CISA.MS.EXO.12.1 - IP allow lists SHOULD NOT be created.
Overview
IP allow lists SHOULD NOT be created.
Rationale: Messages sent from IP addresses on an allow list bypass important security mechanisms, including spam filtering and sender authentication checks. Avoiding use of IP allow lists prevents potential threats from circumventing security mechanisms.
Remediation action:
To modify the connection filters, follow the instructions found in Use the Microsoft 365 Defender portal to modify the default connection filter policy.
- Sign in to the Microsoft 365 Defender portal.
- From the left-hand menu, find Email & collaboration and select Policies and Rules.
- Select Threat Policies from the list of policy names.
- Under Policies, select Anti-spam.
- Select Connection filter policy (Default).
- Click Edit connection filter policy.
- Ensure no addresses are specified under Always allow messages from the following IP addresses or address range.
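The same condition can be checked from Exchange Online PowerShell by reading the `IPAllowList` property that `Get-HostedConnectionFilterPolicy` returns. The helper below is an added example, not Maester's `Test-MtCisaAntiSpamAllowList`; the function name `Get-IPAllowListFinding`, the output fields and the sample policies are assumptions made for illustration.

```powershell
# Added example: hypothetical helper, not the project's own test code.
function Get-IPAllowListFinding {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-HostedConnectionFilterPolicy output
        # (only the Name and IPAllowList properties are read).
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Policy
    )
    process {
        foreach ($p in $Policy) {
            # IPAllowList is multivalued: normalise $null, a single string
            # or a collection into an array and drop empty values.
            $entries = @($p.IPAllowList | Where-Object { $_ })
            [pscustomobject]@{
                Policy      = $p.Name
                Compliant   = ($entries.Count -eq 0)   # MS.EXO.12.1: list must be empty
                EntryCount  = $entries.Count
                # Assumption about entry format: '/' (CIDR) or '-' marks a range,
                # which exempts more senders from filtering than a single address.
                Ranges      = @($entries | Where-Object { $_ -match '[/-]' })
                SingleHosts = @($entries | Where-Object { $_ -notmatch '[/-]' })
            }
        }
    }
}

# Constructed sample input (documentation address ranges) so the check runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'Default'; IPAllowList = @() }
    [pscustomobject]@{
        Name        = 'Default (constructed, non-compliant)'
        IPAllowList = @('192.0.2.10', '198.51.100.0/24')
    }
)
$sample | Get-IPAllowListFinding | Format-Table Policy, Compliant, EntryCount

# Against a tenant, after Connect-ExchangeOnline:
# Get-HostedConnectionFilterPolicy | Get-IPAllowListFinding |
#     Where-Object { -not $_.Compliant }
```

Any policy reported with `Compliant` set to `False` still has entries to remove in the connection filter policy described in the steps above.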
Related links
- Defender admin center - Anti-spam policies
- CISA 12 IP Allow Lists - MS.EXO.12.1v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.12.1 |
| Severity | Medium |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaAntiSpamAllowList |
| Tags | CISA, CISA.MS.EXO.12.1, MS.EXO, MS.EXO.12.1 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaAntiSpamAllowList.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaAntiSpamAllowList.ps1