CIS.M365.2.1.13 - (L1) Ensure the connection filter safe list is off (Only Checks Default Policy)
Overview
2.1.13 (L1) Ensure the connection filter safe list is off
In Microsoft 365 organizations with Exchange Online mailboxes or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, connection filtering and the default connection filter policy identify good or bad source email servers by IP address. The key components of the default connection filter policy are the IP Allow List, the IP Block List and the safe list. The safe list is a pre-configured allow list that is dynamically updated by Microsoft. The recommended safe list state is Off (EnableSafeList set to False).
Rationale
Without additional verification like mail flow rules, email from sources in the IP Allow List skips spam filtering and sender authentication (SPF, DKIM, DMARC) checks. This creates a high risk of attackers successfully delivering email to the Inbox that would otherwise be filtered. Messages that are determined to be malware or high confidence phishing are still filtered. The safe list is managed dynamically by Microsoft, and administrators do not have visibility into which senders are included. Incoming messages from email servers on the safe list bypass spam filtering.
Impact
This is the default behavior. IP Allow lists may reduce false positives; however, this benefit is outweighed by the importance of a policy that scans all messages regardless of their origin, which supports the principle of zero trust.
Remediation action:
- Navigate to Microsoft 365 Defender.
- Click to expand Email & collaboration, then select Policies & rules > Threat policies.
- Under Policies select Anti-spam.
- Click on the Connection filter policy (Default).
- Click Edit connection filter policy.
- Uncheck Turn on safe list.
- Click Save.
PowerShell
- Connect to Exchange Online using `Connect-ExchangeOnline`.
- Run the following PowerShell command:

```powershell
Set-HostedConnectionFilterPolicy -Identity Default -EnableSafeList $false
```
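The audit side of this control, as an added example that is not the Maester project's own Test-MtCisConnectionFilterSafeList code: the function below evaluates the Default connection filter policy for the safe list setting (and optionally the IP Allow List, which the rationale above describes as bypassing spam filtering in the same way) and reports the findings. Live use assumes the ExchangeOnlineManagement module and an active Connect-ExchangeOnline session; the policy object can also be passed in so the logic runs offline, and the sample policies at the bottom are constructed, not real tenant data.

```powershell
# Added example (not the Maester project's own test code): audit the Default
# connection filter policy for CIS 2.1.13 and report why it fails.
function Test-ConnectionFilterSafeListOff {
    [CmdletBinding()]
    param(
        # Result of Get-HostedConnectionFilterPolicy; fetched live when omitted.
        [object] $Policy,
        # Also flag IP Allow List entries, which likewise skip spam filtering.
        [switch] $FlagIpAllowList
    )

    if (-not $Policy) {
        # Only the Default policy is evaluated, matching the scope of this check.
        $Policy = Get-HostedConnectionFilterPolicy -Identity Default
    }

    $findings = [System.Collections.Generic.List[string]]::new()

    # CIS expects EnableSafeList to be False (Microsoft-managed safe list off).
    if ($Policy.EnableSafeList -eq $true) {
        $findings.Add("EnableSafeList is True on policy '$($Policy.Identity)'")
    }

    $allowList = @($Policy.IPAllowList)
    if ($FlagIpAllowList -and $allowList.Count -gt 0) {
        $findings.Add("IP Allow List has $($allowList.Count) entries: $($allowList -join ', ')")
    }

    [pscustomobject]@{
        Policy      = $Policy.Identity
        Passed      = ($findings.Count -eq 0)
        Findings    = $findings.ToArray()
        # Remediation command from the benchmark, surfaced alongside the result.
        Remediation = 'Set-HostedConnectionFilterPolicy -Identity Default -EnableSafeList $false'
    }
}

# Constructed sample policy objects (not real tenant data) so the logic can be
# exercised offline: one failing configuration and one compliant configuration.
$failingPolicy = [pscustomobject]@{ Identity = 'Default'; EnableSafeList = $true;  IPAllowList = @('192.0.2.10') }
$passingPolicy = [pscustomobject]@{ Identity = 'Default'; EnableSafeList = $false; IPAllowList = @() }

Test-ConnectionFilterSafeListOff -Policy $failingPolicy -FlagIpAllowList
Test-ConnectionFilterSafeListOff -Policy $passingPolicy -FlagIpAllowList
```

Run it without -Policy inside a Connect-ExchangeOnline session to audit the live tenant; the Findings array explains exactly which setting needs the remediation command.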
Related links
- Microsoft 365 Defender
- Configure connection filtering in cloud organizations
- Create sender allowlists for cloud mailboxes
- When user and organization settings conflict
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 119
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.2.1.13 |
| Severity | Medium |
| Suite | CIS |
| Category | CIS E3 Level 1 |
| PowerShell test | Test-MtCisConnectionFilterSafeList |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS M365 v6.0.1, CIS.M365.2.1.13, L1 |
Source
- Pester test: tests/cis/Test-MtCisConnectionFilterSafeList.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisConnectionFilterSafeList.ps1