ORCA Exchange Online Tests
These tests validate Exchange Online security configuration checks from ORCA.
Tests
| Test ID | Title | Severity | Category |
|---|---|---|---|
| ORCA.100 | Bulk Complaint Level threshold is between 4 and 6. | Medium | EXO |
| ORCA.101 | Bulk is marked as spam. | Medium | EXO |
| ORCA.102 | Advanced Spam filter options are turned off. | Medium | EXO |
| ORCA.103 | Outbound spam filter policy settings configured. | Medium | EXO |
| ORCA.104 | High Confidence Phish action set to Quarantine message. | High | EXO |
| ORCA.105 | Safe Links Synchronous URL detonation is enabled. | Medium | EXO |
| ORCA.106 | Quarantine retention period is 30 days. | Medium | EXO |
| ORCA.107 | End-user spam notification is enabled. | Low | EXO |
| ORCA.108 | DKIM signing is set up for all your custom domains. | Medium | EXO |
| ORCA.108.1 | DNS Records have been set up to support DKIM. | Medium | EXO |
| ORCA.109 | Senders are not being allow listed in an unsafe manner. | Medium | EXO |
| ORCA.110 | Internal Sender notifications are disabled. | Medium | EXO |
| ORCA.111 | Anti-phishing policy exists and EnableUnauthenticatedSender is true. | High | EXO |
| ORCA.112 | Anti-spoofing protection action is configured to Move message to the recipients' Junk Email folders in Anti-phishing policy. | Medium | EXO |
| ORCA.113 | AllowClickThrough is disabled in Safe Links policies. | Medium | EXO |
| ORCA.114 | No IP Allow Lists have been configured. | High | EXO |
| ORCA.115 | Mailbox intelligence based impersonation protection is enabled in anti-phishing policies. | Medium | EXO |
| ORCA.116 | Mailbox intelligence based impersonation protection action set to move message to junk mail folder. | Medium | EXO |
| ORCA.118.1 | Domains are not being allow listed in an unsafe manner in Anti-Spam Policies. | High | EXO |
| ORCA.118.2 | Domains are not being allow listed in an unsafe manner in Transport Rules. | High | EXO |
| ORCA.118.3 | Your own domains are not being allow listed in an unsafe manner in Anti-Spam Policies. | Medium | EXO |
| ORCA.118.4 | Your own domains are not being allow listed in an unsafe manner in Transport Rules. | Medium | EXO |
| ORCA.119 | Similar Domains Safety Tips is enabled. | Info | EXO |
| ORCA.120.1 | Zero Hour Autopurge Enabled for Phish. | Medium | EXO |
| ORCA.120.2 | Zero Hour Autopurge Enabled for Malware. | Medium | EXO |
| ORCA.120.3 | Zero Hour Autopurge Enabled for Spam. | Medium | EXO |
| ORCA.121 | Supported filter policy action used. | Low | EXO |
| ORCA.123 | Unusual Characters Safety Tips is enabled. | Info | EXO |
| ORCA.124 | Safe attachments unknown malware response set to block messages. | High | EXO |
| ORCA.139 | Spam action set to move message to junk mail folder or quarantine. | Low | EXO |
| ORCA.140 | High Confidence Spam action set to Quarantine message. | High | EXO |
| ORCA.141 | Bulk action set to Move message to Junk Email Folder. | Medium | EXO |
| ORCA.142 | Phish action set to Quarantine message. | Medium | EXO |
| ORCA.143 | Safety Tips are enabled. | Info | EXO |
| ORCA.156 | Safe Links Policies are tracking when user clicks on safe links. | Medium | EXO |
| ORCA.158 | Safe Attachments is enabled for SharePoint and Teams. | Medium | EXO |
| ORCA.179 | Safe Links is enabled intra-organization. | Medium | EXO |
| ORCA.180 | Anti-phishing policy exists and EnableSpoofIntelligence is true. | Medium | EXO |
| ORCA.189 | Safe Attachments is not bypassed. | Medium | EXO |
| ORCA.189.2 | Safe Links is not bypassed. | High | EXO |
| ORCA.205 | Common attachment type filter is enabled. | Medium | EXO |
| ORCA.220 | Advanced Phish filter Threshold level is adequate. | Medium | EXO |
| ORCA.221 | Mailbox intelligence is enabled in anti-phishing policies. | Medium | EXO |
| ORCA.222 | Domain Impersonation action is set to move to Quarantine. | Medium | EXO |
| ORCA.223 | User impersonation action is set to move to Quarantine. | High | EXO |
| ORCA.224 | Similar Users Safety Tips is enabled. | Info | EXO |
| ORCA.225 | Safe Documents is enabled for Office clients. | Medium | EXO |
| ORCA.226 | Each domain has a Safe Link policy applied to it. | Medium | EXO |
| ORCA.227 | Each domain has a Safe Attachments policy applied to it. | Medium | EXO |
| ORCA.228 | No trusted senders in Anti-phishing policy. | High | EXO |
| ORCA.229 | No trusted domains in Anti-phishing policy. | Medium | EXO |
| ORCA.230 | Each domain has a Anti-phishing policy applied to it, or the default policy is being used. | Medium | EXO |
| ORCA.231 | Each domain has a anti-spam policy applied to it, or the default policy is being used. | Medium | EXO |
| ORCA.232 | Each domain has a malware filter policy applied to it, or the default policy is being used. | High | EXO |
| ORCA.233 | Domains are pointed directly at EOP or enhanced filtering is used. | Medium | EXO |
| ORCA.233.1 | Domains are pointed directly at EOP or enhanced filtering is configured on all default connectors. | Medium | EXO |
| ORCA.234 | Click through is disabled for Safe Documents. | Medium | EXO |
| ORCA.235 | SPF records is set up for all your custom domains. | Medium | EXO |
| ORCA.236 | Safe Links is enabled for emails. | Medium | EXO |
| ORCA.237 | Safe Links is enabled for teams messages. | Medium | EXO |
| ORCA.238 | Safe Links is enabled for office documents. | Medium | EXO |
| ORCA.239 | No exclusions for the built-in protection policies. | High | EXO |
| ORCA.240 | Outlook is configured to display external tags for external emails. | Medium | EXO |
| ORCA.241 | Anti-phishing policy exists and EnableFirstContactSafetyTips is true. | Medium | EXO |
| ORCA.242 | Important protection alerts responsible for AIR activities are enabled. | High | EXO |
| ORCA.243 | Authenticated Receive Chain is set up for domains not pointing to EOP/MDO, or all domains point to EOP/MDO. | Medium | EXO |
| ORCA.244 | Policies are configured to honor sending domains DMARC. | Medium | EXO |