2.1.12 Ensure the 'Restricted entities' report is reviewed weekly

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Microsoft 365 Defender reviews of Restricted Entities will provide a list of user accounts restricted from sending e-mail. If a user exceeds one of the outbound sending limits as specified in the service limits or in outbound spam policies, the user is restricted from sending email, but they can still receive email.

Rationale:

Users who are found on the restricted users list have a high probability of having been compromised. Review of this list will allow an organization to remediate these user accounts, and then unblock them.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To review the report of users who have had their email privileges restricted due to spamming:

Navigate to Microsoft 365 Defender https://security.microsoft.com.

Under Email & collaboration navigate to Review.

Click Restricted Entities.

Review alerts and take appropriate action (unblocking) after account has been remediated.

Review a list of users blocked from sending messages using PowerShell:

Connect to Exchange Online using Connect-ExchangeOnline

Run the following PowerShell command:

Get-BlockedSenderAddress

Review.

See Also

https://workbench.cisecurity.org/benchmarks/12934