8.6.1 Ensure users can report security concerns in Teams

Information

User reporting settings allow a user to report a message as malicious for further analysis. This recommendation is composed of 3 different settings, and all three must be configured for the check to pass:

In the Teams admin center (Report a security concern): On by default; controls whether users are able to report messages from Teams. When this setting is turned off, users can't report messages within Teams, so the corresponding setting in the Microsoft 365 Defender portal is irrelevant.

In the Microsoft 365 Defender portal (Monitor reported messages in Microsoft Teams): On by default for new tenants; existing tenants need to enable it. If user reporting of messages is turned on in the Teams admin center, it also needs to be turned on in the Defender portal for user-reported messages to show up correctly on the User reported tab of the Submissions page.

Defender - Report message destinations: This setting applies to more than just Microsoft Teams and lets an organization keep its reports in-house rather than sending them to Microsoft. Because the Teams reporting setting and the destination setting are coupled in the backend parameters (see the PowerShell remediation below), the destination is included in this assessment as a requirement.

Rationale:

Users will be able to alert administrators of suspicious or malicious messages within Teams more quickly and systematically. The content of these messages may be sensitive in nature and therefore should be kept within the organization and not shared with Microsoft without first consulting company policy.

Note:

The reported message remains visible to the user in the Teams client.

Users can report the same message multiple times.

The message sender isn't notified that messages were reported.

Impact:

Enabling message reporting has an impact beyond addressing security concerns. When users report a message, the content could include messages that are threatening or harassing in nature, possibly from colleagues.

Because of this, the security staff responsible for reviewing and acting on these reports should be equipped with the skills to recognize such messages and direct them to the relevant departments, such as Human Resources (HR).

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

Navigate to Microsoft Teams admin center https://admin.teams.microsoft.com.

Click to expand Messaging select Messaging policies.

Click Global (Org-wide default).

Set Report a security concern to On.

Next, navigate to Microsoft 365 Defender https://security.microsoft.com/

Click on Settings > Email & collaboration > User reported settings.

Scroll to Microsoft Teams.

Check Monitor reported messages in Microsoft Teams and Save.

Set Send reported messages to: to My reporting mailbox only, and enter the mailbox of the authorized staff who will triage the reports.

To remediate using PowerShell:

Connect to Teams PowerShell using Connect-MicrosoftTeams.

Connect to Exchange Online PowerShell using Connect-ExchangeOnline.

Run the following cmdlet. Note that it updates only the Global policy; a user assigned a custom Teams messaging policy does not inherit the Global value, so run it against each custom policy (by its Identity) as well:

Set-CsTeamsMessagingPolicy -Identity Global -AllowSecurityEndUserReporting $true

To configure the Defender reporting policies, edit and run this script:

$usersub = '[email protected]' # Change this to the reporting mailbox monitored by authorized staff.

$params = @{
Identity = 'DefaultReportSubmissionPolicy'
EnableReportToMicrosoft = $false                      # Do not send user reports to Microsoft
ReportChatMessageEnabled = $false                     # With the next line, selects "My reporting mailbox only" for Teams
ReportChatMessageToCustomizedAddressEnabled = $true   # Teams reports go to the custom mailbox
ReportJunkToCustomizedAddress = $true                 # Email junk/not junk/phish reports also go to the custom mailbox
ReportNotJunkToCustomizedAddress = $true
ReportPhishToCustomizedAddress = $true
ReportJunkAddresses = $usersub
ReportNotJunkAddresses = $usersub
ReportPhishAddresses = $usersub
}

Set-ReportSubmissionPolicy @params

# The rule is what actually routes the reports to the mailbox.
New-ReportSubmissionRule -Name DefaultReportSubmissionRule -ReportSubmissionPolicy DefaultReportSubmissionPolicy -SentTo $usersub

If a report submission rule already exists in the tenant (for example because the destination was previously set in the portal), New-ReportSubmissionRule will fail; in that case update the existing rule with Set-ReportSubmissionRule instead.
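The audit side of this recommendation is manual (Nessus does not perform the check). The following script is an added example, not part of the CIS benchmark text or the Tenable plugin; it assumes Connect-MicrosoftTeams and Connect-ExchangeOnline sessions are already established with an account that can read Teams messaging policies and Exchange Online report submission settings. It compares the tenant against the values the remediation script above sets, and goes one step beyond the benchmark by checking every Teams messaging policy rather than only Global, because a user assigned a custom policy does not inherit the Global value.

```powershell
# Added audit example for CIS 8.6.1 (not benchmark or Tenable code).
# Assumes Connect-MicrosoftTeams and Connect-ExchangeOnline have already been run.

function Test-TeamsUserReporting {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Teams admin center: every messaging policy must allow end-user security reporting.
    #    The benchmark only remediates Global; custom policies override it per user.
    Get-CsTeamsMessagingPolicy | ForEach-Object {
        if (-not $_.AllowSecurityEndUserReporting) {
            $findings.Add("Teams messaging policy '$($_.Identity)': AllowSecurityEndUserReporting is False")
        }
    }

    # 2. Defender portal: user reported settings, compared with the values the
    #    remediation script sets (Teams reporting on, reports kept in the organization).
    $policy = Get-ReportSubmissionPolicy -Identity DefaultReportSubmissionPolicy
    $expected = @{
        EnableReportToMicrosoft                     = $false
        ReportChatMessageEnabled                    = $false
        ReportChatMessageToCustomizedAddressEnabled = $true
        ReportJunkToCustomizedAddress               = $true
        ReportNotJunkToCustomizedAddress            = $true
        ReportPhishToCustomizedAddress              = $true
    }
    foreach ($name in $expected.Keys) {
        if ($policy.$name -ne $expected[$name]) {
            $findings.Add("ReportSubmissionPolicy: $name is '$($policy.$name)', expected '$($expected[$name])'")
        }
    }

    # 3. Destination: the custom report addresses must be populated, and the
    #    submission rule must exist and deliver to the same mailbox(es).
    $addresses = @(
        @($policy.ReportJunkAddresses; $policy.ReportNotJunkAddresses; $policy.ReportPhishAddresses) |
            ForEach-Object { "$_".Trim().ToLowerInvariant() } |
            Where-Object { $_ -ne '' } |
            Sort-Object -Unique
    )
    if ($addresses.Count -eq 0) {
        $findings.Add("ReportSubmissionPolicy: no custom report addresses are configured")
    }

    $rule = Get-ReportSubmissionRule -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $rule) {
        $findings.Add("No ReportSubmissionRule exists; reports will not be delivered to the reporting mailbox")
    } else {
        $sentTo = @($rule.SentTo | ForEach-Object { "$_".Trim().ToLowerInvariant() })
        if ($sentTo.Count -eq 0) {
            $findings.Add("ReportSubmissionRule '$($rule.Name)' has no SentTo address")
        } elseif ($addresses.Count -gt 0) {
            $mismatch = $sentTo | Where-Object { $addresses -notcontains $_ }
            if ($mismatch) {
                $findings.Add("ReportSubmissionRule SentTo ($($sentTo -join ', ')) does not match policy addresses ($($addresses -join ', '))")
            }
        }
    }

    return $findings
}

$result = Test-TeamsUserReporting
if ($result.Count -eq 0) {
    Write-Output "PASS: 8.6.1 - all three user reporting settings match the benchmark"
} else {
    Write-Output "FAIL: 8.6.1"
    $result | ForEach-Object { Write-Output "  - $_" }
}
```

The function returns the list of findings rather than only printing, so it can be dropped into a larger compliance script that aggregates results across recommendations.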

Default Value:

Report a security concern (Teams admin center): On (True)

Monitor reported messages in Microsoft Teams (Defender portal): On for new tenants; existing tenants must enable it

Report message destination: Microsoft Only

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: microsoft_azure

Control ID: 5b0f732fffae258a7d7c09a9f38c6d19906b288da4ac2c2949b42bde82eac6c2