CIS.M365.2.1.12 - (L1) Ensure the connection filter IP allow list is not used (Only Checks Default Policy)
Overview
2.1.12 (L1) Ensure the connection filter IP allow list is not used
In Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, connection filtering and the default connection filter policy identify good or bad source email servers by IP addresses. The key components of the default connection filter policy are IP Allow List, IP Block List and Safe list. The recommended state is IP Allow List empty or undefined.
Rationale
Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This method creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered. Messages that are determined to be malware or high confidence phishing are filtered.
Impact
This is the default behavior. IP Allow lists may reduce false positives, however, this benefit is outweighed by the importance of a policy which scans all messages regardless of the origin. This supports the principle of zero trust.
Remediation action:
To remove IPs from the allow list:
- Navigate to Microsoft 365 Defender.
- Click to expand Email & collaboration select Policies & rules > Threat policies.
- Under policies select Anti-spam.
- Click on the Connection filter policy (Default).
- Click Edit connection filter policy.
- Remove any IP entries from Always allow messages from the following IP addresses or address range:.
- Click Save.
PowerShell
- Connect to Exchange Online using
Connect-ExchangeOnline. - Run the following PowerShell command:
Set-HostedConnectionFilterPolicy -Identity Default -IPAllowList @{}
Related links
- Microsoft 365 Defender
- Configure connection filtering in cloud organizations
- Create sender allowlists for cloud mailboxes
- When user and organization settings conflict
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 116
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.2.1.12 |
| Severity | Medium |
| Suite | CIS |
| Category | CIS E3 Level 1 |
| PowerShell test | Test-MtCisHostedConnectionFilterPolicy |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS M365 v6.0.1, CIS.M365.2.1.12, L1 |
Source
- Pester test:
tests/cis/Test-MtCisHostedConnectionFilterPolicy.Tests.ps1 - PowerShell source:
powershell/public/cis/Test-MtCisHostedConnectionFilterPolicy.ps1