CISA.MS.EXO.15.3 - User click tracking SHOULD be enabled.
Overview
User click tracking SHOULD be enabled.
Rationale: Users may click on malicious links in emails, leading to compromise or unauthorized data disclosure. Enabling user click tracking lets agencies determine after the fact whether a malicious link may have been visited, which helps tailor the response to a potential incident.
Remediation action:
- Sign in to Microsoft 365 Defender.
- In the left-hand menu, go to Email & Collaboration > Policies & Rules.
- Select Threat Policies.
- From the Templated policies section, select Preset Security Policies.
- Under either Standard protection or Strict protection, select Manage protection settings.
- Select Next until you reach the Apply Defender for Office 365 protection page.
- On the Apply Defender for Office 365 protection page, select All recipients.
- (Optional) Under Exclude these recipients, add Users and Groups to be exempted from the preset policies.
- Select Next on each page until the Review and confirm your changes page.
- On the Review and confirm your changes page, select Confirm.
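To confirm the result from PowerShell, the following added example (not part of the original page and not the project's own test code) flags Safe Links policies that are in effect but do not record clicks. The helper name `Get-ClickTrackingStatus` is hypothetical, the sample objects are constructed, and the property names (`TrackClicks`, `IsBuiltInProtection`, `SafeLinksPolicy`, `State`) are assumed to match the output of `Get-SafeLinksPolicy` and `Get-SafeLinksRule`.

```powershell
# Added example; Get-ClickTrackingStatus is a hypothetical helper name.
function Get-ClickTrackingStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Policy,  # shape of Get-SafeLinksPolicy output (assumed)
        [object[]] $Rule = @()                      # shape of Get-SafeLinksRule output (assumed)
    )
    # Names of policies that an enabled rule actually applies to recipients.
    $applied = @($Rule | Where-Object { $_.State -eq 'Enabled' } |
        ForEach-Object { $_.SafeLinksPolicy })

    foreach ($p in $Policy) {
        $inEffect = $p.IsBuiltInProtection -or ($applied -contains $p.Name)
        [pscustomobject]@{
            Policy      = $p.Name
            TrackClicks = [bool]$p.TrackClicks
            InEffect    = [bool]$inEffect
            # A policy satisfies the control only if it is in effect and records clicks.
            Compliant   = [bool]($inEffect -and $p.TrackClicks)
        }
    }
}

# Constructed sample data (not from a real tenant).
$policies = @(
    [pscustomobject]@{ Name = 'Standard Preset Security Policy'; TrackClicks = $true;  IsBuiltInProtection = $false }
    [pscustomobject]@{ Name = 'Legacy Custom Policy';            TrackClicks = $false; IsBuiltInProtection = $false }
    [pscustomobject]@{ Name = 'Unassigned Policy';               TrackClicks = $true;  IsBuiltInProtection = $false }
)
$rules = @(
    [pscustomobject]@{ Name = 'Standard Preset Rule'; SafeLinksPolicy = 'Standard Preset Security Policy'; State = 'Enabled' }
    [pscustomobject]@{ Name = 'Legacy Custom Rule';   SafeLinksPolicy = 'Legacy Custom Policy';            State = 'Enabled' }
)

$status = Get-ClickTrackingStatus -Policy $policies -Rule $rules
$status | Format-Table -AutoSize

# Policies that reach recipients without click tracking need attention.
$status | Where-Object { $_.InEffect -and -not $_.TrackClicks }

# Against a live tenant, after Connect-ExchangeOnline:
#   Get-ClickTrackingStatus -Policy (Get-SafeLinksPolicy) -Rule (Get-SafeLinksRule)
```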
Related links
- Defender admin center - Preset security policies
- CISA 15 Link Protection - MS.EXO.15.3
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.15.3 |
| Severity | Medium |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaSafeLinkClickTracking |
| Tags | CISA, CISA.MS.EXO.15.3, MS.EXO, MS.EXO.15.3 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaSafeLinkClickTracking.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaSafeLinkClickTracking.ps1