Email Security/Exchange Online - Ensure Mail Transport Rules Do Not Whitelist Specific Domains

Summary

The Exchange Online mail transport rules should be configured so that they do not whitelist any specific domains.

Reason

If specific domains are whitelisted in the transport rules, mail from those domains bypasses the regular malware and phishing scanning, which allows an attacker to launch attacks against any user from such a safe-haven domain.

What If?

Be careful when implementing this change and confirm first that there is no business need for case-by-case whitelisting. Removing all whitelisted domains will affect the incoming mail flow to the organization, although modern systems sending legitimate mail should have no issues with it.

How to?

To alter the mail transport rules so they do not whitelist any specific domain, use the Microsoft 365 Admin Center:
  1. Select Exchange.
  2. Go to Mail Flow and then Rules.
  3. For each rule that whitelists specific domains, select the rule and click the 'Delete' icon.

To remove mail transport rules, you may also use the Exchange Online PowerShell Module:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Run the following Exchange Online PowerShell command:

Remove-TransportRule {RuleName}

  3. Verify the rule no longer exists:

Get-TransportRule | Where-Object {($_.SetSCL -eq -1 -and $_.SenderDomainIs -ne $null)} | ft Name,SenderDomainIs

Monitor

To verify the mail transport rules do not whitelist any specific domains, use the Microsoft 365 Admin Center:
  1. Select Exchange.
  2. Go to Mail Flow and then Rules.
  3. Review the rules and verify that none of them whitelists any specific domains.

To verify that mail transport rules do not whitelist any domains, you may also use the Exchange Online PowerShell Module:
  1. Connect to Exchange Online using Connect-ExchangeOnline.
  2. Run the following Exchange Online PowerShell command:

Get-TransportRule | Where-Object {($_.SetSCL -eq -1 -and $_.SenderDomainIs -ne $null)} | ft Name,SenderDomainIs
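The one-liner above finds rules that force the spam confidence level to -1 for a sender-domain condition. As an added example (not part of the original post or the CIS benchmark), the function below wraps the same check into a reusable audit that reports each matching rule with its state, priority and domain list, and can optionally disable matching rules (so they stay available for review) before an administrator deletes them with Remove-TransportRule. It assumes an existing Connect-ExchangeOnline session; the function name is hypothetical.

```powershell
# Added example, not from the original post. Requires an active
# Connect-ExchangeOnline session. Function name is a hypothetical choice.
function Find-DomainWhitelistRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Disable matching rules instead of only reporting them.
        [switch]$Disable
    )

    # Same filter as the benchmark check: SCL forced to -1 (skip spam
    # filtering) combined with a sender-domain condition.
    $rules = Get-TransportRule | Where-Object {
        $_.SetSCL -eq -1 -and $null -ne $_.SenderDomainIs
    }

    foreach ($rule in $rules) {
        $finding = [pscustomobject]@{
            Name     = $rule.Name
            State    = $rule.State          # Enabled or Disabled
            Priority = $rule.Priority
            Domains  = ($rule.SenderDomainIs -join ', ')
        }

        if ($Disable -and $rule.State -eq 'Enabled' -and
            $PSCmdlet.ShouldProcess($rule.Name, 'Disable transport rule')) {
            # Disabling keeps the rule for review; remove it with
            # Remove-TransportRule once the business owner confirms it is unneeded.
            Disable-TransportRule -Identity $rule.Identity -Confirm:$false
            $finding.State = 'Disabled'
        }

        $finding
    }
}

# Report only:
Find-DomainWhitelistRule | Format-Table -AutoSize

# Preview which rules would be disabled, then disable them:
# Find-DomainWhitelistRule -Disable -WhatIf
# Find-DomainWhitelistRule -Disable
```

An empty report means the check passes; each row returned is a rule that still whitelists one or more sender domains.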