CISA.MS.EXO.10.3 - Email scanning SHALL be capable of reviewing emails after delivery.
Overview
Email scanning SHALL be capable of reviewing emails after delivery.
Rationale: As known malware signatures are updated, it is possible for an email to be retroactively identified as containing malware after delivery. By scanning emails after delivery, the number of malware-infected emails in users' mailboxes can be reduced.
Remediation action:
1. Sign in to Microsoft 365 Defender.
2. In the left-hand menu, go to Email & Collaboration > Policies & Rules.
3. Select Threat Policies.
4. From the Templated policies section, select Preset Security Policies.
5. Under Standard protection, slide the toggle switch to the right so the text next to the toggle reads Standard protection is on.
6. Under Strict protection, slide the toggle switch to the right so the text next to the toggle reads Strict protection is on.
Note: If the toggle slider in step 5 is grayed out, click on Manage protection settings instead and configure the policy settings according to "Use the Microsoft 365 Defender portal to assign Standard and Strict preset security policies to users" on Microsoft Learn.
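To confirm the outcome of the remediation from Exchange Online PowerShell, the following added example (not the Maester or ScubaGear implementation) reads the `ZapEnabled` and `RecommendedPolicyType` properties of anti-malware policies as returned by `Get-MalwareFilterPolicy`. `Test-PresetZap` is a hypothetical helper name, the sample policies are constructed, and treating "Standard and Strict preset policies exist with ZAP on" as the pass condition is an assumption; it does not check whether the presets are switched on or which recipients they cover.

```powershell
# Added example: Test-PresetZap is a hypothetical helper, not a Maester or ScubaGear cmdlet.
function Test-PresetZap {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-MalwareFilterPolicy output
        # (Name, RecommendedPolicyType, ZapEnabled).
        [Parameter(Mandatory)]
        [object[]]$Policies
    )

    # Normalise each policy to the three fields this check cares about.
    $status = foreach ($p in $Policies) {
        [pscustomobject]@{
            Name       = $p.Name
            PolicyType = [string]$p.RecommendedPolicyType
            ZapEnabled = [bool]$p.ZapEnabled
        }
    }

    # Assumption: a preset counts as covered when a policy of that type has ZAP on.
    $missing = @(foreach ($type in 'Standard', 'Strict') {
        $hit = $status | Where-Object { $_.PolicyType -eq $type -and $_.ZapEnabled }
        if (-not $hit) { $type }
    })

    # Any policy (default or custom) with ZAP off leaves its recipients
    # without post-delivery malware review, so list those as well.
    $zapOff = @($status | Where-Object { -not $_.ZapEnabled } | ForEach-Object { $_.Name })

    [pscustomobject]@{
        Compliant           = ($missing.Count -eq 0)
        MissingPresets      = $missing
        PoliciesWithZapOff  = $zapOff
    }
}

# Constructed sample input: Strict preset absent, one custom policy with ZAP disabled.
$sample = @(
    [pscustomobject]@{ Name = 'Default';                  RecommendedPolicyType = 'Custom';   ZapEnabled = $true  }
    [pscustomobject]@{ Name = 'Sample standard preset';   RecommendedPolicyType = 'Standard'; ZapEnabled = $true  }
    [pscustomobject]@{ Name = 'Sample legacy custom';     RecommendedPolicyType = 'Custom';   ZapEnabled = $false }
)
Test-PresetZap -Policies $sample

# Against a live tenant, after Connect-ExchangeOnline:
#   Test-PresetZap -Policies (Get-MalwareFilterPolicy)
```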
Related links
- Defender admin center - Preset security policies
- Defender admin center - Order and precedence of email protection
- CISA 10 Malware Scanning - MS.EXO.10.3v1
- CISA ScubaGear Rego Reference
- Microsoft Learn - Zero-hour auto purge (ZAP) for malware
Test Metadata
| Field | Value |
|---|---|
| Test ID | CISA.MS.EXO.10.3 |
| Severity | High |
| Suite | CISA |
| Category | exchange |
| PowerShell test | Test-MtCisaMalwareZap |
| Tags | CISA, CISA.MS.EXO.10.3, MS.EXO, MS.EXO.10.3 |
Source
- Pester test: tests/cisa/exchange/Test-MtCisaMalwareZap.Tests.ps1
- PowerShell source: powershell/public/cisa/exchange/Test-MtCisaMalwareZap.ps1