Information
You should set your Exchange Online Spam Policies to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails.
Rationale:
A blocked account is a good indication that the account in question has been breached and an attacker is using it to send spam emails to other people.
Impact:
Notification of users that have been blocked should not cause an impact to the user.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To set the Exchange Online Spam Policies correctly, use the Microsoft 365 Admin Center:
1. Click Security to open the Security portal.
2. Navigate to Threat management, then Policy, and select Anti-spam.
3. Click Anti-spam outbound policy.
4. Select Edit policy, then expand Notifications.
5. Check Send a copy of outbound messages that exceed these limits to these users and groups, then select +Add people and enter the desired email addresses.
6. Check Notify specific people if senders are blocked, then select +Add people and enter the desired email addresses.
7. Click Save.
To set the Exchange Online Spam Policies correctly, use the Exchange Online PowerShell Module:
1. Connect to Exchange Online using Connect-ExchangeOnline.
2. Run the following PowerShell command:
$BccEmailAddress = @('<INSERT-EMAIL>')
$NotifyEmailAddress = @('<INSERT-EMAIL>')
Set-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundAdditionalRecipients $BccEmailAddress -BccSuspiciousOutboundMail $true -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $NotifyEmailAddress
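To confirm the remediation took effect, the following added example (not part of the benchmark or the original page) checks outbound spam policy objects for the four settings configured above. The function name Test-OutboundSpamNotification and the sample policy objects are constructed for illustration; the check goes beyond the Default policy by accepting any policy returned by Get-HostedOutboundSpamFilterPolicy.

```powershell
# Added example: report which outbound spam policies lack the settings above.
function Test-OutboundSpamNotification {
    [CmdletBinding()]
    param(
        # Policy objects shaped like Get-HostedOutboundSpamFilterPolicy output
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    process {
        # Drop $null and empty entries so an unset recipient list counts as zero
        $bcc    = @($Policy.BccSuspiciousOutboundAdditionalRecipients | Where-Object { $_ })
        $notify = @($Policy.NotifyOutboundSpamRecipients | Where-Object { $_ })

        $findings = @()
        if (-not $Policy.BccSuspiciousOutboundMail) { $findings += 'BccSuspiciousOutboundMail is off' }
        if ($bcc.Count -eq 0)                       { $findings += 'no BCC recipients' }
        if (-not $Policy.NotifyOutboundSpam)        { $findings += 'NotifyOutboundSpam is off' }
        if ($notify.Count -eq 0)                    { $findings += 'no notification recipients' }

        [pscustomobject]@{
            Policy    = [string]$Policy.Identity
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample objects (not real tenant data) so the check runs offline.
$sample = @(
    [pscustomobject]@{
        Identity = 'Default'
        BccSuspiciousOutboundMail = $true
        BccSuspiciousOutboundAdditionalRecipients = @('secops@example.com')
        NotifyOutboundSpam = $true
        NotifyOutboundSpamRecipients = @('secops@example.com')
    }
    [pscustomobject]@{
        Identity = 'Hypothetical custom policy'
        BccSuspiciousOutboundMail = $false
        BccSuspiciousOutboundAdditionalRecipients = @()
        NotifyOutboundSpam = $true
        NotifyOutboundSpamRecipients = $null
    }
)
$sample | Test-OutboundSpamNotification | Format-List

# Against a live tenant, after Connect-ExchangeOnline:
# Get-HostedOutboundSpamFilterPolicy | Test-OutboundSpamNotification
```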
Default Value:
Disabled