Information
You should set your Exchange Online Spam Policies to copy emails and notify someone when a sender in your tenant has been blocked for sending spam emails.
Rationale:
A blocked account is a good indication that the account in question has been breached and an attacker is using it to send spam emails to other people.
Impact:
Notification of users that have been blocked should not cause an impact to the user.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
To set the Exchange Online Spam Policies correctly, use the Microsoft 365 Admin Center:
Go to https://protection.office.com/antispam
Click on the Anti-spam outbound policy (default).
Select Edit protection settings, then under Notifications:
Check Send a copy of outbound messages that exceed these limits to these users and groups then enter the desired email addresses.
Check Notify these users and groups if a sender is blocked due to sending outbound spam then enter the desired email addresses.
Click Save.
To set the Exchange Online Spam Policies correctly, use the Exchange Online PowerShell Module:
Connect to Exchange Online using Connect-ExchangeOnline.
Run the following PowerShell commands:
$BccEmailAddress = @('<INSERT-EMAIL>')
$NotifyEmailAddress = @('<INSERT-EMAIL>')
Set-HostedOutboundSpamFilterPolicy -Identity Default -BccSuspiciousOutboundAdditionalRecipients $BccEmailAddress -BccSuspiciousOutboundMail $true -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients $NotifyEmailAddress
Default Value:
disabled