ORCA.118.2 - Domains are not being allow listed in an unsafe manner in Transport Rules.
Overview
Emails coming from allow listed domains bypass several layers of protection within Exchange Online Protection. If domains are allow listed, they are open to being spoofed from malicious actors.
Remediation action
Remove allow listed domains.
Related Links
- Exchange admin center in Exchange Online
- Using Exchange Transport Rules (ETRs) to allow specific senders
Test Metadata
| Field | Value |
|---|---|
| Test ID | ORCA.118.2 |
| Severity | High |
| Suite | ORCA |
| Category | EXO |
| PowerShell test | Test-ORCA118_2 |
| Tags | EXO, ORCA, ORCA.118.2 |
Source
- Pester test:
tests/orca/Test-ORCA118_2.Tests.ps1 - PowerShell source:
powershell/public/orca/Test-ORCA118_2.ps1