CISA.MS.EXO.14.3 - Allowed domains SHALL NOT be added to inbound anti-spam protection policies.
Overview
Allowed domains SHALL NOT be added to inbound anti-spam protection policies.
Rationale: Legitimate emails may be incorrectly filtered by spam protections, and adding individual allowed senders is an acceptable way to deal with those false positives. Allowing an entire domain, however, especially a common domain such as office.com, lets a large number of potentially unknown senders bypass spam protections.
Remediation action:
1. Sign in to Microsoft 365 Defender.
2. In the left-hand menu, go to Email & Collaboration > Policies & Rules.
3. Select Threat Policies.
4. From the Templated policies section, select Preset Security Policies.
5. Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
6. Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.

Note: If the toggle switch in step 5 is grayed out, click Manage protection settings instead and configure the policy settings according to Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users | Microsoft Learn.
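The portal steps above enable the preset policies, but the condition the baseline actually tests is whether any inbound anti-spam policy carries entries in its allowed sender domains list. The script below is an added example, not the Maester test's own code or part of the CISA baseline. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange Online role that can read and modify anti-spam policies; the `-Remediate` switch and the `Get-SpamBypassDomains` function name are this example's own inventions.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example: find inbound anti-spam (hosted content filter) policies that
# allow entire sender domains, the setting MS.EXO.14.3 forbids, and optionally
# clear them. Individual allowed senders (AllowedSenders) are left untouched
# because the baseline permits them.
param(
    [switch]$Remediate   # assumption: only change policies when explicitly asked
)

function Get-SpamBypassDomains {
    # Get-HostedContentFilterPolicy returns every inbound anti-spam policy,
    # including the tenant's Default policy. Each AllowedSenderDomains entry
    # stringifies to the bare domain name.
    foreach ($policy in Get-HostedContentFilterPolicy) {
        $domains = @($policy.AllowedSenderDomains | ForEach-Object { "$_" })
        if ($domains.Count -gt 0) {
            [pscustomobject]@{
                Policy         = $policy.Name
                AllowedDomains = $domains
            }
        }
    }
}

Connect-ExchangeOnline -ShowBanner:$false
try {
    $violations = @(Get-SpamBypassDomains)

    if ($violations.Count -eq 0) {
        Write-Host 'PASS: no inbound anti-spam policy allows a whole sender domain.'
    }
    else {
        Write-Host 'FAIL: the following policies allow whole sender domains:'
        $violations |
            Select-Object Policy, @{ n = 'AllowedDomains'; e = { $_.AllowedDomains -join ', ' } } |
            Format-Table -AutoSize

        if ($Remediate) {
            foreach ($v in $violations) {
                # Passing $null clears the multivalued AllowedSenderDomains
                # property without touching AllowedSenders or other settings.
                Set-HostedContentFilterPolicy -Identity $v.Policy -AllowedSenderDomains $null
                Write-Host "Cleared $($v.AllowedDomains.Count) allowed domain(s) from '$($v.Policy)'."
            }
        }
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Run it without arguments to audit, and with `-Remediate` to clear the offending lists. If a specific external sender keeps getting filtered after the domain allow entry is removed, add that single address to the policy's AllowedSenders list rather than re-adding the domain.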
Related links
- Defender admin center - Preset security policies
- CISA 14 Inbound Anti-Spam Protections - MS.EXO.14.3
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.14.3 |
| Severity | Medium |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaSpamBypass |
| Tags | CISA, CISA.MS.EXO.14.3, MS.EXO, MS.EXO.14.3 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaSpamBypass.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaSpamBypass.ps1