Email Security/Exchange Online - Ensure Exchange Online Spam Policies are Set to Notify Administrators

Summary

For organizations with Microsoft 365 mailboxes in Exchange Online, and for standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.

Exchange Online Spam Policies can be configured to copy outbound messages and to notify someone when a sender in your tenant has been blocked for sending spam.

Reason

If an account is blocked, that means it has been breached and an attacker has been using it to send spam emails to other people.

Note: Audit and remediation guidance may focus on the Default policy, but if a custom policy exists in the organization's tenant, ensure that the setting is configured as outlined in the highest-priority policy listed.

What If?

The blocked-sender notifications do not affect users.

How to?

To set the Exchange Online Spam Policies correctly, use the Microsoft 365 Admin Center:
  1. Go to the Microsoft Admin Center and click Security.
  2. Under Email & collaboration > Policies & rules > Threat policies, select Anti-spam policies.
  3. Now, select Anti-spam outbound policy (Default).
  4. Select Edit protection settings, then go to Notifications.
  5. Check Send a copy of outbound messages that exceed these limits to these users and groups, then enter the desired email addresses.
  6. Check Notify these users and groups if a sender is blocked due to sending outbound spam, then enter the desired email addresses.
  7. Click Save.

To set the Exchange Online Spam Policies correctly, use the Exchange Online PowerShell Module:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Now, run the following Exchange Online PowerShell command: 

# Recipients of copies of suspicious outbound mail and of blocked-sender alerts
$BccEmailAddress = @("<INSERT-EMAIL>")
$NotifyEmailAddress = @("<INSERT-EMAIL>")

# Enable both notifications on the Default outbound spam filter policy
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -BccSuspiciousOutboundAdditionalRecipients $BccEmailAddress `
    -BccSuspiciousOutboundMail $true `
    -NotifyOutboundSpam $true `
    -NotifyOutboundSpamRecipients $NotifyEmailAddress

Monitor

To verify the Exchange Online Spam Policies are set correctly, use the Microsoft 365 Admin Center:
  1. Go to the Microsoft Admin Center and click Security.
  2. Under Email & collaboration > Policies & rules > Threat policies, select Anti-spam policies.
  3. Now, select Anti-spam outbound policy (Default).
  4. Verify that Send a copy of outbound messages that exceed these limits to these users and groups is set to On, then make sure the email address is correct.
  5. Verify that Notify these users and groups if a sender is blocked due to sending outbound spam is set to On, then ensure that the email address is correct.

To verify that the Exchange Online Spam Policies are set correctly, use the Exchange Online PowerShell Module:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Now, run the following Exchange Online PowerShell command: 

Get-HostedOutboundSpamFilterPolicy | Select-Object Bcc*, Notify*

  3. Verify that both BccSuspiciousOutboundMail and NotifyOutboundSpam are set to True and that the email addresses to be notified are correct.
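The note above warns that a custom policy with a higher priority than Default can override this setting, so the Get-HostedOutboundSpamFilterPolicy check on its own is not enough. The following audit script is an added example, not code from the original post: it assumes an existing Connect-ExchangeOnline session, uses Get-HostedOutboundSpamFilterRule to find each custom policy's priority, and '<INSERT-EMAIL>' is a placeholder for the mailbox(es) that should receive the copies and the blocked-sender alerts.

```powershell
# Added audit helper (not from the original post). Assumes an active
# Connect-ExchangeOnline session; '<INSERT-EMAIL>' is a placeholder.
$ExpectedRecipients = @('<INSERT-EMAIL>')

function Test-OutboundSpamNotifyPolicy {
    param(
        [Parameter(Mandatory)] $Policy,   # one Get-HostedOutboundSpamFilterPolicy object
        [string[]] $Expected,
        $Priority                         # rule priority, or 'Default' for the Default policy
    )
    # Recipient properties are SMTP address objects; compare them as strings.
    $bccRcpts    = @($Policy.BccSuspiciousOutboundAdditionalRecipients | ForEach-Object { "$_" })
    $notifyRcpts = @($Policy.NotifyOutboundSpamRecipients | ForEach-Object { "$_" })

    # Compliant only when the switch is on AND every expected address is present.
    $bccOk    = $Policy.BccSuspiciousOutboundMail -and
                -not ($Expected | Where-Object { $bccRcpts -notcontains $_ })
    $notifyOk = $Policy.NotifyOutboundSpam -and
                -not ($Expected | Where-Object { $notifyRcpts -notcontains $_ })

    [pscustomobject]@{
        Priority         = $Priority
        Policy           = $Policy.Name
        BccEnabled       = [bool]$Policy.BccSuspiciousOutboundMail
        BccRecipients    = ($bccRcpts -join ';')
        NotifyEnabled    = [bool]$Policy.NotifyOutboundSpam
        NotifyRecipients = ($notifyRcpts -join ';')
        Compliant        = [bool]($bccOk -and $notifyOk)
    }
}

# Custom policies are bound to rules that carry the priority (0 = highest);
# the Default policy has no rule and is evaluated last.
$rules   = Get-HostedOutboundSpamFilterRule
$results = foreach ($policy in Get-HostedOutboundSpamFilterPolicy) {
    $rule = $rules | Where-Object { $_.HostedOutboundSpamFilterPolicy -eq $policy.Name }
    $prio = if ($rule) { $rule.Priority } else { 'Default' }
    Test-OutboundSpamNotifyPolicy -Policy $policy -Expected $ExpectedRecipients -Priority $prio
}

# Highest-priority policy first, so the one that actually applies is at the top.
$results | Sort-Object { if ($_.Priority -is [int]) { $_.Priority } else { [int]::MaxValue } } |
    Format-Table -AutoSize

$nonCompliant = @($results | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ("Outbound spam policies missing notifications: " + ($nonCompliant.Policy -join ', '))
}
```

Any policy listed above the Default row that reports Compliant = False is the one that needs the Set-HostedOutboundSpamFilterPolicy remediation, with its own name in place of Default.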