2 changes: 2 additions & 0 deletions prowler/CHANGELOG.md
@@ -18,6 +18,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS Shield service metadata to new format [(#9427)](https://github.com/prowler-cloud/prowler/pull/9427)
- Update AWS Secrets Manager service metadata to new format [(#9408)](https://github.com/prowler-cloud/prowler/pull/9408)
- Improve SageMaker service tag retrieval with parallel execution [(#9609)](https://github.com/prowler-cloud/prowler/pull/9609)
- Update M365 Exchange service metadata to new format [(#9683)](https://github.com/prowler-cloud/prowler/pull/9683)


---

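Review bot: the hunk header counts two additions but only one changelog entry is added (the M365 Exchange line for #9683); the second addition is a blank line, which leaves two consecutive blank lines before the `---` separator. Unless the surrounding sections use a double blank there, drop the extra blank so the entry matches the formatting of the three lines above it.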
@@ -1,29 +1,37 @@
{
"Provider": "m365",
"CheckID": "exchange_external_email_tagging_enabled",
"CheckTitle": "Ensure email from external senders is identified.",
"CheckTitle": "Exchange identity has external sender tagging enabled",
"CheckType": [],
"ServiceName": "exchange",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Exchange External Mail Tagging",
"Description": "Ensure that emails from external senders are identified using the native External tag experience in Outlook clients, which helps users recognize messages originating outside the organization.",
"Risk": "If external email tagging is not enabled, users may be unable to quickly identify emails coming from outside the organization, increasing the risk of phishing or social engineering attacks.",
"RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-externalinoutlook?view=exchange-ps",
"ResourceType": "",
"Description": "**Exchange Online** uses native external sender identification so supported Outlook clients display an `External` tag on messages originating outside the organization.",
"Risk": "Without the native tag, users lose a clear signal that a message is from outside the tenant, increasing susceptibility to **phishing**, **BEC**, and credential theft. This raises risks to **confidentiality** (exfiltration) and **integrity** (fraudulent approvals) via social engineering and reply-chain attacks.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.vansurksum.com/2021/03/12/enable-external-sender-identification-in-exchange-online/",
"https://learn.microsoft.com/en-us/powershell/module/exchange/set-externalinoutlook?view=exchange-ps",
"https://www.meetingroom365.com/blog/set-externaiinoutlook-powershell/",
"https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098",
"https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/set-externalinoutlook?view=exchange-ps"
],
"Remediation": {
"Code": {
"CLI": "Set-ExternalInOutlook -Enabled $true",
"NativeIaC": "",
"Other": "",
"Other": "1. Sign in to the Exchange admin center: https://admin.exchange.microsoft.com\n2. Navigate to Mail flow > External tagging\n3. Turn on Enable external tagging in Outlook\n4. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable the External tag for Outlook to help users visually identify emails from outside the organization.",
"Url": "https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098"
"Text": "Enable native external sender identification and prefer it over subject-line modifications. Apply **defense in depth**: enforce **anti-phishing** protections, validate senders with SPF/DKIM/DMARC, and deliver user training. *Use exceptions sparingly* for trusted domains to reduce noise while preserving **least privilege** in communication paths.",
"Url": "https://hub.prowler.com/check/exchange_external_email_tagging_enabled"
}
},
"Categories": [
"email-security",
"e3"
],
"DependsOn": [],
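Review bot: `ResourceType` goes from "Exchange External Mail Tagging" to an empty string and `RelatedUrl` is also emptied; if the new metadata format intentionally blanks these, say so in the PR description, otherwise this drops information the old file carried. Two further points in this hunk: the new `CheckTitle` says "Exchange identity has external sender tagging enabled", while the sibling checks in this PR use "Exchange organization ..." for tenant-level settings, so the title should probably follow the same pattern; and `AdditionalURLs` lists both `/exchange/set-externalinoutlook` and `/exchangepowershell/set-externalinoutlook`, which are the same cmdlet reference, so one of them can go, and the `RelatedUrl` value that was removed is now only reachable through that list.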
@@ -1,29 +1,35 @@
{
"Provider": "m365",
"CheckID": "exchange_mailbox_audit_bypass_disabled",
"CheckTitle": "Ensure 'AuditBypassEnabled' is not enabled on any mailbox in the organization.",
"CheckTitle": "Exchange mailbox has AuditBypassEnabled disabled",
"CheckType": [],
"ServiceName": "exchange",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Exchange Mailboxes",
"Description": "Ensure that no mailboxes in the organization have 'AuditBypassEnabled' set to true. This setting prevents mailbox audit logging and can allow unauthorized access without traceability.",
"Risk": "If 'AuditBypassEnabled' is set to true for any mailbox, access to those mailboxes won't be logged, creating a blind spot in forensic analysis and increasing the risk of undetected malicious activity.",
"RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/exchange/get-mailboxauditbypassassociation?view=exchange-ps",
"ResourceType": "",
"Description": "**Exchange mailboxes** are evaluated for **audit logging bypass** by reviewing the `AuditBypassEnabled` setting and identifying mailboxes where auditing can be circumvented.",
"Risk": "**Bypassed mailbox auditing** removes visibility into access and actions, weakening detective controls. Covert data exfiltration, inbox-rule abuse, and persistence become harder to spot, harming **confidentiality** and **integrity** and impeding **forensics**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/powershell/module/exchange/get-mailboxauditbypassassociation?view=exchange-ps",
"https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps"
],
"Remediation": {
"Code": {
"CLI": "$MBXAudit = Get-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object { $_.AuditBypassEnabled -eq $true }; foreach ($mailbox in $MBXAudit) { $mailboxName = $mailbox.Name; Set-MailboxAuditBypassAssociation -Identity $mailboxName -AuditBypassEnabled $false; Write-Host \"Audit Bypass disabled for mailbox Identity: $mailboxName\" -ForegroundColor Green }",
"CLI": "Get-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object {$_.AuditBypassEnabled} | ForEach-Object { Set-MailboxAuditBypassAssociation -Identity $_.Identity -AuditBypassEnabled $false }",
"NativeIaC": "",
"Other": "",
"Other": "1. Open PowerShell and connect to Exchange Online: Connect-ExchangeOnline\n2. Run:\n```\nGet-MailboxAuditBypassAssociation -ResultSize unlimited | Where-Object {$_.AuditBypassEnabled} | ForEach-Object { Set-MailboxAuditBypassAssociation -Identity $_.Identity -AuditBypassEnabled $false }\n```",
"Terraform": ""
},
"Recommendation": {
"Text": "Ensure that no mailboxes have 'AuditBypassEnabled' enabled to guarantee full audit logging for all mailbox activities.",
"Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-mailboxauditbypassassociation?view=exchange-ps"
"Text": "Disable audit bypass by keeping `AuditBypassEnabled` set to `false` for all accounts. Apply **least privilege** to service identities, use dedicated accounts for automation, and monitor for bypass associations with alerts. Enforce **separation of duties** and preserve tamper-resistant audit logs.",
"Url": "https://hub.prowler.com/check/exchange_mailbox_audit_bypass_disabled"
}
},
"Categories": [
"logging",
"forensics-ready",
"e3"
],
"DependsOn": [],
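Review bot: the new `Other` remediation string embeds a triple-backtick fence inside the JSON value (`2. Run:\n```\n...\n```), which is inconsistent with the other checks in this PR that put the command inline after "Run:"; keep one convention, since consumers rendering this field will otherwise show literal backticks for this check only. Also, `ResourceType` changes from "Exchange Mailboxes" to "", the same question as for the other files: confirm the empty value is what the new format expects.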
@@ -1,30 +1,34 @@
{
"Provider": "m365",
"CheckID": "exchange_mailbox_policy_additional_storage_restricted",
"CheckTitle": "Ensure additional storage providers are restricted in Outlook on the web.",
"CheckTitle": "Exchange mailbox policy has additional storage providers disabled",
"CheckType": [],
"ServiceName": "exchange",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Exchange Mailboxes Policy",
"Description": "Restrict the availability of additional storage providers (e.g., Box, Dropbox, Google Drive) in Outlook on the web to prevent users from accessing external storage services through the OWA interface.",
"Risk": "Allowing users to access third-party storage providers from Outlook on the web increases the risk of data exfiltration and exposure to untrusted content or malware.",
"RelatedUrl": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-owamailboxpolicy?view=exchange-ps",
"ResourceType": "",
"Description": "**Outlook on the web mailbox policy** governs access to **additional storage providers** (e.g., Box, Dropbox, Google Drive, personal OneDrive). The finding evaluates whether these third-party file integrations are disabled via `AdditionalStorageProvidersAvailable=false`.",
"Risk": "Enabling third-party storage in OWA weakens:\n- **Confidentiality**: data can leave the tenant to unmanaged clouds\n- **Integrity**: external links can deliver or reference malicious/tampered files\n- **Visibility/Compliance**: M365 DLP and audit may not fully apply, enabling undetected exfiltration",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/powershell/module/exchange/set-owamailboxpolicy?view=exchange-ps"
],
"Remediation": {
"Code": {
"CLI": "Set-OwaMailboxPolicy -Identity OwaMailboxPolicy-Default -AdditionalStorageProvidersAvailable $false",
"NativeIaC": "",
"Other": "",
"Other": "1. Sign in to the Exchange admin center (https://admin.exchange.microsoft.com)\n2. Open Classic Exchange admin center (left pane)\n3. Go to Permissions > Outlook Web App policies\n4. Edit OwaMailboxPolicy-Default\n5. In Features, set \"Additional storage providers\" to Off\n6. Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Disable access to additional storage providers in Outlook on the web to reduce the risk of data leakage.",
"Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-owamailboxpolicy?view=exchange-ps"
"Text": "Block third-party storage integrations in the OWA mailbox policy (`AdditionalStorageProvidersAvailable=false`). Prefer **enterprise-managed repositories**, enforce **least privilege**, and apply **DLP** and **Conditional Access** to control egress. *If required*, permit only vetted providers under **governed exceptions** with monitoring.",
"Url": "https://hub.prowler.com/check/exchange_mailbox_policy_additional_storage_restricted"
}
},
"Categories": [
"e3"
"e3",
"trust-boundaries"
],
"DependsOn": [],
"RelatedTo": [],
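Review bot: the `CLI` remediation (unchanged in this hunk) only targets `OwaMailboxPolicy-Default`, while the new `Description` says the finding evaluates the mailbox policy setting in general; a tenant with additional OWA mailbox policies would still have `AdditionalStorageProvidersAvailable` enabled on those after running this one line. Consider iterating over `Get-OwaMailboxPolicy` instead of hard-coding the default policy, or state in the `Other` steps that every policy must be edited, not only the default one (step 4 also names only `OwaMailboxPolicy-Default`).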
@@ -1,29 +1,40 @@
{
"Provider": "m365",
"CheckID": "exchange_organization_mailbox_auditing_enabled",
"CheckTitle": "Ensure AuditDisabled organizationally is set to False.",
"CheckTitle": "Exchange organization has mailbox auditing enabled",
"CheckType": [],
"ServiceName": "exchange",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Exchange Organization Configuration",
"Description": "Ensure that the AuditDisabled property is set to False at the organizational level in Exchange Online. This enables mailbox auditing by default for all mailboxes and overrides individual mailbox settings.",
"Risk": "If mailbox auditing is disabled at the organization level, no mailbox actions are audited, limiting forensic investigation capabilities and exposing the organization to undetected malicious activity.",
"RelatedUrl": "https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide",
"ResourceType": "",
"Description": "Exchange Online organization setting `AuditDisabled` controls tenant-wide **mailbox auditing**. This evaluates whether it is `False` so default audit events are recorded for owner, delegate, and admin across all mailboxes, taking precedence over per-mailbox settings.",
"Risk": "Disabling tenant-wide auditing lets mailbox activity go unrecorded. Adversaries or insiders could exfiltrate data, alter or delete messages, or send as users without trace, undermining **confidentiality**, **integrity**, and effective **incident response**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://superuser.com/questions/1400521/office365-mailbox-auditing-by-default",
"https://o365reports.com/2020/01/21/enable-mailbox-auditing-in-office-365-powershell/",
"https://learn.microsoft.com/en-us/purview/audit-mailboxes?view=o365-worldwide",
"https://learn.microsoft.com/en-us/powershell/module/exchange/set-organizationconfig?view=exchange-ps#-auditdisabled",
"https://community.spiceworks.com/t/enable-mailbox-auditing-by-default-exchange-2016-on-prem/745347",
"https://techcommunity.microsoft.com/blog/microsoft-security-blog/exchange-online-mailbox-auditing-enabled-by-default/361324",
"https://petri.com/mailbox-auditing-exchange-online/",
"https://blog.hametbenoit.info/2018/07/16/exchange-online-mailbox-auditing-will-be-enabled-by-default/"
],
"Remediation": {
"Code": {
"CLI": "Set-OrganizationConfig -AuditDisabled $false",
"NativeIaC": "",
"Other": "",
"Other": "1. Open PowerShell and connect to Exchange Online: Connect-ExchangeOnline\n2. Run: Set-OrganizationConfig -AuditDisabled $false\n3. Verify: Get-OrganizationConfig | Select-Object AuditDisabled (should be False)",
"Terraform": ""
},
"Recommendation": {
"Text": "Set AuditDisabled to False at the organization level to ensure mailbox auditing is always enforced.",
"Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-organizationconfig?view=exchange-ps#-auditdisabled"
"Text": "Ensure `AuditDisabled`=`False` to keep **mailbox auditing** on by default.\n\n- Apply **least privilege** and minimize audit bypass\n- Define retention and review audit logs\n- Alert on risky actions (e.g., hard delete, rule changes)\n- Layer with **defense in depth** for email access",
"Url": "https://hub.prowler.com/check/exchange_organization_mailbox_auditing_enabled"
}
},
"Categories": [
"logging",
"e3"
],
"DependsOn": [],
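Review bot: the expanded `AdditionalURLs` list mixes authoritative references with forum posts and personal blogs, and the Spiceworks entry is about Exchange 2016 on-premises, which does not apply to an Exchange Online `Set-OrganizationConfig -AuditDisabled` check; trim the list to the Microsoft Learn and Tech Community links and drop the superuser, Spiceworks, Petri and hametbenoit entries. On the positive side, the `Other` steps now include a verification step (`Get-OrganizationConfig | Select-Object AuditDisabled`), which the other checks in this PR lack and could adopt.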
@@ -1,29 +1,38 @@
{
"Provider": "m365",
"CheckID": "exchange_organization_mailtips_enabled",
"CheckTitle": "Ensure MailTips are enabled for end users.",
"CheckTitle": "Exchange Online organization has MailTips fully enabled",
"CheckType": [],
"ServiceName": "exchange",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Exchange Organization Configuration",
"Description": "Ensure that MailTips are enabled in Exchange Online to provide users with informative messages while composing emails, helping to avoid issues such as sending to large groups or external recipients unintentionally.",
"Risk": "Without MailTips, users may inadvertently send sensitive information externally or generate non-delivery reports, leading to communication errors and potential data exposure.",
"RelatedUrl": "https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips",
"ResourceType": "",
"Description": "**Exchange Online** organization has **MailTips** fully configured: `MailTipsAllTipsEnabled`, `MailTipsExternalRecipientsTipsEnabled`, `MailTipsGroupMetricsEnabled`, and `MailTipsLargeAudienceThreshold` `25`.",
"Risk": "Absent or lax **MailTips** reduces user cues, increasing unintended external sends and large-audience blasts, harming **confidentiality**. Missing group metrics or high thresholds hide risky recipient counts; no OOF/full-mailbox tips cause misdelivery that enables phishing loops and data exfiltration.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://cloudrun.co.uk/office365/enabling-the-external-recipient-mailtip-in-office-365/",
"https://learn.microsoft.com/en-us/powershell/module/exchangepowershell/set-organizationconfig?view=exchange-ps",
"https://blog.securesky.com/part-3-configuration-of-office-365-to-protect-against-bec-attacks",
"https://ezcloudinfo.com/2014/07/23/overview-and-troubleshooting-mailtips-in-exchange-2010-2013/",
"https://learn.microsoft.com/en-us/powershell/module/exchange/set-organizationconfig?view=exchange-ps",
"https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/mailtips/mailtips"
],
"Remediation": {
"Code": {
"CLI": "$TipsParams = @{ MailTipsAllTipsEnabled = $true; MailTipsExternalRecipientsTipsEnabled = $true; MailTipsGroupMetricsEnabled = $true; MailTipsLargeAudienceThreshold = '25' }; Set-OrganizationConfig @TipsParams",
"CLI": "Set-OrganizationConfig -MailTipsAllTipsEnabled $true -MailTipsExternalRecipientsTipsEnabled $true -MailTipsGroupMetricsEnabled $true -MailTipsLargeAudienceThreshold 25",
"NativeIaC": "",
"Other": "",
"Other": "1. Sign in to the Exchange admin center (admin.exchange.microsoft.com)\n2. Open Classic Exchange admin center > Organization > MailTips\n3. Enable: \"Enable MailTips\" (All tips)\n4. Enable: \"External recipients MailTip\"\n5. Enable: \"Turn on group metrics for MailTips\"\n6. Set \"Large audience threshold\" to 25 (or less)\n7. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "Enable MailTips features in Exchange Online and configure the large audience threshold appropriately to assist users when composing emails.",
"Url": "https://learn.microsoft.com/en-us/powershell/module/exchange/set-organizationconfig?view=exchange-ps"
"Text": "Apply **defense in depth** with consistent **MailTips**:\n- Enable external-recipient and group-metrics tips\n- Keep `MailTipsLargeAudienceThreshold` conservative (`25`)\n- Train users to heed tips before sending\nPair with **DLP** and restricted forwarding to prevent accidental disclosure.",
"Url": "https://hub.prowler.com/check/exchange_organization_mailtips_enabled"
}
},
"Categories": [
"email-security",
"e3"
],
"DependsOn": [],
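Review bot: the new `Description` reads "`MailTipsLargeAudienceThreshold` `25`" with no verb, so it is unclear whether the check requires the threshold to equal 25 or to be at most 25; step 6 of `Other` says "25 (or less)" and the `Recommendation` says "conservative (`25`)", so the three fields should agree on the comparison. Minor: the `CLI` line now passes the threshold as the integer `25` rather than the string `'25'` from the old splat, which is the correct type for that parameter and worth keeping.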
Expand Down