Detections
Analytics

2.4.2 Ensure Priority accounts have 'Strict protection' presets applied

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Preset security policies have been established by Microsoft, utilizing observations and experiences within datacenters to strike a balance between the exclusion of malicious content from users and limiting unwarranted disruptions. These policies can apply to all, or select users and encompass recommendations for addressing spam, malware, and phishing threats. The policy parameters are pre-determined and non-adjustable.

Strict protection has the most aggressive protection of the 3 presets.

EOP: Anti-spam, Anti-malware and Anti-phishing

Defender: Spoof protection, Impersonation protection and Advanced phishing

Defender: Safe Links and Safe Attachments

NOTE: The preset security polices cannot target Priority account TAGS currently, groups should be used instead.

Rationale:

Enabling priority account protection for users in Microsoft 365 is necessary to enhance security for accounts with access to sensitive data and high privileges, such as CEOs, CISOs, CFOs, and IT admins. These priority accounts are often targeted by spear phishing or whaling attacks and require stronger protection to prevent account compromise.

The implementation of stringent, pre-defined policies may result in instances of false positive, however, the benefit of requiring the end-user to preview junk email before accessing their inbox outweighs the potential risk of mistakenly perceiving a malicious email as safe due to its placement in the inbox.

Impact:

Strict policies are more likely to cause false positives in anti-spam, phishing, impersonation, spoofing and intelligence responses.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Enable strict preset security policies for Priority accounts:

Navigate to Microsoft 365 Defender https://security.microsoft.com/

Select to expand E-mail & collaboration.

Select Policies & rules > Threat policies > Preset security policies.

Click to Manage protection settings for Strict protection preset.

For Apply Exchange Online Protection select at minimum Specific recipients and include the Accounts/Groups identified as Priority Accounts.

For Apply Defender for Office 365 Protection select at minimum Specific recipients and include the Accounts/Groups identified as Priority Accounts.

For Impersonation protection click Next and add valid e-mails or priority accounts both internal and external that may be subject to impersonation.

For Protected custom domains add the organization's domain name, along side other key partners.

Click Next and finally Confirm

Default Value:

By default presets are not applied to any users or groups.

See Also

https://workbench.cisecurity.org/benchmarks/12934

Item Details

Plugin: microsoft_azure

Control ID: 13dbfa7f1662c978e2228af6c36f058e8c28410f13fffdd461ff833c22b4c4a6