2.1.3 Ensure notifications for internal users sending malware is Enabled

Information

Exchange Online Protection (EOP) is the cloud-based filtering service that protects organizations against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes.

EOP uses flexible anti-malware policies for malware protection settings. These policies can be set to notify Admins of malicious activity.

Rationale:

This setting alerts administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated.

Impact:

Notification of account with potential issues should not cause an impact to the user.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To enable notifications for internal users sending malware:

Navigate to Microsoft 365 Defender https://security.microsoft.com.

Click to expand E-mail & Collaboration select Policies & rules.

On the Policies & rules page select Threat policies.

Under Policies select Anti-malware.

Click on the Default (Default) policy.

Click on Edit protection settings and change the settings for Notify an admin about undelivered messages from internal senders to On and enter the email address of the administrator who should be notified under Administrator email address.

Click Save.

To remediate using PowerShell:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following command:

Set-MalwareFilterPolicy -Identity '{Identity Name}' -EnableInternalSenderAdminNotifications $True -InternalSenderAdminAddress {[email protected]}

NOTE: Audit and Remediation guidance may focus on the Default policy however, if a Custom Policy exists in the organization's tenant then ensure the setting is set as outlined in the highest priority policy listed.

Default Value:

EnableInternalSenderAdminNotifications : False

InternalSenderAdminAddress : $null

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: INCIDENT RESPONSE

References: 800-53|IR-1, 800-53|IR-8, CSCv7|7.1, CSCv7|8.1

Plugin: microsoft_azure

Control ID: eafc8aaf9e5c37fb52abe98679ff9ddae0a721fd81f5c295690e6a2cd73c6e5b