CISA.MS.EXO.12.2 - Safe lists SHOULD NOT be enabled.
Overview
Safe lists SHOULD NOT be enabled.
Rationale: Messages sent from allowed safe list addresses bypass important security mechanisms, including spam filtering and sender authentication checks. Avoiding use of safe lists prevents potential threats from circumventing security mechanisms. While blocking all malicious senders is not feasible, blocking specific known, malicious IP addresses may reduce the threat from specific senders.
Remediation action:
To modify the connection filters, follow the instructions found in "Use the Microsoft 365 Defender portal to modify the default connection filter policy":
- Sign in to Microsoft 365 Defender portal.
- From the left-hand menu, find Email & collaboration and select Policies and Rules.
- Select Threat Policies from the list of policy names.
- Under Policies, select Anti-spam.
- Select Connection filter policy (Default).
- Click Edit connection filter policy.
- Ensure Turn on safe list is not selected.
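The same check and change can be made from Exchange Online PowerShell. This is an added example, not part of the original page or the project's own test code; it assumes the ExchangeOnlineManagement module is installed and the signed-in account may edit anti-spam policies, and the function names `Get-SafeListStatus` and `Disable-SafeList` are hypothetical helpers.

```powershell
#Requires -Modules ExchangeOnlineManagement

# Hypothetical helper: report the safe list state of every connection filter policy.
function Get-SafeListStatus {
    Get-HostedConnectionFilterPolicy | ForEach-Object {
        [pscustomobject]@{
            Policy         = $_.Name
            EnableSafeList = [bool]$_.EnableSafeList
            # Compliant with MS.EXO.12.2 only when the safe list is off.
            Compliant      = -not $_.EnableSafeList
        }
    }
}

# Hypothetical helper: turn the safe list off wherever it is still enabled.
# Supports -WhatIf / -Confirm so the change can be previewed first.
function Disable-SafeList {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $nonCompliant = @(Get-SafeListStatus | Where-Object { -not $_.Compliant })
    foreach ($row in $nonCompliant) {
        if ($PSCmdlet.ShouldProcess($row.Policy, 'Set EnableSafeList to $false')) {
            Set-HostedConnectionFilterPolicy -Identity $row.Policy -EnableSafeList $false
        }
    }
}

Connect-ExchangeOnline -ShowBanner:$false

# 1. Current state.
Get-SafeListStatus | Format-Table -AutoSize

# 2. Preview the remediation; remove -WhatIf to apply it.
Disable-SafeList -WhatIf

# 3. Re-check after applying.
Get-SafeListStatus | Format-Table -AutoSize
```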
Related links
- Defender admin center - Anti-spam policies
- CISA 12 IP Allow Lists - MS.EXO.12.2v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.12.2 |
| Severity | Medium |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaAntiSpamSafeList |
| Tags | CISA, CISA.MS.EXO.12.2, MS.EXO, MS.EXO.12.2 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaAntiSpamSafeList.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaAntiSpamSafeList.ps1