ORCA.118.4 - Your own domains are not being allow listed in an unsafe manner in Transport Rules.
Overview
Emails coming from allow listed domains bypass several layers of protection within Exchange Online Protection. If you allow list your own domains, an attacker can spoof any account in your organisation that uses one of those domains. This is a significant phishing attack vector.
Remediation action
Remove allow listing on domains belonging to your organisation.
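One way to find the rules to review, as an added example (not the ORCA or Maester test code): it assumes a rule allow lists a domain when it sets the spam confidence level to -1 (`SetSCL`) and is conditioned on `SenderDomainIs`. The function name `Find-OwnDomainAllowListRule` and the sample rules and domains are constructed for illustration.

```powershell
# Added example: flags transport rules that set SCL -1 (skip spam filtering)
# for a sender domain that is one of the tenant's own accepted domains.
function Find-OwnDomainAllowListRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Rules,            # output of Get-TransportRule
        [Parameter(Mandatory)] [string[]] $AcceptedDomains   # (Get-AcceptedDomain).DomainName
    )
    foreach ($rule in $Rules) {
        # Only rules that mark mail as trusted (SCL -1) are relevant.
        if ($rule.SetSCL -ne -1) { continue }
        # -in compares strings case-insensitively, as domain names should be.
        $own = @($rule.SenderDomainIs | Where-Object { $_ -in $AcceptedDomains })
        if ($own.Count -gt 0) {
            [pscustomobject]@{
                Rule       = $rule.Name
                State      = $rule.State
                OwnDomains = $own -join ', '
            }
        }
    }
}

# Constructed sample data so the function runs without a tenant connection.
$sampleDomains = 'contoso.example', 'contoso.onmicrosoft.example'
$sampleRules = @(
    # Own domain with SCL -1 (different letter case on purpose).
    [pscustomobject]@{ Name = 'Trust internal mail'; State = 'Enabled'; SetSCL = -1
                       SenderDomainIs = @('Contoso.example') }
    # External domain with SCL -1: outside the scope of this check.
    [pscustomobject]@{ Name = 'Trust partner'; State = 'Enabled'; SetSCL = -1
                       SenderDomainIs = @('partner.example') }
    # Own domain, but the rule does not change the SCL.
    [pscustomobject]@{ Name = 'Add disclaimer'; State = 'Enabled'; SetSCL = $null
                       SenderDomainIs = @('contoso.example') }
)
Find-OwnDomainAllowListRule -Rules $sampleRules -AcceptedDomains $sampleDomains |
    Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline):
# Find-OwnDomainAllowListRule -Rules (Get-TransportRule) `
#     -AcceptedDomains (Get-AcceptedDomain).DomainName
```

Each rule returned is a candidate for the remediation above; review what it is meant to achieve before removing the own-domain condition.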
Related Links
- Exchange admin center in Exchange Online
- Using Exchange Transport Rules (ETRs) to allow specific senders
Test Metadata
| Field | Value |
|---|---|
| Test ID | ORCA.118.4 |
| Severity | Medium |
| Suite | ORCA |
| Category | EXO |
| PowerShell test | Test-ORCA118_4 |
| Tags | EXO, ORCA, ORCA.118.4 |
Source
- Pester test: tests/orca/Test-ORCA118_4.Tests.ps1
- PowerShell source: powershell/public/orca/Test-ORCA118_4.ps1