CISA.MS.EXO.7.1 - External sender warnings SHALL be implemented.
Overview
External sender warnings SHALL be implemented.
Rationale: Phishing is an ever-present threat. Alerting users when email originates from outside their organization can encourage them to exercise increased caution, especially if an email is one they expected from an internal sender.
⚠️ WARNING: This test allows the use of a technical mechanism that differs from CISA's, though the outcome is the same.
Remediation action:
Option 1: Use external sender identification
This feature is only available for Outlook, Outlook for Mac, Outlook on the web, and Outlook for iOS and Android.
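- Connect to Exchange Online using the PowerShell module `ExchangeOnlineManagement`.
- Enable the feature with the cmdlet `Set-ExternalInOutlook`.

```powershell
# Install the Exchange Online management module (one time per workstation)
Install-Module -Name ExchangeOnlineManagement
# Open an authenticated session to the tenant
Connect-ExchangeOnline
# Turn on the native external sender tag in supported Outlook clients
Set-ExternalInOutlook -Enabled $true
```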
Option 2: Prepend subject with "[External]"
To create a mail flow rule to produce external sender warnings:
- Sign in to the Exchange admin center.
- Under Mail flow, select Rules.
- Click the plus (+) button to create a new rule.
- Select Modify messages….
- Give the rule an appropriate name.
- Under Apply this rule if…, select The sender is external/internal.
- Under select sender location, select Outside the organization, then click OK.
- Under Do the following…, select Prepend the subject of the message with….
- Under specify subject prefix, enter a message such as "[External]" (without the quotation marks), then click OK.
- Click Next.
- Under Choose a mode for this rule, select Enforce.
- Leave the Severity as Not Specified.
- Leave the Match sender address in message as Header and click Next.
- Click Finish and then Done.
- The new rule will be disabled. Re-select the new rule to show its settings and slide the Enable or disable rule slider to the right until it shows as Enabled.
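
To confirm that either option is actually in effect, the following added example (not Maester's test source or ScubaGear's Rego) evaluates the output of `Get-ExternalInOutlook` and `Get-TransportRule`. The function name `Test-ExternalSenderWarning` is hypothetical and the sample objects are constructed so the logic can be run without a tenant connection.

```powershell
# Added example: checks Option 1 (external tag) and Option 2 (subject prefix rule).
function Test-ExternalSenderWarning {   # hypothetical helper name
    param(
        [object[]]$ExternalInOutlook,   # output of Get-ExternalInOutlook
        [object[]]$TransportRule        # output of Get-TransportRule
    )

    # Option 1: the native external tag is switched on.
    $tagOn = @($ExternalInOutlook | Where-Object { $_.Enabled -eq $true })

    # Option 2: a rule that is enabled, enforced (not audit-only), scoped to
    # senders outside the organization, and prepends a subject prefix.
    $rules = @($TransportRule | Where-Object {
        $_.State -eq 'Enabled' -and
        $_.Mode -eq 'Enforce' -and
        $_.FromScope -eq 'NotInOrganization' -and
        -not [string]::IsNullOrWhiteSpace($_.PrependSubject)
    })

    [pscustomobject]@{
        ExternalTagEnabled = $tagOn.Count -gt 0
        # Senders and domains on the allow list do not receive the tag; review them.
        TagAllowList       = @($tagOn.AllowList)
        SubjectPrefixRules = @($rules.Name)
        Compliant          = ($tagOn.Count -gt 0) -or ($rules.Count -gt 0)
    }
}

# Constructed sample data: tag disabled, one working rule, and one rule that was
# created but never enabled (the state a new rule is left in by the steps above).
$sampleTag = [pscustomobject]@{ Enabled = $false; AllowList = @() }
$sampleRules = @(
    [pscustomobject]@{ Name = 'Tag external mail'; State = 'Enabled'; Mode = 'Enforce'
                       FromScope = 'NotInOrganization'; PrependSubject = '[External]' }
    [pscustomobject]@{ Name = 'Draft external tag'; State = 'Disabled'; Mode = 'Enforce'
                       FromScope = 'NotInOrganization'; PrependSubject = '[External]' }
)
Test-ExternalSenderWarning -ExternalInOutlook $sampleTag -TransportRule $sampleRules

# Against a live tenant, after Connect-ExchangeOnline:
# Test-ExternalSenderWarning -ExternalInOutlook (Get-ExternalInOutlook) `
#                            -TransportRule (Get-TransportRule)
```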
Related links
- Exchange admin center - Mail Flow Rules
- CISA 7 External Sender Warnings - MS.EXO.7.1v1
- CISA ScubaGear Rego Reference
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.7.1 |
| Severity | Medium |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaExternalSenderWarning |
| Tags | CISA, CISA.MS.EXO.7.1, MS.EXO, MS.EXO.7.1 |
Source
- Pester test: `tests/cisa/exchange/Test-MtCisaExternalSenderWarning.Tests.ps1`
- PowerShell source: `powershell/public/cisa/exchange/Test-MtCisaExternalSenderWarning.ps1`