ORCA.118.2 - Domains are not being allow listed in an unsafe manner in Transport Rules.
Overview
Emails coming from allow listed domains bypass several layers of protection within Exchange Online Protection. If domains are allow listed, they are open to being spoofed by malicious actors.
Remediation action
Remove allow listed domains.
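
One way to find the rules to review before removing them, as an added example (not the Maester or ORCA source code). It assumes an allow-listing rule is one that sets the SCL to -1 and is conditioned on `SenderDomainIs`; the function name `Find-AllowListedDomainRule` and the sample rules are constructed for illustration.

```powershell
# Added example: lists transport rules that allow-list sender domains.
# Assumption: "allow listed" means the rule sets SCL to -1 (skip spam
# filtering) and has a SenderDomainIs condition.
function Find-AllowListedDomainRule {
    param(
        # Output of Get-TransportRule, or objects with the same properties.
        [Parameter(Mandatory)]
        [object[]]$TransportRule
    )

    foreach ($rule in $TransportRule) {
        # Drop null/empty entries so a rule without the condition yields 0 domains.
        $domains = @($rule.SenderDomainIs | Where-Object { $_ })

        # String comparison also works on deserialized remote-session objects.
        if ("$($rule.SetSCL)" -eq '-1' -and $domains.Count -gt 0) {
            foreach ($domain in $domains) {
                # One row per allow-listed domain, so each can be reviewed on its own.
                [pscustomobject]@{
                    Rule     = $rule.Name
                    State    = $rule.State
                    Priority = $rule.Priority
                    Domain   = $domain
                }
            }
        }
    }
}

# Constructed sample rules (not from a real tenant) so the function runs offline.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Partner bypass'; State = 'Enabled'; Priority = 0
                       SetSCL = -1;    SenderDomainIs = @('partner.example', 'vendor.example') }
    [pscustomobject]@{ Name = 'Tag external';   State = 'Enabled'; Priority = 1
                       SetSCL = $null; SenderDomainIs = $null }
    [pscustomobject]@{ Name = 'Raise SCL';      State = 'Enabled'; Priority = 2
                       SetSCL = 9;     SenderDomainIs = @('bulk.example') }
)

# Only 'Partner bypass' is reported, once per domain.
Find-AllowListedDomainRule -TransportRule $sampleRules | Format-Table -AutoSize

# Against a live tenant (requires a connected Exchange Online PowerShell session):
# Find-AllowListedDomainRule -TransportRule (Get-TransportRule) | Format-Table -AutoSize
```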
Related Links
- Exchange admin center in Exchange Online
- Using Exchange Transport Rules (ETRs) to allow specific senders
Test Metadata
| Field | Value |
|---|---|
| Test ID | ORCA.118.2 |
| Severity | High |
| Suite | ORCA |
| Category | EXO |
| PowerShell test | Test-ORCA118_2 |
| Tags | EXO, ORCA, ORCA.118.2 |
Source
- Pester test: tests/orca/Test-ORCA118_2.Tests.ps1
- PowerShell source: powershell/public/orca/Test-ORCA118_2.ps1