Email Security/Exchange Online - Ensure Notifications For Internal Users Sending Malware Is Enabled
Summary
Exchange Online Protection (EOP) is known as a cloud-based filtering service that protects an organization against spam, malware, and other email threats. It is present in all Microsoft 365 organizations with Exchange Online mailboxes.
EOP generally uses flexible anti-malware policies that can be easily set to notify Admins of malicious activity.
Reason
This setting can alert an administrator about an internal user sending contaminated messages indicating a compromised account or machine, that would require to be investigated.
Note- Audit and Remediation guidance may focus on the Default policy, but, if there is a custom policy in the organization's tenant, then, make sure that the setting is set as outlined in the highest priority policy list.
What If?
Notification of account with potential issues should not cause an impact to the user.
How to?
To enable notifications for internal users sending malware, use the Microsoft 365 Admin Center:
- Click Security to open the Security portal.
- Under Email & Collaboration navigate to Policies & rules > Threat policies.
- Select Anti-malware.
- Pick Default policy.
- Now, click on Edit protection settings and change the settings for Notify an admin about undelivered messages from internal senders to On and enter the email address of the administrator who should be notified under Administrator email address.
To check the setting from PowerShell, use the Exchange Online PowerShell Module:- Connect to Exchange Online using Connect-ExchangeOnline.
- Now, run the following Exchange Online PowerShell command:
Set-MalwareFilterPolicy -Identity ' (Identity Name) ' -EnableInternalSenderAdminNotifications $True -InternalSenderAdminAddress{admin@domainl.com}
- Connect to Exchange Online using Connect-ExchangeOnline.
- Now, run the following Exchange Online PowerShell command:
Set-MalwareFilterPolicy -Identity ' (Identity Name) ' -
EnableInternalSenderAdminNotifications $True -InternalSenderAdminAddress
{admin@domainl.com}
Monitor:
To verify notifications for internal users sending malware is enabled, use the Microsoft 365 Admin Center:
- Click Security to open the Security portal.
- Under Email & Collaboration navigate to Policies & rules > Threat policies.
- Select Anti-malware.
- Click on Default policy.
- Now, ensure the setting for Notify an admin about undelivered messages from internal senders is set to On and that there is at least one email address under Administrator email address.
To check the setting from PowerShell, use the Exchange Online PowerShell Module:- Connect to Exchange Online using Connect-ExchangeOnline.
- Now, run the following Exchange Online PowerShell command:
Get-MalwareFilterPolicy | fl Identity,EnableInternalSenderAdminNotifications, InternalSenderAdminAddress
- Connect to Exchange Online using Connect-ExchangeOnline.
- Now, run the following Exchange Online PowerShell command:
Get-MalwareFilterPolicy | fl Identity,
EnableInternalSenderAdminNotifications, InternalSenderAdminAddress
Comments
Post a Comment