity": "high",
+ "ResourceType": "",
+ "Description": "**Exchange Online** organization setting determines if **Modern Authentication** (`OAuth 2.0`) is enabled for client connections.\n\nThis evaluates whether clients use token-based sign-in rather than `Basic` credentials.",
+ "Risk": "Without **Modern Authentication**, clients may fall back to `Basic`, disabling **MFA** and enabling **password spraying** and **credential stuffing**. Account takeover can expose mailboxes, alter rules, and send fraudulent emails, harming confidentiality and integrity.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://www.thewindowsclub.com/how-to-configure-exchange-server-authentication-in-outlook",
+ "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online",
+ "https://profadmins.com/2020/03/27/enabling-modern-authentication-and-mfa/",
+ "https://jumpcloud.com/support/enable-modern-authentication-for-m365"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "Set-OrganizationConfig -OAuth2ClientProfileEnabled $True",
+ "CLI": "Set-OrganizationConfig -OAuth2ClientProfileEnabled $true",
 "NativeIaC": "",
- "Other": "",
+ "Other": "1. Sign in to the Microsoft 365 admin center\n2. Go to Settings > Org settings > Modern authentication\n3. Enable \"Turn on modern authentication for Outlook 2013 for Windows and later\"\n4. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Enable modern authentication in Exchange Online to enforce secure authentication methods for email clients.",
- "Url": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online"
+ "Text": "Enable **Modern Authentication** org-wide and phase out `Basic` to enforce token-based access. Require **MFA** with conditional access, block legacy mail protocols where feasible, and apply **least privilege** on mailbox permissions. Monitor sign-ins for legacy usage to maintain **defense in depth**.",
+ "Url": "https://hub.prowler.com/check/exchange_organization_modern_authentication_enabled"
 }
 },
 "Categories": [
- "e3"
+ "identity-access"
 ],
 "DependsOn": [],
 "RelatedTo": [],
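Review bot: This is the only hunk in the commit where `Categories` replaces `"e3"` instead of adding to it, and it also lowers `Severity` from `critical` to `high`; neither change is reflected in the CHANGELOG entry on L1, which only describes a format update. If both are intentional they deserve their own changelog line, otherwise keep `"e3",` alongside `"identity-access"` as the seven sibling files do, since downstream compliance mappings may select checks by that category. Minor: `Description` uses a `\n\n` paragraph break that no other `Description` in this commit uses; a single sentence would match the rest.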
diff --git a/prowler/providers/m365/services/exchange/exchange_roles_assignment_policy_addins_disabled/exchange_roles_assignment_policy_addins_disabled.metadata.json b/prowler/providers/m365/services/exchange/exchange_roles_assignment_policy_addins_disabled/exchange_roles_assignment_policy_addins_disabled.metadata.json
index d558b1e514..891a321181 100644
--- a/prowler/providers/m365/services/exchange/exchange_roles_assignment_policy_addins_disabled/exchange_roles_assignment_policy_addins_disabled.metadata.json
+++ b/prowler/providers/m365/services/exchange/exchange_roles_assignment_policy_addins_disabled/exchange_roles_assignment_policy_addins_disabled.metadata.json
@@ -1,29 +1,35 @@
 {
 "Provider": "m365",
 "CheckID": "exchange_roles_assignment_policy_addins_disabled",
- "CheckTitle": "Ensure there is no policy with Outlook add-ins allowed.",
+ "CheckTitle": "Exchange role assignment policy does not allow Outlook add-ins",
 "CheckType": [],
 "ServiceName": "exchange",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "Exchange Role Assignment Policy",
- "Description": "Restricting users from installing Outlook add-ins reduces the risk of data exposure or exploitation through unapproved or vulnerable add-ins.",
- "Risk": "Allowing users to install add-ins may expose sensitive information or introduce malicious behavior through third-party integrations. Disabling this capability mitigates the risk of unauthorized data access.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/add-ins-for-outlook/specify-who-can-install-and-manage-add-ins",
+ "ResourceType": "",
+ "Description": "**Exchange Online role assignment policies** are assessed for roles that permit installing or managing **Outlook add-ins** (such as `My Marketplace Apps`, `My Custom Apps`, `My ReadWriteMailbox Apps`, `Org Marketplace Apps`, `Org Custom Apps`). Presence of these roles indicates users or admins can deploy add-ins from the store or custom sources.",
+ "Risk": "Allowing add-in installation exposes mailboxes to **malicious or vulnerable add-ins**. With `ReadWriteMailbox`, an add-in can read, copy, or alter messages, auto-forward mail, and access tokens, enabling **data exfiltration**, message tampering, and **lateral movement**, impacting confidentiality and integrity.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/add-ins-for-outlook/specify-who-can-install-and-manage-add-ins",
+ "https://learn.microsoft.com/en-us/exchange/permissions-exo/role-assignment-policies",
+ "https://admin.exchange.microsoft.com."
+ ],
 "Remediation": {
 "Code": {
- "CLI": "$policy = \"Role Assignment Policy - Prevent Add-ins\"; $roles = \"MyTextMessaging\", \"MyDistributionGroups\", \"MyMailSubscriptions\", \"MyBaseOptions\", \"MyVoiceMail\", \"MyProfileInformation\", \"MyContactInformation\", \"MyRetentionPolicies\", \"MyDistributionGroupMembership\"; New-RoleAssignmentPolicy -Name $policy -Roles $roles; Set-RoleAssignmentPolicy -id $policy -IsDefault; Get-EXOMailbox -ResultSize Unlimited | Set-Mailbox -RoleAssignmentPolicy $policy",
+ "CLI": "Get-ManagementRoleAssignment -RoleAssigneeType RoleAssignmentPolicy | Where-Object {$_.Name -like \"My Custom Apps-*\" -or $_.Name -like \"My Marketplace Apps-*\" -or $_.Name -like \"My ReadWriteMailbox Apps-*\"} | Remove-ManagementRoleAssignment -Confirm:$false",
 "NativeIaC": "",
- "Other": "1. Navigate to Exchange admin center https://admin.exchange.microsoft.com. 2. Click to expand Roles > User roles. 3. Select Default Role Assignment Policy. 4. In the right pane, click Manage permissions. 5. Uncheck My Custom Apps, My Marketplace Apps and My ReadWriteMailboxApps under Other roles. 6. Save changes.",
+ "Other": "1. Sign in to the Exchange admin center: https://admin.exchange.microsoft.com\n2. Go to Roles > User roles\n3. For each role assignment policy:\n - Select the policy > Manage permissions\n - Under Other roles, uncheck: My Custom Apps, My Marketplace Apps, My ReadWriteMailbox Apps\n - Save changes\n4. Repeat for all role assignment policies so none include these three roles",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Restrict Outlook add-in installation by updating the Role Assignment Policy to exclude roles that allow app installation.",
- "Url": "https://learn.microsoft.com/en-us/exchange/permissions-exo/role-assignment-policies"
+ "Text": "Enforce **least privilege** for add-ins: remove add-in roles from end-user policies, reserve add-in management for trusted admins, and only deploy vetted add-ins via an **allowlist**. Review role assignment policies regularly to sustain **defense in depth** and prevent unapproved extensions.",
+ "Url": "https://hub.prowler.com/check/exchange_roles_assignment_policy_addins_disabled"
 }
 },
 "Categories": [
+ "identity-access",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/exchange/exchange_transport_config_smtp_auth_disabled/exchange_transport_config_smtp_auth_disabled.metadata.json b/prowler/providers/m365/services/exchange/exchange_transport_config_smtp_auth_disabled/exchange_transport_config_smtp_auth_disabled.metadata.json
index b9b7c02983..c5a1dcd9f4 100644
--- a/prowler/providers/m365/services/exchange/exchange_transport_config_smtp_auth_disabled/exchange_transport_config_smtp_auth_disabled.metadata.json
+++ b/prowler/providers/m365/services/exchange/exchange_transport_config_smtp_auth_disabled/exchange_transport_config_smtp_auth_disabled.metadata.json
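Review bot: The new `AdditionalURLs` entry `"https://admin.exchange.microsoft.com."` has a trailing period that makes the host invalid, and the same malformed entry is added in the `exchange_transport_config_smtp_auth_disabled` hunk on L22; a portal landing page is also not a reference, and the URL already appears inside `Other`, so I would remove it from both lists. Separately, the new `CLI` deletes every `My Custom Apps-*`, `My Marketplace Apps-*` and `My ReadWriteMailbox Apps-*` assignment tenant-wide with `-Confirm:$false`, which is a hard-to-reverse change from a single pasted line; I'd add a preview step to `Other`, e.g. `2. Run the CLI command with -WhatIf first to list the assignments that will be removed`, before the destructive run. The `Description` also names `Org Marketplace Apps` and `Org Custom Apps` as flagged roles, but the CLI and portal steps only remove the three `My *` roles, so either the description overstates what the check evaluates or the remediation is incomplete; the check code is not in this commit, so worth confirming which.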
@@ -1,29 +1,34 @@
 {
 "Provider": "m365",
 "CheckID": "exchange_transport_config_smtp_auth_disabled",
- "CheckTitle": "Ensure SMTP AUTH is disabled.",
+ "CheckTitle": "SMTP AUTH is disabled in the Exchange Online Transport Configuration",
 "CheckType": [],
 "ServiceName": "exchange",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "Exchange Transport Config",
- "Description": "Ensure that SMTP AUTH is disabled at the organization level in Exchange Online to reduce exposure to legacy protocols that can be exploited for malicious use.",
- "Risk": "Leaving SMTP AUTH enabled allows legacy clients to authenticate using outdated methods, increasing the risk of credential compromise and unauthorized email sending.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission",
+ "ResourceType": "",
+ "Description": "**Exchange Online transport configuration** disables **authenticated SMTP submission** (`SMTP AUTH`) at the organization level",
+ "Risk": "With **SMTP AUTH enabled**, attackers can:\n- Launch **password spraying** against mailboxes\n- Bypass **MFA** on SMTP submissions\n- Send **unauthorized email**, enabling internal spoofing and phishing\n\nThis undermines message **integrity**, aids **lateral movement**, and harms tenant reputation and deliverability.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission",
+ "https://admin.exchange.microsoft.com."
+ ],
 "Remediation": {
 "Code": {
 "CLI": "Set-TransportConfig -SmtpClientAuthenticationDisabled $true",
 "NativeIaC": "",
- "Other": "1. Navigate to Exchange admin center https://admin.exchange.microsoft.com. 2. Select Settings > Mail flow. 3. Ensure 'Turn off SMTP AUTH protocol for your organization' is checked.",
+ "Other": "1. Open the Exchange admin center: https://admin.exchange.microsoft.com\n2. Go to Settings > Mail flow\n3. Turn on \"Turn off SMTP AUTH protocol for your organization\"\n4. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Disable SMTP AUTH at the organization level to support secure, modern authentication practices and block legacy protocol usage.",
- "Url": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/authenticated-client-smtp-submission"
+ "Text": "Disable **SMTP AUTH** tenant-wide and allow per-mailbox exceptions only when justified, time-bound, and monitored. Prefer **modern authentication** and secure submission alternatives. Apply **least privilege** and **defense in depth**, restrict app access, rotate secrets, and monitor send patterns for anomalies.",
+ "Url": "https://hub.prowler.com/check/exchange_transport_config_smtp_auth_disabled"
 }
 },
 "Categories": [
+ "identity-access",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/exchange/exchange_transport_rules_mail_forwarding_disabled/exchange_transport_rules_mail_forwarding_disabled.metadata.json b/prowler/providers/m365/services/exchange/exchange_transport_rules_mail_forwarding_disabled/exchange_transport_rules_mail_forwarding_disabled.metadata.json
index 0b9a127f09..7418d283f4 100644
--- a/prowler/providers/m365/services/exchange/exchange_transport_rules_mail_forwarding_disabled/exchange_transport_rules_mail_forwarding_disabled.metadata.json
+++ b/prowler/providers/m365/services/exchange/exchange_transport_rules_mail_forwarding_disabled/exchange_transport_rules_mail_forwarding_disabled.metadata.json
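Review bot: The added `AdditionalURLs` entry `"https://admin.exchange.microsoft.com."` carries a trailing period, so the stored link is not the portal address that the `Other` steps already give; the same string is added in the add-ins hunk above and, with two periods, in the whitelist hunk below. Either drop the portal entry from `AdditionalURLs` (it is a console, not a reference) or store it as `"https://admin.exchange.microsoft.com"`. The new `Description` ends without a period, unlike the forwarding and auditing checks in this commit. The `Recommendation` allows per-mailbox exceptions, but nothing in `CLI` or `Other` says how such an exception relates to the tenant-wide setting; if a mailbox-level setting overrides the transport config, as the linked Microsoft page appears to describe, one sentence saying so would keep readers from assuming `Set-TransportConfig` alone is the whole story.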
@@ -1,29 +1,34 @@
 {
 "Provider": "m365",
 "CheckID": "exchange_transport_rules_mail_forwarding_disabled",
- "CheckTitle": "Ensure mail transport rules are set to disable mail forwarding.",
+ "CheckTitle": "Exchange transport rule does not allow forwarding mail to external domains",
 "CheckType": [],
 "ServiceName": "exchange",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "Exchange Transport Rules",
- "Description": "Ensure mail transport rules are set to disable mail forwarding.",
- "Risk": "Enabling email auto-forwarding can be exploited by attackers or malicious insiders to exfiltrate sensitive data outside the organization, often without detection.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/configuration-best-practices",
+ "ResourceType": "",
+ "Description": "**Exchange Online mail flow rules** are assessed for actions that **forward or redirect messages to external domains**. The finding highlights rules that add external recipients during transport.",
+ "Risk": "External auto-forwarding enables silent **data exfiltration**, bypassing **DLP** and retention, reducing **confidentiality**.\n\nA compromised mailbox can use forwarding for **persistence** and **lateral movement**, leaking sensitive content to untrusted domains and undermining communication **integrity**.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
+ "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/configuration-best-practices"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "Remove-TransportRule -Identity ",
+ "CLI": "Remove-TransportRule -Identity ",
 "NativeIaC": "",
- "Other": "1. Select Exchange to open the Exchange admin center. 2. Select Mail Flow then Rules. 3. For each rule that redirects email to external domains, select the rule and click the 'Delete' icon.",
+ "Other": "1. In the Microsoft 365 admin center, go to Admin centers > Exchange\n2. Navigate to Mail flow > Rules\n3. For each rule that has the action \"Redirect the message to\", select the rule, click Edit\n4. Under \"Do the following\", remove the action \"Redirect the message to\"\n5. Click Save\n6. Repeat for any other rules with this action",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Block all forms of mail forwarding using Transport rules in Exchange Online. Apply exclusions only where justified by organizational policy.",
- "Url": "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
+ "Text": "Block external auto-forwarding at the organization level and prefer internal controls for sharing. Apply **least privilege** with narrowly scoped, time-bound exceptions only when justified.\n\nAdopt **defense in depth**: pair with DLP, outbound filtering, and alerts on new forwarding rules. Review and attest rules regularly.",
+ "Url": "https://hub.prowler.com/check/exchange_transport_rules_mail_forwarding_disabled"
 }
 },
 "Categories": [
+ "email-security",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/exchange/exchange_transport_rules_whitelist_disabled/exchange_transport_rules_whitelist_disabled.metadata.json b/prowler/providers/m365/services/exchange/exchange_transport_rules_whitelist_disabled/exchange_transport_rules_whitelist_disabled.metadata.json
index aecec711d4..791ca1d414 100644
--- a/prowler/providers/m365/services/exchange/exchange_transport_rules_whitelist_disabled/exchange_transport_rules_whitelist_disabled.metadata.json
+++ b/prowler/providers/m365/services/exchange/exchange_transport_rules_whitelist_disabled/exchange_transport_rules_whitelist_disabled.metadata.json
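Review bot: The new `CLI` value `"Remove-TransportRule -Identity "` ends at the parameter with no value, so the rendered remediation is not a runnable command; the whitelist hunk below has the same shape in `"Set-TransportRule -Identity -SetSCL 0"`. If an angle-bracket placeholder was lost on the way in, it needs restoring in both, e.g. `"Remove-TransportRule -Identity \"<RuleName>\""`. `CLI` and `Other` also diverge in outcome: the portal steps edit the rule and remove only the "Redirect the message to" action, while the command deletes the whole rule, so an operator following one path ends in a different state than the other. Aligning `CLI` with the portal steps (clearing the redirect action on the named rule) or stating in `Other` that deleting the rule is acceptable would make them consistent. `Description` says the check flags rules that forward or redirect, but `Other` lists only the redirect action; if the check also matches other recipient-adding actions, those belong in the steps as well.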
@@ -1,29 +1,41 @@
 {
 "Provider": "m365",
 "CheckID": "exchange_transport_rules_whitelist_disabled",
- "CheckTitle": "Ensure mail transport rules do not whitelist specific domains",
+ "CheckTitle": "Exchange transport rule does not whitelist any domains",
 "CheckType": [],
 "ServiceName": "exchange",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "Exchange Transport Rules",
- "Description": "Mail flow rules (transport rules) in Exchange Online are used to identify and take action on messages that flow through the organization.",
- "Risk": "Whitelisting domains in transport rules bypasses regular malware and phishing scanning, which can enable an attacker to launch attacks against your users from a safe haven domain.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/configuration-best-practices",
+ "ResourceType": "",
+ "Description": "**Exchange Online mail flow rules** that whitelist specific sender domains by forcing `SCL` to `-1` (skip spam filtering) on matching messages",
+ "Risk": "**Domain-based whitelisting** skips **anti-spam/phish** analysis, allowing spoofed or compromised senders to reach the Inbox. This increases targeted phishing, BEC, and credential theft, enabling unauthorized access and data exfiltration, degrading **confidentiality** and **integrity**.",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl",
+ "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/configuration-best-practices",
+ "https://admin.exchange.microsoft.com..",
+ "https://theinformationstore.com.au/transport-rules-spam-bypass/",
+ "https://video2.skills-academy.com/en-us/answers/questions/1330347/how-to-handle-email-campaign-to-not-tag-as-spam-or",
+ "https://cheapwindowsvps.com/blog/step-by-step-guide-how-to-whitelist-a-domain-in-microsoft-365/",
+ "https://adamtheautomator.com/office-365-whitelist-domain/",
+ "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules",
+ "https://office365concepts.com/whitelist-a-domain-in-office-365/"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "Remove-TransportRule -Identity ",
+ "CLI": "Set-TransportRule -Identity -SetSCL 0",
 "NativeIaC": "",
- "Other": "1. Navigate to Exchange admin center https://admin.exchange.microsoft.com.. 2. Click to expand Mail Flow and then select Rules. 3. For each rule that whitelists specific domains, select the rule and click the 'Delete' icon.",
+ "Other": "1. Open the Exchange admin center: https://admin.exchange.microsoft.com\n2. Go to Mail flow > Rules\n3. Edit any rule that has: condition \"The sender domain is\" AND action \"Set the spam confidence level (SCL) = Bypass spam filtering\"\n4. In Do the following, change \"Set the spam confidence level (SCL)\" from Bypass spam filtering to 0 (or remove the action)\n5. Click Save",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Remove transport rules that whitelist specific domains to ensure proper scanning.",
- "Url": "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"
+ "Text": "Avoid blanket whitelisting. Do not set `SCL` to `-1` based solely on `sender domain`.\n\n- Prefer controlled allow mechanisms with review/expiry; keep **anti-spam/phish** active\n- If exceptions are unavoidable, apply **least privilege**: add strong conditions (auth results, known source IPs), narrow scope, time-bound, and monitor",
+ "Url": "https://hub.prowler.com/check/exchange_transport_rules_whitelist_disabled"
 }
 },
 "Categories": [
+ "email-security",
 "e3"
 ],
 "DependsOn": [],
diff --git a/prowler/providers/m365/services/exchange/exchange_user_mailbox_auditing_enabled/exchange_user_mailbox_auditing_enabled.metadata.json b/prowler/providers/m365/services/exchange/exchange_user_mailbox_auditing_enabled/exchange_user_mailbox_auditing_enabled.metadata.json
index 93b5049fab..2be8529e23 100644
--- a/prowler/providers/m365/services/exchange/exchange_user_mailbox_auditing_enabled/exchange_user_mailbox_auditing_enabled.metadata.json
+++ b/prowler/providers/m365/services/exchange/exchange_user_mailbox_auditing_enabled/exchange_user_mailbox_auditing_enabled.metadata.json
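Review bot: The new `AdditionalURLs` list mixes the Microsoft Learn references with third-party how-to pages, and several of those (`cheapwindowsvps.com`, `adamtheautomator.com`, `office365concepts.com`) are step-by-step guides for creating exactly the domain whitelist this check flags, so a reader following the links is pointed at the anti-pattern rather than the fix; `"https://admin.exchange.microsoft.com.."` in the same list also has a doubled trailing period. Keeping the three `learn.microsoft.com` entries (set-SCL rules, configuration best practices, mail flow rules) and dropping the rest would leave the list authoritative and on-message. The new `Description` is a noun phrase with no terminating period, unlike the forwarding and auditing metadata in this commit. `Recommendation` writes `sender domain` in backticks as if it were a parameter name, while the portal step calls it the condition "The sender domain is"; using one wording in both places avoids confusion.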
@@ -1,29 +1,39 @@
 {
 "Provider": "m365",
 "CheckID": "exchange_user_mailbox_auditing_enabled",
- "CheckTitle": "Ensure mailbox auditing is enabled for all user mailboxes.",
+ "CheckTitle": "User mailbox auditing is enabled with required Admin, Delegate, and Owner actions and audit log age meets the minimum",
 "CheckType": [],
 "ServiceName": "exchange",
 "SubServiceName": "",
 "ResourceIdTemplate": "",
 "Severity": "high",
- "ResourceType": "Exchange Mailboxes Properties",
- "Description": "Ensure mailbox auditing is enabled for all user mailboxes, including the configuration of audit actions for owners, delegates, and admins beyond the Microsoft defaults. The difference between both subscription is the log age so this parameter is configurable and users can set it to their subscription needs.",
- "Risk": "If auditing is not properly enabled and configured, critical mailbox actions may go unrecorded, reducing the ability to investigate incidents, enforce compliance, or detect malicious behavior.",
- "RelatedUrl": "https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide",
+ "ResourceType": "",
+ "Description": "**Exchange user mailboxes** have auditing enabled, include a defined set of actions for **Owner**, **Delegate**, and **Admin**, and retain audit records for at least the configured baseline (default `90` days).",
+ "Risk": "**Incomplete or short-retained mailbox audits** degrade confidentiality and integrity.\n- Untracked `SendAs`, inbox rule changes, and deletions enable covert access and data loss\n- Narrow log windows create blind spots, delaying detection and hindering forensics and eDiscovery",
+ "RelatedUrl": "",
+ "AdditionalURLs": [
+ "https://woshub.com/mailbox-audit-logging-exchange-microsoft-365/",
+ "https://howdoicomputer.com/2016/05/exchange-online-and-hybrid-exchange-auditing-configurations/",
+ "https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide",
+ "https://blog.ciaops.com/2025/10/15/configuring-exchange-online-mailbox-logging-best-practices-and-step-by-step-guide/",
+ "https://www.codetwo.com/admins-blog/user-mailbox-and-shared-mailbox-auditing-in-exchange-2013/",
+ "https://o365info.com/mailbox-audit-powershell-microsoft-365/",
+ "https://exchangepedia.com/2013/01/change-mailbox-audit-logging-age-limit-in-exchange-201.html"
+ ],
 "Remediation": {
 "Code": {
- "CLI": "$AuditAdmin = @(\"ApplyRecord\", \"Copy\", \"Create\", \"FolderBind\", \"HardDelete\", \"Move\", \"MoveToDeletedItems\", \"SendAs\", \"SendOnBehalf\", \"SoftDelete\", \"Update\", \"UpdateCalendarDelegation\", \"UpdateFolderPermissions\", \"UpdateInboxRules\"); $AuditDelegate = @(\"ApplyRecord\", \"Create\", \"FolderBind\", \"HardDelete\", \"Move\", \"MoveToDeletedItems\", \"SendAs\", \"SendOnBehalf\", \"SoftDelete\", \"Update\", \"UpdateFolderPermissions\", \"UpdateInboxRules\"); $AuditOwner = @(\"ApplyRecord\", \"Create\", \"HardDelete\", \"MailboxLogin\", \"Move\", \"MoveToDeletedItems\", \"SoftDelete\", \"Update\", \"UpdateCalendarDelegation\", \"UpdateFolderPermissions\", \"UpdateInboxRules\"); $MBX = Get-EXOMailbox -ResultSize Unlimited | Where-Object { $_.RecipientTypeDetails -eq \"UserMailbox\" }; $MBX | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 90 -AuditAdmin $AuditAdmin -AuditDelegate $AuditDelegate -AuditOwner $AuditOwner",
+ "CLI": "Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 90 -AuditAdmin @('ApplyRecord','Copy','Create','FolderBind','HardDelete','Move','MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update','UpdateCalendarDelegation','UpdateFolderPermissions','UpdateInboxRules') -AuditDelegate @('ApplyRecord','Create','FolderBind','HardDelete','Move','MoveToDeletedItems','SendAs','SendOnBehalf','SoftDelete','Update','UpdateFolderPermissions','UpdateInboxRules') -AuditOwner @('ApplyRecord','Create','HardDelete','MailboxLogin','Move','MoveToDeletedItems','SoftDelete','Update','UpdateCalendarDelegation','UpdateFolderPermissions','UpdateInboxRules')",
 "NativeIaC": "",
 "Other": "",
 "Terraform": ""
 },
 "Recommendation": {
- "Text": "Enable mailbox auditing for all user mailboxes and configure auditing for key mailbox actions for owners, delegates, and admins.",
- "Url": "https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide"
+ "Text": "Standardize mailbox auditing on all user mailboxes. Log critical actions for **Owner**, **Delegate**, and **Admin** (e.g., `SendAs`, `UpdateInboxRules`, `HardDelete`, `MailboxLogin`). Set `AuditLogAgeLimit` to meet policy ( baseline). Apply least privilege for delegates, avoid audit bypass, and regularly review or forward logs to monitoring.",
+ "Url": "https://hub.prowler.com/check/exchange_user_mailbox_auditing_enabled"
 }
 },
 "Categories": [
+ "logging",
 "e3",
 "e5"
 ],
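Review bot: The new `Recommendation.Text` contains `to meet policy ( baseline).` with an empty parenthetical, which reads as a dropped value; `Description` in the same hunk gives the baseline as the default `90` days, so `(default 90-day baseline)` would restore the sentence. The `CLI` hard-codes `-AuditLogAgeLimit 90` while `Description` says the baseline is configurable, so running the command as written would shorten retention on a tenant that has set a longer value; a note that `90` is to be replaced by the configured baseline would prevent that. The `AdditionalURLs` list leads with third-party blogs and includes two on-premises Exchange 2013 articles (the codetwo and exchangepedia entries) that do not apply to Exchange Online user mailboxes; the Microsoft Learn page should come first and the on-prem links be dropped.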