CIS.M365.2.1.6 - (L1) Ensure Exchange Online Spam Policies are set to notify administrators (Only Checks Default Policy)
Overview
2.1.6 (L1) Ensure Exchange Online Spam Policies are set to notify administrators
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP. Configure Exchange Online Spam Policies to copy emails and notify someone when a sender in the organization has been blocked for sending spam emails.
Rationale
A blocked account is a good indication that the account in question has been breached, and an attacker is using it to send spam emails to other people.
Impact
Notification of users that have been blocked should not cause an impact to the user.
Remediation action:
To set the Exchange Online Spam Policies:
- Navigate to Microsoft 365 Defender https://security.microsoft.com
- Under Email & collaboration select Policies & rules
- Select Threat policies then Anti-spam
- Click on the Anti-spam outbound policy (default)
- Select Edit protection settings then under Notifications
- Check Send a copy of outbound messages that exceed these limits to these users and groups then enter the desired email addresses
- Check Notify these users and groups if a sender is blocked due to sending outbound spam then enter the desired email addresses.
- Click Save.
PowerShell
- Connect to Exchange Online using
Connect-ExchangeOnline. - Run the following PowerShell command:
$BccEmailAddress = @("<INSERT-EMAIL>")
$NotifyEmailAddress = @("<INSERT-EMAIL>")
Set-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundAdditionalRecipients $BccEmailAddress -BccSuspiciousOutboundMail $true -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $NotifyEmailAddress
Note: Audit and Remediation guidance may focus on the Default policy however, if a Custom Policy exists in the organization's tenant, then ensure the setting is set as outlined in the highest priority policy listed.
Related links
- Microsoft 365 Defender
- Outbound spam protection for cloud mailboxes
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 91
Test Metadata
| Field | Value |
|---|---|
| Test ID | CIS.M365.2.1.6 |
| Severity | Medium |
| Suite | CIS |
| Category | CIS E3 Level 1 |
| PowerShell test | Test-MtCisOutboundSpamFilterPolicy |
| Tags | CIS, CIS E3, CIS E3 Level 1, CIS M365 v6.0.1, CIS.M365.2.1.6, L1 |
Source
- Pester test:
tests/cis/Test-MtCisOutboundSpamFilterPolicy.Tests.ps1 - PowerShell source:
powershell/public/cis/Test-MtCisOutboundSpamFilterPolicy.ps1