CIS.M365.2.1.3 - (L1) Ensure notifications for internal users sending malware is Enabled (Only Checks Default Policy)
Overview
2.1.3 (L1) Ensure notifications for internal users sending malware is Enabled
Exchange Online Protection (EOP) is Microsoft's cloud-based filtering service that protects organizations against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes.
EOP uses flexible anti-malware policies for malware protection settings. These policies can be set to notify Admins of malicious activity.
Rationale
This setting alerts administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated.
Impact
Notifying an administrator about an account with potential issues should have no impact on the user.
Remediation action:
To enable notifications for internal users sending malware:
- Navigate to Microsoft 365 Defender https://security.microsoft.com.
- Click to expand Email & collaboration and select Policies & rules.
- On the Policies & rules page select Threat policies.
- Under Policies select Anti-malware.
- Click on the Default (Default) policy.
- Click on Edit protection settings and change the settings for Notify an admin about undelivered messages from internal senders to On and enter the email address of the administrator who should be notified under Administrator email address.
- Click Save.
PowerShell
- Connect to Exchange Online using Connect-ExchangeOnline.
- Run the following command:

```powershell
Set-MalwareFilterPolicy -Identity '{Identity Name}' -EnableInternalSenderAdminNotifications $True -InternalSenderAdminAddress {admin@domain1.com}
```
Note: The audit and remediation guidance focuses on the Default policy; however, if a custom policy exists in the organization's tenant, ensure the setting is also configured as outlined in the highest-priority policy listed.
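Because custom anti-malware policies outrank the Default policy, an audit limited to the Default policy can miss the policy that actually applies to a given sender. The script below is an added example, not the Maester test's own code: it assumes an existing Connect-ExchangeOnline session with the ExchangeOnlineManagement module, lists every anti-malware policy together with the priority of the rule that applies it (the Default policy has no rule and is always evaluated last), and flags any policy where the internal-sender notification is off or has no administrator address. The remediation line is left commented out with a placeholder address so the script only reports unless you choose to apply it.

```powershell
# Added audit example (not Maester's Test-MtCisInternalMalwareNotification code).
# Assumes: Connect-ExchangeOnline has already been run in this session.
# Assumed cmdlet output properties: Get-MalwareFilterPolicy exposes Name, IsDefault,
# EnableInternalSenderAdminNotifications and InternalSenderAdminAddress;
# Get-MalwareFilterRule exposes MalwareFilterPolicy, Priority and State.

function Get-InternalMalwareNotificationStatus {
    [CmdletBinding()]
    param()

    $policies = Get-MalwareFilterPolicy
    # Custom policies are applied through rules, and the rule carries the priority (0 = highest).
    $rules = Get-MalwareFilterRule

    foreach ($policy in $policies) {
        $rule = $rules | Where-Object { $_.MalwareFilterPolicy -eq $policy.Name } | Select-Object -First 1

        $priority = if ($policy.IsDefault) { 'Default (evaluated last)' }
                    elseif ($rule)         { $rule.Priority }
                    else                   { 'Unassigned (no rule)' }

        $ruleState = if ($policy.IsDefault) { 'Enabled' }
                     elseif ($rule)         { $rule.State }
                     else                   { 'n/a' }

        $hasAddress = -not [string]::IsNullOrWhiteSpace($policy.InternalSenderAdminAddress)

        [pscustomobject]@{
            Policy       = $policy.Name
            Priority     = $priority
            RuleState    = $ruleState
            NotifyAdmin  = [bool]$policy.EnableInternalSenderAdminNotifications
            AdminAddress = $policy.InternalSenderAdminAddress
            # Compliant only when the notification is on AND an address is configured.
            Compliant    = ([bool]$policy.EnableInternalSenderAdminNotifications) -and $hasAddress
        }
    }
}

$status = Get-InternalMalwareNotificationStatus
$status | Format-Table -AutoSize

# Report every non-compliant policy; uncomment the Set-MalwareFilterPolicy line to remediate.
$status | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning "Policy '$($_.Policy)' (priority: $($_.Priority)) does not notify an admin about internal senders of malware."
    # Set-MalwareFilterPolicy -Identity $_.Policy `
    #     -EnableInternalSenderAdminNotifications $true `
    #     -InternalSenderAdminAddress 'admin@placeholder.example'   # placeholder: replace with the real admin address
}
```

Run the script once before remediation to see which policy sits at the top of the priority list; a disabled rule (RuleState = Disabled) means that policy is not in effect even if it is compliant, so the next enabled policy, or the Default policy, is the one that actually governs notifications.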
Related links
- Microsoft 365 Defender
- Anti-malware protection for cloud mailboxes
- Configure anti-malware policies for cloud mailboxes
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 81
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.2.1.3 |
| Severity | Medium |
| Suite | CIS |
| Category | CIS E3 Level 1 |
| PowerShell test | Test-MtCisInternalMalwareNotification |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS M365 v6.0.1, CIS.M365.2.1.3, L1 |
Source
- Pester test: tests/cis/Test-MtCisInternalMalwareNotification.Tests.ps1
- PowerShell source: powershell/public/cis/Test-MtCisInternalMalwareNotification.ps1